e2e17c7a66b0571f7d35ecd4f5522eb697a234d2b3d803d609d3f804a63de168

Analysis

max time kernel
151s
max time network
149s
platform
windows7_x64
resource
win7v20201028
submitted
13-01-2021 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
Size

387KB
MD5

1d6edfa073e4a8f072df28cfd5321bba
SHA1

a62fc3e619711102d3e8a62e9e2456db1e194997
SHA256

e2e17c7a66b0571f7d35ecd4f5522eb697a234d2b3d803d609d3f804a63de168
SHA512

c1426d54140a6cac1dabeb41fa6d21c0894b9d70afd677254ff0ed3afcb8bde3ba34b61b8fb7633ba4c85ebaf81620b79b53f626b3076c3aad8ff77bdad378cd

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

608 cmd.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1552 ipconfig.exe

pid	process
608	cmd.exe

pid	process
1552	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 147 IoCs

Processes:

ndadmin.exesvchost.exeSearchProtocolHost.exeExplorer.EXE

pid	process
1252	ndadmin.exe
1252	ndadmin.exe
1252	ndadmin.exe
800	svchost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1260	Explorer.EXE
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1260	Explorer.EXE
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1260	Explorer.EXE
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1260	Explorer.EXE
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1260	Explorer.EXE
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe

Suspicious use of AdjustPrivilegeToken 117 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exendadmin.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
Token: SeTcbPrivilege	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
Token: SeDebugPrivilege	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
Token: SeDebugPrivilege	1252	ndadmin.exe
Token: SeTcbPrivilege	1252	ndadmin.exe
Token: SeCreateTokenPrivilege	1252	ndadmin.exe
Token: SeAssignPrimaryTokenPrivilege	1252	ndadmin.exe
Token: SeLockMemoryPrivilege	1252	ndadmin.exe
Token: SeIncreaseQuotaPrivilege	1252	ndadmin.exe
Token: SeMachineAccountPrivilege	1252	ndadmin.exe
Token: SeTcbPrivilege	1252	ndadmin.exe
Token: SeSecurityPrivilege	1252	ndadmin.exe
Token: SeTakeOwnershipPrivilege	1252	ndadmin.exe
Token: SeLoadDriverPrivilege	1252	ndadmin.exe
Token: SeSystemProfilePrivilege	1252	ndadmin.exe
Token: SeSystemtimePrivilege	1252	ndadmin.exe
Token: SeProfSingleProcessPrivilege	1252	ndadmin.exe
Token: SeIncBasePriorityPrivilege	1252	ndadmin.exe
Token: SeCreatePagefilePrivilege	1252	ndadmin.exe
Token: SeCreatePermanentPrivilege	1252	ndadmin.exe
Token: SeBackupPrivilege	1252	ndadmin.exe
Token: SeRestorePrivilege	1252	ndadmin.exe
Token: SeShutdownPrivilege	1252	ndadmin.exe
Token: SeDebugPrivilege	1252	ndadmin.exe
Token: SeAuditPrivilege	1252	ndadmin.exe
Token: SeSystemEnvironmentPrivilege	1252	ndadmin.exe
Token: SeChangeNotifyPrivilege	1252	ndadmin.exe
Token: SeRemoteShutdownPrivilege	1252	ndadmin.exe
Token: SeUndockPrivilege	1252	ndadmin.exe
Token: SeSyncAgentPrivilege	1252	ndadmin.exe
Token: SeEnableDelegationPrivilege	1252	ndadmin.exe
Token: SeManageVolumePrivilege	1252	ndadmin.exe
Token: SeImpersonatePrivilege	1252	ndadmin.exe
Token: SeCreateGlobalPrivilege	1252	ndadmin.exe
Token: 31	1252	ndadmin.exe
Token: 32	1252	ndadmin.exe
Token: 33	1252	ndadmin.exe
Token: 34	1252	ndadmin.exe
Token: 35	1252	ndadmin.exe
Token: SeDebugPrivilege	1252	ndadmin.exe
Token: SeDebugPrivilege	800	svchost.exe
Token: SeTcbPrivilege	800	svchost.exe
Token: SeCreateTokenPrivilege	800	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	800	svchost.exe
Token: SeLockMemoryPrivilege	800	svchost.exe
Token: SeIncreaseQuotaPrivilege	800	svchost.exe
Token: SeMachineAccountPrivilege	800	svchost.exe
Token: SeTcbPrivilege	800	svchost.exe
Token: SeSecurityPrivilege	800	svchost.exe
Token: SeTakeOwnershipPrivilege	800	svchost.exe
Token: SeLoadDriverPrivilege	800	svchost.exe
Token: SeSystemProfilePrivilege	800	svchost.exe
Token: SeSystemtimePrivilege	800	svchost.exe
Token: SeProfSingleProcessPrivilege	800	svchost.exe
Token: SeIncBasePriorityPrivilege	800	svchost.exe
Token: SeCreatePagefilePrivilege	800	svchost.exe
Token: SeCreatePermanentPrivilege	800	svchost.exe
Token: SeBackupPrivilege	800	svchost.exe
Token: SeRestorePrivilege	800	svchost.exe
Token: SeShutdownPrivilege	800	svchost.exe
Token: SeDebugPrivilege	800	svchost.exe
Token: SeAuditPrivilege	800	svchost.exe
Token: SeSystemEnvironmentPrivilege	800	svchost.exe
Token: SeChangeNotifyPrivilege	800	svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE
1260 Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

pid	process
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE
1260	Explorer.EXE

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

SearchProtocolHost.exe

pid	process
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe
1604	SearchProtocolHost.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exendadmin.exesvchost.exeSearchProtocolHost.exe

description	pid	process	target process
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 532 wrote to memory of 1252	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	ndadmin.exe
PID 1252 wrote to memory of 800	1252	ndadmin.exe	svchost.exe
PID 1252 wrote to memory of 800	1252	ndadmin.exe	svchost.exe
PID 1252 wrote to memory of 800	1252	ndadmin.exe	svchost.exe
PID 1252 wrote to memory of 800	1252	ndadmin.exe	svchost.exe
PID 1252 wrote to memory of 800	1252	ndadmin.exe	svchost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 800 wrote to memory of 1604	800	svchost.exe	SearchProtocolHost.exe
PID 1604 wrote to memory of 1552	1604	SearchProtocolHost.exe	ipconfig.exe
PID 1604 wrote to memory of 1552	1604	SearchProtocolHost.exe	ipconfig.exe
PID 1604 wrote to memory of 1552	1604	SearchProtocolHost.exe	ipconfig.exe
PID 1604 wrote to memory of 1260	1604	SearchProtocolHost.exe	Explorer.EXE
PID 1604 wrote to memory of 1260	1604	SearchProtocolHost.exe	Explorer.EXE
PID 1604 wrote to memory of 1260	1604	SearchProtocolHost.exe	Explorer.EXE
PID 1604 wrote to memory of 1260	1604	SearchProtocolHost.exe	Explorer.EXE
PID 1604 wrote to memory of 1260	1604	SearchProtocolHost.exe	Explorer.EXE
PID 532 wrote to memory of 608	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	cmd.exe
PID 532 wrote to memory of 608	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	cmd.exe
PID 532 wrote to memory of 608	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	cmd.exe
PID 532 wrote to memory of 608	532	SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1260

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\system32\ndadmin.exe
"C:\Windows\system32\ndadmin.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c del /Q /F "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader36.34153.28149.7918.exe"
3⤵
- Deletes itself
PID:608

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604

C:\windows\system32\ipconfig.exe
/flushdns
3⤵
- Gathers network information
PID:1552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_8561586058D2ED9ACF276BAB29F2865E
MD5
72dc05094094de2759bc76b158fbe405

SHA1
6763e718e1689ab0de8a1ffc9aadb262e910e3c3

SHA256
5ed4145c1a2a33e4c40fae6799287cf4811e6263f24da2b976117fc33b444907

SHA512
6d0a2ee96041c5b55287b9edf55e63cdc39b168cf2c08cab4fdc94bd0614fe7fedb1f1ca3fcded500a299dec14643d8b698c44d2be6657f6594d7331ef5e345f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
MD5
5cb54cb2c6df3a0e1788998bb0cf3b35

SHA1
abec167ee3900564a6e25b67ffe539d086904a8e

SHA256
3939c212ae74b7a83dba6c8371b605fb77686c351e5cb8753359c2eceb72832d

SHA512
3d00ade67811f7aea1791196d1933538a7657ae393c863904898f060e43bf58796ba5eee24c9477cc31c22f9cbdcd34a6fd0c4a609a9570dcc62cf1d888a3c0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
21922806495622b55f15de5d9a05b0c2

SHA1
63eac24ef56d4543a2518c8dd3d1373197ad8e4a

SHA256
78e329ef90db210c9ad2f8c86d49e45f3c53bf089ef66f9a22c7a7cc3cba7b9a

SHA512
97b5f9c5391c9a64b97629bec0c463129f8f2d0e49b23446299a1d2df4eabb9c3890507e3ece59be867e61a166c399a60abc2462294613de0295922c67dd6e80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
85ff75cf4a2129620a29e89507062b42

SHA1
75c7bc31354d48e7a6ae7bbb0bfafd75e51ff909

SHA256
f3860f94cf8374825472dcedda9f269c4e7648ebf49b25c2e8e5e5e10cc16801

SHA512
6ba3250379033aa6d7bc42934410875a5586805ecb7b818e2a371a7bb806d40f68d9d9471df14f2d6a6b3eb2b66a889a015e6cbf6215abb1c30d6556b09fbb80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
7eb729161d081adc2c316df1e3ffbb7b

SHA1
a379bbd647951ab2066d8fe09beffcb7ebe7d6be

SHA256
7e2ff5b505b76354c9ac34c5ca6502a5b7cfeca701431bdfeea58cc69c27143f

SHA512
d9eeb2ba2d9beee188be4bf3b1b12e67969e111247a58e3e7c3557d39106e90540b23b6651c2057ce9cf7aeaba5e2835d288df9c294eca34005e6d28eb49a8a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
bdbf0928d5ec813ff3116b7fe422673c

SHA1
9422d3bbcd208b012931040f0737a2debf7df6b2

SHA256
fcd68b891a0e91be15258abc2271560cc0c0cc03b77039390c822edc1c195352

SHA512
cca0ea98a89488f2c05fb07d1974e06f72fd2cd984d839413d00975c1216d79f275258bd8a12a4b4f8af0e7e6d8226e2e4f6fec92a64a4af6491c2159d8a01b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
68268ca474bf3034c694588f9b7c9a70

SHA1
760967f75b1954dba8f63430fbecb14e67e6a391

SHA256
5266d827d6a5594038096cebe526b3ccef00c64a0d734e0ddb5a57fbedc5648a

SHA512
42edbb83872a0c11dbb6af4dd6f267b735cea18130e33bfafb704dedad49b91f53cf7f9070449e17774494fc9ec16ca8a7a1423200176a2798ec4ccd529da755

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_8561586058D2ED9ACF276BAB29F2865E
MD5
f38db53758c14b4f6fc5180040523cce

SHA1
28637baf315ad0bcded94c3d69b4230c9a367c7a

SHA256
f5fd7efd2b23749c7cca6084eb4e05da4e16759f7fb037a1e286bdd314dcbd9f

SHA512
e70faf5be75aed99df443416cd815b5d591b2d13e188bdab74abd943068de372a81e0af7bec3f7868491e99d416383242bc86c9189fc2619982d5f1cacff9c47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
MD5
f992272c98a7c487143be439d4b7ab9c

SHA1
825333cf8350cb8cdf665f584344f74af471d061

SHA256
0fdee35a33fe0a714506e4e4a8ec1a5e87a7f5dc50cbf34bc8ca7c8fa596cf69

SHA512
7830a64c1758a70ddfdc0cb638ff6e5d88bf2c8acaf9de73576eee668ce412962fec05f9ea87714d08189cebbbba911a20de8d4205265dbde363f09f45014189

Download Submit
memory/608-24-0x0000000000000000-mapping.dmp

Download
memory/1252-3-0x0000000000090000-0x0000000000093000-memory.dmp

Filesize
12KB

Download
memory/1552-11-0x0000000000000000-mapping.dmp

Download
memory/1604-8-0x0000000000000000-mapping.dmp

Download
memory/1828-14-0x000007FEF7590000-0x000007FEF780A000-memory.dmp

Filesize
2.5MB

Download