Analysis

- max time kernel: 107s
- max time network: 17s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 20-01-2021 11:09

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- Resource: win10v20201028
General

- Target: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- Size: 34KB
- MD5: 5bb718a52c52383cea5361519559b683
- SHA1: 54298a1c380568d1d76b103fa267ded82d6a778a
- SHA256: 43ae34f089374f6293998924525d9e8516c59bf2cd8150a7c01d6c565c85aa10
- SHA512: 36ad2bbb7315f4290844cb433c081265815b69553c2fd025615e989bbf3214f16d0686e100f701db7c827d9c43f0d21f41da9b3d5648ec423b14b35ecc7d9781
Malware Config

Extracted family: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: assist@adipico.com
- Password: @Mexico1.,
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe\"" (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
AgentTesla Payload (7 IoCs)
Processes (resource, yara_rule):
- behavioral1/memory/1100-6-0x0000000004210000-0x0000000004274000-memory.dmp: family_agenttesla
- behavioral1/memory/1180-28-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral1/memory/1180-29-0x000000000043748E-mapping.dmp: family_agenttesla
- behavioral1/memory/1316-32-0x000000000043748E-mapping.dmp: family_agenttesla
- behavioral1/memory/1180-34-0x0000000000400000-0x000000000043C000-memory.dmp: family_agenttesla
- behavioral1/memory/1628-37-0x000000000043748E-mapping.dmp: family_agenttesla
- behavioral1/memory/1976-42-0x000000000043748E-mapping.dmp: family_agenttesla
Looks for VirtualBox Guest Additions in registry (2 TTPs)

Looks for VMWare Tools registry key (2 TTPs)

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
Drops startup file (2 IoCs)
Processes:
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification (9 IoCs)
Processes (all recorded for process SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe = "0"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger (13 IoCs)
Processes:
- pid 1100 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe (13 occurrences)

Suspicious use of SetThreadContext (5 IoCs)
Processes (source process SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe, PID 1100, in every case):
- PID 1100 set thread context of 1180 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- PID 1100 set thread context of 1316 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- PID 1100 set thread context of 1628 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- PID 1100 set thread context of 1976 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
- PID 1100 set thread context of 1008 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes (pid, process):
- 1100 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- 1632 powershell.exe
- 800 powershell.exe
- 1064 powershell.exe
- 268 powershell.exe
- 1976 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- 1976 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- 1316 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- 1316 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- 1064 powershell.exe
- 268 powershell.exe
- 1632 powershell.exe
- 800 powershell.exe
Suspicious use of AdjustPrivilegeToken (7 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1100, SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- Token: SeDebugPrivilege, 1632, powershell.exe
- Token: SeDebugPrivilege, 1064, powershell.exe
- Token: SeDebugPrivilege, 268, powershell.exe
- Token: SeDebugPrivilege, 800, powershell.exe
- Token: SeDebugPrivilege, 1976, SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
- Token: SeDebugPrivilege, 1316, SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- pid 1976 SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
Suspicious use of WriteProcessMemory (57 IoCs)
Processes (source process SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe, PID 1100, in every case; repeated entries grouped with their count):
- PID 1100 wrote to memory of 1632 (target process: powershell.exe), 4 times
- PID 1100 wrote to memory of 800 (target process: powershell.exe), 4 times
- PID 1100 wrote to memory of 1064 (target process: powershell.exe), 4 times
- PID 1100 wrote to memory of 268 (target process: powershell.exe), 4 times
- PID 1100 wrote to memory of 1180 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe), 9 times
- PID 1100 wrote to memory of 1316 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe), 9 times
- PID 1100 wrote to memory of 1628 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe), 9 times
- PID 1100 wrote to memory of 1976 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe), 9 times
- PID 1100 wrote to memory of 1008 (target process: SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe), 5 times
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Maps connected drives based on registry
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe" -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"

  Level 2: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"

  Level 2: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  Level 2: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.12782.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)

Persistence:
- Winlogon Helper DLL: 1
- Modify Existing Service: 1
- Registry Run Keys / Startup Folder: 1

Defense Evasion:
- Modify Registry: 5
- Disabling Security Tools: 3
- Virtualization/Sandbox Evasion: 2
Downloads

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  - MD5: 911154a99ced7fe3d85b84fc4fbbce9c
  - SHA1: 3eabca2918ba95849db5e72c40aea653f165b0ac
  - SHA256: 432ea7ea8506594416ef53e6eff4c5b1cd49d126cf02cfa86fe47a43a94d5eb8
  - SHA512: b83983381ac909ffcadf0127b9ddb0f4411af27015fbcf75ec3e697cb218a47905fbee29fd86851910d6fa453a527b4e93faa8aac51b4a96a0ebf840ca6bed3e