Analysis
-
max time kernel
38s -
max time network
45s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
26-01-2021 11:06
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
Resource
win7v20201028
0 signatures
0 seconds
General
-
Target
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
-
Size
2.0MB
-
MD5
3c68883aec0f8998e92336eb1e4a5dfc
-
SHA1
55f2c9c5622104af60bbdfdb50614d3add1cf83d
-
SHA256
83ed44db03acc4abfb655a211c01e03c56bab2a016e603de64aeeb0bca8a77ca
-
SHA512
530e1c300677f8a8dade7dbc1b15abef0974a935255c5739f720f000c2b1931cf0f7eaf7837d4630a920d2e674023abc699f8ccf325c0de4e7ce1846bfe78806
Malware Config
Signatures
-
Processes:
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe = "0" SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exedescription pid process target process PID 2028 set thread context of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
powershell.exeSecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exepid process 2012 powershell.exe 2012 powershell.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exepowershell.exedescription pid process Token: SeDebugPrivilege 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe Token: SeDebugPrivilege 2012 powershell.exe -
Suspicious use of WriteProcessMemory 33 IoCs
Processes:
SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exeSecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exedescription pid process target process PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 2028 wrote to memory of 1104 2028 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 2012 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe powershell.exe PID 1104 wrote to memory of 2012 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe powershell.exe PID 1104 wrote to memory of 2012 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe powershell.exe PID 1104 wrote to memory of 2012 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe powershell.exe PID 1104 wrote to memory of 1500 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1500 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1500 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1500 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1244 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1244 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1244 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1244 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 788 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 788 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 788 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 788 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1608 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1608 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1608 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1608 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1580 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1580 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1580 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe PID 1104 wrote to memory of 1580 1104 SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"2⤵
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe" -Force3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"3⤵
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1104-8-0x00000000747F0000-0x0000000074EDE000-memory.dmpFilesize
6.9MB
-
memory/1104-17-0x0000000004E70000-0x0000000004E71000-memory.dmpFilesize
4KB
-
memory/1104-9-0x0000000010000000-0x000000001004E000-memory.dmpFilesize
312KB
-
memory/1104-6-0x0000000010000000-0x000000001004E000-memory.dmpFilesize
312KB
-
memory/1104-7-0x0000000010049EFE-mapping.dmp
-
memory/2012-16-0x0000000004920000-0x0000000004921000-memory.dmpFilesize
4KB
-
memory/2012-20-0x0000000002500000-0x0000000002501000-memory.dmpFilesize
4KB
-
memory/2012-54-0x0000000006310000-0x0000000006311000-memory.dmpFilesize
4KB
-
memory/2012-12-0x0000000000000000-mapping.dmp
-
memory/2012-13-0x0000000075C31000-0x0000000075C33000-memory.dmpFilesize
8KB
-
memory/2012-14-0x00000000747F0000-0x0000000074EDE000-memory.dmpFilesize
6.9MB
-
memory/2012-15-0x0000000002350000-0x0000000002351000-memory.dmpFilesize
4KB
-
memory/2012-53-0x0000000006300000-0x0000000006301000-memory.dmpFilesize
4KB
-
memory/2012-39-0x0000000005610000-0x0000000005611000-memory.dmpFilesize
4KB
-
memory/2012-18-0x00000000027C0000-0x00000000027C1000-memory.dmpFilesize
4KB
-
memory/2012-19-0x00000000027C2000-0x00000000027C3000-memory.dmpFilesize
4KB
-
memory/2012-38-0x000000007EF30000-0x000000007EF31000-memory.dmpFilesize
4KB
-
memory/2012-21-0x0000000002850000-0x0000000002851000-memory.dmpFilesize
4KB
-
memory/2012-24-0x0000000005650000-0x0000000005651000-memory.dmpFilesize
4KB
-
memory/2012-29-0x00000000056B0000-0x00000000056B1000-memory.dmpFilesize
4KB
-
memory/2012-30-0x00000000060A0000-0x00000000060A1000-memory.dmpFilesize
4KB
-
memory/2012-37-0x0000000006240000-0x0000000006241000-memory.dmpFilesize
4KB
-
memory/2028-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmpFilesize
4KB
-
memory/2028-3-0x0000000000270000-0x0000000000271000-memory.dmpFilesize
4KB
-
memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmpFilesize
6.9MB
-
memory/2028-11-0x0000000000480000-0x0000000000481000-memory.dmpFilesize
4KB