Overview

overview

10

Static

static

SecuriteIn...59.exe

windows7_x64

10

SecuriteIn...59.exe

windows10_x64

10

Analysis

  • max time kernel
    38s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-01-2021 11:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe

  • Size

    2.0MB

  • MD5

    3c68883aec0f8998e92336eb1e4a5dfc

  • SHA1

    55f2c9c5622104af60bbdfdb50614d3add1cf83d

  • SHA256

    83ed44db03acc4abfb655a211c01e03c56bab2a016e603de64aeeb0bca8a77ca

  • SHA512

    530e1c300677f8a8dade7dbc1b15abef0974a935255c5739f720f000c2b1931cf0f7eaf7837d4630a920d2e674023abc699f8ccf325c0de4e7ce1846bfe78806

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Windows security modification 2 TTPs 8 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
      2⤵
      • Windows security modification
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
        3⤵
          PID:1500
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
          3⤵
            PID:1244
          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
            3⤵
              PID:788
            • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
              "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
              3⤵
                PID:1608
              • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
                "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
                3⤵
                  PID:1580

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Persistence

            Modify Existing Service

            1
            T1031

            Privilege Escalation

            Defense Evasion

            Modify Registry

            3
            T1112

            Disabling Security Tools

            3
            T1089

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Web Service

            1
            T1102

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1104-8-0x00000000747F0000-0x0000000074EDE000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/1104-17-0x0000000004E70000-0x0000000004E71000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1104-9-0x0000000010000000-0x000000001004E000-memory.dmp
              Filesize

              312KB

              Download
            • memory/1104-6-0x0000000010000000-0x000000001004E000-memory.dmp
              Filesize

              312KB

              Download
            • memory/1104-7-0x0000000010049EFE-mapping.dmp
              Download
            • memory/2012-16-0x0000000004920000-0x0000000004921000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-20-0x0000000002500000-0x0000000002501000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-54-0x0000000006310000-0x0000000006311000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-12-0x0000000000000000-mapping.dmp
              Download
            • memory/2012-13-0x0000000075C31000-0x0000000075C33000-memory.dmp
              Filesize

              8KB

              Download
            • memory/2012-14-0x00000000747F0000-0x0000000074EDE000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/2012-15-0x0000000002350000-0x0000000002351000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-53-0x0000000006300000-0x0000000006301000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-39-0x0000000005610000-0x0000000005611000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-18-0x00000000027C0000-0x00000000027C1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-19-0x00000000027C2000-0x00000000027C3000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-38-0x000000007EF30000-0x000000007EF31000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-21-0x0000000002850000-0x0000000002851000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-24-0x0000000005650000-0x0000000005651000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-29-0x00000000056B0000-0x00000000056B1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-30-0x00000000060A0000-0x00000000060A1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2012-37-0x0000000006240000-0x0000000006241000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2028-5-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2028-3-0x0000000000270000-0x0000000000271000-memory.dmp
              Filesize

              4KB

              Download
            • memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp
              Filesize

              6.9MB

              Download
            • memory/2028-11-0x0000000000480000-0x0000000000481000-memory.dmp
              Filesize

              4KB

              Download