b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a

Analysis

max time kernel
96s
max time network
98s
platform
windows10_x64
resource
win10v20210408
submitted
17-09-2021 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe
Size

188KB
MD5

e74b2720eaf32bfc409eb52a3d5e937f
SHA1

c931871ebdb109ee7b8ad58e33245530cb346293
SHA256

b26af435a04aa06ce23d5858501a076e73708911506380d4c6b6bfc79fcdf27a
SHA512

b99118dd30125b6f512fd6e4b89a1bdb999c0701edc1698296cf2233d0f911fe70f04e3bceefd2fda99ba6e8a4e9c22cf37ecc909a6dba7bf6ad081daa12f150

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

svchost64.exe

pid	Process
3568	svchost64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesvchost64.exe

pid	Process
1172	powershell.exe
1172	powershell.exe
1172	powershell.exe
3824	powershell.exe
3824	powershell.exe
3824	powershell.exe
3440	powershell.exe
3440	powershell.exe
3440	powershell.exe
2044	powershell.exe
2044	powershell.exe
2044	powershell.exe
3568	svchost64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeIncreaseQuotaPrivilege	1172	powershell.exe
Token: SeSecurityPrivilege	1172	powershell.exe
Token: SeTakeOwnershipPrivilege	1172	powershell.exe
Token: SeLoadDriverPrivilege	1172	powershell.exe
Token: SeSystemProfilePrivilege	1172	powershell.exe
Token: SeSystemtimePrivilege	1172	powershell.exe
Token: SeProfSingleProcessPrivilege	1172	powershell.exe
Token: SeIncBasePriorityPrivilege	1172	powershell.exe
Token: SeCreatePagefilePrivilege	1172	powershell.exe
Token: SeBackupPrivilege	1172	powershell.exe
Token: SeRestorePrivilege	1172	powershell.exe
Token: SeShutdownPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeSystemEnvironmentPrivilege	1172	powershell.exe
Token: SeRemoteShutdownPrivilege	1172	powershell.exe
Token: SeUndockPrivilege	1172	powershell.exe
Token: SeManageVolumePrivilege	1172	powershell.exe
Token: 33	1172	powershell.exe
Token: 34	1172	powershell.exe
Token: 35	1172	powershell.exe
Token: 36	1172	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeIncreaseQuotaPrivilege	3824	powershell.exe
Token: SeSecurityPrivilege	3824	powershell.exe
Token: SeTakeOwnershipPrivilege	3824	powershell.exe
Token: SeLoadDriverPrivilege	3824	powershell.exe
Token: SeSystemProfilePrivilege	3824	powershell.exe
Token: SeSystemtimePrivilege	3824	powershell.exe
Token: SeProfSingleProcessPrivilege	3824	powershell.exe
Token: SeIncBasePriorityPrivilege	3824	powershell.exe
Token: SeCreatePagefilePrivilege	3824	powershell.exe
Token: SeBackupPrivilege	3824	powershell.exe
Token: SeRestorePrivilege	3824	powershell.exe
Token: SeShutdownPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeSystemEnvironmentPrivilege	3824	powershell.exe
Token: SeRemoteShutdownPrivilege	3824	powershell.exe
Token: SeUndockPrivilege	3824	powershell.exe
Token: SeManageVolumePrivilege	3824	powershell.exe
Token: 33	3824	powershell.exe
Token: 34	3824	powershell.exe
Token: 35	3824	powershell.exe
Token: 36	3824	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeIncreaseQuotaPrivilege	3440	powershell.exe
Token: SeSecurityPrivilege	3440	powershell.exe
Token: SeTakeOwnershipPrivilege	3440	powershell.exe
Token: SeLoadDriverPrivilege	3440	powershell.exe
Token: SeSystemProfilePrivilege	3440	powershell.exe
Token: SeSystemtimePrivilege	3440	powershell.exe
Token: SeProfSingleProcessPrivilege	3440	powershell.exe
Token: SeIncBasePriorityPrivilege	3440	powershell.exe
Token: SeCreatePagefilePrivilege	3440	powershell.exe
Token: SeBackupPrivilege	3440	powershell.exe
Token: SeRestorePrivilege	3440	powershell.exe
Token: SeShutdownPrivilege	3440	powershell.exe
Token: SeDebugPrivilege	3440	powershell.exe
Token: SeSystemEnvironmentPrivilege	3440	powershell.exe
Token: SeRemoteShutdownPrivilege	3440	powershell.exe
Token: SeUndockPrivilege	3440	powershell.exe
Token: SeManageVolumePrivilege	3440	powershell.exe
Token: 33	3440	powershell.exe
Token: 34	3440	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.execmd.execmd.exesvchost64.execmd.execmd.exe

description	pid	Process	procid_target
PID 808 wrote to memory of 696	808	SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe	68
PID 808 wrote to memory of 696	808	SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe	68
PID 696 wrote to memory of 1172	696	cmd.exe	70
PID 696 wrote to memory of 1172	696	cmd.exe	70
PID 696 wrote to memory of 3824	696	cmd.exe	72
PID 696 wrote to memory of 3824	696	cmd.exe	72
PID 696 wrote to memory of 3440	696	cmd.exe	73
PID 696 wrote to memory of 3440	696	cmd.exe	73
PID 696 wrote to memory of 2044	696	cmd.exe	74
PID 696 wrote to memory of 2044	696	cmd.exe	74
PID 808 wrote to memory of 740	808	SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe	75
PID 808 wrote to memory of 740	808	SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe	75
PID 740 wrote to memory of 3568	740	cmd.exe	77
PID 740 wrote to memory of 3568	740	cmd.exe	77
PID 3568 wrote to memory of 4088	3568	svchost64.exe	78
PID 3568 wrote to memory of 4088	3568	svchost64.exe	78
PID 4088 wrote to memory of 3652	4088	cmd.exe	80
PID 4088 wrote to memory of 3652	4088	cmd.exe	80
PID 3568 wrote to memory of 1736	3568	svchost64.exe	81
PID 3568 wrote to memory of 1736	3568	svchost64.exe	81
PID 1736 wrote to memory of 3836	1736	cmd.exe	83
PID 1736 wrote to memory of 3836	1736	cmd.exe	83

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\svchost64.exe
    C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.46968833.5808.6408.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4088
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Local\Temp\services64.exe"'
        5⤵
        Creates scheduled task(s)
        
        PID:3652
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
b00b5425ff6f877e1dd72e93a09921c7

SHA1
85b904cc3691d6c685e872942378f90965950449

SHA256
b3f133d7bb0aa301ee754f0863f5abf64f3b775100f6c995cf6abae3b94f3585

SHA512
4f0ac1792711d711ed31929f0f0ceb17e31511334c76eee43e990076724110c7be9f655a96bb77ddfc0b3fe1949e3f43b9105c5d1adfefe66a01b511f255f27f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
0a8f4cc6f2a24affc03611e5a96b1f5a

SHA1
0dcc0c272aa59da77a206d7b4e1346ccdd6710e5

SHA256
5f575253f05386cce669b9d358394bd0c8c8c150f674810d678cae198a239daf

SHA512
892add514ced300c2c1bab2b0a1324971cc047407e3184f6a75b905f65f8f83bdffd4e2b9d963f3c6f8591fd65c7d185b00a0c6f33220b691fda7435ae11e629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
a577a3d61dd361802ed523ed3b0b2157

SHA1
ad995afbd004257df7ee9896df2235d4321d283c

SHA256
b9300da253087c027607638d72e0e3ed6090dfcd4721b485033f50a371d5e8b5

SHA512
131b07ec4db470e1edb6cb27dc396c0f5ebfeb44a07a1aff0c1db55cef374e3c3468f2fa55db5d931ab1079add843061b5d958434cdcd3d51b15bbae430427b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

MD5
dcb4b25c427f6f177b2548b4607a2bc0

SHA1
e9cff09a5b701d029e700b2a1d94827d2b193f68

SHA256
5a219a59dddfc7f04727b3ce435a70c7be99452e8ebc43fe51821b23db8c9e05

SHA512
f2c774786f99de0745c1c5896d57dcfd438f32aeeb2d6be42e7a713a0f1fac4ae1dc7c4847066738816e8e0dfdcd578bd57cf9305ea168fafc5d5fc2331477e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost64.exe

MD5
dcb4b25c427f6f177b2548b4607a2bc0

SHA1
e9cff09a5b701d029e700b2a1d94827d2b193f68

SHA256
5a219a59dddfc7f04727b3ce435a70c7be99452e8ebc43fe51821b23db8c9e05

SHA512
f2c774786f99de0745c1c5896d57dcfd438f32aeeb2d6be42e7a713a0f1fac4ae1dc7c4847066738816e8e0dfdcd578bd57cf9305ea168fafc5d5fc2331477e2

Download Submit
memory/696-116-0x0000000000000000-mapping.dmp

Download
memory/740-278-0x0000000000000000-mapping.dmp

Download
memory/808-125-0x000000001C380000-0x000000001C382000-memory.dmp

Filesize
8KB

Download
memory/808-114-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1172-128-0x000001BDCBE93000-0x000001BDCBE95000-memory.dmp

Filesize
8KB

Download
memory/1172-131-0x000001BDCBE96000-0x000001BDCBE98000-memory.dmp

Filesize
8KB

Download
memory/1172-169-0x000001BDCBE98000-0x000001BDCBE99000-memory.dmp

Filesize
4KB

Download
memory/1172-126-0x000001BDCBE90000-0x000001BDCBE92000-memory.dmp

Filesize
8KB

Download
memory/1172-127-0x000001BDCC0A0000-0x000001BDCC0A1000-memory.dmp

Filesize
4KB

Download
memory/1172-122-0x000001BDCBDC0000-0x000001BDCBDC1000-memory.dmp

Filesize
4KB

Download
memory/1172-117-0x0000000000000000-mapping.dmp

Download
memory/1736-288-0x0000000000000000-mapping.dmp

Download
memory/2044-244-0x000001AA6E200000-0x000001AA6E202000-memory.dmp

Filesize
8KB

Download
memory/2044-277-0x000001AA6E208000-0x000001AA6E209000-memory.dmp

Filesize
4KB

Download
memory/2044-273-0x000001AA6E206000-0x000001AA6E208000-memory.dmp

Filesize
8KB

Download
memory/2044-236-0x0000000000000000-mapping.dmp

Download
memory/2044-245-0x000001AA6E203000-0x000001AA6E205000-memory.dmp

Filesize
8KB

Download
memory/3440-209-0x000001D8F3AF3000-0x000001D8F3AF5000-memory.dmp

Filesize
8KB

Download
memory/3440-242-0x000001D8F3AF6000-0x000001D8F3AF8000-memory.dmp

Filesize
8KB

Download
memory/3440-208-0x000001D8F3AF0000-0x000001D8F3AF2000-memory.dmp

Filesize
8KB

Download
memory/3440-197-0x0000000000000000-mapping.dmp

Download
memory/3440-243-0x000001D8F3AF8000-0x000001D8F3AF9000-memory.dmp

Filesize
4KB

Download
memory/3568-282-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/3568-287-0x000000001C2F0000-0x000000001C2F2000-memory.dmp

Filesize
8KB

Download
memory/3568-279-0x0000000000000000-mapping.dmp

Download
memory/3568-284-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/3652-286-0x0000000000000000-mapping.dmp

Download
memory/3824-171-0x00000222F11A0000-0x00000222F11A2000-memory.dmp

Filesize
8KB

Download
memory/3824-170-0x00000222F11A6000-0x00000222F11A8000-memory.dmp

Filesize
8KB

Download
memory/3824-172-0x00000222F11A3000-0x00000222F11A5000-memory.dmp

Filesize
8KB

Download
memory/3824-207-0x00000222F11A8000-0x00000222F11A9000-memory.dmp

Filesize
4KB

Download
memory/3824-156-0x0000000000000000-mapping.dmp

Download
memory/3836-289-0x0000000000000000-mapping.dmp

Download
memory/4088-285-0x0000000000000000-mapping.dmp

Download