Overview

overview

10

Static

static

7

SecuriteIn...37.exe

windows7_x64

10

SecuriteIn...37.exe

windows10_x64

9

Analysis

  • max time kernel
    119s
  • max time network
    123s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    26-09-2021 19:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe

  • Size

    2.4MB

  • MD5

    5dc19fa9db54a8b2fbac18a1412165eb

  • SHA1

    d2300eacdcc517cfa065238d13355011cbf3b382

  • SHA256

    31ef0139218354a140f9feba6fc3ef036ce910a84babf8f27cccfa944dee1ccb

  • SHA512

    c71948e4e69a31ad324d0817305b8926e9f1d7d0610dae56f4894a5ac0a7307278e9ef749380793411d802174424ccb731044d6e64bc4fc9f05f5adc100b5f92

Score
9/10
discoveryevasionspywarestealerthemidatrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Razy.934040.7155.9937.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3592
    • C:\Users\Admin\AppData\Local\Temp\fl.exe
      "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fl.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4416
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DKgGiZFskWj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4883.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:4380
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:2204

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\fl.exe
      MD5

      b1f7f880924a93222a01cf3bc0a9ed83

      SHA1

      3b533f4fdd70bb7975bf3aa725e45fd3616b78e5

      SHA256

      b7e985ca880e7fee460e2d4d403606aa1cbfd093d8aef52c1ea120f2ae3f8eef

      SHA512

      910d170dc44674bc0df26c3071d8e79345cae9275d994530a2af6200bbb09598bef6fa1a54978dc2f6f984075f74229aa9ca96882a0ad633bf158ef18aacca0d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\fl.exe
      MD5

      b1f7f880924a93222a01cf3bc0a9ed83

      SHA1

      3b533f4fdd70bb7975bf3aa725e45fd3616b78e5

      SHA256

      b7e985ca880e7fee460e2d4d403606aa1cbfd093d8aef52c1ea120f2ae3f8eef

      SHA512

      910d170dc44674bc0df26c3071d8e79345cae9275d994530a2af6200bbb09598bef6fa1a54978dc2f6f984075f74229aa9ca96882a0ad633bf158ef18aacca0d

      Download Submit

    • memory/2204-165-0x00000000056C0000-0x00000000056C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2204-152-0x000000000040416E-mapping.dmp

      Download

    • memory/2204-150-0x0000000000400000-0x000000000040A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3592-129-0x0000000007640000-0x0000000007641000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-117-0x0000000000C10000-0x0000000000C11000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-124-0x0000000005B70000-0x0000000005B71000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-123-0x0000000005B60000-0x0000000005B61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-126-0x0000000007990000-0x0000000007991000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-127-0x0000000007210000-0x0000000007211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-128-0x00000000083C0000-0x00000000083C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-115-0x0000000077170000-0x00000000772FE000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/3592-130-0x0000000007760000-0x0000000007761000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-131-0x0000000007800000-0x0000000007801000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-132-0x0000000007940000-0x0000000007941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-119-0x0000000006180000-0x0000000006181000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-122-0x0000000005AE0000-0x0000000005AE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-121-0x0000000005C80000-0x0000000005C81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-120-0x0000000005A80000-0x0000000005A81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3592-125-0x0000000007290000-0x0000000007291000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4228-133-0x0000000000000000-mapping.dmp

      Download

    • memory/4228-142-0x0000000005150000-0x0000000005157000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4228-143-0x00000000051A0000-0x000000000569E000-memory.dmp

      Filesize

      5.0MB

      Download

    • memory/4228-144-0x0000000005E10000-0x0000000005E4A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4228-145-0x0000000005E50000-0x0000000005E5B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/4228-140-0x0000000005140000-0x0000000005141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4228-141-0x0000000005410000-0x0000000005411000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4228-136-0x00000000008A0000-0x00000000008A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4380-149-0x0000000000000000-mapping.dmp

      Download

    • memory/4416-259-0x0000000007303000-0x0000000007304000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-167-0x0000000008A40000-0x0000000008A41000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-390-0x0000000009BA0000-0x0000000009BA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-151-0x0000000004E60000-0x0000000004E61000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-166-0x00000000081B0000-0x00000000081B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-164-0x0000000007302000-0x0000000007303000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-146-0x0000000000000000-mapping.dmp

      Download

    • memory/4416-163-0x0000000007300000-0x0000000007301000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-162-0x00000000082D0000-0x00000000082D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-153-0x0000000007940000-0x0000000007941000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-176-0x0000000009920000-0x0000000009953000-memory.dmp

      Filesize

      204KB

      Download

    • memory/4416-183-0x00000000098E0000-0x00000000098E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-188-0x0000000009A50000-0x0000000009A51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-189-0x000000007F020000-0x000000007F021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-190-0x0000000009C20000-0x0000000009C21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-160-0x0000000007FE0000-0x0000000007FE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-384-0x0000000009BB0000-0x0000000009BB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4416-158-0x00000000078A0000-0x00000000078A1000-memory.dmp

      Filesize

      4KB

      Download