Analysis
- max time kernel: 147s
- max time network: 123s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 01-12-2021 19:11
Static task
- static1
Behavioral task
- behavioral1
  Sample: SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
  Resource: win7-en-20211014
Behavioral task
- behavioral2
  Sample: SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
  Resource: win10-en-20211014
General
- Target: SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Size: 487KB
- MD5: 604c93c0c41e8eb994e7315b3885ec38
- SHA1: 9af5baeab9f2461335ad3e2439bc3e5cb850932e
- SHA256: af29096b6cbbd74cca47337f62cc2a5553eb3cf225de3dcc993a14e452c3e9bd
- SHA512: 59307cc35eb0606d33bd0cde817e82c1e941d9d2e903888634a77357570b67b6b4b138dc19b502b9dcf8209b46bfae757a0a6200bd56280990c76f17936948b9
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                             | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
    description       | ioc                                                        | process
    Key opened        | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  Processes:
    pid  | pid_target | process      | target process
    1564 | 1548       | WerFault.exe | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid  | process
    1564 | WerFault.exe
    1564 | WerFault.exe
    1564 | WerFault.exe
    1564 | WerFault.exe
    1564 | WerFault.exe
    1816 | powershell.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes:
    pid  | process
    1564 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              | pid  | process
    Token: SeDebugPrivilege  | 1564 | WerFault.exe
    Token: SeDebugPrivilege  | 1816 | powershell.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        | pid  | process                                        | target process
    PID 1548 wrote to memory of 1816   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | powershell.exe
    PID 1548 wrote to memory of 1816   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | powershell.exe
    PID 1548 wrote to memory of 1816   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | powershell.exe
    PID 1548 wrote to memory of 1816   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | powershell.exe
    PID 1548 wrote to memory of 1564   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | WerFault.exe
    PID 1548 wrote to memory of 1564   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | WerFault.exe
    PID 1548 wrote to memory of 1564   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | WerFault.exe
    PID 1548 wrote to memory of 1564   | 1548 | SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Packed.19.19491.9488.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 1020
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1548-55-0x00000000000D0000-0x00000000000D1000-memory.dmp (Filesize: 4KB)
- memory/1548-57-0x0000000076531000-0x0000000076533000-memory.dmp (Filesize: 8KB)
- memory/1548-58-0x0000000004AD0000-0x0000000004AD1000-memory.dmp (Filesize: 4KB)
- memory/1548-59-0x0000000000390000-0x0000000000396000-memory.dmp (Filesize: 24KB)
- memory/1548-60-0x0000000004F10000-0x0000000004F79000-memory.dmp (Filesize: 420KB)
- memory/1564-63-0x0000000000000000-mapping.dmp
- memory/1564-66-0x0000000000250000-0x0000000000251000-memory.dmp (Filesize: 4KB)
- memory/1816-61-0x0000000000000000-mapping.dmp
- memory/1816-64-0x0000000002570000-0x00000000031BA000-memory.dmp (Filesize: 12.3MB)
- memory/1816-65-0x0000000002570000-0x00000000031BA000-memory.dmp (Filesize: 12.3MB)
- memory/1816-67-0x0000000002570000-0x00000000031BA000-memory.dmp (Filesize: 12.3MB)