Analysis
-
max time kernel
133s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
14-04-2022 12:44
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe
Resource
win7-20220311-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe
Resource
win10v2004-20220310-en
General
-
Target
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe
-
Size
667KB
-
MD5
1ba1f5a8783628e45caad235c8f640cf
-
SHA1
b41e98059945ddb010d3b50e5d0c83ecdde79716
-
SHA256
3ec377ffc5814c66d3417104617bc3a048448ef400c360480efc036c425afb95
-
SHA512
75c8de68fad66ec3bc8bc8c4887ee561c4e8e8af3e41021213bad8ea06947f379adca14bd3c2fb3ca17f4ac4a17f6bcf5a4cc630fe9979b40b2f0a60efc2b4a9
Malware Config
Signatures
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6 = "C:\\Users\\Admin\\AppData\\Roaming\\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6.exe" iexplore.exe -
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "0" SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe -
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
iexplore.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts iexplore.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6 = "C:\\Users\\Admin\\AppData\\Roaming\\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6.exe" iexplore.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6 = "C:\\Users\\Admin\\AppData\\Roaming\\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6.exe" iexplore.exe -
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4600 5012 WerFault.exe iexplore.exe -
Suspicious use of SetThreadContext 8 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exeSecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exeiexplore.exedescription pid process target process PID 4964 set thread context of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 3700 set thread context of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 1192 set thread context of 4476 1192 iexplore.exe iexplore.exe PID 1192 set thread context of 2260 1192 iexplore.exe iexplore.exe PID 1192 set thread context of 3824 1192 iexplore.exe iexplore.exe PID 1192 set thread context of 5012 1192 iexplore.exe iexplore.exe PID 1192 set thread context of 2440 1192 iexplore.exe iexplore.exe PID 1192 set thread context of 4120 1192 iexplore.exe iexplore.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exeiexplore.exeiexplore.exepid process 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe 4476 iexplore.exe 4476 iexplore.exe 3824 iexplore.exe 3824 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
iexplore.exeiexplore.exedescription pid process Token: SeDebugPrivilege 1192 iexplore.exe Token: SeDebugPrivilege 4476 iexplore.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exeiexplore.exepid process 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe 1192 iexplore.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exeSecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exeiexplore.exedescription pid process target process PID 4964 wrote to memory of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 4964 wrote to memory of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 4964 wrote to memory of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 4964 wrote to memory of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 4964 wrote to memory of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 4964 wrote to memory of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 4964 wrote to memory of 3700 4964 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 3700 wrote to memory of 1192 3700 SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4476 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2260 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 3824 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 5012 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 2440 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4120 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4120 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4120 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4120 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4120 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4120 1192 iexplore.exe iexplore.exe PID 1192 wrote to memory of 4120 1192 iexplore.exe iexplore.exe -
System policy modification 1 TTPs 1 IoCs
Processes:
SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe"2⤵
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Program Files (x86)\Internet Explorer\iexplore.exeC:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.23558.exe3⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf0.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf1.txt"4⤵
- Accesses Microsoft Outlook accounts
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf2.txt"4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf3.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 845⤵
- Program crash
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf3.txt"4⤵
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe/stext "C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf4.txt"4⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 5012 -ip 50121⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf2.txtFilesize
3KB
MD5f94dc819ca773f1e3cb27abbc9e7fa27
SHA19a7700efadc5ea09ab288544ef1e3cd876255086
SHA256a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA51272a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196
-
C:\Users\Admin\AppData\Roaming\Q4V8N5Y3-O0F7-P7T5-U113-K7R6L4T0H6H6\vzasvyfwf4.txtFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
memory/3700-140-0x0000000000000000-mapping.dmp
-
memory/3700-141-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/3700-143-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/3700-146-0x0000000000400000-0x000000000042C000-memory.dmpFilesize
176KB
-
memory/4964-134-0x0000000000230000-0x00000000002DE000-memory.dmpFilesize
696KB
-
memory/4964-135-0x0000000005310000-0x00000000058B4000-memory.dmpFilesize
5.6MB
-
memory/4964-136-0x0000000004C60000-0x0000000004CF2000-memory.dmpFilesize
584KB
-
memory/4964-137-0x0000000004D10000-0x0000000004D1A000-memory.dmpFilesize
40KB
-
memory/4964-138-0x0000000007450000-0x00000000074EC000-memory.dmpFilesize
624KB
-
memory/4964-139-0x00000000077F0000-0x0000000007856000-memory.dmpFilesize
408KB