Analysis
- max time kernel: 148s
- max time network: 44s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 05-07-2022 05:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Variant.Strictor.273673.27165.exe
- Resource: win7-20220414-en
General
- Target: SecuriteInfo.com.Variant.Strictor.273673.27165.exe
- Size: 1.0MB
- MD5: 83fc6e09fa1e7f949345467c3c28fb0f
- SHA1: 78e5bdb5de645f7425462e017a665eca1154b06f
- SHA256: acd7c7d3c967c0087a8b1ccf585c9c08f5d8399bda6c14f3c43c2acfb0121992
- SHA512: 70b57e2dca4184c793d492c9507758f4c24b4d90a7486406a9d35bc9b6c32522bb1cf81747bc1e882f00e9cfc6a66742cf7a23650f3573ba550583239e098d6f
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (36 IoCs)
  Processes:
    pid   process
    784   SecuriteInfo.com.Variant.Strictor.273673.27165.exe (35 of the 36 events)
    1892  powershell.exe (1 event)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  784   SecuriteInfo.com.Variant.Strictor.273673.27165.exe
    Token: SeDebugPrivilege  1892  powershell.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                      pid  process                                             target process
    PID 784 wrote to memory of 1892  784  SecuriteInfo.com.Variant.Strictor.273673.27165.exe  powershell.exe (4 events)
    PID 784 wrote to memory of 1952  784  SecuriteInfo.com.Variant.Strictor.273673.27165.exe  schtasks.exe (4 events)
    PID 784 wrote to memory of 1360  784  SecuriteInfo.com.Variant.Strictor.273673.27165.exe  SecuriteInfo.com.Variant.Strictor.273673.27165.exe (6 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\XKfmPt.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XKfmPt" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF7F6.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Strictor.273673.27165.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpF7F6.tmp
  Filesize: 1KB
  MD5: d1bc4c20550f9de1be11368b6912fb58
  SHA1: 742ef53bfa7fc4f8e285c294a5268a8501d0d65e
  SHA256: 9204f205090df1f18f37701250e6381613e39c553717ef1afb566b606b2e0ab4
  SHA512: d9ebb05b6d1c488dc83297fc24fd0431fd4797e0e261e7bde93e372eac0f23bb96937363eb1d2e00301c335ec4cec4b1e03e33dfc39f3f50020702472d01bb04
- memory/784-55-0x0000000076391000-0x0000000076393000-memory.dmp (Filesize: 8KB)
- memory/784-56-0x0000000000370000-0x0000000000390000-memory.dmp (Filesize: 128KB)
- memory/784-57-0x0000000000430000-0x000000000043E000-memory.dmp (Filesize: 56KB)
- memory/784-58-0x0000000004DF0000-0x0000000004E54000-memory.dmp (Filesize: 400KB)
- memory/784-54-0x0000000000990000-0x0000000000A98000-memory.dmp (Filesize: 1.0MB)
- memory/784-63-0x0000000004D20000-0x0000000004D40000-memory.dmp (Filesize: 128KB)
- memory/1360-64-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1360-65-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1360-67-0x0000000000400000-0x00000000004A2000-memory.dmp (Filesize: 648KB)
- memory/1892-59-0x0000000000000000-mapping.dmp
- memory/1892-69-0x000000006EC60000-0x000000006F20B000-memory.dmp (Filesize: 5.7MB)
- memory/1892-70-0x000000006EC60000-0x000000006F20B000-memory.dmp (Filesize: 5.7MB)
- memory/1952-60-0x0000000000000000-mapping.dmp