Overview

overview

10

Static

static

SecuriteIn...66.exe

windows7_x64

10

SecuriteIn...66.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    52s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.W32.AIDetectNet.01.4166.exe

  • Size

    52KB

  • MD5

    1f90ecea05ef9adfaa814d95a750f4ef

  • SHA1

    71bfea6663dbfc06e228113e44723e91bf46f619

  • SHA256

    4f3642f36e5ba22aec031ad20349200b39114fdb470b78247f1c1a5626146a87

  • SHA512

    644696c4973d8ca08c8d054238688aa2a76ea97abe434608e77d82def125d714f21d59b8d35faceb80fdca52b6a0a580f7c1303c2c67fa65088df70c4d5d05cb

Score
10/10
asyncratpersistenceratsuricata

Malware Config

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4166.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.4166.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1492
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    fa7a4fc5ee07259c7f464e3bdefeeaf8

    SHA1

    d2c8d37aea971079390af3113ae8e213251390fe

    SHA256

    bda987abe2c4dd0738080008d4d1ba6daf4c3768180673d7f97a1ff18f41b7ea

    SHA512

    057cd2b2bb93c116f8eed43c465fac15436fde67193dcf571001e104dacc119a4e27c5154868942a2ee6047ad8a46f49620e31ccd8aa6fc0a2840de0887f8ebe

    Download Submit
  • memory/828-72-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/828-70-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/828-77-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/828-74-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/828-73-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/828-69-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/828-75-0x0000000000429CFE-mapping.dmp
    Download
  • memory/828-79-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1492-67-0x0000000070410000-0x00000000709BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1492-68-0x0000000070410000-0x00000000709BB000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1492-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1564-56-0x0000000005030000-0x00000000050AA000-memory.dmp
    Filesize

    488KB

    Download
  • memory/1564-54-0x0000000000F30000-0x0000000000F42000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1564-58-0x0000000000E50000-0x0000000000E9C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1564-55-0x0000000075CD1000-0x0000000075CD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1564-57-0x0000000000750000-0x0000000000790000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2016-62-0x00000000703F0000-0x000000007099B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2016-63-0x00000000703F0000-0x000000007099B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2016-61-0x00000000703F0000-0x000000007099B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2016-59-0x0000000000000000-mapping.dmp
    Download