Analysis
-
max time kernel
143s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
submitted
09-09-2022 15:59
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.Malware-gen.30674.exe
Resource
win7-20220812-en
windows7-x64
6 signatures
150 seconds
General
-
Target
SecuriteInfo.com.Win32.Malware-gen.30674.exe
-
Size
3.7MB
-
MD5
e33d877aeec8818d72035377f935768d
-
SHA1
4ac4a0a50c9ef6da3054bd5323661f02d586c61c
-
SHA256
fbf66aa4641ee40b89b7adeb3479c0e3366991ebbd22c513e25223ac62116141
-
SHA512
7f955bd759fda37f1331c3825713a0d792e989914c432895c2429de636b413b5b890a6d069a349fb200501a02ce0a749c362a30217e896b765f5c7273d783671
-
SSDEEP
98304:w9s1MuuckDr8MzdvX/Rn69WFTrKgVo5cPUjPPKw:wBuiDr8MRXBjF3NWcPUZ
Malware Config
Extracted
Family
ffdroider
C2
http://103.136.42.153
Signatures
-
FFDroider payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/4392-138-0x0000000000400000-0x00000000009B2000-memory.dmp family_ffdroider behavioral2/memory/4392-139-0x0000000000400000-0x00000000009B2000-memory.dmp family_ffdroider behavioral2/memory/4392-176-0x0000000000400000-0x00000000009B2000-memory.dmp family_ffdroider -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
SecuriteInfo.com.Win32.Malware-gen.30674.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyStart = "C:\\Users\\Admin\\AppData\\Local\\Temp\\securiteinfo.com.win32.malware-gen.30674.exe" SecuriteInfo.com.Win32.Malware-gen.30674.exe -
Processes:
SecuriteInfo.com.Win32.Malware-gen.30674.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SecuriteInfo.com.Win32.Malware-gen.30674.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
SecuriteInfo.com.Win32.Malware-gen.30674.exepid process 4392 SecuriteInfo.com.Win32.Malware-gen.30674.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SecuriteInfo.com.Win32.Malware-gen.30674.exedescription pid process Token: SeManageVolumePrivilege 4392 SecuriteInfo.com.Win32.Malware-gen.30674.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.30674.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.30674.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:4392