Overview

overview

10

Static

static

SecuriteIn...39.exe

windows7-x64

10

SecuriteIn...39.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    87s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2022 17:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.6439.exe

  • Size

    953KB

  • MD5

    705e29680f4f0f0310b4680e05f053d0

  • SHA1

    15ab85f450c8fd3e7d25a7889dc658fdfcee9ede

  • SHA256

    444eb9da59786055bffa5f9d294fc26edc82a7b31975383efb7f2b9764402cf5

  • SHA512

    1290bd274a3b4d426edd46d5597f05d8e056cbae92c5eda29616264cdf28fc6387f282e4188dff740e1aeed86974ffdb22ca70dab0e9e2c7a49ff218d932779e

  • SSDEEP

    12288:KFnvWXswpJFQLW3pTLPRVS6IsoDJdrDpvdoxZYg1+kWA/hP1SBh71B:+Wx73ZdmnbAagsA/h9s

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Uses the VBS compiler for execution 1 TTPs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6439.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.6439.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4600
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LoLOUy.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LoLOUy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBCF7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4584
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:4528
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
          PID:2008
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
          2⤵
            PID:376
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
            2⤵
              PID:3964
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
              2⤵
                PID:4288

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scripting

            1
            T1064

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Scripting

            1
            T1064

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpBCF7.tmp
              Filesize

              1KB

              MD5

              b49c0a4f774fa212a5d3efc68d5bf7cb

              SHA1

              c3b6e484cbfcce05afc60091c67570cf65143cef

              SHA256

              e3683cf08e5e2a7c18e52a23f5fb290afd2e467fb881000f18f7550b58430e2a

              SHA512

              3ab89569e2cb82c65640b9707bad134e129c329788c53e08b547ba1eba326994a1b3a8fb8b88bfaa1104a08a17382a1a743695670d19a5f671fcf4d518693a0a

              Download Submit
            • memory/376-146-0x0000000000000000-mapping.dmp
              Download
            • memory/2008-144-0x0000000000000000-mapping.dmp
              Download
            • memory/2700-156-0x0000000006F30000-0x0000000006F3A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/2700-159-0x0000000007200000-0x000000000721A000-memory.dmp
              Filesize

              104KB

              Download
            • memory/2700-152-0x0000000070D80000-0x0000000070DCC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/2700-138-0x0000000000000000-mapping.dmp
              Download
            • memory/2700-155-0x0000000006EC0000-0x0000000006EDA000-memory.dmp
              Filesize

              104KB

              Download
            • memory/2700-140-0x0000000004590000-0x00000000045C6000-memory.dmp
              Filesize

              216KB

              Download
            • memory/2700-158-0x00000000070F0000-0x00000000070FE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/2700-154-0x0000000007520000-0x0000000007B9A000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/2700-143-0x0000000004C60000-0x0000000005288000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/2700-157-0x0000000007140000-0x00000000071D6000-memory.dmp
              Filesize

              600KB

              Download
            • memory/2700-151-0x0000000006BB0000-0x0000000006BE2000-memory.dmp
              Filesize

              200KB

              Download
            • memory/2700-153-0x0000000006150000-0x000000000616E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/2700-160-0x00000000071E0000-0x00000000071E8000-memory.dmp
              Filesize

              32KB

              Download
            • memory/2700-148-0x0000000004A60000-0x0000000004A82000-memory.dmp
              Filesize

              136KB

              Download
            • memory/2700-149-0x0000000005440000-0x00000000054A6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/2700-150-0x0000000005BB0000-0x0000000005BCE000-memory.dmp
              Filesize

              120KB

              Download
            • memory/3964-145-0x0000000000000000-mapping.dmp
              Download
            • memory/4288-147-0x0000000000000000-mapping.dmp
              Download
            • memory/4528-142-0x0000000000000000-mapping.dmp
              Download
            • memory/4584-139-0x0000000000000000-mapping.dmp
              Download
            • memory/4600-132-0x00000000008E0000-0x00000000009D4000-memory.dmp
              Filesize

              976KB

              Download
            • memory/4600-137-0x00000000092A0000-0x0000000009306000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4600-136-0x0000000008F90000-0x000000000902C000-memory.dmp
              Filesize

              624KB

              Download
            • memory/4600-135-0x0000000005420000-0x000000000542A000-memory.dmp
              Filesize

              40KB

              Download
            • memory/4600-134-0x0000000005370000-0x0000000005402000-memory.dmp
              Filesize

              584KB

              Download
            • memory/4600-133-0x0000000005840000-0x0000000005DE4000-memory.dmp
              Filesize

              5.6MB

              Download