Overview

overview

7

Static

static

SecuriteIn...69.exe

windows7-x64

3

SecuriteIn...69.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/10/2022, 03:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe

  • Size

    1.1MB

  • MD5

    802ef372b8d95eba887816b1efd8eeaa

  • SHA1

    469ad95f34b5299dc6e768fdf50b6df4a202a2da

  • SHA256

    231ba68aed77233685a7431ba8b1df348d0dc71860f41c7d43a5f6f486a1c66d

  • SHA512

    b10b292bb4405eb615e0f7b5f2dc96db05d32cedbdd2332d973273ad93a3321befd0fcc45f7ecefa367589331fbd695f8fa8bf45b07c250099fe5dd63a8cae55

  • SSDEEP

    12288:SsJ2u3ZXBI3nz5rp4dsAkopiP+To0BsJgnS4h57wlURHP1dBLllRsO4:usBQ+iopimDBsJgjxscv1dBL6O4

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1948
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1772
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DUcDhX.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1676
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DUcDhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA5C2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1668
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe"
      2⤵
        PID:280
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.GenKryptik.GAVU.tr.14921.5169.exe"
        2⤵
          PID:1784

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpA5C2.tmp
        Filesize

        1KB

        MD5

        f5564d5c11f80183d72d993e3585b69a

        SHA1

        5788d2b9c91a5185b83498db0c9d93acd03407ad

        SHA256

        9897fe95f5b0651f3a5efbd12aa25043d8d87815c33b7419a02823d2d6c70afd

        SHA512

        8afe6a5e079ce833a95c6b55bd43c96922ed96645d4e0f49b6fe0a857f154d320754ba65018ca2fe84f8cbfc73eb39e097d4f9a5c207df983d19a9be9dcd03d5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        f0b862fd347b670ca7578a12bf5c7806

        SHA1

        aa19e2a18833914ebd41757db2bd8326d71fe90d

        SHA256

        f9430a1a3cfff0e94430aab91368bd980262f003af18a3edf0560a83cdb8b6a4

        SHA512

        4869d6d940ee9c2a8521e9cfb62f81eafe83a4ed46a03324947160215b6955497a0d39bad06f005569a4faac8af17adf4671b91548c2e753b5d37ade7bb00a48

        Download Submit

      • memory/1676-72-0x000000006E190000-0x000000006E73B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1676-71-0x000000006E190000-0x000000006E73B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1772-73-0x000000006E190000-0x000000006E73B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1772-70-0x000000006E190000-0x000000006E73B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1784-68-0x0000000000400000-0x0000000000465000-memory.dmp

        Filesize

        404KB

        Download

      • memory/1784-67-0x0000000000400000-0x0000000000465000-memory.dmp

        Filesize

        404KB

        Download

      • memory/1948-66-0x00000000059B0000-0x0000000005A1C000-memory.dmp

        Filesize

        432KB

        Download

      • memory/1948-54-0x0000000000BA0000-0x0000000000CB4000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1948-58-0x0000000009C90000-0x0000000009D50000-memory.dmp

        Filesize

        768KB

        Download

      • memory/1948-57-0x0000000000570000-0x000000000057C000-memory.dmp

        Filesize

        48KB

        Download

      • memory/1948-56-0x0000000000280000-0x0000000000298000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1948-55-0x0000000076031000-0x0000000076033000-memory.dmp

        Filesize

        8KB

        Download