Analysis
- max time kernel: 151s
- max time network: 168s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 23:31
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- Resource: win10v2004-20220812-en
General
- Target: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- Size: 528KB
- MD5: 5a88d8e2be02b85a62a4ac969406b643
- SHA1: 8cf4575add13e7e7fe5d70fb014f0857890a2414
- SHA256: 36ab6110a522e29709f6f3d85c800a8965dd8d222e361a5c7f31d5b85e671d6a
- SHA512: 0efe0bda29031c07d574182bde11da3cf333b47066b0161c243281b44f748906036af295d892bb817d5d5ce197d22f7d4658688f27df7e2fcdbde2ad9b76797b
- SSDEEP: 12288:Ho5mh631p5TsYkg0dWQ02SZ2s6DgGC4i8Rx5I8u4y55t:I5J1p5QaUtszqRpIt5t
Malware Config
Signatures

Drops file in Drivers directory (1 IoCs)
Processes: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- description: File opened for modification
  ioc: C:\WINDOWS\system32\drivers\etc\hosts
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe

Processes (yara rule matches):
- resource: behavioral2/memory/4708-132-0x0000000000400000-0x0000000000585000-memory.dmp
  yara_rule: vmprotect
- resource: behavioral2/memory/4708-133-0x0000000000400000-0x0000000000585000-memory.dmp
  yara_rule: vmprotect
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
Processes: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe
Modifies Internet Explorer start page (1 TTPs, 1 IoCs)
Processes: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.wz123.com/?nuli"
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- pid: 4708
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe
  (the same pid/process entry is repeated for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- description: Token: SeDebugPrivilege
  pid: 4708
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
Processes: SecuriteInfo.com.FileRepMalware.9786.25455.exe
- pid: 4708
  process: SecuriteInfo.com.FileRepMalware.9786.25455.exe
  (the same pid/process entry is repeated for all 4 IoCs)
Processes
- Path: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.9786.25455.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.9786.25455.exe"
  Depth: 1
  PID: 4708
  Signatures triggered:
  - Drops file in Drivers directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx