Analysis
- max time kernel: 94s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-12-2022 08:29
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
- Resource: win7-20220812-en
General
- Target: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
- Size: 1.0MB
- MD5: d8896273f6e3976c0051d2985fca39d3
- SHA1: ffa987faeda3e9d6a912b63dbd8fb7adf105fa8f
- SHA256: 773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94
- SHA512: 8f90bf50ec129b11e06dc7f48f13399a4b59d67f2daf6043a5fcd5d6b9f6dd584a9bc86a7586056720c79ed834b5b2f31ae2c52018c2d4678f02de5a4fc00d38
- SSDEEP: 24576:TrqkTiwAAgEEY4BjH04VwMQJXP7XLBRFPG1e/1:HTQpfVwMMP7XL7Fu1eN
Malware Config
Extracted
- Family: formbook
- Campaign ID: fh8p
- Domain: s6d5c3erb7hzgn8.buzz
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description: PID 4452 set thread context of 1192 | pid: 4452 | process: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe | target process: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  Processes:
  pid: 4452 | process: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe (7 occurrences)
  pid: 1192 | process: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description: Token: SeDebugPrivilege | pid: 4452 | process: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description: PID 4452 wrote to memory of 1192 | pid: 4452 | process: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe | target process: SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe (6 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe"
  PID: 4452
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe"
    PID: 1192
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- memory/1192-137-0x0000000000000000-mapping.dmp
- memory/1192-138-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1192-140-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1192-141-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
- memory/1192-142-0x0000000001850000-0x0000000001B9A000-memory.dmp (Filesize: 3.3MB)
- memory/4452-132-0x00000000001F0000-0x0000000000304000-memory.dmp (Filesize: 1.1MB)
- memory/4452-133-0x0000000005380000-0x0000000005924000-memory.dmp (Filesize: 5.6MB)
- memory/4452-134-0x0000000004CC0000-0x0000000004D52000-memory.dmp (Filesize: 584KB)
- memory/4452-135-0x0000000004CB0000-0x0000000004CBA000-memory.dmp (Filesize: 40KB)
- memory/4452-136-0x0000000008A70000-0x0000000008B0C000-memory.dmp (Filesize: 624KB)