Analysis
max time kernel: 45s
max time network: 48s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 06-12-2022 04:28
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
Resource: win7-20220901-en
General
Target: SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
Size: 830KB
MD5: 117d8fe530f41f5eb068b27480377234
SHA1: c61eb8e55dbaa0aaacddec463b39d6ef00cc3566
SHA256: 0ce95ed2a26eb4e5f38cd27cbcac2065b3e6a71a26cdc24f56946dd0428f88be
SHA512: 41a273e191f66b22cc3b86115b867df8fdf2721c5d5ffa3c4ec73f1bf91c5eb575ffecbf0ddd6fa5de817b4d63eb7f788a49e284780e04f14b8788b02486625f
SSDEEP: 12288:Bc6sfZ344iymiLkOPQJzCcAipT+oXuKDz7AWPz5jjmahgKZ/nXt7virmWhlGLaQ1:S6sfe4iymiNPm2cepKDz7vPl
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches the text "likely ransomware behaviour" to this signature generically; nothing else in this run (no file encryption, no ransom note, no mass file writes) supports a ransomware classification, and drive enumeration is just as common in information stealers, which is what the PWS in the vendor detection name PWSX-gen conventionally denotes.
-
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML definition written to the user's Temp directory (tmpCA81.tmp, listed under Downloads), so the trigger and action are kept out of the schtasks command line and have to be read from that file.
-
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid   process
  1228  SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe (5 entries)
  472   powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  token             pid   process
  SeDebugPrivilege  1228  SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
  SeDebugPrivilege  472   powershell.exe
  Process enumeration and SeDebugPrivilege on pid 472 are commonly reported for ordinary powershell.exe launches as well, so for that process they carry little weight on their own; the entries for pid 1228 are the ones that matter.
- Suspicious use of WriteProcessMemory (28 IoCs)
  Writer in every entry: pid 1228, SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe. Four writes per target.
  target pid  target process                                    writes
  472         powershell.exe                                    4
  1776        schtasks.exe                                      4
  1660        SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe   4
  544         SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe   4
  1504        SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe   4
  636         SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe   4
  1488        SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe   4
  The write count is identical for powershell.exe and schtasks.exe (plain command-line children) and for the five copies of the sample's own image, so the count by itself does not separate payload injection from the writes that accompany child-process creation. The discriminating signal is that five children run the parent's own image with no arguments, the staging pattern of a process-hollowing (RunPE) loader.
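The flattened list above can be parsed and grouped so that the self-image targets stand out from the ordinary children. The following Python is an added example and is not part of the sandbox report; IOC_TEXT is constructed to reproduce the report's 28 entries (same writer, targets and counts) in the same run-together form, so the parser works on the page's text as pasted.

```python
"""Parse and summarise a Triage-style 'wrote to memory of' IoC list.

Added example, not from the sandbox report. IOC_TEXT below is constructed
from the report's 28 entries (writer 1228, seven targets, 4 writes each).
"""
import re

SAMPLE = "SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"

# Constructed input: one 'PID <src> wrote to memory of <dst> <src> <src image> <dst image>'
# fragment per write, preceded by the table-header words the page fuses onto the first line.
_TARGETS = [(472, "powershell.exe"), (1776, "schtasks.exe"),
            (1660, SAMPLE), (544, SAMPLE), (1504, SAMPLE), (636, SAMPLE), (1488, SAMPLE)]
IOC_TEXT = "description pid process target process " + " ".join(
    f"PID 1228 wrote to memory of {dst} 1228 {SAMPLE} {img}"
    for dst, img in _TARGETS for _ in range(4))

WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_wpm(text):
    """Return (src_pid, dst_pid, src_image, dst_image) per entry; header words are skipped."""
    entries = []
    for src, dst, src_again, src_img, dst_img in WPM_RE.findall(text):
        if src != src_again:  # the report repeats the writer pid; mismatch means a garbled entry
            continue
        entries.append((int(src), int(dst), src_img, dst_img))
    return entries


def summarize(entries):
    """Group writes by (writer, target) -> {"target_image", "writes", "same_image"}."""
    out = {}
    for src, dst, src_img, dst_img in entries:
        rec = out.setdefault((src, dst), {"target_image": dst_img, "writes": 0,
                                          "same_image": src_img.lower() == dst_img.lower()})
        rec["writes"] += 1
    return out


def self_image_targets(summary, writer):
    """Targets of `writer` that run the writer's own image (hollowing/RunPE staging pattern)."""
    return sorted(dst for (src, dst), rec in summary.items()
                  if src == writer and rec["same_image"])


def uniform_write_count(summary, writer):
    """True when every target of `writer` received the same number of writes.

    In this report that is the case (4 each), including for powershell.exe and
    schtasks.exe, so the count alone cannot tell injection from the writes that
    accompany child-process creation; use self_image_targets() for the signal.
    """
    counts = {rec["writes"] for (src, _), rec in summary.items() if src == writer}
    return len(counts) == 1


if __name__ == "__main__":
    summary = summarize(parse_wpm(IOC_TEXT))
    for (src, dst), rec in summary.items():
        print(f"{src} -> {dst:<5} {rec['target_image']:<50} writes={rec['writes']} "
              f"same_image={rec['same_image']}")
    print("self-image targets of 1228:", self_image_targets(summary, 1228))
```

Running it against the constructed text yields seven (writer, target) pairs with four writes each and five self-image targets; pointing parse_wpm() at a different report's pasted IoC block gives the same breakdown for that sample.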
Processes
[1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe (pid 1228)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 472)
        command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UPpiXkLqi.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\schtasks.exe (pid 1776)
        command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UPpiXkLqi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA81.tmp"
        - Creates scheduled task(s)
    [2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe (five instances: pids 1660, 544, 1504, 636, 1488; no signatures)
        command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
Notes on the tree:
- The command lines name System32 while the images actually loaded are under SysWOW64: the sample is a 32-bit process (the resource tags list arch:x86) and WoW64 file-system redirection resolved the paths. A detection that keys on the image path must therefore accept both locations.
- The Defender exclusion targets C:\Users\Admin\AppData\Roaming\UPpiXkLqi.exe and the scheduled task is named Updates\UPpiXkLqi: the excluded file is the intended persistent copy. No write of that file appears among the captured files (Downloads lists only tmpCA81.tmp), and the report does not record the cmdlet's result. Add-MpPreference requires administrative rights, and the Defender PowerShell module that provides it is not part of Windows 7, so on this win7 image the exclusion was almost certainly not applied; on a Windows 10/11 host running the sample elevated it would exclude the dropped copy from scanning before it is written.
- The five argument-less copies of the sample's own image, each written to by pid 1228, are where a hollowing/RunPE loader would place its payload. None of them triggered a signature and no memory region was dumped from them (see Downloads), so this report gives no view of what, if anything, was written into them.
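The three behaviours in this tree (a Defender exclusion added from powershell.exe, a scheduled task created from an XML file in the user's Temp directory, and a parent spawning argument-less copies of its own image) are each detectable from process-creation events alone. The following Python is an added example, not part of the sandbox report: the events are constructed from the report's process list and from the WriteProcessMemory IoCs (which supply the pids 472, 1776 and 1660, 544, 1504, 636, 1488); the parent pid 0 for the top-level sample is an assumption, and the rules generalise beyond this sample's exact command lines.

```python
"""Process-creation detection rules for the behaviours in the tree above.

Added example, not from the sandbox report. EVENTS is constructed from the
report's process list; ppid 0 for the top-level sample is an assumption.
"""
import re
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image actually loaded (SysWOW64 for the 32-bit children)
    cmdline: str  # command line as launched (System32 path, redirected by WoW64)


EVENTS = [
    ProcEvent(1228, 0, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(472, 1228, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UPpiXkLqi.exe"'),
    ProcEvent(1776, 1228, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UPpiXkLqi" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpCA81.tmp"'),
] + [ProcEvent(pid, 1228, SAMPLE, f'"{SAMPLE}"') for pid in (1660, 544, 1504, 636, 1488)]

# Also catches Set-MpPreference and the process/extension exclusion variants.
EXCLUSION_RE = re.compile(
    r'\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML_RE = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def _arg(m):
    """Quoted or bare argument captured by the regexes above."""
    return m.group(1) or m.group(2)


def rule_defender_exclusion(ev, by_pid):
    """ATT&CK T1562.001: powershell.exe adding a Defender exclusion."""
    if not ev.image.lower().endswith("\\powershell.exe"):
        return None
    m = EXCLUSION_RE.search(ev.cmdline)
    return f"exclusion={_arg(m)}" if m else None


def rule_schtasks_xml_from_temp(ev, by_pid):
    """ATT&CK T1053.005: schtasks /Create with its task XML in the user's Temp directory."""
    if not ev.image.lower().endswith("\\schtasks.exe") or not re.search(r"/create\b", ev.cmdline, re.I):
        return None
    xml = TASK_XML_RE.search(ev.cmdline)
    if not xml or not USER_TEMP_RE.search(_arg(xml)):
        return None
    name = TASK_NAME_RE.search(ev.cmdline)
    return f"task={_arg(name) if name else '?'} xml={_arg(xml)}"


def rule_self_copy_no_args(ev, by_pid):
    """Child running its parent's own image with no arguments (hollowing/RunPE staging)."""
    parent = by_pid.get(ev.ppid)
    if parent is None or parent.image.lower() != ev.image.lower():
        return None
    if ev.cmdline.strip().strip('"').lower() != ev.image.lower():
        return None
    return f"parent={ev.ppid}"


RULES = {
    "defender_exclusion_added": rule_defender_exclusion,
    "schtasks_xml_from_user_temp": rule_schtasks_xml_from_temp,
    "self_copy_no_args": rule_self_copy_no_args,
}


def evaluate(events):
    """Return [(rule, pid, detail)] for every event matching a rule."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        for name, fn in RULES.items():
            detail = fn(ev, by_pid)
            if detail:
                hits.append((name, ev.pid, detail))
    return hits


def self_copy_parents(events, min_children=2):
    """Parents with at least min_children argument-less children of their own image."""
    by_pid = {e.pid: e for e in events}
    kids = {}
    for ev in events:
        if rule_self_copy_no_args(ev, by_pid):
            kids.setdefault(ev.ppid, []).append(ev.pid)
    return {p: sorted(c) for p, c in kids.items() if len(c) >= min_children}


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(*hit)
    print("self-copy parents:", self_copy_parents(EVENTS))
```

The self-copy rule fires per child, so self_copy_parents() collapses it to one alert per parent with a threshold; a single argument-less relaunch is common for installers and updaters, whereas five in one run from the same parent is not.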
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpCA81.tmp (the task definition passed to schtasks /XML)
  Filesize: 1KB
  MD5: cb4a789db0f64b268479b147cf39d109
  SHA1: a2f9130d3f1688df03a8a0a82eebf0f153c46f96
  SHA256: 273447d3f21eca9cb069dbba356159636d836163ef10f79c7aa2093a4c45513e
  SHA512: 00d1d087f9dc472c0dde1b1ef4375c5e453d6d697653441880a5bdac8bb8dcaefe8c69a232d849d7b6f5c90eb35563cce6355e38f3f0fcb3446745b440d96ca7
- memory/472-59-0x0000000000000000-mapping.dmp
- memory/472-64-0x000000006E3C0000-0x000000006E96B000-memory.dmp
  Filesize: 5.7MB
- memory/1228-54-0x00000000003C0000-0x0000000000496000-memory.dmp
  Filesize: 856KB (a region whose size matches the 830KB sample plus section alignment, consistent with the sample's own mapped image)
- memory/1228-55-0x0000000075A11000-0x0000000075A13000-memory.dmp
  Filesize: 8KB
- memory/1228-56-0x0000000000350000-0x0000000000366000-memory.dmp
  Filesize: 88KB
- memory/1228-57-0x00000000003B0000-0x00000000003BE000-memory.dmp
  Filesize: 56KB
- memory/1228-58-0x0000000005050000-0x00000000050CC000-memory.dmp
  Filesize: 496KB
- memory/1228-63-0x0000000004E10000-0x0000000004E52000-memory.dmp
  Filesize: 264KB
- memory/1776-60-0x0000000000000000-mapping.dmp
All dumps come from pids 1228, 472 and 1776; none were taken from the five child copies of the sample (1660, 544, 1504, 636, 1488). The content of tmpCA81.tmp, which holds the task's trigger and action, is not reproduced in the report.