Overview

overview

10

Static

static

SecuriteIn...25.exe

windows7-x64

3

SecuriteIn...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    45s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 04:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe

  • Size

    830KB

  • MD5

    117d8fe530f41f5eb068b27480377234

  • SHA1

    c61eb8e55dbaa0aaacddec463b39d6ef00cc3566

  • SHA256

    0ce95ed2a26eb4e5f38cd27cbcac2065b3e6a71a26cdc24f56946dd0428f88be

  • SHA512

    41a273e191f66b22cc3b86115b867df8fdf2721c5d5ffa3c4ec73f1bf91c5eb575ffecbf0ddd6fa5de817b4d63eb7f788a49e284780e04f14b8788b02486625f

  • SSDEEP

    12288:Bc6sfZ344iymiLkOPQJzCcAipT+oXuKDz7AWPz5jjmahgKZ/nXt7virmWhlGLaQ1:S6sfe4iymiNPm2cepKDz7vPl

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UPpiXkLqi.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:472
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UPpiXkLqi" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCA81.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1776
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
      2⤵
        PID:1660
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
        2⤵
          PID:544
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
          2⤵
            PID:1504
          • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
            "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
            2⤵
              PID:636
            • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe
              "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.16696.22525.exe"
              2⤵
                PID:1488

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpCA81.tmp
              Filesize

              1KB

              MD5

              cb4a789db0f64b268479b147cf39d109

              SHA1

              a2f9130d3f1688df03a8a0a82eebf0f153c46f96

              SHA256

              273447d3f21eca9cb069dbba356159636d836163ef10f79c7aa2093a4c45513e

              SHA512

              00d1d087f9dc472c0dde1b1ef4375c5e453d6d697653441880a5bdac8bb8dcaefe8c69a232d849d7b6f5c90eb35563cce6355e38f3f0fcb3446745b440d96ca7

              Download Submit
            • memory/472-59-0x0000000000000000-mapping.dmp
              Download
            • memory/472-64-0x000000006E3C0000-0x000000006E96B000-memory.dmp
              Filesize

              5.7MB

              Download
            • memory/1228-54-0x00000000003C0000-0x0000000000496000-memory.dmp
              Filesize

              856KB

              Download
            • memory/1228-55-0x0000000075A11000-0x0000000075A13000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1228-56-0x0000000000350000-0x0000000000366000-memory.dmp
              Filesize

              88KB

              Download
            • memory/1228-57-0x00000000003B0000-0x00000000003BE000-memory.dmp
              Filesize

              56KB

              Download
            • memory/1228-58-0x0000000005050000-0x00000000050CC000-memory.dmp
              Filesize

              496KB

              Download
            • memory/1228-63-0x0000000004E10000-0x0000000004E52000-memory.dmp
              Filesize

              264KB

              Download
            • memory/1776-60-0x0000000000000000-mapping.dmp
              Download