Analysis

Max time kernel: 31s
Max time network: 33s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 28-03-2023 07:33
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Resource: win7-20230220-en

Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Resource: win10v2004-20230220-en
General

Target: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
Size: 1.1MB
MD5: f91e53e0379eac34c222de4a46588cf1
SHA1: 523d61b31dd1104a20bbd04e3f4c30729191af64
SHA256: 35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975
SHA512: 52789dfa07b6d8f1a0e843eae9f1f50c49d31059f22b3c01457315f7cd3738db4cbaef089419c0fd47900d979e611c1916141fdc1bb7cdc2e7faedd7eb4c6c92
SSDEEP: 24576:MOp5uo31uJ1xQ/YNuZb4c9JsJchzWN82fRwFceVXmgNbo6qYfQD:Dg0gHQuuGSLhjwhMo6qYfi
Malware Config

Signatures

Sets service image path in registry (2 TTPs, 1 IoC)
Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe

Suspicious use of SetThreadContext (1 IoC)
Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Description | PID | Process | Target process
  PID 1400 set thread context of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe

Program crash (1 IoC)
Processes: WerFault.exe
  PID | Target PID | Process | Target process
  1452 | 1220 | WerFault.exe | Setup.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  PID | Process
  1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe

Suspicious behavior: LoadsDriver (1 IoC)
Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  PID | Process
  1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Description | PID | Process
  Token: SeDebugPrivilege | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Token: SeLoadDriverPrivilege | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Token: SeDebugPrivilege | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe, Setup.exe
  Description | PID | Process | Target process
  PID 1400 wrote to memory of 992 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | aspnet_regbrowsers.exe
  PID 1400 wrote to memory of 992 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | aspnet_regbrowsers.exe
  PID 1400 wrote to memory of 992 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | aspnet_regbrowsers.exe
  PID 1400 wrote to memory of 1908 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | RegSvcs.exe
  PID 1400 wrote to memory of 1908 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | RegSvcs.exe
  PID 1400 wrote to memory of 1908 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | RegSvcs.exe
  PID 1400 wrote to memory of 1072 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | ngen.exe
  PID 1400 wrote to memory of 1072 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | ngen.exe
  PID 1400 wrote to memory of 1072 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | ngen.exe
  PID 1400 wrote to memory of 584 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | RegAsm.exe
  PID 1400 wrote to memory of 584 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | RegAsm.exe
  PID 1400 wrote to memory of 584 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | RegAsm.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1400 wrote to memory of 1220 | 1400 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | Setup.exe
  PID 1220 wrote to memory of 1452 | 1220 | Setup.exe | WerFault.exe
  PID 1220 wrote to memory of 1452 | 1220 | Setup.exe | WerFault.exe
  PID 1220 wrote to memory of 1452 | 1220 | Setup.exe | WerFault.exe
  PID 1220 wrote to memory of 1452 | 1220 | Setup.exe | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe"
   Signatures:
   - Sets service image path in registry
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: LoadsDriver
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"

   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"

   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"

   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"

   2. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
      Signatures:
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1220 -s 304
         Signatures:
         - Program crash
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

File | Filesize
memory/1220-58-0x0000000000400000-0x00000000004D4000-memory.dmp | 848KB
memory/1400-54-0x0000000001060000-0x0000000001178000-memory.dmp | 1.1MB
memory/1400-55-0x0000000000FE0000-0x0000000001060000-memory.dmp | 512KB
memory/1400-56-0x000000001BB90000-0x000000001BCA4000-memory.dmp | 1.1MB