Analysis
- max time kernel: 91s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 07:33
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
- Resource: win10v2004-20230220-en
General
- Target: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
- Size: 1.1MB
- MD5: f91e53e0379eac34c222de4a46588cf1
- SHA1: 523d61b31dd1104a20bbd04e3f4c30729191af64
- SHA256: 35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975
- SHA512: 52789dfa07b6d8f1a0e843eae9f1f50c49d31059f22b3c01457315f7cd3738db4cbaef089419c0fd47900d979e611c1916141fdc1bb7cdc2e7faedd7eb4c6c92
- SSDEEP: 24576:MOp5uo31uJ1xQ/YNuZb4c9JsJchzWN82fRwFceVXmgNbo6qYfQD:Dg0gHQuuGSLhjwhMo6qYfi
Malware Config
Signatures
- Sets service image path in registry (2 TTPs, 1 IoC)
  Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  12 | ipinfo.io
  13 | ipinfo.io
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  description | pid | process | target process
  PID 4908 set thread context of 1988 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | jsc.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | jsc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | jsc.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  pid | process | count
  4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | 18
- Suspicious behavior: LoadsDriver (1 IoC)
  Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  pid | process
  4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe, jsc.exe
  description | pid | process
  Token: SeDebugPrivilege | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Token: SeLoadDriverPrivilege | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Token: SeDebugPrivilege | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  Token: SeDebugPrivilege | 1988 | jsc.exe
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  description | pid | process | target process | count
  PID 4908 wrote to memory of 3744 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | AddInProcess32.exe | 3
  PID 4908 wrote to memory of 3888 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | cvtres.exe | 2
  PID 4908 wrote to memory of 2956 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | aspnet_regiis.exe | 2
  PID 4908 wrote to memory of 1972 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | csc.exe | 2
  PID 4908 wrote to memory of 1152 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | aspnet_regbrowsers.exe | 2
  PID 4908 wrote to memory of 2504 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | AddInUtil.exe | 2
  PID 4908 wrote to memory of 1856 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | AppLaunch.exe | 2
  PID 4908 wrote to memory of 1432 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | EdmGen.exe | 2
  PID 4908 wrote to memory of 1716 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | DataSvcUtil.exe | 2
  PID 4908 wrote to memory of 1988 | 4908 | SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe | jsc.exe | 8
- outlook_office_path (1 IoC)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
- outlook_win_path (1 IoC)
  Processes: jsc.exe
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe"
  signatures:
  - Sets service image path in registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    signatures:
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7650.tmp.tmpdb
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
- memory/1988-136-0x0000000000400000-0x00000000004D4000-memory.dmp
  Filesize: 848KB
- memory/1988-138-0x0000000005750000-0x0000000005760000-memory.dmp
  Filesize: 64KB
- memory/1988-139-0x0000000007BE0000-0x0000000007C46000-memory.dmp
  Filesize: 408KB
- memory/1988-143-0x0000000008FF0000-0x0000000009012000-memory.dmp
  Filesize: 136KB
- memory/1988-181-0x0000000009400000-0x000000000940A000-memory.dmp
  Filesize: 40KB
- memory/1988-182-0x0000000009430000-0x0000000009442000-memory.dmp
  Filesize: 72KB
- memory/4908-133-0x00000264B1D40000-0x00000264B1E58000-memory.dmp
  Filesize: 1.1MB
- memory/4908-134-0x00000264CD180000-0x00000264CD190000-memory.dmp
  Filesize: 64KB