Analysis

  • max time kernel
    91s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-03-2023 07:33

General

  • Target

    SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe

  • Size

    1.1MB

  • MD5

    f91e53e0379eac34c222de4a46588cf1

  • SHA1

    523d61b31dd1104a20bbd04e3f4c30729191af64

  • SHA256

    35a7141973dd708723ae711b94f845d36740f2613d4f94dde3aa9c75519f0975

  • SHA512

    52789dfa07b6d8f1a0e843eae9f1f50c49d31059f22b3c01457315f7cd3738db4cbaef089419c0fd47900d979e611c1916141fdc1bb7cdc2e7faedd7eb4c6c92

  • SSDEEP

    24576:MOp5uo31uJ1xQ/YNuZb4c9JsJchzWN82fRwFceVXmgNbo6qYfQD:Dg0gHQuuGSLhjwhMo6qYfi

Malware Config

Signatures

  • Sets service image path in registry (2 TTPs, 1 IoCs)
  • Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Checks processor information in registry (2 TTPs, 2 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious behavior: LoadsDriver (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • Suspicious use of WriteProcessMemory (27 IoCs)
  • outlook_office_path (1 IoCs)
  • outlook_win_path (1 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.29890.2280.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
      2⤵
      PID:3744
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
      2⤵
      PID:3888
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
      2⤵
      PID:2956
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      2⤵
      PID:1972
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
      2⤵
      PID:1152
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
      2⤵
      PID:2504
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      2⤵
      PID:1856
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
      2⤵
      PID:1432
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      2⤵
      PID:1716
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1988

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (1) T1060
  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (1) T1082
  • Collection: Email Collection (1) T1114
  • Command and Control: Web Service (1) T1102

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp7650.tmp.tmpdb
    Filesize: 46KB
    MD5: 02d2c46697e3714e49f46b680b9a6b83
    SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
    SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
    SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

  • memory/1988-136-0x0000000000400000-0x00000000004D4000-memory.dmp
    Filesize: 848KB

  • memory/1988-138-0x0000000005750000-0x0000000005760000-memory.dmp
    Filesize: 64KB

  • memory/1988-139-0x0000000007BE0000-0x0000000007C46000-memory.dmp
    Filesize: 408KB

  • memory/1988-143-0x0000000008FF0000-0x0000000009012000-memory.dmp
    Filesize: 136KB

  • memory/1988-181-0x0000000009400000-0x000000000940A000-memory.dmp
    Filesize: 40KB

  • memory/1988-182-0x0000000009430000-0x0000000009442000-memory.dmp
    Filesize: 72KB

  • memory/4908-133-0x00000264B1D40000-0x00000264B1E58000-memory.dmp
    Filesize: 1.1MB

  • memory/4908-134-0x00000264CD180000-0x00000264CD190000-memory.dmp
    Filesize: 64KB