23af16d3c63373e2e6789381782572f3b0d17fe7587f243a100c6123ea1e3020

Analysis

max time kernel
143s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2023, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfocomVariantBar.exe
Size

7.3MB
MD5

7f74098f87d5a070e59b03ca9b042fe8
SHA1

26b883eb1af62dcaf5c0d5c20ab0cd281309f04d
SHA256

23af16d3c63373e2e6789381782572f3b0d17fe7587f243a100c6123ea1e3020
SHA512

4da95808589307efe6e73ad4818b1a7c58549006df70427dbdd1f2ff8c739c482a75093815eee552f7d8bd40c24dc432ef8726ab44d194af7adccb258a82a41d
SSDEEP

196608:uJJwSGQtuwVvZnfEJuoblq82iYD4ehf31sD:xSTzo5q81ga

Score

10^/10

collection

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3872 created 3124	3872	SecuriteInfocomVariantBar.exe	50

Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook	certreq.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2196 set thread context of 3872	2196	SecuriteInfocomVariantBar.exe	96

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	certreq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	certreq.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2196	SecuriteInfocomVariantBar.exe
2196	SecuriteInfocomVariantBar.exe
2196	SecuriteInfocomVariantBar.exe
2196	SecuriteInfocomVariantBar.exe
2196	SecuriteInfocomVariantBar.exe
3872	SecuriteInfocomVariantBar.exe
3872	SecuriteInfocomVariantBar.exe
3872	SecuriteInfocomVariantBar.exe
3872	SecuriteInfocomVariantBar.exe
4260	certreq.exe
4260	certreq.exe
4260	certreq.exe
4260	certreq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2196	SecuriteInfocomVariantBar.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1144	2196	SecuriteInfocomVariantBar.exe	94
PID 2196 wrote to memory of 1144	2196	SecuriteInfocomVariantBar.exe	94
PID 2196 wrote to memory of 1144	2196	SecuriteInfocomVariantBar.exe	94
PID 2196 wrote to memory of 3940	2196	SecuriteInfocomVariantBar.exe	95
PID 2196 wrote to memory of 3940	2196	SecuriteInfocomVariantBar.exe	95
PID 2196 wrote to memory of 3940	2196	SecuriteInfocomVariantBar.exe	95
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 2196 wrote to memory of 3872	2196	SecuriteInfocomVariantBar.exe	96
PID 3872 wrote to memory of 4260	3872	SecuriteInfocomVariantBar.exe	97
PID 3872 wrote to memory of 4260	3872	SecuriteInfocomVariantBar.exe	97
PID 3872 wrote to memory of 4260	3872	SecuriteInfocomVariantBar.exe	97
PID 3872 wrote to memory of 4260	3872	SecuriteInfocomVariantBar.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	certreq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-508929744-1894537824-211734425-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3124
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe
    C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe
    C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe
    3⤵
    PID:3940
- - C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe
    C:\Users\Admin\AppData\Local\Temp\SecuriteInfocomVariantBar.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3872
- C:\Windows\system32\certreq.exe
  "C:\Windows\system32\certreq.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - outlook_office_path
  - outlook_win_path
  PID:4260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2196-133-0x0000000000300000-0x0000000000A50000-memory.dmp

Filesize
7.3MB

Download
memory/2196-134-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-135-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-137-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-139-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-141-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-143-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-145-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-147-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-149-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-151-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-153-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-155-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/2196-156-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-158-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-160-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-162-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-164-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-166-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-168-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-170-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-172-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-174-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-176-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-178-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-180-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-182-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-184-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-186-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-188-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-190-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-192-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-194-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-196-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-198-0x00000000053E0000-0x00000000054CD000-memory.dmp

Filesize
948KB

Download
memory/2196-1179-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/2196-1180-0x0000000005560000-0x0000000005570000-memory.dmp

Filesize
64KB

Download
memory/2196-1181-0x0000000005FA0000-0x0000000006544000-memory.dmp

Filesize
5.6MB

Download
memory/3872-1186-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/3872-1198-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download