Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

SecuriteIn...99.exe

windows7-x64

10

SecuriteIn...99.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2023, 10:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.30771.2599.exe

  • Size

    268KB

  • MD5

    eac56810ae04fc2704b1b89559841ee3

  • SHA1

    bbc1dad3bf50eb73a7dbb429ed4bb7016b860968

  • SHA256

    b68d46be4a85016270a6cb5d11295225ae4fab655eada32344422edad43c155b

  • SHA512

    86f1eb3164669f1a70944e17f29cc419e8d76ae3351665527af7e3f513b44a0e6ae2555bb3b869fd20b310c7de8e45480106e9483e72eb7a9c02f3167f1d25bb

  • SSDEEP

    1536:c9H/84RBumqgVp+INHZs5zv2RHtPO19HRYkw+Uo4V8cv/SxDmjLg2BrIGd99XZGY:yEvgVHNHTRNPgRX1SvnlBrII/J+M

Score
10/10
originbotnetkeyloggerrattrojan

Malware Config

Extracted

Family

originbotnet

C2

https://joshua6440.nitrosoftwares.shop/gate

Attributes
  • add_startup

    false

  • download_folder_name

    jfede1fc.mke

  • hide_file_startup

    false

  • startup_directory_name

    MnNshND

  • startup_environment_name

    appdata

  • startup_installation_name

    MnNshND.exe

  • startup_registry_name

    MnNshND

  • user_agent

    Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0

Signatures

  • OriginBotnet

    OriginBotnet is a remote access trojan written in C#.

    trojanratkeyloggeroriginbotnet
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.30771.2599.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.30771.2599.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.30771.2599.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.30771.2599.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1556
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 808
        3⤵
        • Program crash
        PID:3304
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      2⤵
        PID:4524
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.30771.2599.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
        2⤵
          PID:1552
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3504
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
            3⤵
            • Creates scheduled task(s)
            PID:4436
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1556 -ip 1556
        1⤵
          PID:3728
        • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
          C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
            "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1504
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 780
              3⤵
              • Program crash
              PID:8
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
            2⤵
              PID:4312
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3904
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
                3⤵
                • Creates scheduled task(s)
                PID:1828
            • C:\Windows\SysWOW64\cmd.exe
              "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
              2⤵
                PID:4688
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1504 -ip 1504
              1⤵
                PID:5112

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log
                Filesize

                520B

                MD5

                03febbff58da1d3318c31657d89c8542

                SHA1

                c9e017bd9d0a4fe533795b227c855935d86c2092

                SHA256

                5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

                SHA512

                3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

                Download Submit

              • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
                Filesize

                268KB

                MD5

                eac56810ae04fc2704b1b89559841ee3

                SHA1

                bbc1dad3bf50eb73a7dbb429ed4bb7016b860968

                SHA256

                b68d46be4a85016270a6cb5d11295225ae4fab655eada32344422edad43c155b

                SHA512

                86f1eb3164669f1a70944e17f29cc419e8d76ae3351665527af7e3f513b44a0e6ae2555bb3b869fd20b310c7de8e45480106e9483e72eb7a9c02f3167f1d25bb

                Download Submit

              • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
                Filesize

                268KB

                MD5

                eac56810ae04fc2704b1b89559841ee3

                SHA1

                bbc1dad3bf50eb73a7dbb429ed4bb7016b860968

                SHA256

                b68d46be4a85016270a6cb5d11295225ae4fab655eada32344422edad43c155b

                SHA512

                86f1eb3164669f1a70944e17f29cc419e8d76ae3351665527af7e3f513b44a0e6ae2555bb3b869fd20b310c7de8e45480106e9483e72eb7a9c02f3167f1d25bb

                Download Submit

              • C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
                Filesize

                268KB

                MD5

                eac56810ae04fc2704b1b89559841ee3

                SHA1

                bbc1dad3bf50eb73a7dbb429ed4bb7016b860968

                SHA256

                b68d46be4a85016270a6cb5d11295225ae4fab655eada32344422edad43c155b

                SHA512

                86f1eb3164669f1a70944e17f29cc419e8d76ae3351665527af7e3f513b44a0e6ae2555bb3b869fd20b310c7de8e45480106e9483e72eb7a9c02f3167f1d25bb

                Download Submit

              • memory/1420-5-0x00000000050C0000-0x00000000050D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1420-2-0x0000000005680000-0x0000000005C24000-memory.dmp

                Filesize

                5.6MB

                Download

              • memory/1420-6-0x0000000000B00000-0x0000000000B0C000-memory.dmp

                Filesize

                48KB

                Download

              • memory/1420-0-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1420-10-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1420-4-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1420-3-0x00000000050C0000-0x00000000050D0000-memory.dmp

                Filesize

                64KB

                Download

              • memory/1420-1-0x00000000006C0000-0x0000000000708000-memory.dmp

                Filesize

                288KB

                Download

              • memory/1504-24-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1504-22-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1556-9-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1556-13-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1556-7-0x0000000000400000-0x000000000040E000-memory.dmp

                Filesize

                56KB

                Download

              • memory/1732-17-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1732-16-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download

              • memory/1732-23-0x00000000749D0000-0x0000000075180000-memory.dmp

                Filesize

                7.7MB

                Download