Analysis
max time kernel: 126s
max time network: 119s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2023, 07:14
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe
Resource: win7-20231215-en
Behavioral task: behavioral2
Sample: SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe
Resource: win10v2004-20231215-en
General
Target: SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe
Size: 2.6MB
MD5: 808149e0981d14d747f5cfd8516fa74f
SHA1: e11502647f3d0dcbe3e2c2b67fb26f57c1474032
SHA256: 126c28a384755ca7d55b558a8ac91ea0b50c4128d51b310e2ee55b481aa0571a
SHA512: bfe71446f332744be5bebc5a54bdfad79cfd9c77c2352e3e6876ee911e318511741705171220d8ddcdd7aec7a85c5d2629eb62720c8a0f077753d41c544f4481
SSDEEP: 49152:xWhlkLBfJXAEXvUlFWYhdN5Bb3WVIOrIIWUNfGneJ4d7ZLInQyKCXPAM:xWhl0BfKE/MDdltIImG7ZmKgD
Malware Config
Signatures

Loads dropped DLL (8 IoCs)
pid   Process
1272  rundll32.exe   (4 events)
2560  rundll32.exe   (4 events)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (22 IoCs)
description                          pid   Process                                             procid_target
PID 1772 wrote to memory of 1412     1772  SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe   19   (4 events)
PID 1412 wrote to memory of 1272     1412  control.exe                                         18   (7 events)
PID 1272 wrote to memory of 1796     1272  rundll32.exe                                        32   (4 events)
PID 1796 wrote to memory of 2560     1796  RunDll32.exe                                        33   (7 events)
Processes

SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe (PID 1772)
  Path: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.25170.8652.exe"
  Signatures: Suspicious use of WriteProcessMemory
  +-- control.exe (PID 1412)
      Path: C:\Windows\SysWOW64\control.exe
      Command line: "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
      Signatures: Suspicious use of WriteProcessMemory

rundll32.exe (PID 1272)
  Path: C:\Windows\SysWOW64\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  +-- RunDll32.exe (PID 1796)
      Path: C:\Windows\system32\RunDll32.exe
      Command line: C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
      Signatures: Suspicious use of WriteProcessMemory
      +-- rundll32.exe (PID 2560)
          Path: C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\OZPPek.Cpl",
          Signatures: Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 92KB
MD5: 6cccfba9baa25547231081111d7a35d7
SHA1: e6ae0126d376b9a5f3db4ed265e9842b200a4b4b
SHA256: 08983be81c255754c647f18e9c09f410690016af30d06cde845fc048ce44f293
SHA512: 17aa29f5ecc4ce5d60d83f85cb71d4270718e510d80b1fa469f94c7e3f22543a435fd0fd184af8f21171bd86a25db5b2748b55459e9f35b12a3b4ba4d5ed79ca