844e9cb99590b9d850dd755b821d1b92a14a02a6abd240451dad752cc930b315

Analysis

max time kernel
146s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.exe
Size

4.7MB
MD5

356b79fd22983f3cd2d707a3aaeea02f
SHA1

5141786b7bbac78d41b450316e10178ab72534ce
SHA256

844e9cb99590b9d850dd755b821d1b92a14a02a6abd240451dad752cc930b315
SHA512

7734c2bc41426ba255e7477f8df90ffbdc142d994e1849db8cb302f1ccbbb5b0864944ce58f8d86e144eb5c04c1b62aaecd44f0f3883ba3a654ab4f8ba816b7b
SSDEEP

98304:QQjMpDv4oHEBKrSS8R9jGHyU1B5Xxk6yZnNVGBmwvGPTuPbyV4dm8:njWDBdYbjGHV1B5Xxk6gMtsTuP64dD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
5072	jsonstdapi.exe
2604	jsonstdapi.exe

Loads dropped DLL 3 IoCs

pid	Process
1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-F48H6.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-4PC87.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\is-UD3GM.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-D5N2F.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-C2RH5.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-6EK1T.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File opened for modification	C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-IJ7AQ.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-N3RTK.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-MJ42U.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-LUA2E.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-78S9L.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-A4P3G.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-CN8PJ.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-7EDQQ.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-TNFCI.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-03ROE.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-GM4JV.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-BKCUE.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-PFKJ7.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\lessmsi\is-K738N.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-5RGD0.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-NGQKV.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-FN81K.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\unins000.dat	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\is-U0PV0.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-886SV.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-V4D9F.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-PV4V6.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\plugins\internal\is-TSM55.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-IF4BU.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-4Q2KQ.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File opened for modification	C:\Program Files (x86)\JSON Stdandart API\unins000.dat	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-VMDB5.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-2RU32.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-BI5SA.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-CSQN3.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-2U3OD.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-6AP2T.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-30KCO.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-FIV27.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-4KM1U.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-IF03G.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-FAJ86.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-NFP4L.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-T2AJN.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-H231A.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-0LJIM.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-VDH33.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\plugins\internal\is-51BQ7.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-DH0DP.tmp	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1228	4600	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.exe	20
PID 4600 wrote to memory of 1228	4600	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.exe	20
PID 4600 wrote to memory of 1228	4600	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.exe	20
PID 1228 wrote to memory of 1936	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	29
PID 1228 wrote to memory of 1936	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	29
PID 1228 wrote to memory of 1936	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	29
PID 1228 wrote to memory of 5072	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	28
PID 1228 wrote to memory of 5072	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	28
PID 1228 wrote to memory of 5072	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	28
PID 1936 wrote to memory of 548	1936	net.exe	27
PID 1936 wrote to memory of 548	1936	net.exe	27
PID 1936 wrote to memory of 548	1936	net.exe	27
PID 1228 wrote to memory of 2604	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	26
PID 1228 wrote to memory of 2604	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	26
PID 1228 wrote to memory of 2604	1228	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp	26

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\is-2K7MQ.tmp\SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-2K7MQ.tmp\SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp" /SL5="$901E2,4658082,54272,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe
    "C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe" -s
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe
    "C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe" -i
    3⤵
    - Executes dropped EXE
    PID:5072
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 30
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 helpmsg 30
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe

Filesize
92KB

MD5
75d5de5973549dc01f29dad07e46c1ea

SHA1
edfaea775c9f5ba73927f9cea56322746bf8df6f

SHA256
5d4e0dd03ec29479d9752cfcddd0e0705b0e038863317bb815c8737b997ec756

SHA512
b4cb678c4720989aef9b875698442842b1d4c07ea767b8cda9f61e89a5ad89484e0addd98dd967010f2f82fa878fda08d53a2e65e8861774c4501644415659b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-04RU7.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-04RU7.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2K7MQ.tmp\SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp

Filesize
382KB

MD5
6e4278aef0f6eb0a54563b193f54e071

SHA1
8c15d3869f6852fef0afcac57a5253a1ef7d395b

SHA256
5f6582d7b9930a57a2e932ed8757a6249f9cd92005a36e6db97d0d883a29f207

SHA512
ed1df98d61ca583c535e54b994d1b33d14ec56c59f7a24128c11d6de63840e04c92d6a00e391f60021243fdf17cc6cc2f26ff36ca058c4bf303b7c5a4484b2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-2K7MQ.tmp\SecuriteInfo.com.Trojan-Dropper.Win32.Agent.12815.12090.tmp

Filesize
98KB

MD5
81cab524f6dbe6729148606d6d380482

SHA1
27efc67868cee08ffd7c1fdcac86f71d0525128a

SHA256
6d6fa144e5fb1041833ca2729483996d56bd63ce8c34189fa4f5a8226672cf1b

SHA512
f1d09bce31b9ea8dab9504246ae80d51cccd5789163623d221137f00f17f7621db17881df81c3d4869c99c528eff9219593ed4ec49b2ae0f91c9865997a1f4a5

Download Submit
memory/1228-7-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1228-137-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/1228-135-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2604-131-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-148-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-184-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-181-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-178-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-174-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-171-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-136-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-168-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-165-0x0000000000720000-0x00000000007C2000-memory.dmp

Filesize
648KB

Download
memory/2604-142-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-141-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-145-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-133-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-151-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-158-0x0000000000720000-0x00000000007C2000-memory.dmp

Filesize
648KB

Download
memory/2604-157-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-152-0x0000000000720000-0x00000000007C2000-memory.dmp

Filesize
648KB

Download
memory/2604-161-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2604-164-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4600-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4600-134-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4600-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5072-139-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/5072-125-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/5072-126-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/5072-129-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download