825cc69fcaba6cdd1afd55f938d7de491beca7365dfb34e071e613328fcddd98

Analysis

max time kernel
171s
max time network
188s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.FileRepMalware.31168.16257.exe
Size

4.7MB
MD5

14f1ec19b3c6146461fed798b1ee4f5f
SHA1

bdb4407851fb84ecb34c5a1c27162b9bff83d224
SHA256

825cc69fcaba6cdd1afd55f938d7de491beca7365dfb34e071e613328fcddd98
SHA512

61ec83bc28849a66a64c43d030124ed260e7bf8b2fa8e6622062fc6b2a190610fdb3d6edaa0ac40ce95ca120a766dc734341a09a79815089e2bc9ed14e7c3ded
SSDEEP

98304:Q88Ruln+yZ3OUCwYP14fIcvm8iK7rf90LE0mIsofzdI1ciOr4dm8:58slDIU0tQHe8iKaPXW1cRr4dD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
992	jsonstdapi.exe
1348	jsonstdapi.exe

Loads dropped DLL 6 IoCs

pid	Process
2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe
2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	152.89.198.214

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-BOHC2.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-GKOD4.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\lessmsi\is-3V8MN.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-8AC3V.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-8L8VB.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File opened for modification	C:\Program Files (x86)\JSON Stdandart API\unins000.dat	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-T9OAH.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-LQG5Q.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-NQ6NC.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-BSJOH.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-Q2NP1.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-J077T.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-50ICP.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File opened for modification	C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\plugins\internal\is-A8DH9.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\unins000.dat	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-2NJT0.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-FTOOQ.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-CUL98.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-83LP0.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-LFTH1.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\plugins\internal\is-57FM2.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-DNF26.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-318BO.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-ADUL7.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-O9410.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-RENK8.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-NTETO.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-0VNIG.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-FNIQH.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-IUB9P.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-0FH67.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-JSK39.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-LM4KC.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-KHFPC.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-T4OJS.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-I6RPT.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-SG6L7.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-13LQN.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-0UEMG.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-CA3CF.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-4ORB9.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-7P3MK.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-ER1C7.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-F3S7S.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-QC7QH.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-QEU3Q.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\is-CF5FQ.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\is-N8H29.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-GM4O6.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-9HC6O.tmp	SecuriteInfo.com.FileRepMalware.31168.16257.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2944	2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe	28
PID 2840 wrote to memory of 2944	2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe	28
PID 2840 wrote to memory of 2944	2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe	28
PID 2840 wrote to memory of 2944	2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe	28
PID 2840 wrote to memory of 2944	2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe	28
PID 2840 wrote to memory of 2944	2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe	28
PID 2840 wrote to memory of 2944	2840	SecuriteInfo.com.FileRepMalware.31168.16257.exe	28
PID 2944 wrote to memory of 596	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	30
PID 2944 wrote to memory of 596	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	30
PID 2944 wrote to memory of 596	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	30
PID 2944 wrote to memory of 596	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	30
PID 2944 wrote to memory of 992	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	32
PID 2944 wrote to memory of 992	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	32
PID 2944 wrote to memory of 992	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	32
PID 2944 wrote to memory of 992	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	32
PID 596 wrote to memory of 1156	596	net.exe	33
PID 596 wrote to memory of 1156	596	net.exe	33
PID 596 wrote to memory of 1156	596	net.exe	33
PID 596 wrote to memory of 1156	596	net.exe	33
PID 2944 wrote to memory of 1348	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	34
PID 2944 wrote to memory of 1348	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	34
PID 2944 wrote to memory of 1348	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	34
PID 2944 wrote to memory of 1348	2944	SecuriteInfo.com.FileRepMalware.31168.16257.tmp	34

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.31168.16257.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.31168.16257.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\is-A16LB.tmp\SecuriteInfo.com.FileRepMalware.31168.16257.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A16LB.tmp\SecuriteInfo.com.FileRepMalware.31168.16257.tmp" /SL5="$4017C,4662595,54272,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.31168.16257.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 30
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:596
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 30
      4⤵
      PID:1156
- - C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe
    "C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe" -i
    3⤵
    - Executes dropped EXE
    PID:992
- - C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe
    "C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe

Filesize
1.1MB

MD5
1b438e7a810899acc69127738810d32f

SHA1
a53ce77411fa07b4e5120ce88cab1ac6181517ad

SHA256
4a0356d3702ad521a22268b9f7613765c2a91d494f054f1bd33979a0bed56f76

SHA512
53d49b79d43df4a075350824a62e7f24896c28db3740d8f4d3c8785000ea087a328b462991a690af7f95abf76f2b763473c648ffdd2df92be14207f1334a202f

Download Submit
C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe

Filesize
424KB

MD5
5eb4edb08530e2399d1ab94105490f25

SHA1
8e98ccbc91bed46de2dfd87f499a6d3126e56c03

SHA256
b8833c80568bb9f0b2b8afb2e016b27d0dcfd74b79f819e900d5f55de714e546

SHA512
f6b0e622895601ec4682b3dcc35f24ca1fb91c6988229369da4af49e6b500dcfcb7d5fc96460534860591c25adda4cbbf374e46bdea048d5d948337b3d07bae2

Download Submit
C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe

Filesize
248KB

MD5
a8545d96fa4f17fb9a9be4c76ca5ec8d

SHA1
e6467a6638f59318747fd95f94858d8faf91e144

SHA256
8d5182e8adc05382ba1bc02d8c73f8f8b354993b4d6ef4573d9f458beeda64d9

SHA512
c26de1d8ca1d928254a8b92571105ccb29880cacb810f060b2a3baac6ac781eec554f092a09a80d6434875977ec016d05d6985c120c44ff2e457e9d699bf3b0f

Download Submit
\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe

Filesize
64KB

MD5
44c01366d31ae9e02a75a2dc775607bb

SHA1
1f3676779719b9cb5597b31bfef3203418d07f3c

SHA256
3ad46a7fb648cb227f99c2043914938a1b2d62f40f167aa9f0fd01aed9573f66

SHA512
18748c0c57e73cfd06a8c274e28b7ddc8c98e303ed4f3f7e60ef552a1ac22043a0f95cbfd308f6379ae88e5e47e0fc75a9db540a2dc4db25a3c2b8f3d5aba848

Download Submit
\Users\Admin\AppData\Local\Temp\is-A16LB.tmp\SecuriteInfo.com.FileRepMalware.31168.16257.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
\Users\Admin\AppData\Local\Temp\is-BQSDQ.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-BQSDQ.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
\Users\Admin\AppData\Local\Temp\is-BQSDQ.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/992-130-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/992-134-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/992-133-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/992-129-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-159-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-169-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-186-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-182-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-179-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-136-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-139-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-176-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-142-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-173-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-146-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-147-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-150-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-153-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-156-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1348-171-0x00000000024F0000-0x0000000002592000-memory.dmp

Filesize
648KB

Download
memory/1348-161-0x00000000024F0000-0x0000000002592000-memory.dmp

Filesize
648KB

Download
memory/1348-160-0x00000000024F0000-0x0000000002592000-memory.dmp

Filesize
648KB

Download
memory/1348-166-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2840-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2840-124-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2944-128-0x0000000003560000-0x00000000036F1000-memory.dmp

Filesize
1.6MB

Download
memory/2944-143-0x0000000003560000-0x00000000036F1000-memory.dmp

Filesize
1.6MB

Download
memory/2944-138-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2944-7-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2944-126-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download