Overview

overview

8

Static

static

3

SecuriteIn...13.exe

windows7-x64

8

SecuriteIn...13.exe

windows10-2004-x64

Analysis

  • max time kernel
    146s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-03-2024 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.DownLoader45.1081.7048.8713.exe

  • Size

    5.3MB

  • MD5

    b59631e064541c8651576128708e50f9

  • SHA1

    7aae996d4990f37a48288fa5f15a7889c3ff49b3

  • SHA256

    4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002

  • SHA512

    571a06f0ec88fe3697388195dd0a7f7e8d63945748855d928fb5005b51fd2c2baea1a63bd871ed0cfade5eabb879f577b7b04f9cd4d1222de52da641feee1f92

  • SSDEEP

    98304:69w8PMOW9ZI6aO7sd/mzt5mAiN1vw+/YR8ov/bkMJmJZNOnTdjyip:ndIV0G/mzsN1vl/YRV4MY9OnTdjy

Score
8/10
evasionpersistence

Malware Config

Signatures

  • Creates new service(s) 1 TTPs
    persistence
  • Drops file in Drivers directory 1 IoCs
  • Stops running service(s) 3 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe 7 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\winlogon.exe
    winlogon.exe
    1⤵
      PID:424
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.1081.7048.8713.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.DownLoader45.1081.7048.8713.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1908
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2012
      • C:\Users\Admin\AppData\Roaming\Miner.exe
        "C:\Users\Admin\AppData\Roaming\Miner.exe"
        2⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2956
        • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2436
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1708
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            4⤵
            • Drops file in Windows directory
            PID:2756
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          3⤵
          • Launches sc.exe
          PID:2664
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          3⤵
          • Launches sc.exe
          PID:2744
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          3⤵
          • Launches sc.exe
          PID:2780
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          3⤵
          • Launches sc.exe
          PID:2872
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          3⤵
          • Launches sc.exe
          PID:2180
        • C:\Windows\system32\dialer.exe
          C:\Windows\system32\dialer.exe
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1668
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "RYVSUJUA"
          3⤵
          • Launches sc.exe
          PID:2336
        • C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
          3⤵
          • Launches sc.exe
          PID:1168
      • C:\Users\Admin\AppData\Roaming\Shortcutter.exe
        "C:\Users\Admin\AppData\Roaming\Shortcutter.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:2464
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
          PID:3044

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZNJZ7ZLV449MIKLP1X6O.temp
          Filesize

          7KB

          MD5

          f9e81bf9f6ac287e4d4af80c71529350

          SHA1

          9d5be14cb8ef080b4b388c0fe638d3c86010b746

          SHA256

          8ccfdc4b6f01167afe6b89bcc55b2d7d18e550d93fa6ea6cfb40821e89c2aa9a

          SHA512

          fad29ba68aac32b4d3d5f7a65e5e319c29f77b1f7904eaa591f22b14fbc1feaaf0e26d01ec9de461bd39219542efc7bdd45e75e6c2b726fe3924d0920ba7fb44

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Miner.exe
          Filesize

          704KB

          MD5

          6949c1c4c90f7530dae39b1dea975131

          SHA1

          ec3e72c62e861d00f55f86a381e1bddbb36a75cc

          SHA256

          0c2c2ee4c0bade2516fcb0903e5157eff8c7a268e4171c05abfb09af33820429

          SHA512

          9e0ce8b8350caeca35c59194f3e907e7cf1a519ae2f04a9d3a0429ab0ff80105897ded9b4054de2aba38b54542f812a8693f2e3c08ea11b07f799a81b4f897fa

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Miner.exe
          Filesize

          1.8MB

          MD5

          e89371f755b748bdd303134b0eaf8ea9

          SHA1

          ede64fa99dea78ca56d6b7995892d6c1f0116f2a

          SHA256

          ca5f6dff3e541dbebc198ceb1db70ea9241e0733b305cb8f6825f65e4582b9c4

          SHA512

          5261230f56d7e9d56506dbc7f8f6f96a9317d8583eb052bb94ac3d05765b27a6c3efeae3958f4da25ecea83183593321fc0b38e23ec85d52f08574b468bf7d2a

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Shortcutter.exe
          Filesize

          50KB

          MD5

          4ce8fc5016e97f84dadaf983cca845f2

          SHA1

          0d6fb5a16442cf393d5658a9f40d2501d8fd725c

          SHA256

          f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

          SHA512

          4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

          Download Submit

        • \Users\Admin\AppData\Roaming\Miner.exe
          Filesize

          1.8MB

          MD5

          464cd3cca1f63443d7533abc298b39f0

          SHA1

          57163151753ab3772f3b987d7306c6618cb90fcf

          SHA256

          cd0aa494395a33007cd57a9301c9ed46cc65a241cd8957bd818f2e57f723c053

          SHA512

          908f44ada6bb3ae3d3e48672bc1e6eaf7c6b0f0c911190310bd0e28170074a8ab2c6792cfdb8bad51e8b887e4f0fdbe5ad0ba0c856c1cb90490d8f9c5980c80f

          Download Submit

        • \Users\Admin\AppData\Roaming\Miner.exe
          Filesize

          2.1MB

          MD5

          11af2658c7c002c3f7026643b1111e5b

          SHA1

          40920606a2a6426c6a8d7f4d801f2aadd98fb81e

          SHA256

          0cf30b373140d1cb0cd8b8559e64fbd6173a6a80f0822f37703fcfdbe65b3c67

          SHA512

          eee1e61f1251e5ef367d3217171faf703d826c38fc0da8987c0016931c2a6e20cc4fe98077270a8a178a86bac2648f110ff2d6eecb84404fbb514afcd934124a

          Download Submit

        • memory/424-51-0x0000000000930000-0x0000000000954000-memory.dmp

          Filesize

          144KB

          Download

        • memory/424-55-0x0000000000960000-0x000000000098B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/424-50-0x0000000000930000-0x0000000000954000-memory.dmp

          Filesize

          144KB

          Download

        • memory/424-53-0x000007FEBDFC0000-0x000007FEBDFD0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/424-54-0x0000000036F40000-0x0000000036F50000-memory.dmp

          Filesize

          64KB

          Download

        • memory/424-52-0x0000000000960000-0x000000000098B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1668-47-0x0000000140000000-0x000000014002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1668-63-0x0000000076F00000-0x00000000770A9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1668-40-0x0000000140000000-0x000000014002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1668-44-0x0000000076F00000-0x00000000770A9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1668-46-0x0000000076F00000-0x00000000770A9000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1668-45-0x0000000076CE0000-0x0000000076DFF000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1668-43-0x0000000140000000-0x000000014002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1668-38-0x0000000140000000-0x000000014002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1668-41-0x0000000140000000-0x000000014002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/1668-39-0x0000000140000000-0x000000014002B000-memory.dmp

          Filesize

          172KB

          Download

        • memory/2012-22-0x0000000002680000-0x00000000026C0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2012-19-0x00000000738F0000-0x0000000073E9B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2012-16-0x00000000738F0000-0x0000000073E9B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2012-20-0x0000000002680000-0x00000000026C0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2012-21-0x0000000002680000-0x00000000026C0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2012-24-0x00000000738F0000-0x0000000073E9B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2436-34-0x0000000002720000-0x00000000027A0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2436-30-0x00000000023A0000-0x00000000023A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2436-29-0x000000001B220000-0x000000001B502000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/2436-32-0x0000000002720000-0x00000000027A0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2436-33-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2436-31-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2436-36-0x000007FEECD70000-0x000007FEED70D000-memory.dmp

          Filesize

          9.6MB

          Download

        • memory/2436-35-0x0000000002720000-0x00000000027A0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2648-23-0x000000001AF30000-0x000000001AFB0000-memory.dmp

          Filesize

          512KB

          Download

        • memory/2648-18-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2648-58-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2648-17-0x0000000001080000-0x0000000001092000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2648-60-0x000007FEF52C0000-0x000007FEF5CAC000-memory.dmp

          Filesize

          9.9MB

          Download