Analysis
-
max time kernel
144s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
25/03/2024, 00:44
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe
Resource
win7-20240221-en
General
-
Target
SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe
-
Size
1.9MB
-
MD5
8b176c80a6ff69b7beb12254dfaac8ee
-
SHA1
a51457eb62364526addd00b610cb1e16c7d3918d
-
SHA256
773070e1373913ea1709dde27c293ceca45fa966a83cba6a0483954b94253f78
-
SHA512
2eca1765e9d9ab3859fbcfa444125a396d420e194295ecd6f293e6b9d989de85e7b9fbeffe33590274c85ecdcb6939e81c2856c863a57f668df5b01ca0d66c0e
-
SSDEEP
49152:2Tqur9h3ToEg0fCmS2tmjTNvlHSbF6X88nDQz90b5OrPsxQTrnaG:233ToEg0fFmjBvxSu88DQ90b5ODs0
Malware Config
Extracted
amadey
4.18
http://193.233.132.56
-
install_dir
09fd851a4f
-
install_file
explorha.exe
-
strings_key
443351145ece4966ded809641c77cfa8
-
url_paths
/Pneh2sXQk0/index.php
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ explorha.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 28d3272688.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 7 1616 rundll32.exe 9 828 rundll32.exe -
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 28d3272688.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 28d3272688.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorha.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion explorha.exe -
Executes dropped EXE 3 IoCs
pid Process 2644 explorha.exe 3064 28d3272688.exe 2040 lumma21.exe -
Identifies Wine through registry keys 2 TTPs 3 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe Key opened \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine explorha.exe Key opened \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Wine 28d3272688.exe -
Loads dropped DLL 16 IoCs
pid Process 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 688 rundll32.exe 688 rundll32.exe 688 rundll32.exe 688 rundll32.exe 1616 rundll32.exe 1616 rundll32.exe 1616 rundll32.exe 1616 rundll32.exe 2644 explorha.exe 2644 explorha.exe 828 rundll32.exe 828 rundll32.exe 828 rundll32.exe 828 rundll32.exe 2644 explorha.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Windows\CurrentVersion\Run\28d3272688.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000022001\\28d3272688.exe" explorha.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 2644 explorha.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\Tasks\chrosha.job lumma21.exe File created C:\Windows\Tasks\explorha.job SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 2644 explorha.exe 1616 rundll32.exe 1616 rundll32.exe 1616 rundll32.exe 1616 rundll32.exe 1616 rundll32.exe 844 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 844 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 2040 lumma21.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 1736 wrote to memory of 2644 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 28 PID 1736 wrote to memory of 2644 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 28 PID 1736 wrote to memory of 2644 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 28 PID 1736 wrote to memory of 2644 1736 SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe 28 PID 2644 wrote to memory of 688 2644 explorha.exe 31 PID 2644 wrote to memory of 688 2644 explorha.exe 31 PID 2644 wrote to memory of 688 2644 explorha.exe 31 PID 2644 wrote to memory of 688 2644 explorha.exe 31 PID 2644 wrote to memory of 688 2644 explorha.exe 31 PID 2644 wrote to memory of 688 2644 explorha.exe 31 PID 2644 wrote to memory of 688 2644 explorha.exe 31 PID 688 wrote to memory of 1616 688 rundll32.exe 32 PID 688 wrote to memory of 1616 688 rundll32.exe 32 PID 688 wrote to memory of 1616 688 rundll32.exe 32 PID 688 wrote to memory of 1616 688 rundll32.exe 32 PID 1616 wrote to memory of 2716 1616 rundll32.exe 33 PID 1616 wrote to memory of 2716 1616 rundll32.exe 33 PID 1616 wrote to memory of 2716 1616 rundll32.exe 33 PID 1616 wrote to memory of 844 1616 rundll32.exe 35 PID 1616 wrote to memory of 844 1616 rundll32.exe 35 PID 1616 wrote to memory of 844 1616 rundll32.exe 35 PID 2644 wrote to memory of 3064 2644 explorha.exe 37 PID 2644 wrote to memory of 3064 2644 explorha.exe 37 PID 2644 wrote to memory of 3064 2644 explorha.exe 37 PID 2644 wrote to memory of 3064 2644 explorha.exe 37 PID 2644 wrote to memory of 828 2644 explorha.exe 41 PID 2644 wrote to memory of 828 2644 explorha.exe 41 PID 2644 wrote to memory of 828 2644 explorha.exe 41 PID 2644 wrote to memory of 828 2644 explorha.exe 41 PID 2644 wrote to memory of 828 2644 explorha.exe 41 PID 2644 wrote to memory of 828 2644 explorha.exe 41 PID 2644 wrote to memory of 828 2644 explorha.exe 41 PID 2644 wrote to memory of 556 2644 explorha.exe 42 PID 2644 wrote to memory of 556 2644 explorha.exe 42 PID 2644 wrote to memory of 556 2644 explorha.exe 42 PID 2644 wrote to memory of 556 2644 explorha.exe 42 PID 2644 wrote to memory of 2040 2644 explorha.exe 43 PID 2644 wrote to memory of 2040 2644 explorha.exe 43 PID 2644 wrote to memory of 2040 2644 explorha.exe 43 PID 2644 wrote to memory of 2040 2644 explorha.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\system32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵PID:2716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\658372521424_Desktop.zip' -CompressionLevel Optimal5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:844
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000022001\28d3272688.exe"C:\Users\Admin\AppData\Local\Temp\1000022001\28d3272688.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
PID:3064
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:828
-
-
C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"C:\Users\Admin\AppData\Local\Temp\09fd851a4f\explorha.exe"3⤵PID:556
-
-
C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"C:\Users\Admin\AppData\Local\Temp\1000035001\lumma21.exe"3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
PID:2040
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Unsecured Credentials
3Credentials In Files
2Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5f4f865456bc29caab6eb78f48bd3ce05
SHA120405be101f1fc067c89043db61e198b4b8b2170
SHA256f127030eece82e15a979da5f5f51b4d15d8c6136d1628e4924b4c02955aba3b2
SHA5122527392c1f773c72d16db9045fc31c239f56856f8f6bb8869c1ee9951f9026cb837c93c24e17dc3c7c9d4ecd2a004d2582e28a3d3246a1d0848d16fcf210b752
-
Filesize
999KB
MD57dce24edd5c32b4c614e52dd5c9ac038
SHA1c7e8d014bb7c9badce13d66befc13364e93767b3
SHA256904258c59302a6bd0ef732f3c9d33f58680829362d4c0431505117d0232265f0
SHA51262981dc3f9576d910744b20bad138736cb6dd197ee3c8af6155eb65a2f18932d04e9f9b26df8cc75aa2966b2d769c5d3df68c3fd0fee157998bec00a4448e019
-
Filesize
2.6MB
MD521cf91eed95039c7a28baf8ff87cb0d0
SHA1bb2e15ac74130520bc58542913b9336b81d6bc79
SHA256cccbbd4790f205c6b50db8f744a4db6a848ae30d5a861ccb9c0447e4def69642
SHA512997f390f8940a293b18098ecc575ac309ceae8019fa35e21409bedc93414a8197ca9d6180fe496f382068ad8e69f7e9262dabb249b35b5e14f06b463003ae16e
-
Filesize
2.1MB
MD554ff67525dcadb18363d56d04add42b7
SHA12159fc0a4563a444c369e911bbf5e2d8a94f9237
SHA256ca449e4da5ef008f70d38fd392eeb6ced6357790a2a8ec49e42ed89a0561d2f6
SHA5124f095e4545bbf55249140404e184bcc9f24833c48eb8ff9fc6a77791f1d3ad21f803f80a36bb8a8597607b1a03fbc7a93c4b7035c332a0adaddfd87eaf091756
-
Filesize
413KB
MD5d467222c3bd563cb72fa49302f80b079
SHA19335e2a36abb8309d8a2075faf78d66b968b2a91
SHA256fedb08b3ec7034a15e9dee7ed4dec1a854fb78e74285e1ee05c90f9e9e4f8b3e
SHA512484b6c427e28193ddb73dd7062e2bfbd132ddc72ce4811bfe08784669de30e4b92bc27140373f62a4ce651401000a3c505188620c43da410bf6b0799a0791fa7
-
Filesize
109KB
MD5726cd06231883a159ec1ce28dd538699
SHA1404897e6a133d255ad5a9c26ac6414d7134285a2
SHA25612fef2d5995d671ec0e91bdbdc91e2b0d3c90ed3a8b2b13ddaa8ad64727dcd46
SHA5129ea82e7cb6c6a58446bd5033855947c3e2d475d2910f2b941235e0b96aa08eec822d2dd17cc86b2d3fce930f78b799291992408e309a6c63e3011266810ea83e
-
Filesize
1.2MB
MD515a42d3e4579da615a384c717ab2109b
SHA122aeedeb2307b1370cdab70d6a6b6d2c13ad2301
SHA2563c97bb410e49b11af8116feb7240b7101e1967cae7538418c45c3d2e072e8103
SHA5121eb7f126dccc88a2479e3818c36120f5af3caa0d632b9ea803485ee6531d6e2a1fd0805b1c4364983d280df23ea5ca3ad4a5fca558ac436efae36af9b795c444
-
Filesize
1.9MB
MD58b176c80a6ff69b7beb12254dfaac8ee
SHA1a51457eb62364526addd00b610cb1e16c7d3918d
SHA256773070e1373913ea1709dde27c293ceca45fa966a83cba6a0483954b94253f78
SHA5122eca1765e9d9ab3859fbcfa444125a396d420e194295ecd6f293e6b9d989de85e7b9fbeffe33590274c85ecdcb6939e81c2856c863a57f668df5b01ca0d66c0e
-
Filesize
3.0MB
MD527a9ce635fc9442693225c3de5ff87c7
SHA10b3ae30da0d85fea761c10738984dede41990ec8
SHA25678197da4786d151207b1cc66cfcec05ce6f6d900aeda3b48da3dd2b924ee7b89
SHA512d9653cd99bf986c1c1b70e1e2f5c8f1aa3ea8f19a8673345fc6ba141c5ab97a391c734b7bbd08ee882109fb1a10c1ef0f30969fc52d702b98ccc1718fe236686