Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2024, 09:24
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win64.CrypterX-gen.14448.exe
Resource: win7-20240221-en
General
Target: SecuriteInfo.com.Win64.CrypterX-gen.14448.exe
Size: 673KB
MD5: e31217888b467821745770b0f9565f66
SHA1: a6b7f7f96f02c2e78f6d35570948f29ee89665d9
SHA256: 664cf9b9a6c02eb803043cae1e2097d9fd1fa5c7fed6def439a969d6d5ea260b
SHA512: 89e9ed74673f5894e4fc39d64cb0f74c2c8ac0e0a35d2c8ff11d95497bdbf3f799c87c3f2e86c03ece91e42002e67bd6de85023ca7a9264e2ae2fdc397e49557
SSDEEP: 12288:kFjT8uf3TofH0ZYV4WYgeWYg955/155/9cR/DafecSUu9+sAS81mRhNmFbIesLIn:kaA3TofHEYVjg2fpHCIjCPfOtMdi
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid   Process
2996  tmp.vbs

Loads dropped DLL (1 IoC)
pid   Process
2728  cmd.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (12 IoCs)
description                       pid   Process                                        procid_target
PID 2876 wrote to memory of 2728  2876  SecuriteInfo.com.Win64.CrypterX-gen.14448.exe  28
PID 2876 wrote to memory of 2728  2876  SecuriteInfo.com.Win64.CrypterX-gen.14448.exe  28
PID 2876 wrote to memory of 2728  2876  SecuriteInfo.com.Win64.CrypterX-gen.14448.exe  28
PID 2728 wrote to memory of 2996  2728  cmd.exe                                        30
PID 2728 wrote to memory of 2996  2728  cmd.exe                                        30
PID 2728 wrote to memory of 2996  2728  cmd.exe                                        30
PID 2996 wrote to memory of 2816  2996  tmp.vbs                                        31
PID 2996 wrote to memory of 2816  2996  tmp.vbs                                        31
PID 2996 wrote to memory of 2816  2996  tmp.vbs                                        31
PID 2816 wrote to memory of 2248  2816  WScript.exe                                    32
PID 2816 wrote to memory of 2248  2816  WScript.exe                                    32
PID 2816 wrote to memory of 2248  2816  WScript.exe                                    32
Processes (indentation shows parent/child depth)

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.CrypterX-gen.14448.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.CrypterX-gen.14448.exe"
   PID: 2876
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\tmp.vbs
      PID: 2728
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\tmp.vbs
         Command line: C:\Users\Admin\AppData\Local\Temp\tmp.vbs
         PID: 2996
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\System32\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs"
            PID: 2816
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\System32\cmd.exe
               Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat" "
               PID: 2248
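The process list and the WriteProcessMemory IoCs above describe one lineage: an .exe run from the user's Temp directory, cmd.exe using `start` to launch a dropped .vbs, WScript.exe running a second script from a RarSFX0 extraction directory, and a final cmd.exe running ping.bat. The script below is an added example (not part of the sandbox report) showing how to reconstruct that lineage from process-creation telemetry and flag it. The events are constructed to mirror the PIDs and command lines in this report, with a parent PID of 1234 and two benign explorer/notepad processes assumed as noise; the scoring rules are illustrative heuristics, not the sandbox's own signatures.

```python
"""Rebuild a process tree from process-creation events and flag the
Temp-exe -> cmd 'start' .vbs -> WScript.exe -> .bat chain from this report."""
import re
from collections import defaultdict

# Constructed events modelled on the process list above (not sandbox output).
# Tuple layout: (pid, ppid, image path, command line). PPID 1234 is assumed.
EVENTS = [
    (2876, 1234, r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.CrypterX-gen.14448.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.CrypterX-gen.14448.exe"'),
    (2728, 2876, r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\tmp.vbs"),
    (2996, 2728, r"C:\Users\Admin\AppData\Local\Temp\tmp.vbs",
     r"C:\Users\Admin\AppData\Local\Temp\tmp.vbs"),
    (2816, 2996, r"C:\Windows\System32\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.vbs"'),
    (2248, 2816, r"C:\Windows\System32\cmd.exe",
     r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\ping.bat" "'),
    # Constructed benign noise so the detector has something to ignore.
    (3001, 1234, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    (3002, 3001, r"C:\Windows\System32\notepad.exe", r"notepad.exe"),
]

USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)
SFX_DIR = re.compile(r"\\RarSFX\d+\\", re.I)   # WinRAR self-extractor temp dir


def build_tree(events):
    """Index events by pid and collect child pids per parent."""
    by_pid, children = {}, defaultdict(list)
    for pid, ppid, image, cmdline in events:
        by_pid[pid] = (ppid, image, cmdline)
        children[ppid].append(pid)
    return by_pid, children


def ancestry(by_pid, pid):
    """Walk parent pointers from pid to the root we know about: [root, ..., pid]."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid][0]
    return list(reversed(chain))


def score(by_pid, pid):
    """Return the list of heuristic reasons this single process looks suspicious."""
    _, image, cmdline = by_pid[pid]
    low = image.lower()
    reasons = []
    if USER_TEMP.search(image) and low.endswith(".exe"):
        reasons.append("exe launched from user Temp")
    if low.endswith("cmd.exe") and re.search(r"\bstart\b", cmdline, re.I) and SCRIPT_EXT.search(cmdline):
        reasons.append("cmd.exe 'start' of a script file")
    if low.endswith("wscript.exe") and SCRIPT_EXT.search(cmdline):
        reasons.append("WScript.exe running a script")
    if SFX_DIR.search(cmdline):
        reasons.append("payload in a RarSFX extraction dir")
    return reasons


def find_dropper_chains(events, min_hits=3):
    """Evaluate each leaf's full ancestry; report chains with >= min_hits flagged nodes."""
    by_pid, children = build_tree(events)
    results = []
    for pid in by_pid:
        if children.get(pid):
            continue  # leaves carry the whole lineage, so only they are scored
        chain = ancestry(by_pid, pid)
        hits = {p: score(by_pid, p) for p in chain}
        if sum(1 for p in chain if hits[p]) >= min_hits:
            results.append((chain, hits))
    return results


if __name__ == "__main__":
    for chain, hits in find_dropper_chains(EVENTS):
        print("suspicious chain:", " -> ".join(map(str, chain)))
        for p in chain:
            for reason in hits[p]:
                print(f"  pid {p}: {reason}")
```

Scoring leaves rather than every node avoids reporting the same lineage five times; the threshold of three independently flagged ancestors is what keeps a lone `cmd /c start` or a single Temp .exe from firing on its own.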
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 125B
MD5: d570d0e8e5cba465ed8dbf39b49e96b9
SHA1: 9fee7d75e32a88326d51b79d282d55ee74df63ed
SHA256: 2374afd5f860e8eff24bb072284054d45d8625eb2a8837ecd83869925760ea50
SHA512: d3d99e2290992b9073751a53f11187b86833778e2920136dc0fe644d4b0891f3df484cf165cf87dbe1f898c57760500596e1133f8ed3a8d629a7a8355e27650b

Filesize: 121B
MD5: 69d21d90d16b7a1a89699696ea892799
SHA1: 2f6a6701310c85e52920ad3d972e5fb85ce64b9a
SHA256: 278af8bb4a00d8a8cddd66ec207f65665389d13e4fe32b442fb70a2d8c65318a
SHA512: 315a460f2d05abaea058c291f52592d802dafcc13ffbeca49d210908a5f6c00bba1d0b8451e59c249005811bfc38a6983a6a13c9161f3705ba63d6608e3ce510

Filesize: 451KB
MD5: daacfa20816a3ce2fcca32cb00c4ab84
SHA1: 8cfb979be6e33f4351c390bfab9ddabfc39af9cd
SHA256: f7454663e81530097350372f1fcf2e189f434917b886247c7ea86459bb729eef
SHA512: 3569eedfe0b953a975fc0190882fefe003397faaf2e166edecb5fcf6252e4df8665042cfe5898a59f9ac03d71adc7a8d1a256a1e0aad3b0cf9ddd7828b971bd7