Overview

overview

8

Static

static

3

SecuriteIn...29.exe

windows7-x64

8

SecuriteIn...29.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    147s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    09/04/2024, 21:23

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Tool.Nssm.5.28597.25829.exe

  • Size

    2.3MB

  • MD5

    12bd32c54d014ca722ac95b87bf78331

  • SHA1

    96828fa8bde3d52a84a979e2b056dda403d05841

  • SHA256

    9462b76ac528bdec226b714ce6e8756fff28f33048897ed1e11ec73218e8d1e4

  • SHA512

    03da3edf29165da936a182e10f0725c571ef9fa92db2c0bd51fc87a3e17305f94fa543fa851f90282ee887d7b3eb0a8400c3df95dc7b2eac7c2902222bdd3526

  • SSDEEP

    49152:zgwRwVkqb4dzwJSxAI+hbusA0Oyo9T/DSNNdar0RIzJCD:zgwRucB4SxqbusAvnroYID

Score
8/10
evasion

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
    evasion
  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Tool.Nssm.5.28597.25829.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Tool.Nssm.5.28597.25829.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2220
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Program Files (x86)\GameServerClient\install.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2584
      • C:\Windows\SysWOW64\sc.exe
        Sc delete GameServerClient
        3⤵
        • Launches sc.exe
        PID:2740
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService remove GameServerClient confirm
        3⤵
        • Executes dropped EXE
        PID:2536
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService install GameServerClient "C:\Program Files (x86)\GameServerClient\GameClient.exe"
        3⤵
        • Executes dropped EXE
        PID:2384
      • C:\Program Files (x86)\GameServerClient\GameService.exe
        GameService start GameServerClient
        3⤵
        • Executes dropped EXE
        PID:2496
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
      2⤵
      • Deletes itself
      PID:404
  • C:\Program Files (x86)\GameServerClient\GameService.exe
    "C:\Program Files (x86)\GameServerClient\GameService.exe"
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Program Files (x86)\GameServerClient\GameClient.exe
      "C:\Program Files (x86)\GameServerClient\GameClient.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2304
      • C:\Windows\Temp\387051.exe
        "C:\Windows\Temp\387051.exe" --points 512 --out xxx.txt --keyspace 0000000312bbac7800000000:0000000312bbac7fffffffff 13zb1hQbWVsc2S7ZTZnP2G4undNNpdh5so 15Nq7pULBfe18w5sspqXcnHC8iH3hMFY6r
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1200
      • C:\Windows\Temp\934793.exe
        "C:\Windows\Temp\934793.exe" --coin BTC -m ADDRESSES -t 0 --range 0000000312bbac7800000000:0000000312bbac7fffffffff -o xxx.txt -i curjob.bin
        3⤵
        • Executes dropped EXE
        PID:2448

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\GameServerClient\GameService.exe
          Filesize

          288KB

          MD5

          d9ec6f3a3b2ac7cd5eef07bd86e3efbc

          SHA1

          e1908caab6f938404af85a7df0f80f877a4d9ee6

          SHA256

          472232ca821b5c2ef562ab07f53638bc2cc82eae84cea13fbe674d6022b6481c

          SHA512

          1b6b8702dca3cb90fe64c4e48f2477045900c5e71dd96b84f673478bab1089febfa186bfc55aebd721ca73db1669145280ebb4e1862d3b9dc21f712cd76a07c4

          Download Submit

        • C:\Program Files (x86)\GameServerClient\curjob.bin
          Filesize

          40B

          MD5

          8129d7b39803ef5d2c79e3d26100d31f

          SHA1

          9e365e9c5dec7af4946556fff598f25fdfce8f13

          SHA256

          2b1ab97af33cee729e1c580575c40f035bc484a3d7737ca90d73b8ae7609d435

          SHA512

          45f9e2b50ee103506b1f8b3b0dbaedd02c9122e4c3b26f251d4a66f9a19db78f176071a2a828ae3f1bee4f0c78eddd8a231062b1cc8bb2b38be840dd150a7b66

          Download Submit

        • C:\Program Files (x86)\GameServerClient\install.bat
          Filesize

          232B

          MD5

          c8b4629d16c431d7b59144c7f6cae93a

          SHA1

          34e073bcdb881425aefc45dc88eaebc1b45a2509

          SHA256

          9c72b6edcb779d7d3c766d993e6a8ae457c550069214f5669577314b1e17dd8d

          SHA512

          5386b008ffe983bafe11dcff963b5fc30473ffc3406f7268c54eceeb463592bc95d7164a55292b9bf04ecbfc02d40383b3a7ba0d44889046040cfa97a70d6999

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd
          Filesize

          252B

          MD5

          5e002859fa5cc53edc964641e85fad8a

          SHA1

          b0fed03fa86efbd61c83c8612260542914ff1aba

          SHA256

          2d6051da63131f9ab7fa51290be4e7296d5d1b20b3688ecefad653b74958f4be

          SHA512

          c10838f49834345633f87740284ed6fb6783c40f513a57f44924708238590ec9e7577b9045fd378dd875f63d32debc55959c9ba26a3f4cea86a60997be534e65

          Download Submit

        • C:\Windows\Temp\934793.exe
          Filesize

          13.1MB

          MD5

          bfe6b13011bbba05c28109cf6730f8a1

          SHA1

          28da37544341c3587c11c1f1f294505516434d40

          SHA256

          93fc509fc9fad8d0191ceb7fe43ae7be1ed176862eacf0f905120257b15ecbdd

          SHA512

          d717859dd8b04832588e9ada5f83a8e2953c6214364a189b1b731212a5d4cdd1ac441646339efc9484b38a49d518d70f09624028e0a12921d7f2778fd9982660

          Download Submit

        • C:\Windows\Temp\cudart64_101.dll
          Filesize

          398KB

          MD5

          1d7955354884a9058e89bb8ea34415c9

          SHA1

          62c046984afd51877ecadad1eca209fda74c8cb1

          SHA256

          111f216aef35f45086888c3f0a30bb9ab48e2b333daeddafd3a76be037a22a6e

          SHA512

          7eb8739841c476cda3cf4c8220998bc8c435c04a89c4bbef27b8f3b904762dede224552b4204d35935562aa73f258c4e0ddb69d065f732cb06cc357796cdd1b2

          Download Submit

        • \Program Files (x86)\GameServerClient\GameClient.exe
          Filesize

          15.5MB

          MD5

          f1e2848e561de109a3a4aa8b1034f965

          SHA1

          788c365842a4914902b95510bd78ae96b8b30d83

          SHA256

          f85087d443cfde16cc0704f57a48b32f9c1867421ef5624ab6332bf0d723ef39

          SHA512

          1e16743c073fe5b5a71915a45a5a43d5b4f6d4fc5fb7cfd64a4f176887403049e7227e180cf020d1b545eaaa1c603c55a6ddd73d81d53b33ad1ab271be40119e

          Download Submit

        • \Windows\Temp\387051.exe
          Filesize

          2.0MB

          MD5

          5c9e996ee95437c15b8d312932e72529

          SHA1

          eb174c76a8759f4b85765fa24d751846f4a2d2ef

          SHA256

          0eecdbfabaaef36f497e944a6ceb468d01824f3ae6457b4ae4b3ac8e95eebb55

          SHA512

          935102aad64da7eeb3e4b172488b3a0395298d480f885ecedc5d8325f0a9eabeea8ba1ece512753ac170a03016c80ba4990786ab608b4de0b11e6343fbf2192b

          Download Submit