Analysis

max time kernel: 142s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 17/04/2024, 04:34

Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Resource: win7-20240221-en

General

Target: SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
Size:   1.3MB
MD5:    a10aff228a835255b89419bebf24bdb2
SHA1:   959e432c06de820e4778461befb789bde41ebba8
SHA256: c673e00e0e5c771f2d146c07d656ba6c3ea2112146e5b382ba7391e513eb8160
SHA512: 5f6bfff9f54d767b377526170f709a37f6fa4bdb066ba837a2603d0aca75f42a0cfdc9c8d4b6f52fdbe0d34573f8e5b13628c6a4f76554d20c36aef41f4f60b4
SSDEEP: 24576:14GHnhIzO6YYXsf9vA5eNizYpnjfONnXfoMBtyfuzRODhXym0Iwzl7DDEb81O:Cshd6YYXYNA5L+njat9ROEJNDEo1
Malware Config
Signatures
ASPack packed file (yara rule aspack_v212_v242) 1 IoCs
resource                                    yara_rule
behavioral1/files/0x0008000000016d29-72.dat  aspack_v212_v242
Executes dropped EXE 1 IoCs
pid   Process
2148  MP3SoundRecorder.exe
Loads dropped DLL 5 IoCs
pid   Process
1324  SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
1324  SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
2148  MP3SoundRecorder.exe
2148  MP3SoundRecorder.exe
2148  MP3SoundRecorder.exe
UPX packed file (yara rule upx) 2 IoCs
resource                                                                     yara_rule
behavioral1/memory/1324-0-0x0000000000040000-0x000000000030C000-memory.dmp   upx
behavioral1/memory/1324-79-0x0000000000040000-0x000000000030C000-memory.dmp  upx
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource                                                                     yara_rule
behavioral1/memory/1324-79-0x0000000000040000-0x000000000030C000-memory.dmp  autoit_exe
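The two yara hits above (upx and autoit_exe, both on memory dumps of PID 1324) are packer and compiler indicators. The following Python is an added example, not part of this report or of any tool it names: it parses a PE section table for the section names UPX writes and scans for the marker AutoIt v3 places in front of its embedded compiled script. It runs on a constructed minimal PE image (build_sample_pe) rather than on the sample; the section names UPX0/UPX1/UPX2 and the marker AU3!EA06 are the only real-world constants, everything else is test scaffolding.

```python
"""Static checks for the two memory-dump signatures above: UPX section
names and the AutoIt compiled-script marker. Added example, not part of
the sandbox report; the PE image built by build_sample_pe() is a
constructed test input, not the analysed sample."""
from __future__ import annotations

import struct

# Section names UPX writes into the PE section table.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
# Marker AutoIt v3 places in front of the compiled script it embeds.
AUTOIT_MAGIC = b"AU3!EA06"
# Size of the PE32 optional header used by the constructed sample.
OPTIONAL_HEADER_SIZE = 0xE0


def pe_section_names(data: bytes) -> list[bytes]:
    """Walk the DOS and COFF headers and return the section names; [] if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, num_sections, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + size_opt
    names = []
    for i in range(num_sections):
        off = table + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes, name is the first 8
        if off + 40 > len(data):
            break  # truncated section table: report what is there
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def is_upx_packed(data: bytes) -> bool:
    return any(name in UPX_SECTION_NAMES for name in pe_section_names(data))


def is_autoit_compiled(data: bytes) -> bool:
    # Plain substring scan: on a packed file this only fires on the unpacked image.
    return AUTOIT_MAGIC in data


def triage(data: bytes) -> dict:
    """Mirror the report's two yara hits, 'upx' and 'autoit_exe'."""
    return {
        "sections": [n.decode("ascii", "replace") for n in pe_section_names(data)],
        "upx": is_upx_packed(data),
        "autoit_exe": is_autoit_compiled(data),
    }


def build_sample_pe(upx: bool, autoit: bool) -> bytes:
    """Constructed minimal PE32 image (headers and section table only) for testing."""
    names = [b"UPX0", b"UPX1", b".rsrc"] if upx else [b".text", b".rdata", b".data", b".rsrc"]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew points at 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, len(names), 0, 0, 0, OPTIONAL_HEADER_SIZE, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (OPTIONAL_HEADER_SIZE - 2)  # PE32 magic, rest zero
    sections = b"".join(
        name.ljust(8, b"\0")
        + struct.pack("<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0, 0, 0, 0, 0, 0, 0x60000020)
        for i, name in enumerate(names)
    )
    image = dos + b"PE\0\0" + coff + opt + sections
    if autoit:
        # Constructed stand-in for the compiled-script resource.
        image += b"\0" * 16 + AUTOIT_MAGIC + b"<compiled script bytes>"
    return image


if __name__ == "__main__":
    print(triage(build_sample_pe(upx=True, autoit=True)))
```

Both report hits are on behavioral1/memory/... dumps, i.e. the image after UPX has unpacked itself in memory. On the packed file on disk the AutoIt marker sits inside compressed data and a plain substring scan will miss it, so scan a memory dump or the output of `upx -d`. A hit from either check says how the binary was built, not what it does; the aspack_v212_v242 hit on the dropped .dat file is the same kind of indicator.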
Drops file in Program Files directory 28 IoCs
All 28 events are by SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe (PID 1324). Each of the 14 files below appears twice, once as "File created" and once as "File opened for modification":
C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe
C:\Program Files (x86)\MP3SoundRecorder\record.dll
C:\Program Files (x86)\MP3SoundRecorder\prmixer.dll
C:\Program Files (x86)\MP3SoundRecorder\lame_enc.dll
C:\Program Files (x86)\MP3SoundRecorder\mp3dec2.dll
C:\Program Files (x86)\MP3SoundRecorder\mp3decdll.dll
C:\Program Files (x86)\MP3SoundRecorder\set.ini
C:\Program Files (x86)\MP3SoundRecorder\readme.txt
C:\Program Files (x86)\MP3SoundRecorder\Help.chm
C:\Program Files (x86)\MP3SoundRecorder\ti.ico
C:\Program Files (x86)\MP3SoundRecorder\ti_play.ico
C:\Program Files (x86)\MP3SoundRecorder\ti_play_p.ico
C:\Program Files (x86)\MP3SoundRecorder\ti_rec.ico
C:\Program Files (x86)\MP3SoundRecorder\ti_rec_p.ico
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2148  MP3SoundRecorder.exe
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process                                              procid_target
PID 1324 wrote to memory of 2148   1324  SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe   28
PID 1324 wrote to memory of 2148   1324  SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe   28
PID 1324 wrote to memory of 2148   1324  SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe   28
PID 1324 wrote to memory of 2148   1324  SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe   28
(PID 2148 is the dropped MP3SoundRecorder.exe launched by PID 1324; see Processes.)
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.PossibleThreat.5771.17792.exe"
   PID: 1324
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe (child of PID 1324)
      Command line: "C:\Program Files (x86)\MP3SoundRecorder\MP3SoundRecorder.exe"
      PID: 2148
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix
Downloads
1.
  Filesize: 248KB
  MD5:    9186d8fc4b4298ca4fc0caa405970a9e
  SHA1:   f6f97cf79d261908a5872c657aba9cefd9c170c6
  SHA256: cff94f945b47337dcf86a255f34c86f7970cd03b194329be0cbd0b980a33ac61
  SHA512: 5db9ac188a464e382c58c877cf4b4d8c4e528c5db93fe8f501cad8352ee74b59fc910d3de011c0d42e1ac6ec53c16a81f1bcf73e106a8117863e557e74a3f43e

2.
  Filesize: 144KB
  MD5:    0900b5101c195e81136d9ae29f2ffab1
  SHA1:   23aa366cd9680a7cb9d852eafd792ecfacc1b2a0
  SHA256: db1773367d1f1577083c92f8af9aaad2697730a8e2114bd979077a2eb83cb3e1
  SHA512: 29f3bcfe931d3e213362ddb9006cf3cee1279797edc296921075301be4c5b54a88941f252f055ea0141d15cba2e75bcd8a349a064b9811340a91cd74043ee944

3.
  Filesize: 562B
  MD5:    3bdff134bb920cb94e0f8c276d15b641
  SHA1:   23fec0ca9ea4b75ed0a01ba8856d365eddd9c375
  SHA256: e4ddef3d1e5063d0e57bd70798c45a118b4fe8675029f14aeee3a7578e9e05bb
  SHA512: ffdb18835ef95258f16d101dae452c67e5c02d49b281684a67a2ac1d108a5c7643ea9e3d849fa428d0a86fbaa3048a949a59f6e3e99513d256c9daed50536ed8

4.
  Filesize: 318B
  MD5:    134c8bed1fc5e4a3e770601ae8f27da5
  SHA1:   6ff5a0f9c9edad8a30ce4892f1b8bf3d313d2160
  SHA256: b736782a412a078e8d46ea43199f2f8725cb40ea470ec314763f9cb2a88c9954
  SHA512: 237941da48a648aa55624001ad3e7f8bf2289de4d6b5fdea78c9c552c7d21cd05d2d6665fa52ac0d761bdbbe3313bf4c8ba07da8e8e8e2de48dc1e1e0670bc81

5.
  Filesize: 293KB
  MD5:    4b4596685b04d3d2fa26d3db2566e3d9
  SHA1:   a585baa7927b7d9ed48e71d16be1cb082380ccf9
  SHA256: 0febad3d37a4181e6fb0c4b22e3c474ed31feca37ed5cdf467c47034a12801d1
  SHA512: 46a1919c33a4c560d148e819d723774d70a59a39d1bdcfbfdd8b21c35e79d539408a3c0eedaa8deb773a35fe460852840997eb46f7ae6e03301866a0cea81c39

6.
  Filesize: 44KB
  MD5:    e37e04a72f9c06a0ddb327c7a85c4433
  SHA1:   68dd5bc160ad3838264e3be75211f0a709790b8e
  SHA256: b77ef65a7e415a6aa4b10244057951d37e6c19750fec58e271360aa0dc5d94c3
  SHA512: de33fec8a9a560b4712c8f17eb34f66f44216e8b05d46f10b4e60636f7fda299cd91d8d893914f741d701497a95e636114e21c4f8533b082a9df49b5aa1c0c20

7.
  Filesize: 184KB
  MD5:    43d7d7490fa34f55abb2d91a886f9f86
  SHA1:   fcb09bc35908631db403a05bb9e4b0b72a0bb003
  SHA256: 38ca4d2075d74f4ac6a5dade53754320cd31a4270e2c6ab0498ff4bcf4f07acc
  SHA512: e48effed54499cfa39ea252064f71bba157e2afb55f7006f6f670d9b1e9a4bd3c8f4d7869658fa5e7b7b043c162df565f64ee07ce3d704647858971b6dc72038