Analysis
max time kernel: 149s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01/05/2024, 16:24
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Win64.PWSX-gen.17352.exe
Resource: win7-20240221-en
General
Target: SecuriteInfo.com.Win64.PWSX-gen.17352.exe
Size: 739KB
MD5: 120f43da8f3b2b7f24d2b509d197a885
SHA1: bb27a97f1c6e012b470e5035821bdad604037267
SHA256: ebe535e02ec19a129be4434bfa18f1fceed895db2befd06ec711594f44481990
SHA512: 66bc3a9c4b4e115bbd9df2f6b0c8eef539e0cb2bc36042785dacbb24b0dccd6b66c00e647a71e8c8a9e5c2913b17f1527b689afb77a305d48164745f74457f7b
SSDEEP: 12288:c5lgDBfevt7xVz/0yM5XxNfLG4KDGEoZ/ifs76cFaaxS3/KTX9xnOEp:eKDBfevlfz/0yMrNfa4WLVcw2S3sTTp
Malware Config
Signatures

UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SecuriteInfo.com.Win64.PWSX-gen.17352.exe

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dllhost.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\E4ZHQJ40SHS = "C:\\Program Files (x86)\\Windows Mail\\wab.exe" | dllhost.exe

Uses the VBS compiler for execution (1 TTPs)

Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | SecuriteInfo.com.Win64.PWSX-gen.17352.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SecuriteInfo.com.Win64.PWSX-gen.17352.exe

Suspicious use of SetThreadContext (4 IoCs)
  description | pid | Process | procid_target
  PID 756 set thread context of 2456 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 37
  PID 2456 set thread context of 1196 | 2456 | wab.exe | 21
  PID 2456 set thread context of 1620 | 2456 | wab.exe | 41
  PID 1620 set thread context of 1196 | 1620 | dllhost.exe | 21

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (31 IoCs; distinct entries)
  pid | Process
  2072 | powershell.exe
  2456 | wab.exe
  1620 | dllhost.exe

Suspicious behavior: MapViewOfSection (5 IoCs; distinct entries)
  pid | Process
  2456 | wab.exe
  1196 | Explorer.EXE
  1620 | dllhost.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2072 | powershell.exe

Suspicious use of WriteProcessMemory (49 IoCs; distinct entries)
  description | pid | Process | procid_target
  PID 756 wrote to memory of 2072 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 29
  PID 756 wrote to memory of 2648 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 31
  PID 756 wrote to memory of 2568 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 32
  PID 756 wrote to memory of 2872 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 33
  PID 756 wrote to memory of 3056 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 34
  PID 756 wrote to memory of 2616 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 35
  PID 756 wrote to memory of 2492 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 36
  PID 756 wrote to memory of 2456 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 37
  PID 756 wrote to memory of 3060 | 756 | SecuriteInfo.com.Win64.PWSX-gen.17352.exe | 38
  PID 1196 wrote to memory of 1620 | 1196 | Explorer.EXE | 41

System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | SecuriteInfo.com.Win64.PWSX-gen.17352.exe
Processes

C:\Windows\Explorer.EXE (PID 1196)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17352.exe (PID 756)
    command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17352.exe"
    - UAC bypass
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2072)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.PWSX-gen.17352.exe" -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 2648)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

    C:\Windows\System32\notepad.exe (PID 2568)
      command line: "C:\Windows\System32\notepad.exe"

    C:\Windows\System32\calc.exe (PID 2872)
      command line: "C:\Windows\System32\calc.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe (PID 3056)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"

    C:\Windows\System32\svchost.exe (PID 2616)
      command line: "C:\Windows\System32\svchost.exe"

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 2492)
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

    C:\Program Files (x86)\Windows Mail\wab.exe (PID 2456)
      command line: "C:\Program Files (x86)\Windows Mail\wab.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

    C:\Program Files (x86)\Windows Mail\wab.exe (PID 3060)
      command line: "C:\Program Files (x86)\Windows Mail\wab.exe"

  C:\Windows\SysWOW64\dllhost.exe (PID 1620)
    command line: "C:\Windows\SysWOW64\dllhost.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)