Analysis
-
max time kernel
141s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system -
submitted
07/05/2024, 04:16
Behavioral task
behavioral1
Sample
SecuriteInfo.com.PUA.Agent.1483.15930.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.PUA.Agent.1483.15930.exe
Resource
win10v2004-20240419-en
General
-
Target
SecuriteInfo.com.PUA.Agent.1483.15930.exe
-
Size
2.3MB
-
MD5
59fdd05b8090846c2fb71f445f449dec
-
SHA1
c913e02d60d255e3b3c62fb77834bec4b48bab48
-
SHA256
85840fb457d34c82233a6594b127d4ed0d85c93d4be740c0df7b0c019cf5cbd4
-
SHA512
fa53247ff72828883c55867dcbadac7794de98ecfc1ed87ffa1ab44c4b60ada21975b53ef9d5a2901fa6d4612c675040fcc8fbd3d0eaa48be15647a22af32ebc
-
SSDEEP
49152:W2MEdPw+PjHTlp8ubiPTV+AXTHHXcdm29XtYZPY0KqD224avU:E8bTb7bETVRHYm298Y0KqD224avU
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid   Process
288   VerE53.tmp
-
Loads dropped DLL 1 IoCs
pid    Process
2440   SecuriteInfo.com.PUA.Agent.1483.15930.exe
-
YARA rule match: upx 2 IoCs
resource                                                                     yara_rule
behavioral1/memory/2440-0-0x0000000000400000-0x00000000009A9000-memory.dmp   upx
behavioral1/memory/2440-8-0x0000000000400000-0x00000000009A9000-memory.dmp   upx
-
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. This signature fires when a handle to \??\PhysicalDrive0 is opened with write access; it does not by itself show that sector 0 was overwritten. Confirm an actual change by reading the first 512 bytes back from the analysis VM's disk and comparing them with a clean baseline.
description                    ioc                  Process
File opened for modification   \??\PhysicalDrive0   VerE53.tmp
File opened for modification   \??\PhysicalDrive0   SecuriteInfo.com.PUA.Agent.1483.15930.exe
-
Modifies Internet Explorer settings 1 IoCs
description   ioc                                                                                                      Process
Key created   \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main   SecuriteInfo.com.PUA.Agent.1483.15930.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid    Process
2440   SecuriteInfo.com.PUA.Agent.1483.15930.exe
2440   SecuriteInfo.com.PUA.Agent.1483.15930.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                       pid    Process                                     procid_target
PID 2440 wrote to memory of 288   2440   SecuriteInfo.com.PUA.Agent.1483.15930.exe   28
PID 2440 wrote to memory of 288   2440   SecuriteInfo.com.PUA.Agent.1483.15930.exe   28
PID 2440 wrote to memory of 288   2440   SecuriteInfo.com.PUA.Agent.1483.15930.exe   28
PID 2440 wrote to memory of 288   2440   SecuriteInfo.com.PUA.Agent.1483.15930.exe   28
All four writes target PID 288, the VerE53.tmp child that PID 2440 itself launched; writes by a parent into a process it has just created are routine for process start-up and are not, on their own, evidence of injection.
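The MBR signature above only records the handle open on \??\PhysicalDrive0. The check a practitioner wants next is whether sector 0 actually changed. The following script is an added example and not part of this sandbox report: it parses a 512-byte MBR (boot code, disk signature, partition table, 0x55AA signature) and reports what differs from a baseline copy. The sector it builds is constructed for the demo; on a real case read sector 0 from the analysis VM's disk image (for example `dd if=disk.img bs=512 count=1`) before and after detonation and feed both copies to `compare_mbr`.

```python
"""Triage check for a sandbox 'Writes to the MBR' hit: parse sector 0 and
diff it against a known-good baseline.

Added example, not part of the sandbox report. The MBR built by
build_sample_mbr() is constructed for the demo (placeholder boot code,
one partition entry); real cases use the first 512 bytes of the VM disk.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0..439: boot code; 440..445: disk signature + pad
DISK_SIG_OFF = 440
PART_TABLE_OFF = 446       # four 16-byte partition entries
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510         # 0x55 0xAA
PART_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, first_lba: int = 2048) -> bytes:
    """Construct a 512-byte MBR with the given boot code and one active NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"      # constructed disk signature
    part1 = struct.pack(PART_FMT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", first_lba, 1_000_000)
    table = part1 + b"\x00" * (PART_ENTRY_LEN * 3)              # three empty entries
    return code + disk_sig + table + b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Decode the fields of sector 0 that a bootkit or installer might touch."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            PART_FMT, sector[off:off + PART_ENTRY_LEN])
        if ptype != 0:                                          # skip unused entries
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "valid_signature": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
        "partitions": parts,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return a list of findings; an empty list means sector 0 is unchanged."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["valid_signature"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")
    if b["disk_signature"] != c["disk_signature"]:
        findings.append("disk signature changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xEB\x3C\x90")          # placeholder 'jmp' stub
    after = build_sample_mbr(b"\xE9\x00\x00")          # constructed: boot code replaced
    print("unchanged:", compare_mbr(clean, clean))
    print("tampered :", compare_mbr(clean, after))
```

An empty findings list for a sample that opened PhysicalDrive0 with write access is the common outcome for installers that only read the disk serial; a "boot code changed" finding is what turns the signature into a confirmed bootkit indicator.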
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PUA.Agent.1483.15930.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.PUA.Agent.1483.15930.exe"
   - Loads dropped DLL
   - Writes to the Master Boot Record (MBR)
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   PID: 2440
   2. C:\Users\Admin\AppData\Local\Temp\VerE53.tmp (child of PID 2440)
      Command line: C:\Users\Admin\AppData\Local\Temp\VerE53.tmp 219028293_gsds/2.366.1011/2 startinstall
      - Executes dropped EXE
      - Writes to the Master Boot Record (MBR)
      PID: 288
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize   100KB
MD5        83f56b363eaf6bd2766ebacf70995bcb
SHA1       cecb73bd12537567b14784541546760badc175d6
SHA256     0d3ad00de0f06289d7919e66a4956d281473d20b256a5aed2903c5a6acfde74e
SHA512     5252638dde71d938e7d999ff1b485181e0771baa7e5b55e316eddbd2fdb1c6da14b878c279ebd85d826d604160acd2d354b24bff58bea6a841d6e907c0f82fa9