Analysis Overview
SHA256
f069c599fb95c28f7f92c4ecd5a7472efa44471f8d38ec6628b116d8518e5d3f
Threat Level: Shows suspicious behavior
The file SecuriteInfo.com.FileRepMalware.1652.24439.exe was found to be: Shows suspicious behavior.
Malicious Activity Summary
UPX packed file
Loads dropped DLL
Writes to the Master Boot Record (MBR)
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 20:44
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 20:44
Reported
2024-06-14 20:46
Platform
win7-20240611-en
Max time kernel
141s
Max time network
123s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT dlSecuriteInfo.cps5.com
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT dlwebSecuriteInfo.cps5.com
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.cps5.com | udp |
| CN | 106.55.172.132:9000 | api.cps5.com | tcp |
| CN | 203.107.1.33:80 | tcp | |
| US | 8.8.8.8:53 | up.cps5.com | udp |
| FR | 128.1.77.226:80 | up.cps5.com | tcp |
| US | 8.8.8.8:53 | up.cps5.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dlSecuriteInfo.cps5.com | udp |
| US | 8.8.8.8:53 | dlSecuriteInfo.cps5.com | udp |
| FR | 128.1.77.226:80 | up.cps5.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dlwebSecuriteInfo.cps5.com | udp |
| US | 8.8.8.8:53 | dlwebSecuriteInfo.cps5.com | udp |
| CN | 106.55.172.132:9000 | api.cps5.com | tcp |
| CN | 203.107.1.34:80 | tcp | |
| CN | 203.107.1.65:80 | tcp | |
| CN | 1.116.117.217:9000 | tcp |
Files
\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll
| MD5 | 50c266e46ccf9bc8956279f78d51f205 |
| SHA1 | 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839 |
| SHA256 | c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00 |
| SHA512 | 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37 |
memory/1440-0-0x0000000000400000-0x000000000104B000-memory.dmp
memory/1440-5-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-7-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-9-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-8-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-10-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-11-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-15-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-13-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-39-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-21-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-52-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-49-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-47-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-45-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-43-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-41-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-37-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-35-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-34-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-31-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-30-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-27-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-26-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-23-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-19-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-17-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-54-0x0000000075C20000-0x0000000075D20000-memory.dmp
memory/1440-53-0x0000000075C8F000-0x0000000075C90000-memory.dmp
memory/1440-59-0x0000000000400000-0x000000000104B000-memory.dmp
memory/1440-61-0x0000000010000000-0x000000001003E000-memory.dmp
memory/1440-62-0x0000000075C8F000-0x0000000075C90000-memory.dmp
memory/1440-63-0x0000000075C20000-0x0000000075D20000-memory.dmp
memory/1440-65-0x0000000000400000-0x000000000104B000-memory.dmp
memory/1440-68-0x0000000000400000-0x000000000104B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 20:44
Reported
2024-06-14 20:46
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
159s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2548 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | C:\Windows\SysWOW64\nslookup.exe |
| PID 2548 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | C:\Windows\SysWOW64\nslookup.exe |
| PID 2548 wrote to memory of 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | C:\Windows\SysWOW64\nslookup.exe |
| PID 2548 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | C:\Windows\SysWOW64\nslookup.exe |
| PID 2548 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | C:\Windows\SysWOW64\nslookup.exe |
| PID 2548 wrote to memory of 1212 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe | C:\Windows\SysWOW64\nslookup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1652.24439.exe"
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT dlSecuriteInfo.cps5.com
C:\Windows\SysWOW64\nslookup.exe
nslookup -qt=TXT dlwebSecuriteInfo.cps5.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.cps5.com | udp |
| CN | 106.55.172.132:9000 | api.cps5.com | tcp |
| CN | 203.107.1.33:80 | tcp | |
| US | 8.8.8.8:53 | up.cps5.com | udp |
| FR | 128.1.77.226:80 | up.cps5.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dlSecuriteInfo.cps5.com | udp |
| FR | 128.1.77.226:80 | up.cps5.com | tcp |
| US | 8.8.8.8:53 | dlSecuriteInfo.cps5.com | udp |
| US | 8.8.8.8:53 | 226.77.1.128.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dlwebSecuriteInfo.cps5.com | udp |
| US | 8.8.8.8:53 | dlwebSecuriteInfo.cps5.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 13.107.253.67:443 | tcp | |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| CN | 106.55.172.132:9000 | api.cps5.com | tcp |
| CN | 203.107.1.34:80 | tcp | |
| CN | 203.107.1.65:80 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| CN | 1.116.117.217:9000 | tcp | |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/2548-0-0x0000000000400000-0x000000000104B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.9.dll
| MD5 | 50c266e46ccf9bc8956279f78d51f205 |
| SHA1 | 0ba5b98a91a9a019cd9b87cf01796c65ee6a0839 |
| SHA256 | c58e066a293ff260037487d37e37bf3d890c16383d817c7573dab51c514cbd00 |
| SHA512 | 7350a82820faeba3172fad3d87b04c6a2967b797a321a78a53e7156c37fed4661a66d2f78e2f3ddbcbc0d10a56f5d761f7eb761f05d2841568b34841c17e0d37 |
memory/2548-6-0x0000000000400000-0x000000000104B000-memory.dmp
memory/2548-7-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-30-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-38-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-53-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-50-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-48-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-44-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-42-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-41-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-36-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-34-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-32-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-28-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-26-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-24-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-22-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-20-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-18-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-14-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-12-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-46-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-10-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-16-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-11-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-9-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-54-0x0000000000400000-0x000000000104B000-memory.dmp
memory/2548-56-0x0000000076A73000-0x0000000076A74000-memory.dmp
memory/2548-55-0x0000000000400000-0x000000000104B000-memory.dmp
memory/2548-61-0x0000000000400000-0x000000000104B000-memory.dmp
memory/2548-62-0x0000000010000000-0x000000001003E000-memory.dmp
memory/2548-64-0x0000000076A73000-0x0000000076A74000-memory.dmp
memory/2548-69-0x0000000000400000-0x000000000104B000-memory.dmp