Overview

overview

10

Static

static

7

SecurityHe...ay.exe

windows7-x64

10

SecurityHe...ay.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    29-11-2024 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecurityHealthSystray.exe

  • Size

    1.5MB

  • MD5

    b0b618706bd5dc3ee0c7ea5df4141994

  • SHA1

    5c2fd255b837ec3e9e31f26906fc84c4f7915efd

  • SHA256

    d120c80694d06777d054968a966a04f6d83ac40cd45da47945bd118d00bcdf93

  • SHA512

    5d539c7df1c16b190822e0eedf8df217508d8c282011fd9b33673e067c5f122ce929f55942be8d24fd6cb32c2897963687fb44544e5e493fcbb9542380058a10

  • SSDEEP

    12288:10VtAsf/qHLHH70mLicSl6/xtdd7jJ04GrbhXC2ip7sf5PVle8isq:cfkZXbb+rbVC207suP

Score
10/10
credential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
    "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2924
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2724
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2132
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:672
    • C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        • Suspicious behavior: EnumeratesProcesses
        PID:2988
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\xdwd.dll
    Filesize

    136KB

    MD5

    16e5a492c9c6ae34c59683be9c51fa31

    SHA1

    97031b41f5c56f371c28ae0d62a2df7d585adaba

    SHA256

    35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

    SHA512

    20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

    Download Submit

  • memory/672-60-0x000007FEF7AE0000-0x000007FEF7B02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/672-61-0x0000000077C20000-0x0000000077DC9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/672-46-0x0000000077C20000-0x0000000077DC9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/672-44-0x0000000077C71000-0x0000000077C72000-memory.dmp

    Filesize

    4KB

    Download

  • memory/672-45-0x0000000077C20000-0x0000000077DC9000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1652-64-0x000007FEF7AE0000-0x000007FEF7B02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1680-63-0x000007FEF7AE0000-0x000007FEF7B02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2060-3-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2060-4-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-23-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-2-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-1-0x0000000000FE0000-0x0000000001160000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/2060-17-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-0-0x000007FEF6253000-0x000007FEF6254000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2060-65-0x0000000000440000-0x000000000044C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2060-66-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-67-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2060-70-0x000007FEF6250000-0x000007FEF6C3C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2988-62-0x000007FEF7AE0000-0x000007FEF7B02000-memory.dmp

    Filesize

    136KB

    Download