Overview

overview

10

Static

static

7

SecurityHe...ay.exe

windows7-x64

10

SecurityHe...ay.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 13:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecurityHealthSystray.exe

  • Size

    1.5MB

  • MD5

    b0b618706bd5dc3ee0c7ea5df4141994

  • SHA1

    5c2fd255b837ec3e9e31f26906fc84c4f7915efd

  • SHA256

    d120c80694d06777d054968a966a04f6d83ac40cd45da47945bd118d00bcdf93

  • SHA512

    5d539c7df1c16b190822e0eedf8df217508d8c282011fd9b33673e067c5f122ce929f55942be8d24fd6cb32c2897963687fb44544e5e493fcbb9542380058a10

  • SSDEEP

    12288:10VtAsf/qHLHH70mLicSl6/xtdd7jJ04GrbhXC2ip7sf5PVle8isq:cfkZXbb+rbVC207suP

Score
10/10
credential_accessdiscoverypersistenceprivilege_escalationspywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • .NET Reactor proctector 1 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe
    "C:\Users\Admin\AppData\Local\Temp\SecurityHealthSystray.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4028
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3300
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "SecurityHealthSystray.exe" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2908
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4316
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\xdwdMicrosoft Excel Host.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2124
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3852
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "SecurityHealthSystray" /tr "C:\Users\Admin\Documents\xdwdCitrix Receiver.exe" /RL HIGHEST
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:4408
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Winlogon Helper DLL

1
T1547.004

Event Triggered Execution

1
T1546

AppInit DLLs

1
T1546.010

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

2
T1555

Credentials from Web Browsers

1
T1555.003

Windows Credential Manager

1
T1555.004

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Query Registry

1
T1012

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\xdwd.dll
    Filesize

    136KB

    MD5

    16e5a492c9c6ae34c59683be9c51fa31

    SHA1

    97031b41f5c56f371c28ae0d62a2df7d585adaba

    SHA256

    35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

    SHA512

    20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

    Download Submit

  • memory/4028-21-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-109-0x000000001C800000-0x000000001C876000-memory.dmp

    Filesize

    472KB

    Download

  • memory/4028-3-0x00007FFD8D673000-0x00007FFD8D675000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4028-4-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-20-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-0-0x00007FFD8D673000-0x00007FFD8D675000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4028-1-0x00000000007E0000-0x0000000000960000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4028-2-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-110-0x0000000001200000-0x000000000120C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4028-111-0x000000001B520000-0x000000001B53E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4028-112-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-143-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4028-355-0x000000001DA00000-0x000000001DB46000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4028-1018-0x00007FFD8D670000-0x00007FFD8E131000-memory.dmp

    Filesize

    10.8MB

    Download