Analysis
- max time kernel: 150s
- max time network: 141s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 12:25

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 12f463eaf4dcb88c65728d93a2ca6736.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
General
- Target: 12f463eaf4dcb88c65728d93a2ca6736.exe
- Size: 686KB
- MD5: 12f463eaf4dcb88c65728d93a2ca6736
- SHA1: edfdb10111cfabc4b3cc37b869f15d9c35950dae
- SHA256: 517a83a2bab64041edfcba42d9f2e407f50e8beaca0cbde44a250a790cf0c9c0
- SHA512: 57055ef137e29cec68a784276d59139cc70e9f5979752669b8b20903df2cb2aa676237e3fe7a3dcfacc5a13667adc740bd92520a8d22f8b4c26e5eb6ddb55907
Malware Config
Extracted Credentials:
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: omeudo@intarscan.org
- Password: L_7do9qu$$eB
Signatures

- Suspicious use of WriteProcessMemory (26 IoCs)
  Processes (description / pid / process / target process):
  - wrote to memory of 2196: pid 3932, 12f463eaf4dcb88c65728d93a2ca6736.exe -> RegSvcs.exe (8 entries)
  - wrote to memory of 3892: pid 2196, RegSvcs.exe -> vbc.exe (9 entries)
  - wrote to memory of 3828: pid 2196, RegSvcs.exe -> vbc.exe (9 entries)

- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process / target process):
  - set thread context of 2196: pid 3932, 12f463eaf4dcb88c65728d93a2ca6736.exe -> RegSvcs.exe
  - set thread context of 3892: pid 2196, RegSvcs.exe -> vbc.exe
  - set thread context of 3828: pid 2196, RegSvcs.exe -> vbc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege: pid 2196, RegSvcs.exe

- Uses the VBS compiler for execution (1 TTP)

- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
  - flow 6: whatismyipaddress.com
  - flow 8: whatismyipaddress.com
  - flow 9: whatismyipaddress.com

- Suspicious behavior: EnumeratesProcesses (583 IoCs)
  Processes (pid / process):
  - pid 2196, RegSvcs.exe (the same entry is repeated for every IoC)

- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes (description / ioc / process):
  - Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" (RegSvcs.exe)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes (tree; depth shown by indentation)

1. C:\Users\Admin\AppData\Local\Temp\12f463eaf4dcb88c65728d93a2ca6736.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\12f463eaf4dcb88c65728d93a2ca6736.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      Command line: "{path}"
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Adds Run entry to start application

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
         Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
- memory/2196-0-0x0000000000400000-0x0000000000488000-memory.dmp (Filesize: 544KB)
- memory/2196-1-0x0000000000480BEE-mapping.dmp
- memory/3828-5-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/3828-6-0x0000000000442628-mapping.dmp
- memory/3828-7-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/3892-2-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/3892-3-0x0000000000411654-mapping.dmp
- memory/3892-4-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)