Analysis
max time kernel: 148s
max time network: 155s
platform: windows7_x64
resource: win7
submitted: 30-06-2020 07:14
Static task: static1
Behavioral task: behavioral1
  Sample: P.O_310006132800154200.scr
  Resource: win7
Behavioral task: behavioral2
  Sample: P.O_310006132800154200.scr
  Resource: win10v200430
General
Target: P.O_310006132800154200.scr
Size: 426KB
MD5: 10edd461dae11be49d9c73cf57081b78
SHA1: beeeee39d7496d6076b4aeb869acf70355b6b404
SHA256: be6a3c4a0636cf4d05cdc8a58a42221d4e6358460d8dd7a679aebeeafe254a06
SHA512: 639ef485afd33fd4bcc947c220ebdd218e1b02bf1ccc20340c5494bf298faa2d7ecb53087ffd671511b800602ed2dfe2d9b84cffd93251b7c5abc9f6a5329968
Malware Config
Signatures

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                        pid   process                     target process
  PID 1496 wrote to memory of 1904   1496  P.O_310006132800154200.scr  P.O_310006132800154200.scr
  (this row is reported 9 times, once per IoC)

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                            pid   process                     target process
  PID 1496 set thread context of 1904    1496  P.O_310006132800154200.scr  P.O_310006132800154200.scr

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                pid   process
  Token: SeDebugPrivilege    1904  P.O_310006132800154200.scr

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1904  P.O_310006132800154200.scr
  1904  P.O_310006132800154200.scr

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, which infostealers often target.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Processes

1. C:\Users\Admin\AppData\Local\Temp\P.O_310006132800154200.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\P.O_310006132800154200.scr" /S
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\P.O_310006132800154200.scr (child of process 1)
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1496-1-0x0000000000000000-0x0000000000000000-disk.dmp
memory/1904-2-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
memory/1904-3-0x0000000000445C4E-mapping.dmp
memory/1904-4-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)
memory/1904-5-0x0000000000400000-0x000000000044A000-memory.dmp (Filesize: 296KB)