Analysis

Max time kernel: 132s
Max time network: 67s
Platform: windows7_x64
Resource: win7 (this report is the win7 run)
Submitted: 02-07-2020 13:27

Static task: static1
Behavioral task: behavioral1
  Sample: TW200064 PO#13979 TW200301 TW200315 TW200170.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: TW200064 PO#13979 TW200301 TW200315 TW200170.exe
  Resource: win10
General

Target: TW200064 PO#13979 TW200301 TW200315 TW200170.exe
Size: 535KB
MD5: 3c2858806e45c62ae13e74b264ad352a
SHA1: 2e226b15ba97c79bee76ecc1ee831a32be9d75c8
SHA256: c6dc66a444215d6221e09e8fd68ae3a28eacf55f8de8462fb975c235304d7c4b
SHA512: f6d7f32d622ace9bb243b1dec7b8fef6fa31a40e40d0f9b4c2271c0c02c2ab83d16bc69d0971e9937ed32667bfe0bb1981e3f0764102ca5361a4e879f9d04523
Malware Config
Signatures

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  1780  TW200064 PO#13979 TW200301 TW200315 TW200170.exe
  SetWindowsHookEx installs Windows message hooks; keyboard hooks installed this way are a common keylogging technique.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

Suspicious use of WriteProcessMemory (13 IoCs)
  description         pid   process                                            target pid  target process
  wrote to memory of  1324  TW200064 PO#13979 TW200301 TW200315 TW200170.exe  1252        schtasks.exe                                        (4 events)
  wrote to memory of  1324  TW200064 PO#13979 TW200301 TW200315 TW200170.exe  1780        TW200064 PO#13979 TW200301 TW200315 TW200170.exe   (9 events)

Suspicious use of SetThreadContext (1 IoC)
  description            pid   process                                            target pid  target process
  set thread context of  1324  TW200064 PO#13979 TW200301 TW200315 TW200170.exe  1780        TW200064 PO#13979 TW200301 TW200315 TW200170.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1324  TW200064 PO#13979 TW200301 TW200315 TW200170.exe
  Token: SeDebugPrivilege  1780  TW200064 PO#13979 TW200301 TW200315 TW200170.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  1324  TW200064 PO#13979 TW200301 TW200315 TW200170.exe
  1780  TW200064 PO#13979 TW200301 TW200315 TW200170.exe  (2 events)

Read together, the WriteProcessMemory and SetThreadContext rows describe one sequence: the first instance of the sample (PID 1324) writes nine times into a second instance of the same executable (PID 1780) and then replaces that instance's thread context, which is the process-hollowing pattern. The four writes into schtasks.exe (PID 1252) have no matching SetThreadContext, and the report records that process doing nothing beyond creating the scheduled task. The SetWindowsHookEx call is reported for the hollowed child (PID 1780) only.
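The correlation described above, written out as code: an added example that is not part of the original report or of the sandbox's own tooling. The event lines are constructed to mirror the PIDs, images and counts in the signature tables; their tab-separated layout (action, source pid, source image, target pid, target image) is an assumption of this example, not the sandbox's export format.

```python
"""Correlate sandbox process-interaction events into hollowing candidates.

Added example, not part of the original report or of the sandbox's tooling.
The event lines below are constructed to mirror the PIDs, images and counts
in the signature tables above; the tab-separated line layout
(action, source pid, source image, target pid, target image) is an
assumption of this example, not the sandbox's export format.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE = "TW200064 PO#13979 TW200301 TW200315 TW200170.exe"

# Constructed from the report: four writes into schtasks.exe (PID 1252),
# nine writes and one SetThreadContext into a second copy of the sample (PID 1780).
EVENTS = (
    ["wrote to memory of\t1324\t%s\t1252\tschtasks.exe" % SAMPLE] * 4
    + ["wrote to memory of\t1324\t%s\t1780\t%s" % (SAMPLE, SAMPLE)] * 9
    + ["set thread context of\t1324\t%s\t1780\t%s" % (SAMPLE, SAMPLE)]
)


@dataclass
class Interaction:
    """Everything one source process did to one target process."""
    src_pid: int
    src_image: str
    dst_pid: int
    dst_image: str
    writes: int = 0
    set_context: int = 0

    @property
    def same_image(self) -> bool:
        # Source and target run the same executable: self-hollowing.
        return self.src_image.lower() == self.dst_image.lower()

    @property
    def hollowing_candidate(self) -> bool:
        # Writes alone are a weak signal: a parent also writes into a child it
        # has just created. Writes followed by SetThreadContext on the same
        # target are what the hollowing sequence looks like at this level.
        return self.writes > 0 and self.set_context > 0


def parse_event(line: str) -> tuple[str, int, str, int, str]:
    """Split one constructed event line into its five fields."""
    action, src_pid, src_image, dst_pid, dst_image = line.rstrip("\n").split("\t")
    return action, int(src_pid), src_image, int(dst_pid), dst_image


def summarize(lines) -> dict[tuple[int, int], Interaction]:
    """Fold events into one Interaction per (source pid, target pid) pair."""
    table: dict[tuple[int, int], Interaction] = {}
    for line in lines:
        action, sp, si, dp, di = parse_event(line)
        inter = table.setdefault((sp, dp), Interaction(sp, si, dp, di))
        if action == "wrote to memory of":
            inter.writes += 1
        elif action == "set thread context of":
            inter.set_context += 1
    return table


def hollowing_candidates(lines) -> list[Interaction]:
    """Return the interactions that match the write-then-SetThreadContext pattern."""
    return [i for i in summarize(lines).values() if i.hollowing_candidate]


if __name__ == "__main__":
    for i in summarize(EVENTS).values():
        verdict = "HOLLOWING CANDIDATE" if i.hollowing_candidate else "writes only"
        print(f"{i.src_pid} -> {i.dst_pid} ({i.dst_image}): "
              f"{i.writes} writes, {i.set_context} SetThreadContext, "
              f"same image={i.same_image}: {verdict}")
```

On the constructed events the 1324 -> 1252 pair is reported as writes only and the 1324 -> 1780 pair as the candidate, matching the reading of the tables above. The same fold works on any trace that exposes source pid, target pid and the two API names.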
Processes

1  C:\Users\Admin\AppData\Local\Temp\TW200064 PO#13979 TW200301 TW200315 TW200170.exe  (PID 1324)
   "C:\Users\Admin\AppData\Local\Temp\TW200064 PO#13979 TW200301 TW200315 TW200170.exe"
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses

   2  C:\Windows\SysWOW64\schtasks.exe  (PID 1252)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTZujqgC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B77.tmp"
      - Creates scheduled task(s)

   2  C:\Users\Admin\AppData\Local\Temp\TW200064 PO#13979 TW200301 TW200315 TW200170.exe  (PID 1780)
      "C:\Users\Admin\AppData\Local\Temp\TW200064 PO#13979 TW200301 TW200315 TW200170.exe"
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

PIDs are taken from the signature tables. The schtasks.exe image path is under SysWOW64 although the command line names System32: on this 64-bit platform a 32-bit process has its System32 file accesses redirected to SysWOW64, so the sample runs as a 32-bit process. The task definition is not given on the command line but read from tmp5B77.tmp in the user's Temp directory, which the sandbox captured (see Downloads).
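A triage check for the schtasks.exe invocation above, as an added example that is not part of the original report. The image path and command line are copied from the process tree; the "benign" comparison invocation in the usage is constructed. /Create, /TN, /XML and /Query are real schtasks.exe options; the scoring logic and the names of the helper functions are this example's own.

```python
"""Triage a schtasks.exe invocation for the persistence pattern seen above.

Added example, not part of the original report. The image path and command
line are copied from the process tree above. Flag names (/Create, /TN, /XML,
/Query) are real schtasks.exe options; the scoring logic is this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Copied from the process tree in the report.
SCHTASKS_IMAGE = r"C:\Windows\SysWOW64\schtasks.exe"
SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTZujqgC" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5B77.tmp"'
)

# A double-quoted argument, or a bare run of non-space characters.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# schtasks options that take a value; everything else is treated as a switch.
_VALUE_OPTS = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/st", "/sd"}


def split_cmdline(cmdline: str) -> list[str]:
    """Minimal Windows-style split: honours double quotes, not backslash escapes."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_options(argv: list[str]) -> dict[str, str | bool]:
    """Map lower-cased /options to their value (or True for a bare switch)."""
    opts: dict[str, str | bool] = {}
    i = 1
    while i < len(argv):
        key = argv[i].lower()
        if key in _VALUE_OPTS and i + 1 < len(argv):
            opts[key] = argv[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


@dataclass(frozen=True)
class SchtasksFinding:
    task_name: str | None
    xml_path: str | None
    xml_from_user_temp: bool  # task definition read from a user-writable Temp path
    wow64_redirected: bool    # asked for System32, got SysWOW64: the caller is 32-bit
    suspicious: bool


def analyze_schtasks(image_path: str, cmdline: str) -> SchtasksFinding:
    argv = split_cmdline(cmdline)
    opts = parse_options(argv)
    xml = opts.get("/xml")
    xml_path = xml if isinstance(xml, str) else None
    tn = opts.get("/tn")
    task_name = tn if isinstance(tn, str) else None
    from_temp = xml_path is not None and "\\appdata\\local\\temp\\" in xml_path.lower()
    # WoW64 file-system redirection: a 32-bit process opening
    # C:\Windows\System32\schtasks.exe is given C:\Windows\SysWOW64\schtasks.exe.
    redirected = ("\\syswow64\\" in image_path.lower()
                  and bool(argv) and "\\system32\\" in argv[0].lower())
    # Creating a task whose definition lives in %TEMP% is the pattern in the
    # report; querying a task, or a definition from a system path, is not.
    suspicious = "/create" in opts and from_temp
    return SchtasksFinding(task_name, xml_path, from_temp, redirected, suspicious)


if __name__ == "__main__":
    print(analyze_schtasks(SCHTASKS_IMAGE, SCHTASKS_CMDLINE))
    # Constructed benign comparison: the same task name queried, nothing created.
    print(analyze_schtasks(r"C:\Windows\System32\schtasks.exe",
                           r'"C:\Windows\System32\schtasks.exe" /Query /TN "Updates\WTZujqgC"'))
```

The tokenizer is deliberately small: it is enough for the quoting used in the report, but it does not implement the full CommandLineToArgvW rules, so command lines with escaped quotes need a proper parser before this logic is applied at scale.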
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5B77.tmp
memory/1252-2-0x0000000000000000-mapping.dmp
memory/1324-1-0x0000000000000000-0x0000000000000000-disk.dmp
memory/1780-4-0x0000000000400000-0x0000000000450000-memory.dmp  (Filesize 320KB)
memory/1780-5-0x000000000044B37E-mapping.dmp
memory/1780-6-0x0000000000400000-0x0000000000450000-memory.dmp  (Filesize 320KB)
memory/1780-7-0x0000000000400000-0x0000000000450000-memory.dmp  (Filesize 320KB)

The three memory dumps of PID 1780 cover 0x00400000-0x00450000, a 0x50000-byte (320KB) region at the default 32-bit image base. PID 1780 is the process that received the WriteProcessMemory and SetThreadContext calls, so these dumps, not the 535KB file on disk, are where the injected payload should be looked for; the mapping address 0x0044B37E lies inside that region. tmp5B77.tmp is the XML task definition passed to schtasks.exe with /XML.