Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 09:21

Static task: static1
Behavioral task: behavioral1
- Sample: Zahlungsbestätigung.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: Zahlungsbestätigung.exe
- Size: 583KB
- MD5: 3c330f32f0b8812e072568e98adf1f1c
- SHA1: cd1a65820235eeb9e6655e8290326f422270115c
- SHA256: be4e6e428abbddc9ae13c274c65f86d9633a274ee45aaff9c32311b1a0e2b471
- SHA512: db394c95c979fa5637e142210cb7119f9f72af11f6daf9dacae6862452ebf479f9622baed66067345e6f3519890820b70cafcd51f2487ce6d9b831b7823a0447
Malware Config

Signatures
- Uses the VBS compiler for execution (1 TTPs)

- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
  description         pid   process                  target pid  target process  occurrences
  wrote to memory of  1456  Zahlungsbestätigung.exe  296         RegAsm.exe      8
  wrote to memory of  296   RegAsm.exe               1236        vbc.exe         10
  wrote to memory of  296   RegAsm.exe               1768        vbc.exe         10

- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid   process
  1456  Zahlungsbestätigung.exe

- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid   process
  296   RegAsm.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  3     whatismyipaddress.com
  5     whatismyipaddress.com

- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description            pid   process                  target pid  target process
  set thread context of  1456  Zahlungsbestätigung.exe  296         RegAsm.exe
  set thread context of  296   RegAsm.exe               1236        vbc.exe
  set thread context of  296   RegAsm.exe               1768        vbc.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  296   RegAsm.exe

- Suspicious behavior: EnumeratesProcesses (1405 IoCs)
  Processes:
  pid   process     occurrences
  296   RegAsm.exe  1405 (all entries refer to this single process)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\Zahlungsbestätigung.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Zahlungsbestätigung.exe"
  PID: 1456
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext

  - [2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 296
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses

    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
      PID: 1236

    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
      PID: 1768