Analysis
-
max time kernel
126s -
max time network
121s -
platform
windows10_x64 -
resource
win10 -
submitted
07-07-2020 12:43
Static task
static1
Behavioral task
behavioral1
Sample
Items.exe
Resource
win7v200430
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
Items.exe
Resource
win10
0 signatures
0 seconds
General
-
Target
Items.exe
-
Size
522KB
-
MD5
1460fb4b266589b7b04d24d4da9a1f92
-
SHA1
ba493e1450da8e67264a9e32adea1512f75282e7
-
SHA256
9c5da09379aac3c9b0c5fe8dbca524809a1109f2e57b218b5f48b9f2e32a4bf0
-
SHA512
a1c99f2f9d8788ff78fd17fd02a539ebbd41ea2bbf01b79c3df0b9011b9036225ce2525fa4166e2acccc2939519142b5c3080ad5415e38b022f8f60e108899e6
Score
7/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2892 wrote to memory of 1404 2892 Items.exe 73 PID 2892 wrote to memory of 1404 2892 Items.exe 73 PID 2892 wrote to memory of 1404 2892 Items.exe 73 PID 2892 wrote to memory of 1672 2892 Items.exe 75 PID 2892 wrote to memory of 1672 2892 Items.exe 75 PID 2892 wrote to memory of 1672 2892 Items.exe 75 PID 2892 wrote to memory of 1672 2892 Items.exe 75 PID 2892 wrote to memory of 1672 2892 Items.exe 75 PID 2892 wrote to memory of 1672 2892 Items.exe 75 PID 2892 wrote to memory of 1672 2892 Items.exe 75 PID 2892 wrote to memory of 1672 2892 Items.exe 75 -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2892 set thread context of 1672 2892 Items.exe 75 -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2892 Items.exe Token: SeDebugPrivilege 1672 Items.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1404 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2892 Items.exe 1672 Items.exe 1672 Items.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1672 Items.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run entry to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Officex = "C:\\Users\\Admin\\AppData\\Roaming\\Officex\\Officex.exe" Items.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Items.exe"C:\Users\Admin\AppData\Local\Temp\Items.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:2892 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KXaYalrxZow" /XML "C:\Users\Admin\AppData\Local\Temp\tmp843.tmp"2⤵
- Creates scheduled task(s)
PID:1404
-
-
C:\Users\Admin\AppData\Local\Temp\Items.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Adds Run entry to start application
PID:1672
-