Analysis
  max time kernel:  129s
  max time network: 79s
  platform:         windows10_x64
  resource:         win10v200430
  submitted:        07-07-2020 12:45
Static task:     static1
Behavioral task: behavioral1
  Sample:   A2VqQ8z8Ip8FrFi.exe
  Resource: win7
Behavioral task: behavioral2
  Sample:   A2VqQ8z8Ip8FrFi.exe
  Resource: win10v200430
General
  Target: A2VqQ8z8Ip8FrFi.exe
  Size:   505KB
  MD5:    05bf406665b0dd8d707bcd22dc7eb848
  SHA1:   4d38d07c41bc41e39af98931575c783b58d3b9e8
  SHA256: 56fbebdb22c7244e81aefb20b4a95c1e7fa95791c3d22ffa92676bf1e668952b
  SHA512: 41d07c6600ad81e3e6a7c7bd1e5ffbb5105015fce9635a7e0bc279a16a3fbdadb81bd685fe220413f11abe30da02999bcfa5c8ded704df7e5c7f9311c2aebc9f
Malware Config
Signatures
  Suspicious use of WriteProcessMemory (8 IoCs)
    Processes (description | pid | process | target process):
      PID 1500 wrote to memory of 2472 | 1500 | A2VqQ8z8Ip8FrFi.exe | RegSvcs.exe   (8 identical events)
  Suspicious use of SetThreadContext (1 IoC)
    Processes (description | pid | process | target process):
      PID 1500 set thread context of 2472 | 1500 | A2VqQ8z8Ip8FrFi.exe | RegSvcs.exe
  Suspicious use of AdjustPrivilegeToken (1 IoC)
    Processes (description | pid | process):
      Token: SeDebugPrivilege | 2472 | RegSvcs.exe
  Suspicious behavior: EnumeratesProcesses (2 IoCs)
    Processes (pid | process):
      2472 | RegSvcs.exe
      2472 | RegSvcs.exe
  Reads user/profile data of local email clients (2 TTPs)
    Email clients store some user data on disk, where infostealers will often target it.
  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  Reads data files stored by FTP clients (2 TTPs)
    Tries to access configuration files associated with programs like FileZilla.
Processes
  1. C:\Users\Admin\AppData\Local\Temp\A2VqQ8z8Ip8FrFi.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\A2VqQ8z8Ip8FrFi.exe"
       - Suspicious use of WriteProcessMemory
       - Suspicious use of SetThreadContext
     2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        Command line: "{path}"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses