Analysis
  max time kernel: 74s
  max time network: 125s
  platform: windows10_x64
  resource: win10
  submitted: 07-07-2020 23:35
Static task: static1
Behavioral task: behavioral1
  Sample: 25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe
  Resource: win10
General
  Target: 25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe
  Size: 1.9MB
  MD5: cd50a4284e86c32cefc000be565f667b
  SHA1: cc289817686d98f8bfab0172a12452cf7ede8dc8
  SHA256: 25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400
  SHA512: cb645274816fb53d11ca0075cbcccb98a32e930ce860a9a9cefa03132adaeb9c7cb7853d36b9418aec2d85dcb2ed428e42493c14e47dc24a7bfaee4a51b8d319
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process                                                                target process
    PID 2728 wrote to memory of 3584   2728  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
    PID 2728 wrote to memory of 3584   2728  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
    PID 2728 wrote to memory of 3584   2728  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
    PID 3584 wrote to memory of 3880   3584  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp  pdfreader2019.exe
    PID 3584 wrote to memory of 3880   3584  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp  pdfreader2019.exe
    PID 3584 wrote to memory of 3880   3584  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp  pdfreader2019.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    3584  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
    3880  pdfreader2019.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    3584  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
    3584  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    3584  25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Processes
- C:\Users\Admin\AppData\Local\Temp\25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe"
  PID: 2728
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-JMIA7.tmp\25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-JMIA7.tmp\25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.tmp" /SL5="$70176,1249985,754688,C:\Users\Admin\AppData\Local\Temp\25c60987a0148c19477196257478f14c584600acd742369cb8859256ff005400.exe"
    PID: 3584
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - C:\Users\Admin\AppData\Local\Temp\pdfreader2019\pdfreader2019.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\pdfreader2019\pdfreader2019.exe" /S /uid=1024
      PID: 3880
      Signatures:
      - Executes dropped EXE