Analysis
- max time kernel: 90s
- max time network: 138s
- platform: windows10_x64
- resource: win10
- submitted: 07-07-2020 09:06
Static task: static1
Behavioral task: behavioral1
  Sample: C.V.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: C.V.exe
  Resource: win10
General
- Target: C.V.exe
- Size: 578KB
- MD5: c324006385f566a74f7ecb6bf039f7fd
- SHA1: db72f12c53a1f8cd0204d6e771ab53cfb16d1db3
- SHA256: 2e597b08f1709f0af69632ea333d7ce0938909d9e7e60a601092ca4262d4ee70
- SHA512: 50858713cd720aa09e4370aebee23aa7aefa0cf40c75a4ff6ba783e3cf87d66e93c294610f161832b7d599cea82b1e89e2806d818b12b3feb7c73d77e32b2926
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: [email protected]
- Password: elchapo
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: C.V.exe, C.V.exe
  description                          pid   process  target process
  PID 3372 wrote to memory of 3936     3372  C.V.exe  schtasks.exe
  PID 3372 wrote to memory of 3936     3372  C.V.exe  schtasks.exe
  PID 3372 wrote to memory of 3936     3372  C.V.exe  schtasks.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3372 wrote to memory of 3644     3372  C.V.exe  C.V.exe
  PID 3644 wrote to memory of 2200     3644  C.V.exe  netsh.exe
  PID 3644 wrote to memory of 2200     3644  C.V.exe  netsh.exe
  PID 3644 wrote to memory of 2200     3644  C.V.exe  netsh.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: C.V.exe
  description                          pid   process  target process
  PID 3372 set thread context of 3644  3372  C.V.exe  C.V.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Adds Run entry to start application (2 TTPs, 1 IoCs)
  Processes: C.V.exe
  description      ioc                                                                                                                                                                   process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe"  C.V.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: C.V.exe
  description              pid   process
  Token: SeDebugPrivilege  3644  C.V.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: C.V.exe
  pid   process
  3644  C.V.exe
  3644  C.V.exe
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Processes
- C:\Users\Admin\AppData\Local\Temp\C.V.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\C.V.exe"
  PID: 3372
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CYfSlv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83B2.tmp"
    PID: 3936
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\C.V.exe
    Command line: "{path}"
    PID: 3644
    - Suspicious use of WriteProcessMemory
    - Adds Run entry to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
      PID: 2200