Analysis
- max time kernel: 61s
- max time network: 61s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 18:25

Static task: static1
Behavioral task: behavioral1
Sample: document01.image.scan--11.jpg.exe
Resource: win7 (windows7_x64)
0 signatures
0 seconds
General
- Target: document01.image.scan--11.jpg.exe
- Size: 624KB
- MD5: 0189f099f1d4340903c64c40fcf3d3a2
- SHA1: 57ef299e94c76a87cc083097bf88af2061e1d04b
- SHA256: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a
- SHA512: 860689bedcb99e33729b70fb28a67d677db72ef81cc48bfa8c8113f522e74971c998ba25122a26e5004dabd0e4eb8f9ba4694808159652475e7b09e6407093e9
Malware Config
Signatures
- Suspicious use of AdjustPrivilegeToken (32 IoCs)

  description                           pid  Process
  Token: SeImpersonatePrivilege         304  RegSvcs.exe
  Token: SeTcbPrivilege                 304  RegSvcs.exe
  Token: SeChangeNotifyPrivilege        304  RegSvcs.exe
  Token: SeCreateTokenPrivilege         304  RegSvcs.exe
  Token: SeBackupPrivilege              304  RegSvcs.exe
  Token: SeRestorePrivilege             304  RegSvcs.exe
  Token: SeIncreaseQuotaPrivilege       304  RegSvcs.exe
  Token: SeAssignPrimaryTokenPrivilege  304  RegSvcs.exe
  Token: SeImpersonatePrivilege         304  RegSvcs.exe
  Token: SeTcbPrivilege                 304  RegSvcs.exe
  Token: SeChangeNotifyPrivilege        304  RegSvcs.exe
  Token: SeCreateTokenPrivilege         304  RegSvcs.exe
  Token: SeBackupPrivilege              304  RegSvcs.exe
  Token: SeRestorePrivilege             304  RegSvcs.exe
  Token: SeIncreaseQuotaPrivilege       304  RegSvcs.exe
  Token: SeAssignPrimaryTokenPrivilege  304  RegSvcs.exe
  Token: SeImpersonatePrivilege         304  RegSvcs.exe
  Token: SeTcbPrivilege                 304  RegSvcs.exe
  Token: SeChangeNotifyPrivilege        304  RegSvcs.exe
  Token: SeCreateTokenPrivilege         304  RegSvcs.exe
  Token: SeBackupPrivilege              304  RegSvcs.exe
  Token: SeRestorePrivilege             304  RegSvcs.exe
  Token: SeIncreaseQuotaPrivilege       304  RegSvcs.exe
  Token: SeAssignPrimaryTokenPrivilege  304  RegSvcs.exe
  Token: SeImpersonatePrivilege         304  RegSvcs.exe
  Token: SeTcbPrivilege                 304  RegSvcs.exe
  Token: SeChangeNotifyPrivilege        304  RegSvcs.exe
  Token: SeCreateTokenPrivilege         304  RegSvcs.exe
  Token: SeBackupPrivilege              304  RegSvcs.exe
  Token: SeRestorePrivilege             304  RegSvcs.exe
  Token: SeIncreaseQuotaPrivilege       304  RegSvcs.exe
  Token: SeAssignPrimaryTokenPrivilege  304  RegSvcs.exe
- Checks for installed software on the system (1 TTPs, 10 IoCs)

  description        ioc  Process
  Key enumerated     \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName  RegSvcs.exe
  Key opened         \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName  RegSvcs.exe
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName  RegSvcs.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

  pid   Process
  1452  schtasks.exe
- Suspicious use of WriteProcessMemory (20 IoCs)

  description                       pid   Process                            procid_target
  PID 1196 wrote to memory of 1452  1196  document01.image.scan--11.jpg.exe  24
  PID 1196 wrote to memory of 1452  1196  document01.image.scan--11.jpg.exe  24
  PID 1196 wrote to memory of 1452  1196  document01.image.scan--11.jpg.exe  24
  PID 1196 wrote to memory of 1452  1196  document01.image.scan--11.jpg.exe  24
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 1196 wrote to memory of 304   1196  document01.image.scan--11.jpg.exe  26
  PID 304 wrote to memory of 1360   304   RegSvcs.exe                        28
  PID 304 wrote to memory of 1360   304   RegSvcs.exe                        28
  PID 304 wrote to memory of 1360   304   RegSvcs.exe                        28
  PID 304 wrote to memory of 1360   304   RegSvcs.exe                        28
- Suspicious use of SetThreadContext (1 IoCs)

  description                         pid   Process                            procid_target
  PID 1196 set thread context of 304  1196  document01.image.scan--11.jpg.exe  26
Processes
- C:\Users\Admin\AppData\Local\Temp\document01.image.scan--11.jpg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\document01.image.scan--11.jpg.exe"
  PID: 1196
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIfLoEDyviu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8B5D.tmp"
    PID: 1452
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 304
    - Suspicious use of AdjustPrivilegeToken
    - Checks for installed software on the system
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\108420.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "
      PID: 1360