Analysis

max time kernel: 138s
max time network: 51s
platform: windows10_x64
resource: win10v200430
submitted: 07-07-2020 18:25

Static task: static1
Behavioral task: behavioral1
  Sample: document01.image.scan--11.jpg.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
General

Target: document01.image.scan--11.jpg.exe
Size:   624KB
MD5:    0189f099f1d4340903c64c40fcf3d3a2
SHA1:   57ef299e94c76a87cc083097bf88af2061e1d04b
SHA256: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a
SHA512: 860689bedcb99e33729b70fb28a67d677db72ef81cc48bfa8c8113f522e74971c998ba25122a26e5004dabd0e4eb8f9ba4694808159652475e7b09e6407093e9
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (40 IoCs)
Each of the following eight privileges was adjusted five times by the same process (8 x 5 = 40 rows):

description                           pid   Process
Token: SeImpersonatePrivilege         3300  RegSvcs.exe
Token: SeTcbPrivilege                 3300  RegSvcs.exe
Token: SeChangeNotifyPrivilege        3300  RegSvcs.exe
Token: SeCreateTokenPrivilege         3300  RegSvcs.exe
Token: SeBackupPrivilege              3300  RegSvcs.exe
Token: SeRestorePrivilege             3300  RegSvcs.exe
Token: SeIncreaseQuotaPrivilege       3300  RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege  3300  RegSvcs.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid   Process
2916  schtasks.exe
Checks for installed software on the system (1 TTP, 7 IoCs)
All seven rows were produced by RegSvcs.exe.

description        ioc
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
Key value queried  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
Key opened         \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Key enumerated     \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history.
Suspicious use of WriteProcessMemory (14 IoCs)
Identical rows are collapsed; the count column gives how many times each row appears.

description                       pid   Process                            procid_target  count
PID 2904 wrote to memory of 2916  2904  document01.image.scan--11.jpg.exe  73             3
PID 2904 wrote to memory of 3300  2904  document01.image.scan--11.jpg.exe  75             8
PID 3300 wrote to memory of 3912  3300  RegSvcs.exe                        76             3

Suspicious use of SetThreadContext (1 IoC)

description                          pid   Process                            procid_target
PID 2904 set thread context of 3300  2904  document01.image.scan--11.jpg.exe  75
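The two signatures above record the same parent (PID 2904) first writing into a freshly spawned RegSvcs.exe (PID 3300) and then replacing one of its thread contexts, the sequence process hollowing relies on. On its own the memory write is weak evidence, because a parent writes process parameters into every child it creates (the three writes into schtasks.exe, PID 2916, are the normal case). What singles out the pair is the SetThreadContext on the same target. The script below is an added example, not part of the sandbox report: it parses the report's flattened IoC rows (constructed here from the rows above, one row per line) and correlates them into the write chain and the hollowing candidate.

```python
"""Correlate WriteProcessMemory / SetThreadContext IoC rows into an injection chain.

Added example, not part of the sandbox report. IOC_LINES is constructed from the
report's own rows, one row per line in the report's wording.
"""
import re
from collections import defaultdict

IOC_LINES = """
PID 2904 wrote to memory of 2916 2904 document01.image.scan--11.jpg.exe 73
PID 2904 wrote to memory of 2916 2904 document01.image.scan--11.jpg.exe 73
PID 2904 wrote to memory of 2916 2904 document01.image.scan--11.jpg.exe 73
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 2904 wrote to memory of 3300 2904 document01.image.scan--11.jpg.exe 75
PID 3300 wrote to memory of 3912 3300 RegSvcs.exe 76
PID 3300 wrote to memory of 3912 3300 RegSvcs.exe 76
PID 3300 wrote to memory of 3912 3300 RegSvcs.exe 76
PID 2904 set thread context of 3300 2904 document01.image.scan--11.jpg.exe 75
""".strip().splitlines()

# Row layout: "PID <src> <op> <dst> <pid> <Process> <procid_target>"; <pid> repeats <src>.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>.+?) (?P<target_idx>\d+)$"
)

WRITE, SET_CTX = "wrote to memory of", "set thread context of"


def parse_rows(lines):
    """Return (src_pid, op, dst_pid, src_image) tuples; reject rows that do not fit."""
    events = []
    for line in lines:
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC row: {line!r}")
        events.append((int(m["src"]), m["op"], int(m["dst"]), m["image"]))
    return events


def write_counts(events):
    """How many memory-write rows exist for each (src, dst) pair."""
    counts = defaultdict(int)
    for src, op, dst, _ in events:
        if op == WRITE:
            counts[(src, dst)] += 1
    return dict(counts)


def find_hollowing_candidates(events):
    """(src, dst) pairs where src both wrote dst's memory and replaced a thread context.

    A parent writes into every child it creates (process parameters), so the write
    alone is noise; the SetThreadContext on the same target is what singles out
    the pair.
    """
    ops, image = defaultdict(set), {}
    for src, op, dst, img in events:
        ops[(src, dst)].add(op)
        image[src] = img
    return [
        {"injector": src, "image": image[src], "target": dst}
        for (src, dst), seen in sorted(ops.items())
        if {WRITE, SET_CTX} <= seen
    ]


def write_chain(events, root):
    """Depth-first walk of 'wrote to memory of' edges starting at root."""
    children = defaultdict(list)
    for src, op, dst, _ in events:
        if op == WRITE and dst not in children[src]:
            children[src].append(dst)
    chain, stack = [], [root]
    while stack:
        pid = stack.pop()
        for child in children.get(pid, []):
            chain.append((pid, child))
            stack.append(child)
    return chain


if __name__ == "__main__":
    evs = parse_rows(IOC_LINES)
    print("writes:", write_counts(evs))
    print("hollowing candidates:", find_hollowing_candidates(evs))
    print("chain from 2904:", write_chain(evs, 2904))
```

Run against the rows above this yields one candidate, 2904 -> 3300, and the write chain 2904 -> {2916, 3300}, 3300 -> 3912, which matches the process tree below: the hollowed RegSvcs.exe is the process that goes on to spawn cmd.exe. The same correlation works on endpoint telemetry that exposes cross-process write and thread-context events, which is the usual way to turn this sandbox signature into a host detection.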
Processes

PID 2904  C:\Users\Admin\AppData\Local\Temp\document01.image.scan--11.jpg.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\document01.image.scan--11.jpg.exe"
          - Suspicious use of WriteProcessMemory
          - Suspicious use of SetThreadContext

  PID 2916  C:\Windows\SysWOW64\schtasks.exe  (child of 2904)
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIfLoEDyviu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp54AE.tmp"
            - Creates scheduled task(s)

  PID 3300  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe  (child of 2904)
            command line: "{path}"  (recorded literally as shown)
            - Suspicious use of AdjustPrivilegeToken
            - Checks for installed software on the system
            - Suspicious use of WriteProcessMemory

    PID 3912  C:\Windows\SysWOW64\cmd.exe  (child of 3300)
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\156671.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "

Note: the image paths under SysWOW64 while the recorded command lines name System32 show WOW64 file-system redirection in effect, i.e. the parent is a 32-bit process. That is consistent with the 32-bit .NET 2.0 host RegSvcs.exe (Framework, not Framework64) being the injection target and with the registry IoCs above landing under WOW6432Node. The batch file 156671.bat is invoked with the RegSvcs.exe path as its argument; the report does not capture the batch file's contents.
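The schtasks.exe command line in the tree above gives only the task name and the path of a temporary XML file; what the task actually runs, and when, lives in that XML, which the report does not capture. The script below is an added example, not part of the sandbox report: it parses the recorded command line and then summarises a Task Scheduler XML definition. Because tmp54AE.tmp is not available, SAMPLE_TASK_XML is a constructed stand-in and its command path and logon trigger are assumptions.

```python
"""Triage a schtasks.exe /Create command line and the task XML it loads.

Added example, not from the report. SCHTASKS_CMDLINE is the one recorded in the
process tree above. The sandbox did not capture tmp54AE.tmp, so SAMPLE_TASK_XML is
a constructed stand-in and its command path and trigger are assumptions.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIfLoEDyviu" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp54AE.tmp"'
)

# Constructed task definition (hypothetical payload path, assumed logon trigger).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\example\\payload.exe</Command>
    </Exec>
  </Actions>
</Task>"""

SWITCHES_WITH_VALUE = {"/TN", "/XML", "/TR", "/SC", "/RU", "/RP"}


def parse_schtasks_create(cmdline):
    """Split a Windows command line on quotes and whitespace and collect schtasks switches."""
    tokens = [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    args = {"image": tokens[0], "flags": []}
    i = 1
    while i < len(tokens):
        tok = tokens[i].upper()
        if tok in SWITCHES_WITH_VALUE:
            args[tok] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
        else:
            args["flags"].append(tok)
            i += 1
    return args


def summarize_task_xml(xml_text):
    """Pull the Exec commands, trigger types and Hidden flag out of a Task Scheduler XML."""
    root = ET.fromstring(xml_text)
    ns = {"t": TASK_NS}
    triggers = root.find("t:Triggers", ns)
    return {
        "commands": [
            (e.findtext("t:Command", default="", namespaces=ns) or "").strip()
            for e in root.findall(".//t:Exec", ns)
        ],
        "triggers": [t.tag.split("}", 1)[1] for t in (list(triggers) if triggers is not None else [])],
        "hidden": root.findtext("t:Settings/t:Hidden", default="false", namespaces=ns).strip().lower() == "true",
    }


def assess(args, summary):
    """Heuristic findings; each is a reason to look closer, not a verdict on its own."""
    findings = []
    tn = args.get("/TN") or ""
    folder = tn.rsplit("\\", 1)[0] if "\\" in tn else ""
    if folder and not folder.lstrip("\\").upper().startswith("MICROSOFT"):
        findings.append(f"task registered in custom folder {folder!r}")
    if re.search(r"\\AppData\\Local\\Temp\\", args.get("/XML") or "", re.I):
        findings.append("task definition loaded from a temp file")
    if summary["hidden"]:
        findings.append("task marked Hidden")
    for cmd in summary["commands"]:
        if re.search(r"\\AppData\\", cmd, re.I):
            findings.append(f"action runs from the user profile: {cmd}")
    return findings


if __name__ == "__main__":
    a = parse_schtasks_create(SCHTASKS_CMDLINE)
    s = summarize_task_xml(SAMPLE_TASK_XML)
    for finding in assess(a, s):
        print("-", finding)
```

On a live host the registered definition can be recovered even after the temp file is gone: the Task Scheduler stores each task as XML under C:\Windows\System32\Tasks\ in its task folder (here Tasks\Updates\VIfLoEDyviu). Exported task XML is UTF-16 with a byte-order mark, so read it as bytes and pass the bytes to ET.fromstring rather than decoding it by hand.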