Analysis
- max time kernel: 68s
- max time network: 71s
- platform: windows10_x64
- resource: win10
- submitted: 07-07-2020 12:10

Static task: static1
Behavioral task: behavioral1
Sample: 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
Resource: win7v200430 (windows7_x64), 0 signatures, 0 seconds
General
- Target: 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
- Size: 1.1MB
- MD5: 4e5556b10c33c8bcd2a381880926a29a
- SHA1: c902a31d3ab532a1a1fcbb8b51a8516a9703a6ef
- SHA256: 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00
- SHA512: 68dba86c21dc76b5a0dc483ec14dcb2ed75eac63713be72704f1c1992cf8b0732f6f838bfd8abc6e7de536a6bb626443bc4b54982ea10b80145f134e94a38f00
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
    PID 3820 wrote to memory of 3236 | 3820 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    PID 3820 wrote to memory of 3236 | 3820 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    PID 3820 wrote to memory of 3236 | 3820 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    PID 3236 wrote to memory of 3868 | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe | cmd.exe
    PID 3236 wrote to memory of 3868 | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe | cmd.exe
    PID 3868 wrote to memory of 3960 | 3868 | cmd.exe | PING.EXE
    PID 3868 wrote to memory of 3960 | 3868 | cmd.exe | PING.EXE
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes (description | pid | process):
    Token: SeImpersonatePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeTcbPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeChangeNotifyPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeCreateTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeBackupPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeRestorePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeIncreaseQuotaPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeAssignPrimaryTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeImpersonatePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeTcbPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeChangeNotifyPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeCreateTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeBackupPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeRestorePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeIncreaseQuotaPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeAssignPrimaryTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeImpersonatePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeTcbPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeChangeNotifyPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeCreateTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeBackupPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeRestorePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeIncreaseQuotaPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeAssignPrimaryTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeImpersonatePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeTcbPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeChangeNotifyPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeCreateTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeBackupPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeRestorePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeIncreaseQuotaPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeAssignPrimaryTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeImpersonatePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeTcbPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeChangeNotifyPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeCreateTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeBackupPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeRestorePrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeIncreaseQuotaPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Token: SeAssignPrimaryTokenPrivilege | 3236 | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
- Checks for installed software on the system (1 TTP, 7 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Key enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | 0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
- Script User-Agent (2 IoCs)
  Processes (description | flow | ioc):
    HTTP User-Agent header | 3 | WinHttp.WinHttpRequest.5.1
    HTTP User-Agent header | 4 | WinHttp.WinHttpRequest.5.1
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe"
  PID: 3820
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe dfsr
    PID: 3236
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Checks for installed software on the system
    - [3] C:\Windows\SYSTEM32\cmd.exe
      Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\0450362396084be91d1e47155b5af737c50d349315689bc538f09c1ef0593b00.exe"
      PID: 3868
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1
        PID: 3960
        - Runs ping.exe