Overview

overview

8

Static

static

eTPiv.exe

windows7_x64

8

eTPiv.exe

windows10_x64

8

Analysis

  • max time kernel
    56s
  • max time network
    68s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    08/07/2020, 20:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    eTPiv.exe

  • Size

    941KB

  • MD5

    c126b47388c127334162f17ab4e0cb2c

  • SHA1

    d74b2309be4af77691bd424ea8ab5055af89e587

  • SHA256

    77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd

  • SHA512

    7abdf106235dfe7311bcc1a1d847a2b4c9223aa3e59c59c486c4cb310e535de71b3680c937695210be0013c7158aaca97e2e664bb89a8dd5c7306a6cf1c9537a

Score
8/10
persistencespywarediscovery

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
    persistence
  • Runs ping.exe 1 TTPs 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks for installed software on the system 1 TTPs 29 IoCs
    discovery
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eTPiv.exe
    "C:\Users\Admin\AppData\Local\Temp\eTPiv.exe"
    1⤵
    • Adds Run entry to start application
    • Suspicious use of WriteProcessMemory
    PID:112
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c <nul set /p ="M" > SgrmBroker.com & type JDhB.com >> SgrmBroker.com & del JDhB.com & certutil -decode GiEs.com A & SgrmBroker.com A & ping 127.0.0.1 -n 3
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode GiEs.com A
        3⤵
          PID:740
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
          SgrmBroker.com A
          3⤵
          • Suspicious use of FindShellTrayWindow
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com A
            4⤵
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetThreadContext
            • Executes dropped EXE
            • Suspicious use of SendNotifyMessage
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1056
            • C:\Windows\SysWOW64\ipconfig.exe
              "C:\Windows\SysWOW64\ipconfig.exe"
              5⤵
              • Checks for installed software on the system
              • Suspicious use of WriteProcessMemory
              PID:1836
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Windows\SysWOW64\ipconfig.exe
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\SysWOW64\PING.EXE
                  ping google.com
                  7⤵
                  • Runs ping.exe
                  PID:1972
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          3⤵
          • Runs ping.exe
          PID:1696

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1836-14-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download

          • memory/1836-16-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

            Download