Overview

overview

8

Static

static

eTPiv.exe

windows7_x64

8

eTPiv.exe

windows10_x64

8

Analysis

  • max time kernel
    65s
  • max time network
    67s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    08-07-2020 20:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eTPiv.exe

  • Size

    941KB

  • MD5

    c126b47388c127334162f17ab4e0cb2c

  • SHA1

    d74b2309be4af77691bd424ea8ab5055af89e587

  • SHA256

    77867995d1e8388230c9f71fee5e835b346bfcfef3fde418c6a773eea11b4afd

  • SHA512

    7abdf106235dfe7311bcc1a1d847a2b4c9223aa3e59c59c486c4cb310e535de71b3680c937695210be0013c7158aaca97e2e664bb89a8dd5c7306a6cf1c9537a

Score
8/10
spywarediscoverypersistence

Malware Config

Signatures

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Checks for installed software on the system 1 TTPs 28 IoCs
    discovery
  • Adds Run entry to start application 2 TTPs 2 IoCs
    persistence
  • Runs ping.exe 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eTPiv.exe
    "C:\Users\Admin\AppData\Local\Temp\eTPiv.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Adds Run entry to start application
    PID:2916
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c <nul set /p ="M" > SgrmBroker.com & type JDhB.com >> SgrmBroker.com & del JDhB.com & certutil -decode GiEs.com A & SgrmBroker.com A & ping 127.0.0.1 -n 3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:560
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode GiEs.com A
        3⤵
          PID:900
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
          SgrmBroker.com A
          3⤵
          • Suspicious use of WriteProcessMemory
          • Executes dropped EXE
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:680
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com A
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious behavior: MapViewOfSection
            PID:1132
            • C:\Windows\SysWOW64\ipconfig.exe
              "C:\Windows\SysWOW64\ipconfig.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              • Checks for installed software on the system
              PID:1480
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c ping google.com && erase C:\Windows\SysWOW64\ipconfig.exe
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1932
                • C:\Windows\SysWOW64\PING.EXE
                  ping google.com
                  7⤵
                  • Runs ping.exe
                  PID:2144
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 1316
                6⤵
                • Program crash
                PID:2636
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          3⤵
          • Runs ping.exe
          PID:1360

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    1
    T1081

    Discovery

    Query Registry

    1
    T1012

    Remote System Discovery

    1
    T1018

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\A
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\GiEs.com
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JDhB.com
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\QJPvK.com
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SgrmBroker.com
      Download Submit
    • memory/560-0-0x0000000000000000-mapping.dmp
      Download
    • memory/680-4-0x0000000000000000-mapping.dmp
      Download
    • memory/900-2-0x0000000000000000-mapping.dmp
      Download
    • memory/1132-7-0x0000000000000000-mapping.dmp
      Download
    • memory/1360-10-0x0000000000000000-mapping.dmp
      Download
    • memory/1480-13-0x00000000004258D4-mapping.dmp
      Download
    • memory/1480-12-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1480-14-0x0000000000400000-0x0000000000440000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1932-15-0x0000000000000000-mapping.dmp
      Download
    • memory/2144-16-0x0000000000000000-mapping.dmp
      Download