Analysis

max time kernel: 61s
max time network: 61s
platform: windows7_x64
resource: win7
submitted: 08-07-2020 06:09
Static task: static1
Behavioral task: behavioral1
Sample: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Resource: win7
General

Target: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Size: 624KB
MD5: 0189f099f1d4340903c64c40fcf3d3a2
SHA1: 57ef299e94c76a87cc083097bf88af2061e1d04b
SHA256: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a
SHA512: 860689bedcb99e33729b70fb28a67d677db72ef81cc48bfa8c8113f522e74971c998ba25122a26e5004dabd0e4eb8f9ba4694808159652475e7b09e6407093e9
Malware Config

Signatures
Suspicious use of SetThreadContext (1 IoCs)

description | pid | Process | procid_target
PID 1588 set thread context of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
Suspicious behavior: EnumeratesProcesses (1 IoCs)

pid | Process
1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

pid | Process
752 | schtasks.exe
Checks for installed software on the system (1 TTPs, 10 IoCs)

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | RegSvcs.exe
Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | RegSvcs.exe
Suspicious use of WriteProcessMemory (20 IoCs)

description | pid | Process | procid_target
PID 1588 wrote to memory of 752 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24
PID 1588 wrote to memory of 752 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24
PID 1588 wrote to memory of 752 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24
PID 1588 wrote to memory of 752 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 24
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1588 wrote to memory of 1028 | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 26
PID 1028 wrote to memory of 1872 | 1028 | RegSvcs.exe | 28
PID 1028 wrote to memory of 1872 | 1028 | RegSvcs.exe | 28
PID 1028 wrote to memory of 1872 | 1028 | RegSvcs.exe | 28
PID 1028 wrote to memory of 1872 | 1028 | RegSvcs.exe | 28
Suspicious use of AdjustPrivilegeToken (33 IoCs)

description | pid | Process
Token: SeDebugPrivilege | 1588 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Token: SeImpersonatePrivilege | 1028 | RegSvcs.exe
Token: SeTcbPrivilege | 1028 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 1028 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 1028 | RegSvcs.exe
Token: SeBackupPrivilege | 1028 | RegSvcs.exe
Token: SeRestorePrivilege | 1028 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 1028 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 1028 | RegSvcs.exe
Token: SeImpersonatePrivilege | 1028 | RegSvcs.exe
Token: SeTcbPrivilege | 1028 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 1028 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 1028 | RegSvcs.exe
Token: SeBackupPrivilege | 1028 | RegSvcs.exe
Token: SeRestorePrivilege | 1028 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 1028 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 1028 | RegSvcs.exe
Token: SeImpersonatePrivilege | 1028 | RegSvcs.exe
Token: SeTcbPrivilege | 1028 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 1028 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 1028 | RegSvcs.exe
Token: SeBackupPrivilege | 1028 | RegSvcs.exe
Token: SeRestorePrivilege | 1028 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 1028 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 1028 | RegSvcs.exe
Token: SeImpersonatePrivilege | 1028 | RegSvcs.exe
Token: SeTcbPrivilege | 1028 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 1028 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 1028 | RegSvcs.exe
Token: SeBackupPrivilege | 1028 | RegSvcs.exe
Token: SeRestorePrivilege | 1028 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 1028 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 1028 | RegSvcs.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes

C:\Users\Admin\AppData\Local\Temp\240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe (PID 1588, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 752, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIfLoEDyviu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8841.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (PID 1028, depth 2)
    Command line: "{path}"
    - Checks for installed software on the system
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 1872, depth 3)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\107453.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "