Analysis
max time kernel: 136s
max time network: 50s
platform: windows10_x64
resource: win10v200430
submitted: 08-07-2020 06:09

Static task: static1
Behavioral task: behavioral1
Sample: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Resource: win7
General
Target: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Size: 624KB
MD5: 0189f099f1d4340903c64c40fcf3d3a2
SHA1: 57ef299e94c76a87cc083097bf88af2061e1d04b
SHA256: 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a
SHA512: 860689bedcb99e33729b70fb28a67d677db72ef81cc48bfa8c8113f522e74971c998ba25122a26e5004dabd0e4eb8f9ba4694808159652475e7b09e6407093e9
Malware Config
Signatures
Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 3848 wrote to memory of 2188 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 72
PID 3848 wrote to memory of 2188 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 72
PID 3848 wrote to memory of 2188 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 72
PID 3848 wrote to memory of 2708 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 74
PID 3848 wrote to memory of 2708 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 74
PID 3848 wrote to memory of 2708 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 74
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 3848 wrote to memory of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
PID 2724 wrote to memory of 3892 | 2724 | RegSvcs.exe | 76
PID 2724 wrote to memory of 3892 | 2724 | RegSvcs.exe | 76
PID 2724 wrote to memory of 3892 | 2724 | RegSvcs.exe | 76
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3848 set thread context of 2724 | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe | 75
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Suspicious use of AdjustPrivilegeToken (41 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Token: SeImpersonatePrivilege | 2724 | RegSvcs.exe
Token: SeTcbPrivilege | 2724 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 2724 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 2724 | RegSvcs.exe
Token: SeBackupPrivilege | 2724 | RegSvcs.exe
Token: SeRestorePrivilege | 2724 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 2724 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 2724 | RegSvcs.exe
Token: SeImpersonatePrivilege | 2724 | RegSvcs.exe
Token: SeTcbPrivilege | 2724 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 2724 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 2724 | RegSvcs.exe
Token: SeBackupPrivilege | 2724 | RegSvcs.exe
Token: SeRestorePrivilege | 2724 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 2724 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 2724 | RegSvcs.exe
Token: SeImpersonatePrivilege | 2724 | RegSvcs.exe
Token: SeTcbPrivilege | 2724 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 2724 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 2724 | RegSvcs.exe
Token: SeBackupPrivilege | 2724 | RegSvcs.exe
Token: SeRestorePrivilege | 2724 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 2724 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 2724 | RegSvcs.exe
Token: SeImpersonatePrivilege | 2724 | RegSvcs.exe
Token: SeTcbPrivilege | 2724 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 2724 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 2724 | RegSvcs.exe
Token: SeBackupPrivilege | 2724 | RegSvcs.exe
Token: SeRestorePrivilege | 2724 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 2724 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 2724 | RegSvcs.exe
Token: SeImpersonatePrivilege | 2724 | RegSvcs.exe
Token: SeTcbPrivilege | 2724 | RegSvcs.exe
Token: SeChangeNotifyPrivilege | 2724 | RegSvcs.exe
Token: SeCreateTokenPrivilege | 2724 | RegSvcs.exe
Token: SeBackupPrivilege | 2724 | RegSvcs.exe
Token: SeRestorePrivilege | 2724 | RegSvcs.exe
Token: SeIncreaseQuotaPrivilege | 2724 | RegSvcs.exe
Token: SeAssignPrimaryTokenPrivilege | 2724 | RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
3848 | 240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2188 | schtasks.exe
Checks for installed software on the system (1 TTP, 7 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | RegSvcs.exe
Key enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall | RegSvcs.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | RegSvcs.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | RegSvcs.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\240cb0b0443f8e63dc65887da08db0b05a6912be194bd870b07e4cd86865d12a.exe"
  PID: 3848
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses

  (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VIfLoEDyviu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp59AF.tmp"
    PID: 2188
    - Creates scheduled task(s)

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 2708

  (depth 2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    Command line: "{path}"
    PID: 2724
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Checks for installed software on the system

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\157140.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" "
      PID: 3892