Analysis
max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7
submitted: 09-07-2020 18:01
Static task: static1
Behavioral task: behavioral1
Sample: eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Resource: win7 (windows7_x64)
0 signatures
0 seconds
General
Target: eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Size: 1.1MB
MD5: b70279fc1c857dc76a50f77a46460657
SHA1: fbcabd564c13287b0a0d42026c77006f0c6e7983
SHA256: eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca
SHA512: 424726d9175411466cb5fb0d99ecb843fb9609506b88e708c13717d5b47921485c370324b08f3f5379b6e7b2266ae30e45f49a6030ad2409446ec971ddbd761f
Malware Config
Signatures

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Script User-Agent (2 IoCs)
Processes:
description | flow | ioc
HTTP User-Agent header | 5 | WinHttp.WinHttpRequest.5.1
HTTP User-Agent header | 9 | WinHttp.WinHttpRequest.5.1
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe, eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe, cmd.exe
description | pid | process | target process
PID 1072 wrote to memory of 1660 | 1072 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe (recorded 4 times)
PID 1660 wrote to memory of 1940 | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe | cmd.exe (recorded 4 times)
PID 1940 wrote to memory of 1976 | 1940 | cmd.exe | PING.EXE (recorded 3 times)
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes: eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
description | pid | process
Token: SeImpersonatePrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeTcbPrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeChangeNotifyPrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeCreateTokenPrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeBackupPrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeRestorePrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeIncreaseQuotaPrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Token: SeAssignPrimaryTokenPrivilege | 1660 | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Each of the eight token adjustments above is recorded four times in this order, giving the 32 entries.
Deletes itself (1 IoC)
Processes: cmd.exe
pid | process
1940 | cmd.exe
Checks for installed software on the system (1 TTP, 10 IoCs)
Processes: eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)

Runs ping.exe (1 TTP, 1 IoC)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Processes (process tree; the number after each entry is its depth in the tree)

1. C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe"
   PID: 1072
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe dfsr
      PID: 1660
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Checks for installed software on the system

      3. C:\Windows\system32\cmd.exe
         Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\eda6bc27798b7230d63cae9225c466b67b05e788b315e4dc443c43cf1baabfca.exe"
         PID: 1940
         - Suspicious use of WriteProcessMemory
         - Deletes itself

         4. C:\Windows\system32\PING.EXE
            Command line: ping 127.0.0.1
            PID: 1976
            - Runs ping.exe