Analysis
-
max time kernel
103s -
max time network
112s -
platform
windows10_x64 -
resource
win10 -
submitted
09-07-2020 06:14
Static task
static1
Behavioral task
behavioral1
Sample
PO 07O1_O8_20_01.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
PO 07O1_O8_20_01.exe
Resource
win10
General
-
Target
PO 07O1_O8_20_01.exe
-
Size
516KB
-
MD5
e3018d0d8cf7d0776dacdf35bdcd4693
-
SHA1
8fc37ccbc250a7b8ad9dcf28b921390916faf720
-
SHA256
8f746ab02591cecc45226d28bf483dff6616f697c1d79f8d1daddd5e8ba1d764
-
SHA512
2b483b002b7cca53d7c59665a9107f4695e67b98983aa162433b2b95c60f62e74553047ad174795a53ee97add114a3700aa5cef16afd5745b8a00eb6800b1209
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
PO 07O1_O8_20_01.exedescription pid process target process PID 3588 wrote to memory of 3792 3588 PO 07O1_O8_20_01.exe PO 07O1_O8_20_01.exe PID 3588 wrote to memory of 3792 3588 PO 07O1_O8_20_01.exe PO 07O1_O8_20_01.exe PID 3588 wrote to memory of 3792 3588 PO 07O1_O8_20_01.exe PO 07O1_O8_20_01.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO 07O1_O8_20_01.exedescription pid process target process PID 3588 set thread context of 3792 3588 PO 07O1_O8_20_01.exe PO 07O1_O8_20_01.exe -
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
Processes:
resource yara_rule behavioral2/memory/3792-0-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3792-2-0x0000000000400000-0x0000000000450000-memory.dmp upx behavioral2/memory/3792-3-0x0000000000400000-0x0000000000450000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 checkip.dyndns.org -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
PO 07O1_O8_20_01.exePO 07O1_O8_20_01.exepid process 3588 PO 07O1_O8_20_01.exe 3588 PO 07O1_O8_20_01.exe 3792 PO 07O1_O8_20_01.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
PO 07O1_O8_20_01.exepid process 3588 PO 07O1_O8_20_01.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PO 07O1_O8_20_01.exedescription pid process Token: SeDebugPrivilege 3792 PO 07O1_O8_20_01.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO 07O1_O8_20_01.exe"C:\Users\Admin\AppData\Local\Temp\PO 07O1_O8_20_01.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\PO 07O1_O8_20_01.exe"C:\Users\Admin\AppData\Local\Temp\PO 07O1_O8_20_01.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3792-0-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3792-1-0x000000000044E450-mapping.dmp
-
memory/3792-2-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3792-3-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/3792-4-0x0000000000600000-0x0000000000622000-memory.dmpFilesize
136KB