5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4

Analysis

max time kernel
95s
max time network
148s
platform
windows10_x64
resource
win10
submitted
09/07/2020, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

send the quotation please.exe
Size

538KB
MD5

725b624537a6fa7d5240a803c8c96fda
SHA1

eb3dffff34cd7541128fcf77b6d6f3484d988133
SHA256

5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4
SHA512

fbd28adc6003879d14915410fd9d3b3c7d08f272e57b504a77646c252c0c72157764a6dfcbf63385aa362de0ebcbe41882dd80cce28a7d53c852e30275e3f6e7

Score

7^/10

persistence spyware

Malware Config

Signatures

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66
PID 792 wrote to memory of 3756	792	send the quotation please.exe	66

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 3756	792	send the quotation please.exe	66

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3756	RegSvcs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3756	RegSvcs.exe
3756	RegSvcs.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe"	RegSvcs.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Users\Admin\AppData\Local\Temp\send the quotation please.exe
"C:\Users\Admin\AppData\Local\Temp\send the quotation please.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:792
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "{path}"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Adds Run entry to start application
  PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3756-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download