Analysis
- max time kernel: 41s
- max time network: 61s
- platform: windows7_x64
- resource: win7
- submitted: 09-07-2020 09:30
Static task: static1
Behavioral task: behavioral1
- Sample: Atikus9Bumpers.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Atikus9Bumpers.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
Errors
- Reason: Machine shutdown
General
- Target: Atikus9Bumpers.exe
- Size: 278.1MB
- MD5: c8e4fd178e3816a8507efd185f8f3b26
- SHA1: b20226115f0d6330182b7ae9bdbfdb3855de6641
- SHA256: 69f40b23e0605683899e5df5d843266665790fce6c7e61fc84c7c85f53313dfa
- SHA512: 4e31091d35cd593531917c611d284907e43e473800464c22937443a5649d84de9b47fa6d33d06e6fdfb6ae177d5f10c6ead73fa42f10d8186037ec5096e60ff3
- Score: 7/10
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes: pid 1552, Atikus9Bumpers.exe (7 occurrences)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: Token: SeDebugPrivilege, pid 1552, Atikus9Bumpers.exe; Token: SeShutdownPrivilege, pid 1552, Atikus9Bumpers.exe
- Loads dropped DLL (1 IoC)
  Processes: pid 1552, Atikus9Bumpers.exe
- Drops startup file (1 IoC)
  Processes: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZIOCKDDHFWXDXDCI.lnk by Atikus9Bumpers.exe
- Enumerates connected drives (3 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 4, ioc ipinfo.io
Processes
- C:\Users\Admin\AppData\Local\Temp\Atikus9Bumpers.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Atikus9Bumpers.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Loads dropped DLL
  - Drops startup file
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1