Analysis
-
max time kernel
77s -
max time network
67s -
platform
windows7_x64 -
resource
win7 -
submitted
09-07-2020 18:24
Static task
static1
Behavioral task
behavioral1
Sample
Disc FDBC 3660.exe
Resource
win7
Behavioral task
behavioral2
Sample
Disc FDBC 3660.exe
Resource
win10v200430
General
-
Target
Disc FDBC 3660.exe
-
Size
566KB
-
MD5
943270627e8eb4b1567dc76a6a9196fc
-
SHA1
592dc27309861b4ef99e122fe63293010dc7d812
-
SHA256
5a31aebe8d849348df31616a406d024dfc43a6c39187640d05c06f4a4d72887b
-
SHA512
bbdd498ad4e43372706acb94e9a780114ee85cd86172da9194e8710a8083663268ef2b878f3fe1b089330a386d648b76446d07dcea4b0df8062ccc7300f3d9ab
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Disc FDBC 3660.exedescription pid Process procid_target PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 PID 112 wrote to memory of 740 112 Disc FDBC 3660.exe 24 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Disc FDBC 3660.exedescription pid Process Token: SeDebugPrivilege 740 Disc FDBC 3660.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Disc FDBC 3660.exepid Process 740 Disc FDBC 3660.exe 740 Disc FDBC 3660.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Disc FDBC 3660.exedescription pid Process procid_target PID 112 set thread context of 740 112 Disc FDBC 3660.exe 24 -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Disc FDBC 3660.exepid Process 740 Disc FDBC 3660.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Disc FDBC 3660.exe"C:\Users\Admin\AppData\Local\Temp\Disc FDBC 3660.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:112 -
C:\Users\Admin\AppData\Local\Temp\Disc FDBC 3660.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:740
-