Analysis

  • max time kernel
    133s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09-07-2020 14:28

General

  • Target

    PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe

  • Size

    586KB

  • MD5

    771d6920c81e63c41104ceb4b31b3d95

  • SHA1

    556f0940be0985b4f661d57fa894de06d945a53e

  • SHA256

    2f749c6cbdf1d58629bc39b28bb2b1f74766bfb982cc31e3461d1c4bcbd32b01

  • SHA512

    2ba7095fef121ed4d31e5bc5a171f09baa4b3c274e56428ec1b2c4e32ecc4a83315f13268f0e569d045a6c2fc189315b5897b2f703ecbb21ce8093dc0c5b1938

Score
7/10

Malware Config

Signatures

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Suspicious use of WriteProcessMemory 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    PID:1768
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OcxusgpmmJu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4ECA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:528
    • C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
      "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
      2⤵
        PID:1224
      • C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
        "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
        2⤵
          PID:1144
        • C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
          "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
          2⤵
            PID:1228
          • C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
            "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
            2⤵
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1816

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp4ECA.tmp

        • memory/528-2-0x0000000000000000-mapping.dmp

        • memory/1768-1-0x0000000000000000-0x0000000000000000-disk.dmp

        • memory/1816-4-0x0000000000400000-0x0000000000450000-memory.dmp

          Filesize

          320KB

        • memory/1816-5-0x000000000044B37E-mapping.dmp

        • memory/1816-6-0x0000000000400000-0x0000000000450000-memory.dmp

          Filesize

          320KB

        • memory/1816-7-0x0000000000400000-0x0000000000450000-memory.dmp

          Filesize

          320KB