Analysis

max time kernel: 133s
max time network: 117s
platform: windows7_x64
resource: win7
submitted: 09-07-2020 14:28

Static task: static1
Behavioral task: behavioral1
  Sample: PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
  Resource: win10
General

Target: PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
Size: 586KB
MD5: 771d6920c81e63c41104ceb4b31b3d95
SHA1: 556f0940be0985b4f661d57fa894de06d945a53e
SHA256: 2f749c6cbdf1d58629bc39b28bb2b1f74766bfb982cc31e3461d1c4bcbd32b01
SHA512: 2ba7095fef121ed4d31e5bc5a171f09baa4b3c274e56428ec1b2c4e32ecc4a83315f13268f0e569d045a6c2fc189315b5897b2f703ecbb21ce8093dc0c5b1938
Malware Config
Signatures

- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  schtasks.exe is often used by malware for persistence or to perform post-infection execution. In this run the task is registered from an XML definition written to the user's temp directory (see the schtasks.exe command line in the process tree below), so the trigger and the command it will launch live in that file, not on the command line; recover the .tmp file if you need to know what the task runs.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and form data.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data (account settings and saved passwords) on disk, where infostealers will often target it.
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
  description                        pid   process                                                  target process                                            events
  PID 1768 wrote to memory of 528    1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  schtasks.exe                                              4
  PID 1768 wrote to memory of 1224   1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe   4
  PID 1768 wrote to memory of 1144   1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe   4
  PID 1768 wrote to memory of 1228   1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe   4
  PID 1768 wrote to memory of 1816   1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe   9
  Every child process, schtasks.exe included, receives four writes from the parent right after creation, so the write count on its own is not the signal. Only PID 1816, a fresh copy of the sample itself, receives more (nine) and also has its thread context set by the parent (see SetThreadContext below); that pairing, a same-image child written to and then redirected, is the usual shape of process hollowing. The other three copies (1224, 1144, 1228) trigger no further signatures.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description               pid   process
  Token: SeDebugPrivilege   1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
  Token: SeDebugPrivilege   1816  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid   process                                                  events
  1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  4
  1816  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  2
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description                           pid   process                                                  target process
  PID 1768 set thread context of 1816   1768  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
  pid   process
  1816  PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
Processes

C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
  PID: 1768
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OcxusgpmmJu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4ECA.tmp"
    PID: 528
    - Creates scheduled task(s)
    Note: the command line asks for System32\schtasks.exe but the image that loaded is the SysWOW64 copy. That is WoW64 file system redirection, which only applies to a 32-bit caller, so the parent (1768) is a 32-bit process on this 64-bit guest.

  C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
    PID: 1224 (no signatures triggered)

  C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
    PID: 1144 (no signatures triggered)

  C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
    PID: 1228 (no signatures triggered)

  C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
    PID: 1816
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
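The two behaviours this report hinges on, a parent writing into and then resetting the thread context of a copy of itself, and a scheduled task registered from an XML file in the user's temp directory, can be turned into detection logic over the report's own event tables. The Python below is an added example; it is not part of the sandbox report and not the sample's code. EVENTS and PROCESSES are constructed from the WriteProcessMemory, SetThreadContext and process-tree data above, and the function names (find_self_hollowing, find_task_persistence, wow64_redirected) are the example's own. It also generalises slightly: the schtasks check flags any /Create whose /XML path is under AppData\Local\Temp, not just this task name.

```python
import re
from collections import defaultdict

# Constructed from the tables in this report; not sandbox output and not the
# sample's own code.  Event shape: (api, pid, process, target_pid, target_process).
SAMPLE = "PO#908827 dated 9-7-2020 2019BT206-1+2020BT021+042.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

EVENTS = (
    [("WriteProcessMemory", 1768, SAMPLE, 528, "schtasks.exe")] * 4
    + [("WriteProcessMemory", 1768, SAMPLE, 1224, SAMPLE)] * 4
    + [("WriteProcessMemory", 1768, SAMPLE, 1144, SAMPLE)] * 4
    + [("WriteProcessMemory", 1768, SAMPLE, 1228, SAMPLE)] * 4
    + [("WriteProcessMemory", 1768, SAMPLE, 1816, SAMPLE)] * 9
    + [("SetThreadContext", 1768, SAMPLE, 1816, SAMPLE)]
)

# pid -> (image path, command line), taken from the process tree above
PROCESSES = {
    1768: (SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    528: ("C:\\Windows\\SysWOW64\\schtasks.exe",
          '"C:\\Windows\\System32\\schtasks.exe" /Create /TN "Updates\\OcxusgpmmJu" '
          '/XML "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4ECA.tmp"'),
    1224: (SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    1144: (SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    1228: (SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
    1816: (SAMPLE_PATH, '"' + SAMPLE_PATH + '"'),
}


def find_self_hollowing(events):
    """Pair WriteProcessMemory with SetThreadContext between a process and a
    child running the same image.  Returns (confirmed, attempts): confirmed maps
    target pid -> number of writes for targets whose thread context the writer
    also reset (the hollowing signature); attempts lists same-image targets that
    were written to but never had their context set.  In this report every child
    gets four writes at creation, so the count alone is noise; the SetThreadContext
    pairing is what separates 1816 from 1224/1144/1228."""
    writes = defaultdict(int)
    context_set = set()
    for api, pid, proc, tpid, tproc in events:
        if proc != tproc:   # cross-image writes (e.g. into schtasks.exe) are not self-hollowing
            continue
        if api == "WriteProcessMemory":
            writes[(pid, tpid)] += 1
        elif api == "SetThreadContext":
            context_set.add((pid, tpid))
    confirmed = {t: n for (p, t), n in writes.items() if (p, t) in context_set}
    attempts = sorted(t for (p, t) in writes if (p, t) not in context_set)
    return confirmed, attempts


def _arg(cmdline, flag):
    """Value following a schtasks flag, quoted or bare; None if the flag is absent."""
    m = re.search(re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)


def find_task_persistence(processes):
    """Flag schtasks /Create calls whose task definition (/XML) is read from a
    user temp directory.  The XML holds the trigger and the action, so the
    command line alone does not show what the task will run; the hit records
    the file path so an analyst can go and collect it."""
    hits = []
    for pid, (image, cmdline) in processes.items():
        if not image.lower().endswith("\\schtasks.exe"):
            continue
        if not re.search(r"/create\b", cmdline, re.I):
            continue
        xml = _arg(cmdline, "/XML")
        if xml and TEMP_DIR.search(xml):
            hits.append({"pid": pid, "task": _arg(cmdline, "/TN"), "xml": xml})
    return hits


def wow64_redirected(image, cmdline):
    """True when the command line names System32 but the image that loaded is
    the SysWOW64 copy: file system redirection applied, so the creating process
    is 32-bit on a 64-bit Windows."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    requested = (m.group(1) or m.group(2)) if m else ""
    return "\\system32\\" in requested.lower() and "\\syswow64\\" in image.lower()


if __name__ == "__main__":
    confirmed, attempts = find_self_hollowing(EVENTS)
    print("hollowed:", confirmed, "| written but no SetThreadContext:", attempts)
    for hit in find_task_persistence(PROCESSES):
        print("task persistence:", hit,
              "| parent is 32-bit (WoW64):", wow64_redirected(*PROCESSES[hit["pid"]]))
```

Run against the report's data this yields 1816 as the single hollowed copy (nine writes plus SetThreadContext), 1144/1224/1228 as written-to copies that never had their context set, and one schtasks hit pointing at tmp4ECA.tmp with the WoW64 flag set. Feeding the same functions real sandbox JSON needs only an adapter that emits the five-field event tuples and the pid -> (image, command line) map.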