Analysis
- max time kernel: 113s
- max time network: 120s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 06:58
Static task: static1
Behavioral task: behavioral1
- Sample: PO# TTL-0509189..exe
- Resource: win7
Behavioral task: behavioral2
- Sample: PO# TTL-0509189..exe
- Resource: win10v200430
General
- Target: PO# TTL-0509189..exe
- Size: 744KB
- MD5: 5cc4bab9bd01d39b3e5da9fd8f2d7bfe
- SHA1: e1f2f286115193f40793eb80b18a1ebd0de4c5e3
- SHA256: 306f60a415f3935c8eb3e3d13fa6957f8ab8161e0818fc93850d54f0f69d0b3f
- SHA512: 1bfa4257e8804723cbb6851bafd85ef774937858dc1840be36a9f44490addd6c7feac9d1554372c77e2e33edf1696eb681ff1004df2bc16a4b54f18fcb56e9e4
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                         pid    process                target process
PID 1460 wrote to memory of 1624    1460   PO# TTL-0509189..exe   schtasks.exe
PID 1460 wrote to memory of 1624    1460   PO# TTL-0509189..exe   schtasks.exe
PID 1460 wrote to memory of 1624    1460   PO# TTL-0509189..exe   schtasks.exe
PID 1460 wrote to memory of 1624    1460   PO# TTL-0509189..exe   schtasks.exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
PID 1460 wrote to memory of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                            pid    process                target process
PID 1460 set thread context of 1064    1460   PO# TTL-0509189..exe   PO# TTL-0509189..exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description                pid    process
Token: SeDebugPrivilege    1460   PO# TTL-0509189..exe
Token: SeDebugPrivilege    1064   PO# TTL-0509189..exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid    process
1460   PO# TTL-0509189..exe
1064   PO# TTL-0509189..exe
1064   PO# TTL-0509189..exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Processes
- C:\Users\Admin\AppData\Local\Temp\PO# TTL-0509189..exe (PID: 1460)
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO# TTL-0509189..exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\schtasks.exe (PID: 1624)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ETClwd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC5FC.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\PO# TTL-0509189..exe (PID: 1064)
    Command line: "{path}"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses