Analysis
-
max time kernel
76s -
max time network
6s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
10-07-2020 07:40
Static task
static1
Behavioral task
behavioral1
Sample
TIN1-2007100001-AWB.JPG.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
TIN1-2007100001-AWB.JPG.exe
Resource
win10v200430
General
-
Target
TIN1-2007100001-AWB.JPG.exe
-
Size
590KB
-
MD5
d7dfb7d9efc85b906a72b2000f925061
-
SHA1
cfc684a0eacb1f49ff7473524337a8a6600760c0
-
SHA256
dc67ad0f1d9092eca89d3b0efc15e17b3490f9e90e99c5df611322053ce4c709
-
SHA512
3ed669655e28e9e1b6a57e99ebfdbaf608677047c102e7d509c9bdf09f975e8f96cc1a3b569afdf28bc0bdbebba3454fb9bfb312e02d5f62e3db65b6aa37779b
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 784 RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 784 RegSvcs.exe 784 RegSvcs.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe" RegSvcs.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
TIN1-2007100001-AWB.JPG.exedescription pid process target process PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe PID 1068 wrote to memory of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
TIN1-2007100001-AWB.JPG.exedescription pid process target process PID 1068 set thread context of 784 1068 TIN1-2007100001-AWB.JPG.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\TIN1-2007100001-AWB.JPG.exe"C:\Users\Admin\AppData\Local\Temp\TIN1-2007100001-AWB.JPG.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:1068 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
PID:784