Analysis
max time kernel: 89s
max time network: 118s
platform: windows10_x64
resource: win10
submitted: 10-07-2020 07:33
Static task: static1

Behavioral task: behavioral1
  Sample: aKDzIJRX7hjOy0J.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: aKDzIJRX7hjOy0J.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: aKDzIJRX7hjOy0J.exe
Size: 423KB
MD5: 93acf64e4e9895ba3b94b976af3b41ac
SHA1: 66e1c012ac8ce53e3cb25debc75eeadcfd26d45a
SHA256: 921c7a4ec72f857913362b7cd75300e57ae805dba29c8ac0e62806295dfa60ce
SHA512: f08f75ddc28cec487489dee06a20f5945a7cc6ad67dd47780887684e1960ec94300219f7574d7acbd02cda35c522cee1d95182515cb4753592888ad058313632
Score: 7/10
Malware Config
Signatures
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                          pid   process              target process
  PID 3100 set thread context of 3864  3100  aKDzIJRX7hjOy0J.exe  RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  3864  RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  3864  RegSvcs.exe
  3864  RegSvcs.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process              target process
  PID 3100 wrote to memory of 3864  3100  aKDzIJRX7hjOy0J.exe  RegSvcs.exe
  (the same event is recorded 8 times: eight separate writes from PID 3100 into PID 3864)
Processes
1. C:\Users\Admin\AppData\Local\Temp\aKDzIJRX7hjOy0J.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\aKDzIJRX7hjOy0J.exe"
   PID: 3100
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (child of PID 3100)
      command line: "{path}"
      PID: 3864
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
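The signature groups above describe one chain: the sample (PID 3100) spawns the signed .NET Framework utility RegSvcs.exe (PID 3864), writes into it eight times, re-points a thread with SetThreadContext, and the child then enables SeDebugPrivilege and enumerates processes. A cross-process write plus a thread-context change on the same target is the usual footprint of process hollowing into a legitimate host, and it is much stronger evidence than either API call on its own. The following is an added example, not part of the sandbox report or its tooling: a small Python detector that parses event rows in the flattened form used in this report and flags a source PID that both writes into and sets the thread context of the same target. The list of commonly abused .NET hosts and the negative-control rows for PIDs 4000/4100 are constructed assumptions for the example.

```python
"""Added example: correlate sandbox process-event rows into an injection finding.

Not part of the report. It parses rows in the flattened form used above
(e.g. "PID 3100 wrote to memory of 3864 3100 aKDzIJRX7hjOy0J.exe RegSvcs.exe")
and flags a source process that both writes into and sets the thread context
of the same target process, the usual footprint of process hollowing.
"""
import re
from collections import defaultdict

# .NET Framework utilities commonly abused as injection hosts. Analyst-curated
# list and an assumption of this example, not something the report states.
KNOWN_DOTNET_HOSTS = {
    "regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe",
    "applaunch.exe", "vbc.exe", "csc.exe", "cvtres.exe",
}

# Row shapes as they appear in the report once each table row is flattened.
CROSS_PROC_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)
TOKEN_RE = re.compile(r"Token: (?P<priv>\w+) (?P<pid>\d+) (?P<image>\S+)$")


def parse_events(text):
    """Parse flattened report rows into event dicts; rows of other shapes are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = CROSS_PROC_RE.match(line)
        if m:
            events.append({
                "kind": "thread_context" if m["action"].startswith("set") else "write_memory",
                "src": int(m["src"]), "dst": int(m["dst"]),
                "src_image": m["src_image"], "dst_image": m["dst_image"],
            })
            continue
        m = TOKEN_RE.match(line)
        if m:
            events.append({"kind": "privilege", "priv": m["priv"],
                           "pid": int(m["pid"]), "image": m["image"]})
    return events


def find_injection(events):
    """Return findings for (src, dst) pairs showing both a memory write and a
    thread-context change. The score rises if the target is a known .NET host
    or if the target process enabled SeDebugPrivilege."""
    counts = defaultdict(lambda: {"write_memory": 0, "thread_context": 0})
    images, privs = {}, defaultdict(set)
    for ev in events:
        if ev["kind"] == "privilege":
            privs[ev["pid"]].add(ev["priv"])
        else:
            key = (ev["src"], ev["dst"])
            counts[key][ev["kind"]] += 1
            images[key] = (ev["src_image"], ev["dst_image"])

    findings = []
    for (src, dst), c in counts.items():
        if not (c["write_memory"] and c["thread_context"]):
            continue  # a write or a context change alone is too noisy to alert on
        src_image, dst_image = images[(src, dst)]
        score, notes = 2, ["memory write + thread context change on the same target"]
        if dst_image.lower() in KNOWN_DOTNET_HOSTS:
            score += 1
            notes.append(f"target {dst_image} is a commonly abused .NET host")
        if "SeDebugPrivilege" in privs[dst]:
            score += 1
            notes.append("target process enabled SeDebugPrivilege")
        findings.append({"src": src, "src_image": src_image, "dst": dst,
                         "dst_image": dst_image, "writes": c["write_memory"],
                         "score": score, "notes": notes})
    return findings


# Constructed sample input: the injection-related rows from this report, plus
# one made-up negative control (PIDs 4000/4100) that has a write but no
# thread-context change and must not be flagged.
SAMPLE_ROWS = (
    "PID 3100 set thread context of 3864 3100 aKDzIJRX7hjOy0J.exe RegSvcs.exe\n"
    + "PID 3100 wrote to memory of 3864 3100 aKDzIJRX7hjOy0J.exe RegSvcs.exe\n" * 8
    + "Token: SeDebugPrivilege 3864 RegSvcs.exe\n"
    + "PID 4000 wrote to memory of 4100 4000 installer.exe msiexec.exe\n"
)

if __name__ == "__main__":
    for f in find_injection(parse_events(SAMPLE_ROWS)):
        print(f"[score {f['score']}] {f['src_image']} (PID {f['src']}) -> "
              f"{f['dst_image']} (PID {f['dst']}), {f['writes']} writes: "
              + "; ".join(f["notes"]))
```

The rule keys on the pair (source PID, target PID) rather than on either API in isolation, because legitimate software (installers, debuggers, some AV agents) also calls WriteProcessMemory; it is the combination on one target, into a signed Microsoft .NET utility launched by an unsigned file from a Temp directory, that makes this chain worth alerting on.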