Analysis
max time kernel: 87s
max time network: 54s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 09:27
Static task: static1

Behavioral task: behavioral1
  Sample: INV10072020PO67487.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: INV10072020PO67487.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: INV10072020PO67487.exe
Size: 416KB
MD5: 83ab076e21939b242d02b1c1b89e3097
SHA1: e278bd2d4d9b1e5fc55b448aa4e42506a3e47574
SHA256: 8d9b4ac8385e86b7a40756c1c3d5cb1a7e84cffbb43e242438f8e60ec48e092b
SHA512: fef69363cdf8b3c30e1bf0cb992558ee77d2f1326d842768fb20f5c2fff4a14e9def0434965bacf9fd82cb908a342e0fa5af5c5ab9d715899ed734510a5a01fd
Score: 7/10
Malware Config
Signatures

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1444  INV10072020PO67487.exe
  1444  INV10072020PO67487.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid   process
  1444  INV10072020PO67487.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description                      pid  process                 target process
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe
  PID 832 wrote to memory of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                         pid  process                 target process
  PID 832 set thread context of 1444  832  INV10072020PO67487.exe  INV10072020PO67487.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1444  INV10072020PO67487.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\INV10072020PO67487.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\INV10072020PO67487.exe"
   PID: 832
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\INV10072020PO67487.exe (child of PID 832)
      Command line: "{path}"
      PID: 1444
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of AdjustPrivilegeToken