Analysis
- max time kernel: 90s
- max time network: 125s
- platform: windows7_x64
- resource: win7v200430
- submitted: 11-07-2020 06:10
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: cuentas.exe, Resource: win7v200430)
- Behavioral task: behavioral2 (Sample: cuentas.exe, Resource: win10)
General
- Target: cuentas.exe
- Size: 703KB
- MD5: 4257c31396f2298a0ff642464ea2de68
- SHA1: cb2ac642f5743533b79fef9bd4e97da0b1c18aef
- SHA256: 0264a3c84d3a268983747939a9345ccdd32e2614133e362803cc992e0aaf6897
- SHA512: daf209fb4abe928c974d2ddef6dd40b2b29a02cf9c6b66b386a0a6b240fafd9a285ceb3eee04466fbe8e59ce1d91856b26a22ea8e71d66343673b9bed5f2933f
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    3     checkip.dyndns.org
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process      target process
    PID 1296 wrote to memory of 1128   1296  cuentas.exe  cuentas.exe
    PID 1296 wrote to memory of 1128   1296  cuentas.exe  cuentas.exe
    PID 1296 wrote to memory of 1128   1296  cuentas.exe  cuentas.exe
    PID 1296 wrote to memory of 1128   1296  cuentas.exe  cuentas.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    1296  cuentas.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process      target process
    PID 1296 set thread context of 1128  1296  cuentas.exe  cuentas.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1128  cuentas.exe
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes:
    resource                                                          yara_rule
    behavioral1/memory/1128-0-0x0000000000400000-0x0000000000450000-memory.dmp  upx
    behavioral1/memory/1128-2-0x0000000000400000-0x0000000000450000-memory.dmp  upx
    behavioral1/memory/1128-3-0x0000000000400000-0x0000000000450000-memory.dmp  upx
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1296  cuentas.exe
    1128  cuentas.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
Processes
- C:\Users\Admin\AppData\Local\Temp\cuentas.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cuentas.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - (child) C:\Users\Admin\AppData\Local\Temp\cuentas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cuentas.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1128-0-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1128-1-0x000000000044E440-mapping.dmp
- memory/1128-2-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1128-3-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1128-4-0x0000000000270000-0x0000000000292000-memory.dmp (Filesize: 136KB)
- memory/1128-5-0x0000000001F52000-0x0000000001F53000-memory.dmp (Filesize: 4KB)
- memory/1128-6-0x0000000000220000-0x000000000023C000-memory.dmp (Filesize: 112KB)