Analysis
-
max time kernel
134s -
max time network
135s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
11-07-2020 06:03
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE (A21)GH-SC200710F.exe
Resource
win7
Behavioral task
behavioral2
Sample
INVOICE (A21)GH-SC200710F.exe
Resource
win10v200430
General
-
Target
INVOICE (A21)GH-SC200710F.exe
-
Size
865KB
-
MD5
604f34919b1cb3c002f78789a183aa1e
-
SHA1
356268c526fa8182b89fc6bf71a4e5e382ee6c87
-
SHA256
14780eb585efbdc339799d90eefcb8b4b613464566f8cb3f1fed2bcb06dcd17f
-
SHA512
9932bd0c45396ba853fb05c7325b41fa3114ac3c8e990cbe2f29eed7f6f8916c281424aa09763f0da8141f95eee5a66ec1d1954f2f1af0203fcfb35482e37df2
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RegSvcs.exedescription pid process Token: SeDebugPrivilege 2076 RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RegSvcs.exepid process 2076 RegSvcs.exe 2076 RegSvcs.exe -
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
RegSvcs.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\BAVLA = "C:\\Users\\Admin\\AppData\\Roaming\\BAVLA\\BAVLA.exe" RegSvcs.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
INVOICE (A21)GH-SC200710F.exedescription pid process target process PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe PID 3896 wrote to memory of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
INVOICE (A21)GH-SC200710F.exedescription pid process target process PID 3896 set thread context of 2076 3896 INVOICE (A21)GH-SC200710F.exe RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INVOICE (A21)GH-SC200710F.exe"C:\Users\Admin\AppData\Local\Temp\INVOICE (A21)GH-SC200710F.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3896 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
- Adds Run entry to start application
PID:2076