Overview

overview

7

Static

static

BL Draft C...s .exe

windows7_x64

7

BL Draft C...s .exe

windows10_x64

3

Analysis

  • max time kernel
    138s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    13/07/2020, 11:29

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    BL Draft Copy shipping Documents .exe

  • Size

    325KB

  • MD5

    0299adcd27d62af62ef8342bd71e205e

  • SHA1

    de7978bf877f57671cb65b25aa29d9e780fbc67a

  • SHA256

    9a53f9cbf04e13a0df2cfa0869356a9772ef9bb92a87303661c27031f682bd10

  • SHA512

    3d97e0f73d52e1a1e92d8ad576e05fff411a1ee3d18577dfd045b2108147528e7cb3ad5764afc37e6fd10229e39ff5c9e5060d113f57b79e8181292343209c6e

Score
7/10
spyware

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Suspicious use of WriteProcessMemory 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BL Draft Copy shipping Documents .exe
    "C:\Users\Admin\AppData\Local\Temp\BL Draft Copy shipping Documents .exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    PID:1304
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RZCVOqSQXSVXpF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB59.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1804
    • C:\Users\Admin\AppData\Local\Temp\BL Draft Copy shipping Documents .exe
      "{path}"
      2⤵
        PID:1776
      • C:\Users\Admin\AppData\Local\Temp\BL Draft Copy shipping Documents .exe
        "{path}"
        2⤵
          PID:1784
        • C:\Users\Admin\AppData\Local\Temp\BL Draft Copy shipping Documents .exe
          "{path}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1788

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/1788-4-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/1788-6-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download

            • memory/1788-7-0x0000000000400000-0x000000000044A000-memory.dmp

              Filesize

              296KB

              Download