Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows10_x64
- resource: win10
- submitted: 13-07-2020 12:10

Static task: static1
Behavioral task: behavioral1
- Sample: 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
General
- Target: 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe
- Size: 1.1MB
- MD5: 7f7c5cacc9352348efed2bd68321dae6
- SHA1: a01fe5803a58bdb1f3095806433186efbfc6f409
- SHA256: 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32
- SHA512: 5cd1662246f7c6f3b3107d710c0ff754ed8c7bacaf5b6115a3c87ac54c95dd5ea08973ca72a609582620928dda2ea43f3af4aaf8e7971dbbdd48c1ca2f44a234
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (pid wrote to target pid: process -> target process):
  - PID 792 wrote to memory of 2304: 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe -> 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe (3 entries)
  - PID 2304 wrote to memory of 1392: 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe -> cmd.exe (2 entries)
  - PID 1392 wrote to memory of 3840: cmd.exe -> PING.EXE (2 entries)
  The single write that accompanies each process creation (a parent writing into the child it has just started) is expected; the repeated writes from PID 792 into the second instance of its own image (PID 2304) are the ones worth examining for injection or unpacking.
- Suspicious use of AdjustPrivilegeToken (40 IoCs)
  Processes: PID 2304 (4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe) requested the following eight token privileges, each five times in the same order:
  SeImpersonatePrivilege, SeTcbPrivilege, SeChangeNotifyPrivilege, SeCreateTokenPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeIncreaseQuotaPrivilege, SeAssignPrimaryTokenPrivilege
  Note: AdjustTokenPrivileges can only enable privileges that are already present in the caller's token; for any that are not, it succeeds but reports ERROR_NOT_ALL_ASSIGNED through GetLastError. These entries therefore record what the sample asked for, not what it obtained. SeTcbPrivilege, SeCreateTokenPrivilege and SeAssignPrimaryTokenPrivilege are not held by an ordinary user token, so the set is a useful fingerprint of the sample's intent even when the requests fail.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, among other things.
- Runs ping.exe (1 TTPs, 1 IoCs)
- Script User-Agent (2 IoCs)
  Processes (flow, HTTP User-Agent header):
  - flow 3: WinHttp.WinHttpRequest.5.1
  - flow 6: WinHttp.WinHttpRequest.5.1
  WinHttp.WinHttpRequest.5.1 is the default User-Agent sent by the WinHttpRequest COM object when the caller sets none, so it indicates scripted or COM-driven HTTP rather than a browser and is a cheap string to alert on at a proxy or in HTTP logs.
- Checks for installed software on the system (1 TTPs, 7 IoCs)
  Processes (description, ioc; all by 4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe):
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  - Key enumerated: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName
  The pattern (open and enumerate the Uninstall key, then read DisplayName under each subkey) is a plain inventory of installed software. The WOW6432Node path is consistent with a 32-bit process whose access to HKLM\SOFTWARE was redirected by WOW64, in which case only the 32-bit view of installed software was enumerated.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)
Processes
- C:\Users\Admin\AppData\Local\Temp\4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe (level 1, PID 792)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe (level 2, PID 2304)
    Command line: C:\Users\Admin\AppData\Local\Temp\4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe dfsr
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Checks for installed software on the system
    - C:\Windows\SYSTEM32\cmd.exe (level 3, PID 1392)
      Command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE (level 4, PID 3840)
        Command line: ping 127.0.0.1
        - Runs ping.exe

The level 3 command line is a self-deletion: ping against 127.0.0.1 serves as a short delay so that the parent executable has exited and released its image file before del removes it from disk. The first instance (PID 792) re-launches its own image with the argument dfsr, and it is that second instance (PID 2304) that does the privilege adjustment, software inventory and self-deletion.
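The self-deletion chain and the re-spawn in the tree above, as an added detection example that is not part of the sandbox report. It runs over constructed process-creation events: the PIDs, image paths and command lines are copied from the tree, while the parent PID 4000 and the benign fifth event are assumptions made for the example. It flags cmd.exe deleting an ancestor's image after a ping delay, and a process re-launching its own image with a different command line.

```python
# Added example (not sandbox output): detect the self-delete and re-spawn
# behaviours from the process tree above using process-creation events.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "4e07e19a75305cc86b8714e29695b0297b663627d55e108fad4560613e02cd32.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE

# Constructed events modelled on the report's tree. PID 4000 (the launcher)
# and the last, benign event are assumptions added for this example.
EVENTS = [
    ProcEvent(792, 4000, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(2304, 792, SAMPLE_PATH, f"{SAMPLE_PATH} dfsr"),
    ProcEvent(1392, 2304, "C:\\Windows\\SYSTEM32\\cmd.exe",
              f'cmd.exe /c ping 127.0.0.1 & del /F /Q "{SAMPLE_PATH}"'),
    ProcEvent(3840, 1392, "C:\\Windows\\system32\\PING.EXE", "ping 127.0.0.1"),
    # Benign noise: a ping without a del must not fire.
    ProcEvent(5000, 4000, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c ping 10.0.0.1 -n 4"),
]

# "del [/switches] <drive>:\path\file.exe", quoted or not, stopping at & or |.
DEL_RE = re.compile(r'\bdel\b[^&|]*?"?([A-Za-z]:\\[^"&|]+?\.exe)"?', re.IGNORECASE)
PING_RE = re.compile(r"\bping(\.exe)?\b", re.IGNORECASE)


def find_self_delete(events):
    """cmd.exe running 'ping ... & del <exe>' where <exe> is an ancestor's image.

    The ping against localhost is a crude sleep: it gives the ancestor time to
    exit and release its image file before del runs.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        if not m or not PING_RE.search(e.cmdline):
            continue
        target = m.group(1).lower()
        chain = []
        parent = by_pid.get(e.ppid)
        while parent is not None:  # walk up the tree to the first owner of the image
            chain.append(parent.pid)
            if parent.image.lower() == target:
                hits.append({"cmd_pid": e.pid, "owner_pid": parent.pid,
                             "deleted": m.group(1), "ancestors": chain})
                break
            parent = by_pid.get(parent.ppid)
    return hits


def find_respawn(events):
    """A process starting its own image again with a different command line
    (PID 792 -> PID 2304 with the extra argument 'dfsr' in the report)."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None and parent.image.lower() == e.image.lower()
                and e.cmdline.strip() != parent.cmdline.strip()):
            out.append((parent.pid, e.pid))
    return out


if __name__ == "__main__":
    for hit in find_self_delete(EVENTS):
        print("self-delete:", hit)
    for ppid, pid in find_respawn(EVENTS):
        print(f"respawn: {ppid} -> {pid}")
```

Two caveats for production use: key processes by a creation-time identifier (for example Sysmon's ProcessGuid) rather than by PID, since PIDs are reused after a process exits, and normalise paths before comparing them, because 8.3 short names or a different drive-letter case in the del argument would defeat the exact string match used here.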