Analysis
max time kernel: 148s
max time network: 147s
platform: windows10_x64
resource: win10
submitted: 13/07/2020, 14:48
Static task: static1
Behavioral task: behavioral1 (Sample: file.exe, Resource: win7, 0 signatures, 0 seconds)
Behavioral task: behavioral2 (Sample: file.exe, Resource: win10, 0 signatures, 0 seconds)
General
Target: file.exe
Size: 178KB
MD5: 269b3771f557dd8baf50335ab7165d81
SHA1: 339394ee3109c21c6ee55b4aea36a8ac4c8444a7
SHA256: 55fda8fe5169419bcbdfa68e712b378085ddd86638e0f84e50e6b6f43cf19334
SHA512: 739abb3c8b81cde39fb1c10da9e911b27b9022ff326775f74f5cfb7912000be8062d50030b5824bba301f97356d877f3435954e9349a4fae9ba167376089d207
Score: 8/10
Malware Config
Signatures
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious behavior: EnumeratesProcesses 58 IoCs
pid  Process  (occurrences)
3044  file.exe  (4)
3888  help.exe  (54)
Suspicious use of AdjustPrivilegeToken 12 IoCs
description  pid  Process  (occurrences)
Token: SeDebugPrivilege  3044  file.exe  (1)
Token: SeDebugPrivilege  3888  help.exe  (1)
Token: SeShutdownPrivilege  2988  Explorer.EXE  (5)
Token: SeCreatePagefilePrivilege  2988  Explorer.EXE  (5)
Suspicious use of WriteProcessMemory 12 IoCs
description  pid  Process  procid_target  (occurrences)
PID 2988 wrote to memory of 3888  2988  Explorer.EXE  67  (3)
PID 3888 wrote to memory of 4032  3888  help.exe  68  (3)
PID 3888 wrote to memory of 3172  3888  help.exe  76  (3)
PID 3888 wrote to memory of 804  3888  help.exe  78  (3)
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process  (occurrences)
2988  Explorer.EXE  (2)
Suspicious use of SendNotifyMessage 2 IoCs
pid  Process  (occurrences)
2988  Explorer.EXE  (2)
Drops file in Program Files directory 1 IoCs
description  ioc  Process
File opened for modification  C:\Program Files (x86)\B-zkdo\Cookies1bb.exe  help.exe
System policy modification 1 TTPs 1 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  help.exe
Adds Run entry to policy start application 2 TTPs 2 IoCs
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  help.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\XLMDTXSP-27 = "C:\\Program Files (x86)\\B-zkdo\\Cookies1bb.exe"  help.exe
Suspicious behavior: MapViewOfSection 7 IoCs
pid  Process  (occurrences)
3044  file.exe  (3)
3888  help.exe  (4)
Suspicious use of SetThreadContext 2 IoCs
description  pid  Process  procid_target
PID 3044 set thread context of 2988  3044  file.exe  56
PID 3888 set thread context of 2988  3888  help.exe  56
Modifies Internet Explorer settings
description  ioc  Process
Key created  \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  help.exe
Processes
C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE) [level 1]
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2988
  C:\Users\Admin\AppData\Local\Temp\file.exe (command line: "C:\Users\Admin\AppData\Local\Temp\file.exe") [level 2]
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  PID:3044
  C:\Windows\SysWOW64\help.exe (command line: "C:\Windows\SysWOW64\help.exe") [level 2]
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - System policy modification
  - Adds Run entry to policy start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  PID:3888
    C:\Windows\SysWOW64\cmd.exe (command line: /c del "C:\Users\Admin\AppData\Local\Temp\file.exe") [level 3]
    PID:4032
    C:\Windows\SysWOW64\cmd.exe (command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V) [level 3]
    PID:3172
    C:\Program Files\Mozilla Firefox\Firefox.exe (command line: "C:\Program Files\Mozilla Firefox\Firefox.exe") [level 3]
    PID:804