Analysis
max time kernel: 131s
max time network: 52s
platform: windows7_x64
resource: win7v200430
submitted: 13-07-2020 12:10
Static task: static1
Behavioral task: behavioral1
Sample: d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Resource: win7v200430
General
Target: d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Size: 1.1MB
MD5: 9a4c7ae4bcaa653ffd966d17785ed92d
SHA1: 610343dbeb9e63ddd7fa2cfb765c8dda3c37c150
SHA256: d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff
SHA512: e6da37f1da3c075f0d435592eb69ef9cbfeb94f96f450b1a560fc7f9e7b6a5b903fdefa4fd2a749dfa0e3c5d0eac2777428e7dc92af0543cbc6ea55d3bf5d51f
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes: d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
description | pid | process
Token: SeImpersonatePrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Token: SeTcbPrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Token: SeChangeNotifyPrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Token: SeCreateTokenPrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Token: SeBackupPrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Token: SeRestorePrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Token: SeIncreaseQuotaPrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Token: SeAssignPrimaryTokenPrivilege | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
This eight-privilege sequence was observed four times in the same order, all from PID 872 (32 token adjustments in total).
Checks for installed software on the system (1 TTPs, 10 IoCs)
Processes: d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A90000000001}\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Adobe AIR\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{00203668-8170-44A0-BE44-B632FA4D780F}\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4087364\DisplayName | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Runs ping.exe (1 TTPs, 1 IoCs)
Script User-Agent (2 IoCs)
description | flow | ioc
HTTP User-Agent header | 4 | WinHttp.WinHttpRequest.5.1
HTTP User-Agent header | 9 | WinHttp.WinHttpRequest.5.1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe, d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe, cmd.exe
description | pid | process | target process | times observed
PID 1060 wrote to memory of 872 | 1060 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe | 4
PID 872 wrote to memory of 300 | 872 | d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe | cmd.exe | 4
PID 300 wrote to memory of 1648 | 300 | cmd.exe | PING.EXE | 3
Every write here is from a parent into a child it has just created. A parent writing into a freshly created child is also what CreateProcess itself does when it sets up the new process, so the cmd.exe -> PING.EXE entries in particular are not by themselves evidence of code injection; the first process writing into a second copy of its own image (1060 -> 872, launched with the extra argument dfsr) is the more interesting pair.
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Accesses cryptocurrency wallets, possible credential harvesting (2 TTPs)
Deletes itself (1 IoCs)
Processes: cmd.exe
pid | process
300 | cmd.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe (PID 1060)
  command line: "C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe (PID 872, child of 1060)
    command line: C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe dfsr
    - Suspicious use of AdjustPrivilegeToken
    - Checks for installed software on the system
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe (PID 300, child of 872)
      command line: cmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe"
      - Suspicious use of WriteProcessMemory
      - Deletes itself
      C:\Windows\system32\PING.EXE (PID 1648, child of 300)
        command line: ping 127.0.0.1
        - Runs ping.exe

The cmd.exe command line is the classic delayed self-deletion idiom: the ping against the loopback address does nothing useful except wait a moment so the sample process has exited and its file is no longer locked, after which del /F /Q removes the original executable. The "Runs ping.exe" and "Deletes itself" signatures above are both consequences of this single command line.
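The process tree above gives enough to write a detection for the behaviour the sandbox labelled "Deletes itself": a cmd.exe child whose command line delays with ping and then deletes the image of the very process that launched it, plus the earlier step where the sample re-launched its own image (1060 -> 872). The following is an added example for this page, not output of the sandbox or code from the sample; the event records are constructed to mirror the tree (PIDs, paths and command lines copied from it), the parent PID 500 of the first process is an assumption because the report does not show it, and the field names are a generic schema that you would map onto your own EDR or Sysmon event fields.

```python
"""Detect the delayed self-deletion chain shown in the process tree above.

Pattern: a process spawns cmd.exe whose command line (a) runs ping against
127.0.0.1 (or timeout) purely as a delay and (b) then runs `del` on the
path of the process that launched cmd.exe. A second helper flags a process
that re-launches its own image, as 1060 -> 872 does above.

Added example for this report page, not sandbox output. The event records
are constructed to mirror the tree; ppid 500 for the first process is an
assumption (not in the report) and the field names are a generic schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # full command line as logged


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe")

# Constructed events mirroring the report's process tree. PID 2000 is a
# benign control: a deletion that is neither delayed nor aimed at the
# parent's own image, so it must not produce a hit.
EVENTS = [
    ProcEvent(1060, 500, SAMPLE, f'"{SAMPLE}"'),              # ppid 500 assumed
    ProcEvent(872, 1060, SAMPLE, f"{SAMPLE} dfsr"),
    ProcEvent(300, 872, r"C:\Windows\system32\cmd.exe",
              f'cmd.exe /c ping 127.0.0.1 & del /F /Q "{SAMPLE}"'),
    ProcEvent(1648, 300, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1"),
    ProcEvent(2000, 500, r"C:\Windows\system32\cmd.exe",
              r'cmd.exe /c del /F /Q "C:\Temp\old.log"'),
]

# `del`, any number of switches such as /F /Q, then an optionally quoted
# path ending in .exe (stops at quotes and cmd operators).
DEL_RE = re.compile(r'\bdel\b(?:\s+/\w+)*\s+"?([^"&|]+?\.exe)"?', re.IGNORECASE)
# The two usual sleep substitutes in a cmd one-liner.
DELAY_RE = re.compile(r"\b(?:ping(?:\.exe)?\b|timeout(?:\.exe)?\b)", re.IGNORECASE)


def _index(events):
    return {e.pid: e for e in events}


def find_self_delete(events):
    """Return one dict per cmd.exe whose command line deletes its parent's image."""
    by_pid = _index(events)
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e.cmdline)
        parent = by_pid.get(e.ppid)
        if not m or parent is None:
            continue
        target = m.group(1)
        # The deleted file must be the launching process's own executable.
        if target.lower() != parent.image.lower():
            continue
        hits.append({
            "cmd_pid": e.pid,
            "parent_pid": parent.pid,
            "deleted": target,
            "delayed": DELAY_RE.search(e.cmdline) is not None,
        })
    return hits


def find_self_respawn(events):
    """Return (parent_pid, child_pid) pairs where a process re-launched its own image."""
    by_pid = _index(events)
    pairs = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            pairs.append((parent.pid, e.pid))
    return pairs


if __name__ == "__main__":
    for h in find_self_delete(EVENTS):
        how = "delayed" if h["delayed"] else "immediate"
        print(f"self-delete: cmd.exe {h['cmd_pid']} deletes image of PID {h['parent_pid']} ({how})")
    for parent, child in find_self_respawn(EVENTS):
        print(f"self-respawn: PID {parent} -> PID {child}")
```

Matching the del target against the parent's image path rather than against a fixed string is what keeps this from firing on ordinary cleanup scripts (the PID 2000 control above), while still catching renamed copies of the sample dropped under any path. On a real telemetry source, also retain the grandparent (872 here) in the alert: it is the process that actually decided to erase itself.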