Analysis
-
max time kernel
63s -
max time network
110s -
platform
windows10_x64 -
resource
win10 -
submitted
13-07-2020 12:10
Static task
static1
Behavioral task
behavioral1
Sample
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
General
-
Target
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
-
Size
1.1MB
-
MD5
9a4c7ae4bcaa653ffd966d17785ed92d
-
SHA1
610343dbeb9e63ddd7fa2cfb765c8dda3c37c150
-
SHA256
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff
-
SHA512
e6da37f1da3c075f0d435592eb69ef9cbfeb94f96f450b1a560fc7f9e7b6a5b903fdefa4fd2a749dfa0e3c5d0eac2777428e7dc92af0543cbc6ea55d3bf5d51f
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exed06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.execmd.exedescription pid process target process PID 2888 wrote to memory of 4004 2888 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe PID 2888 wrote to memory of 4004 2888 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe PID 2888 wrote to memory of 4004 2888 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe PID 4004 wrote to memory of 3872 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe cmd.exe PID 4004 wrote to memory of 3872 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe cmd.exe PID 3872 wrote to memory of 3552 3872 cmd.exe PING.EXE PID 3872 wrote to memory of 3552 3872 cmd.exe PING.EXE -
Suspicious use of AdjustPrivilegeToken 40 IoCs
Processes:
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exedescription pid process Token: SeImpersonatePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeTcbPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeChangeNotifyPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeCreateTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeBackupPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeRestorePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeIncreaseQuotaPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeAssignPrimaryTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeImpersonatePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeTcbPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeChangeNotifyPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeCreateTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeBackupPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeRestorePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeIncreaseQuotaPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeAssignPrimaryTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeImpersonatePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeTcbPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeChangeNotifyPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeCreateTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeBackupPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeRestorePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeIncreaseQuotaPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeAssignPrimaryTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeImpersonatePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeTcbPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeChangeNotifyPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeCreateTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeBackupPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeRestorePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeIncreaseQuotaPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeAssignPrimaryTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeImpersonatePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeTcbPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeChangeNotifyPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeCreateTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeBackupPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeRestorePrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeIncreaseQuotaPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Token: SeAssignPrimaryTokenPrivilege 4004 d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Accesses cryptocurrency wallets, possible credential harvesting 2 TTPs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 2 IoCs
Processes:
description flow ioc HTTP User-Agent header 4 WinHttp.WinHttpRequest.5.1 HTTP User-Agent header 5 WinHttp.WinHttpRequest.5.1 -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks for installed software on the system 1 TTPs 7 IoCs
Processes:
d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exedescription ioc process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome\DisplayName d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\DisplayName d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\DisplayName d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\DisplayName d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\DisplayName d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe Key enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe"C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exeC:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe dfsr2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
- Checks for installed software on the system
PID:4004 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c ping 127.0.0.1 & del /F /Q "C:\Users\Admin\AppData\Local\Temp\d06be7bd36b4cdd6ac12e3c7fb675515cd33ae9ea75a26e7dc7fc3a7db14caff.exe"3⤵
- Suspicious use of WriteProcessMemory
PID:3872 -
C:\Windows\system32\PING.EXEping 127.0.0.14⤵
- Runs ping.exe
PID:3552