Analysis
- max time kernel: 148s
- max time network: 75s
- platform: windows7_x64
- resource: win7
- submitted: 16-07-2020 10:07

Static task: static1

Behavioral task: behavioral1
- Sample: Copia veloce.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Copia veloce.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Copia veloce.exe
- Size: 626KB
- MD5: 862a0c97d4eb40f77df90006d24cd462
- SHA1: bb5ffb6f696e8c73d80b9eeecada892a7af3a680
- SHA256: 8018cda9143d0dfeddb6ef8e5e90a920d837d0bb7eea826b9ce37f3c96850859
- SHA512: 414815ef9faa054e2659725b6586c19d78918e99012b10f067b2490bd45ccb1b206fbd661407be41749d27b05796e701b2ff4d38da7e272ea80eb8a0043b8847
- Score: 8/10
Malware Config
Signatures
- Gathers network information 2 TTPs 1 IoCs
  Uses commandline utility to view network configuration.
  pid  Process
  1880  ipconfig.exe
- Adds policy Run key to start application 2 TTPs 1 IoCs
  description  ioc  Process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  ipconfig.exe
- Modifies Internet Explorer settings
  description  ioc  Process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  ipconfig.exe
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory 19 IoCs
  description  pid  Process  procid_target
  PID 1492 wrote to memory of 1756  1492  Copia veloce.exe  26  (10 entries)
  PID 1228 wrote to memory of 1880  1228  Explorer.EXE  27  (4 entries)
  PID 1880 wrote to memory of 1816  1880  ipconfig.exe  28  (5 entries)
- Suspicious use of FindShellTrayWindow 5 IoCs
  pid  Process
  1228  Explorer.EXE  (5 entries)
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  description  pid  Process
  Token: SeDebugPrivilege  1756  ieinstal.exe
  Token: SeDebugPrivilege  1880  ipconfig.exe
  Token: SeShutdownPrivilege  1228  Explorer.EXE
- Suspicious behavior: MapViewOfSection 7 IoCs
  pid  Process
  1756  ieinstal.exe  (3 entries)
  1880  ipconfig.exe  (4 entries)
- Modifies system certificate store
  description  ioc  Process
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate data omitted)  Copia veloce.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  Copia veloce.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate data omitted)  Copia veloce.exe
- Adds Run key to start application 2 TTPs 2 IoCs
  description  ioc  Process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  ipconfig.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\K6AD-6RXGV = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"  ipconfig.exe
- Suspicious behavior: EnumeratesProcesses 22 IoCs
  pid  Process
  1756  ieinstal.exe  (2 entries)
  1880  ipconfig.exe  (20 entries)
- Suspicious use of SetThreadContext 2 IoCs
  description  pid  Process  procid_target
  PID 1756 set thread context of 1228  1756  ieinstal.exe  20
  PID 1880 set thread context of 1228  1880  ipconfig.exe  20
- Suspicious use of SendNotifyMessage 4 IoCs
  pid  Process
  1228  Explorer.EXE  (4 entries)
- Checks whether UAC is enabled
  description  ioc  Process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1228
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - C:\Users\Admin\AppData\Local\Temp\Copia veloce.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Copia veloce.exe"
    PID: 1492
    - Suspicious use of WriteProcessMemory
    - Modifies system certificate store
    - C:\Program Files (x86)\internet explorer\ieinstal.exe
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      PID: 1756
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\ipconfig.exe
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    PID: 1880
    - Gathers network information
    - Adds policy Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1816