Analysis
- max time kernel: 150s
- max time network: 139s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 10:22
Static task: static1
Behavioral task: behavioral1 (Sample: Versanddetails.exe; Resource: win7, windows7_x64; 0 signatures; 0 seconds)
General
- Target: Versanddetails.exe
- Size: 596KB
- MD5: 269a05d36d071c206dc87187d6136352
- SHA1: 85f8c093f487db02ebbbda53d0893be9bdbc0ace
- SHA256: b774ad4c9780bdb6e4fec9dbd688f1ac6d0ee75e9771c64de99e1f5152e0b385
- SHA512: 2449cc3e98eb46ffb373552fe1ca7cca4fea9628482e0f3214a2ef19a97240b184eca1191607e6406d810238ef8a0a29030867bec0baf44a7c480d485d661ebc
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (25 IoCs)
  Processes:
  description                        pid   process             target process   entries
  PID 3488 wrote to memory of 2484   3488  Versanddetails.exe  RegAsm.exe       3
  PID 3488 wrote to memory of 412    3488  Versanddetails.exe  RegAsm.exe       4
  PID 412 wrote to memory of 1468    412   RegAsm.exe          vbc.exe          9
  PID 412 wrote to memory of 2668    412   RegAsm.exe          vbc.exe          9
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid   process
  3488  Versanddetails.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid  process
  Token: SeDebugPrivilege  412  RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (837 IoCs)
  Processes:
  pid  process
  412  RegAsm.exe (the same entry is repeated throughout the list)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid  process
  412  RegAsm.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description                          pid   process             target process
  PID 3488 set thread context of 412   3488  Versanddetails.exe  RegAsm.exe
  PID 412 set thread context of 1468   412   RegAsm.exe          vbc.exe
  PID 412 set thread context of 2668   412   RegAsm.exe          vbc.exe
- Uses the VBS compiler for execution (1 TTP)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  flow  ioc
  1     whatismyipaddress.com
  3     whatismyipaddress.com
Processes
- C:\Users\Admin\AppData\Local\Temp\Versanddetails.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Versanddetails.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of SetThreadContext
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
- memory/412-0-0x0000000000400000-0x0000000000488000-memory.dmp (Filesize: 544KB)
- memory/412-1-0x0000000000480C5E-mapping.dmp
- memory/1468-2-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/1468-3-0x0000000000411654-mapping.dmp
- memory/1468-4-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
- memory/2668-5-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
- memory/2668-6-0x0000000000442628-mapping.dmp
- memory/2668-7-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)