Analysis
Max time kernel: 42s
Max time network: 139s
Platform: windows7_x64
Resource: win7v200722
Submitted: 31-07-2020 12:18
Static task: static1
Behavioral task: behavioral1
Sample: PO.exe
Resource: win7v200722
General
Target: PO.exe
Size: 618KB
MD5: 829316dec0bd0d3ae1a0d7dba9aa96fe
SHA1: 435cbff7d1b6d0ad1a5992be3b658fa4c575bffd
SHA256: e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc
SHA512: 29bf334d390eeda492797c7abab574cca03bb0dad9ee88cfbcc9f843ef16b3067d2fdf179d99d161a464c3805bc2b6b5c20f10ce503dfc779aa52c1b5f220754
Malware Config
Extracted
Protocol: smtp
Host: mail.greatgoldenqlory.com
Port: 587
Username: logistics@greatgoldenqlory.com
Password: chibuike12345@@@@@
Signatures

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                          pid   process  target process
PID 1588 set thread context of 364   1588  PO.exe   PO.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
3     checkip.dyndns.org

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description              pid  process
Token: SeDebugPrivilege  364  PO.exe

Processes:
resource                                                                   yara_rule
behavioral1/memory/364-0-0x0000000000400000-0x00000000004EE000-memory.dmp  upx
behavioral1/memory/364-0-0x0000000000400000-0x00000000004EE000-memory.dmp  upx
behavioral1/memory/364-2-0x0000000000400000-0x00000000004EE000-memory.dmp  upx
behavioral1/memory/364-2-0x0000000000400000-0x00000000004EE000-memory.dmp  upx
behavioral1/memory/364-3-0x0000000000400000-0x00000000004EE000-memory.dmp  upx
behavioral1/memory/364-3-0x0000000000400000-0x00000000004EE000-memory.dmp  upx

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
1588  PO.exe
364   PO.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description                      pid   process  target process
PID 1588 wrote to memory of 364  1588  PO.exe   PO.exe
PID 1588 wrote to memory of 364  1588  PO.exe   PO.exe
PID 1588 wrote to memory of 364  1588  PO.exe   PO.exe
PID 1588 wrote to memory of 364  1588  PO.exe   PO.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
pid   process
1588  PO.exe
Processes
1. PO.exe  "C:\Users\Admin\AppData\Local\Temp\PO.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious behavior: MapViewOfSection
   2. PO.exe  "C:\Users\Admin\AppData\Local\Temp\PO.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/364-1-0x00000000004EBF60-mapping.dmp
memory/364-0-0x0000000000400000-0x00000000004EE000-memory.dmp  Filesize: 952KB
memory/364-2-0x0000000000400000-0x00000000004EE000-memory.dmp  Filesize: 952KB
memory/364-3-0x0000000000400000-0x00000000004EE000-memory.dmp  Filesize: 952KB
memory/364-4-0x0000000000350000-0x00000000003C0000-memory.dmp  Filesize: 448KB
memory/364-5-0x0000000002022000-0x0000000002023000-memory.dmp  Filesize: 4KB
memory/364-6-0x0000000000220000-0x000000000028B000-memory.dmp  Filesize: 428KB