Analysis
- max time kernel: 104s
- max time network: 116s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 12:18
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO.exe
- Resource: win7v200722
General
- Target: PO.exe
- Size: 618KB
- MD5: 829316dec0bd0d3ae1a0d7dba9aa96fe
- SHA1: 435cbff7d1b6d0ad1a5992be3b658fa4c575bffd
- SHA256: e3d23bafecccf8c1282d7c7f561490061216edabbbdafde8dca65608ba28a8fc
- SHA512: 29bf334d390eeda492797c7abab574cca03bb0dad9ee88cfbcc9f843ef16b3067d2fdf179d99d161a464c3805bc2b6b5c20f10ce503dfc779aa52c1b5f220754
Malware Config
Extracted
- Protocol: smtp
- Host: mail.greatgoldenqlory.com
- Port: 587
- Username: logistics@greatgoldenqlory.com
- Password: chibuike12345@@@@@
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    1    | checkip.dyndns.org
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    pid  | process
    2532 | PO.exe
    2532 | PO.exe
    3076 | PO.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        | pid  | process | target process
    PID 2532 wrote to memory of 3076   | 2532 | PO.exe  | PO.exe
    PID 2532 wrote to memory of 3076   | 2532 | PO.exe  | PO.exe
    PID 2532 wrote to memory of 3076   | 2532 | PO.exe  | PO.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 3076 | PO.exe
- Processes:
    resource                                                              | yara_rule
    behavioral2/memory/3076-0-0x0000000000400000-0x00000000004EE000-memory.dmp | upx
    behavioral2/memory/3076-2-0x0000000000400000-0x00000000004EE000-memory.dmp | upx
    behavioral2/memory/3076-3-0x0000000000400000-0x00000000004EE000-memory.dmp | upx
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
    pid  | process
    2532 | PO.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                            | pid  | process | target process
    PID 2532 set thread context of 3076    | 2532 | PO.exe  | PO.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - C:\Users\Admin\AppData\Local\Temp\PO.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3076-0-0x0000000000400000-0x00000000004EE000-memory.dmp (Filesize: 952KB)
- memory/3076-1-0x00000000004EBF60-mapping.dmp
- memory/3076-2-0x0000000000400000-0x00000000004EE000-memory.dmp (Filesize: 952KB)
- memory/3076-3-0x0000000000400000-0x00000000004EE000-memory.dmp (Filesize: 952KB)
- memory/3076-4-0x0000000000AA0000-0x0000000000B10000-memory.dmp (Filesize: 448KB)
- memory/3076-5-0x0000000000762000-0x0000000000763000-memory.dmp (Filesize: 4KB)