Analysis
- max time kernel: 103s
- max time network: 104s
- platform: windows7_x64
- resource: win7v200722
- submitted: 13-10-2020 15:16
Static task: static1
Behavioral task behavioral1: sample index.exe, resource win7v200722
Behavioral task behavioral2: sample index.exe, resource win10v200722
General
- Target: index.exe
- Size: 510KB
- MD5: 7c1a4c9622e4b76e03aa95e55d9ff895
- SHA1: 25b3129ea5a77afdc84fb80923f21689f75a9205
- SHA256: aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
- SHA512: f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: PID 1676 index.exe; PID 1912 index.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 836 index.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process index.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2090973689-680783404-4292415065-1000\Software\Microsoft\Windows\CurrentVersion\Run\index = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\index.exe -boot"
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flow 5: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  PID 1676 (index.exe) set thread context of PID 1912 (index.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1912 index.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 836 index.exe; PID 1676 index.exe; PID 1912 index.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1912 index.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  PID 836 (index.exe) wrote to memory of PID 1676 (index.exe): 4 events
  PID 1676 (index.exe) wrote to memory of PID 1912 (index.exe): 9 events
Processes
1. C:\Users\Admin\AppData\Local\Temp\index.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\index.exe"
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
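The chain recorded in the Signatures and Processes sections (memory writes from PID 836 into 1676 and from 1676 into 1912, a SetThreadContext call on 1912, SeDebugPrivilege taken by all three, and a Run key that relaunches the dropped copy with -boot) is the pattern an analyst wants as a repeatable check rather than a one-off reading of the report. The Python below is an added example, not part of this sandbox report and not the sample's code: it rebuilds the process tree and behaviour events from the report's own PIDs and paths as constructed data, flags the parent/child pair that both receives memory writes and has its thread context changed (a lone WriteProcessMemory, as from 836 into 1676, is deliberately not enough), and parses the Run-key value to confirm that persistence points at the dropped copy. The Proc and Event classes and their field names are assumptions, not the sandbox's export schema.

```python
"""Triage helpers for the chain in this report (added example, not the
sandbox's tooling). Events and process table are constructed from the
report's Signatures/Processes sections; field names are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]  # None for the root of the observed tree


@dataclass(frozen=True)
class Event:
    api: str     # API family as the sandbox labels it
    pid: int     # acting process
    target: int  # process acted upon (the pid itself for token changes)


# Process tree from the Processes section (constructed from the report).
PROCESSES: Dict[int, Proc] = {
    836:  Proc(836,  r"C:\Users\Admin\AppData\Local\Temp\index.exe", None),
    1676: Proc(1676, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe", 836),
    1912: Proc(1912, r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe", 1676),
}

# Behaviour events from the Signatures section: 4 + 9 memory writes, one
# SetThreadContext, SeDebugPrivilege taken by all three processes.
EVENTS: List[Event] = (
    [Event("WriteProcessMemory", 836, 1676)] * 4
    + [Event("WriteProcessMemory", 1676, 1912)] * 9
    + [Event("SetThreadContext", 1676, 1912)]
    + [Event("AdjustPrivilegeToken", p, p) for p in (836, 1676, 1912)]
)

# Run-key data exactly as the report prints it (backslashes doubled).
RUN_KEY_DATA = r'C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\index.exe -boot'


def detect_hollowing(events: List[Event], procs: Dict[int, Proc]) -> List[dict]:
    """Flag parent/child pairs where the parent both wrote into the child and
    set its thread context. Requiring both calls plus a real parent/child link
    separates hollowing from a lone WriteProcessMemory (836 -> 1676 here)."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx_pairs = set()
    for e in events:
        if e.api == "WriteProcessMemory":
            writes[(e.pid, e.target)] += 1
        elif e.api == "SetThreadContext":
            ctx_pairs.add((e.pid, e.target))
    findings = []
    for injector, target in sorted(ctx_pairs):
        child = procs.get(target)
        if writes[(injector, target)] == 0 or child is None or child.parent != injector:
            continue
        findings.append({
            "injector": injector,
            "hollowed": target,
            "writes": writes[(injector, target)],
            # Same image on both sides: "spawn self, overwrite, resume" rather
            # than hollowing a system binary.
            "same_image": procs[injector].image.lower() == child.image.lower(),
        })
    return findings


def ancestry(pid: int, procs: Dict[int, Proc]) -> List[int]:
    """Walk parent links from pid to the root, e.g. 1912 -> [1912, 1676, 836]."""
    chain, cur = [], pid
    while cur is not None and cur in procs:
        chain.append(cur)
        cur = procs[cur].parent
    return chain


def split_run_value(data: str) -> Tuple[str, str]:
    """Split Run-key data into (image path, arguments). Collapses the doubled
    backslashes the sandbox prints, honours a quoted image path, and for an
    unquoted one takes everything up to the first '.exe' as the path so that
    spaces inside the path are not mistaken for the start of arguments."""
    s = data.replace("\\\\", "\\").strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    m = re.match(r"(?i)(.+?\.exe)(?:\s+(.*))?$", s)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def persistence_points_at_drop(run_data: str, procs: Dict[int, Proc]) -> bool:
    """True when the Run-key image is one of the executed images, i.e. the
    persistence entry relaunches the dropped copy rather than the original."""
    image, _args = split_run_value(run_data)
    return any(p.image.lower() == image.lower() for p in procs.values())


if __name__ == "__main__":
    for f in detect_hollowing(EVENTS, PROCESSES):
        print("hollowing:", f, "chain:", ancestry(f["hollowed"], PROCESSES))
    print("run key ->", split_run_value(RUN_KEY_DATA),
          "targets dropped copy:", persistence_points_at_drop(RUN_KEY_DATA, PROCESSES))
```

Fed real telemetry (Sysmon event 10 for the memory writes, an API monitor or EDR for SetThreadContext, and the Run key from a registry export), the same functions apply unchanged; the point of requiring write plus context change on a direct child is that debuggers and legitimate injectors usually do only one of the two.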
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe (reported four times, once without the drive prefix as \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe, all with identical hashes)
  MD5: 7c1a4c9622e4b76e03aa95e55d9ff895
  SHA1: 25b3129ea5a77afdc84fb80923f21689f75a9205
  SHA256: aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
  SHA512: f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81
  These hashes match the submitted sample's, so the dropped file is a byte-for-byte copy of index.exe placed in the Templates folder and referenced by the Run key.
- memory/1676-1-0x0000000000000000-mapping.dmp
- memory/1912-4-0x0000000000402000-0x0000000000434000-memory.dmp (200KB)
- memory/1912-6-0x0000000000400000-0x0000000000400200-memory.dmp (512B)
- memory/1912-7-0x0000000000402000-0x0000000000434000-memory.dmp (200KB)
- memory/2000-8-0x000007FEF8550000-0x000007FEF87CA000-memory.dmp (2.5MB)