Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200722
- submitted: 13-10-2020 15:16
Static task: static1
Behavioral task: behavioral1
  Sample: index.exe
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: index.exe
  Resource: win10v200722
General
- Target: index.exe
- Size: 510KB
- MD5: 7c1a4c9622e4b76e03aa95e55d9ff895
- SHA1: 25b3129ea5a77afdc84fb80923f21689f75a9205
- SHA256: aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
- SHA512: f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81
Malware Config
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
  pid 1160  index.exe
  pid 1840  index.exe
-
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
  index.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Run\index = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\index.exe -boot"
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 14  checkip.dyndns.org
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  PID 1160 (index.exe) set thread context of 1840 (index.exe)
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid 1840  index.exe
  pid 1840  index.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  pid 964   index.exe
  Token: SeDebugPrivilege  pid 1160  index.exe
  Token: SeDebugPrivilege  pid 1840  index.exe
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid 1840  index.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  PID 964 (index.exe) wrote to memory of 1160 (index.exe)   (3 entries)
  PID 1160 (index.exe) wrote to memory of 1840 (index.exe)  (8 entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\index.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\index.exe"
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
-
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\index.exe.log
  MD5: ea77b5d9c31ccc3105c397f04c7af037
  SHA1: 5c154101ff6300b6bc2dff4d9e1ec8d05acb5ef0
  SHA256: c127af03059550eda08b2d9d112890b44b31aa43dd8fd93e7dbadc313b6ca0c2
  SHA512: 037e99f76acc3a805d1b623b219e3ffc37471223eb8cbc3b5110f4d9a8aa615f59ff326afcfe9c1bf99b724d5dd25115852e0cd0c4807952155f6ee314154602
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
  MD5: 7c1a4c9622e4b76e03aa95e55d9ff895
  SHA1: 25b3129ea5a77afdc84fb80923f21689f75a9205
  SHA256: aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
  SHA512: f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81
-
memory/1160-2-0x0000000000000000-mapping.dmp
-
memory/1840-8-0x0000000000402000-0x0000000000434000-memory.dmp
  Filesize: 200KB