Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    13-10-2020 15:16

General

  • Target

    index.exe

  • Size

    510KB

  • MD5

    7c1a4c9622e4b76e03aa95e55d9ff895

  • SHA1

    25b3129ea5a77afdc84fb80923f21689f75a9205

  • SHA256

    aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43

  • SHA512

    f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81

Score
8/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\index.exe
    "C:\Users\Admin\AppData\Local\Temp\index.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1840

Network

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\index.exe.log
    MD5

    ea77b5d9c31ccc3105c397f04c7af037

    SHA1

    5c154101ff6300b6bc2dff4d9e1ec8d05acb5ef0

    SHA256

    c127af03059550eda08b2d9d112890b44b31aa43dd8fd93e7dbadc313b6ca0c2

    SHA512

    037e99f76acc3a805d1b623b219e3ffc37471223eb8cbc3b5110f4d9a8aa615f59ff326afcfe9c1bf99b724d5dd25115852e0cd0c4807952155f6ee314154602

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    MD5

    7c1a4c9622e4b76e03aa95e55d9ff895

    SHA1

    25b3129ea5a77afdc84fb80923f21689f75a9205

    SHA256

    aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43

    SHA512

    f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    MD5

    7c1a4c9622e4b76e03aa95e55d9ff895

    SHA1

    25b3129ea5a77afdc84fb80923f21689f75a9205

    SHA256

    aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43

    SHA512

    f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\index.exe
    MD5

    7c1a4c9622e4b76e03aa95e55d9ff895

    SHA1

    25b3129ea5a77afdc84fb80923f21689f75a9205

    SHA256

    aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43

    SHA512

    f0a5e7038127c0de6a91066d4379b88648b82ba49aeb8f3061b684d81c4f1f3799deade0c6be340cc8e8fa0da2cd85d3b824b5297026ee44c626e6add6320d81

  • memory/1160-2-0x0000000000000000-mapping.dmp
  • memory/1840-8-0x0000000000402000-0x0000000000434000-memory.dmp
    Filesize

    200KB