Analysis

  • max time kernel: 151s
  • max time network: 147s
  • platform: windows7_x64
  • resource: win7
  • submitted: 26-10-2020 07:09

General

  • Target: c3c4e97a92372bba5299301c96a20a15.exe
  • Size: 2.0MB
  • MD5: c3c4e97a92372bba5299301c96a20a15
  • SHA1: 059ce2d62526a9c4bb1ab81cacb1945fa23a4478
  • SHA256: e138114de7be8b668de032a3bacf123dc855eead36d2765689c990cf1951771c
  • SHA512: 7eb8b4d87004d0edffd43ef90656d2e805befe3743a626fe60bce11b240959995ba39f5dc15a19e47f34edd9180c9d1d7547df447efaed5fbb72f30ea1007780

Signatures

  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • JavaScript code in executable 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 800 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 37 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe
    "C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1508
    • C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe
      "C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe"
      2⤵
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe
        "C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1168
        • C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe
          "C:\Users\Admin\AppData\Local\Temp\v8wvLSmoy2.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1644
          • C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
            "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
            5⤵
            • Executes dropped EXE
            PID:1056
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\c3c4e97a92372bba5299301c96a20a15.exe"
        3⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 10 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:1488

Downloads

  • memory/324-8-0x000007FEF7E20000-0x000007FEF809A000-memory.dmp (Filesize: 2.5MB)
  • memory/1168-23-0x0000000001240000-0x0000000001241000-memory.dmp (Filesize: 4KB)
  • memory/1168-26-0x0000000000620000-0x0000000000689000-memory.dmp (Filesize: 420KB)
  • memory/1168-22-0x0000000073460000-0x0000000073B4E000-memory.dmp (Filesize: 6.9MB)
  • memory/1508-4-0x0000000000280000-0x000000000028C000-memory.dmp (Filesize: 48KB)
  • memory/1508-0-0x00000000740D0000-0x00000000747BE000-memory.dmp (Filesize: 6.9MB)
  • memory/1508-3-0x0000000001260000-0x00000000012BF000-memory.dmp (Filesize: 380KB)
  • memory/1508-1-0x00000000012F0000-0x00000000012F1000-memory.dmp (Filesize: 4KB)
  • memory/1644-29-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
  • memory/1644-32-0x0000000000400000-0x000000000045A000-memory.dmp (Filesize: 360KB)
  • memory/1644-41-0x0000000000370000-0x000000000038F000-memory.dmp (Filesize: 124KB)
  • memory/1644-42-0x0000000000390000-0x0000000000391000-memory.dmp (Filesize: 4KB)
  • memory/1948-5-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)
  • memory/1948-7-0x0000000000400000-0x0000000000493000-memory.dmp (Filesize: 588KB)