Analysis
-
max time kernel
560s -
max time network
561s -
platform
windows10_x64 -
resource
win10 -
submitted
28-10-2020 11:13
Static task
static1
Behavioral task
behavioral1
Sample
fltMC7e0.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
fltMC7e0.exe
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
fltMC7e0.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
fltMC7e0.exe
Resource
win10
windows10_x64
0 signatures
0 seconds
General
-
Target
fltMC7e0.exe
-
Size
976KB
-
MD5
30d365051e1c8ef9a84843ac9b10998f
-
SHA1
4a01901391b9899b9d07ccff4f8c4521d4644faa
-
SHA256
d11866e458626e81d4aa4bd9fdb441bec5a684ccaf7b786acddb95377d66b72f
-
SHA512
8b5a4b88943bd3920fe0ab84369f1e1577a10c869c5c8ebf78e54e84352828adf3326fb368ce6ac9915939712e912ac400bfa750ad05b13f22fb5020ab125829
Score
7/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
wermgr.exedescription pid process Token: SeDebugPrivilege 3444 wermgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
fltMC7e0.exepid process 3952 fltMC7e0.exe 3952 fltMC7e0.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
fltMC7e0.exedescription pid process target process PID 3952 wrote to memory of 3444 3952 fltMC7e0.exe wermgr.exe PID 3952 wrote to memory of 3444 3952 fltMC7e0.exe wermgr.exe PID 3952 wrote to memory of 3444 3952 fltMC7e0.exe wermgr.exe PID 3952 wrote to memory of 3444 3952 fltMC7e0.exe wermgr.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fltMC7e0.exe"C:\Users\Admin\AppData\Local\Temp\fltMC7e0.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\system32\wermgr.exeC:\Windows\system32\wermgr.exe2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444
-