Analysis

max time kernel: 70s
max time network: 68s
platform: windows7_x64
resource: win7v20201028
submitted: 08-11-2020 17:43

Static task: static1
Behavioral task: behavioral1
Sample: f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe
Resource: win7v20201028
General

Target: f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe
Size: 541KB
MD5: c8a7a82ce56939564cfc46b78935e64a
SHA1: ed58a285000ac47ef0ff0626f14c003ff0e9f78e
SHA256: f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02
SHA512: 7d2d42574031227e7fbc523b9d9cd469df4af68ab09bbeaf1bee3c0bea4903de153a6e0ee3a798b2159c5e28bc66df77e08f29931c5d09f87ecbb2e3025b5f64
Malware Config
Signatures

Deletes itself (1 IoC)
Processes: cmd.exe (PID 1432)

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it. No runtime IoCs are listed for this signature.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and form data. No runtime IoCs are listed for this signature.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network IoC: flow 8, ip-api.com

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Registry IoCs (f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe):
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Kills process with taskkill (1 IoC)
Processes: taskkill.exe (PID 912)

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe (PID 1816), 4 events

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: taskkill.exe (PID 912), Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (8 IoCs)
PID 1816 (f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe) wrote to memory of PID 1432 (cmd.exe), 4 events
PID 1432 (cmd.exe) wrote to memory of PID 912 (taskkill.exe), 4 events
Both writes target a child the writer had just created (see the process tree below), which is consistent with ordinary process creation rather than injection into an unrelated process.
Processes

1. C:\Users\Admin\AppData\Local\Temp\f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe (PID 1816)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe"
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 1432, child of 1816)
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe /f & erase C:\Users\Admin\AppData\Local\Temp\f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe & exit
      (The System32 path in the command line resolves to SysWOW64 because the 32-bit sample runs under WOW64 file system redirection.)
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe (PID 912, child of 1432)
         Command line: taskkill /im f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe /f
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken
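The individual signatures above (CPU-name registry read, Uninstall-key enumeration, ip-api.com lookup) are each seen in benign software; it is the combination with the taskkill-and-erase chain in the process tree that makes this sample stand out. The script below is an added example, not part of this Triage report and not Triage's own detection logic. It parses the self-deletion command line so the finding is attributed to the process being erased (PID 1816) rather than to the cmd.exe helper, and scores the signals per process. The events are constructed from the report's process tree and IoCs; the parent PID 1000, the hypothetical benign installer setup.exe, the full path of the Uninstall key (the report names the key but not its path), the extra IP-lookup domains, and the weights and threshold are assumptions.

```python
"""Per-process correlation of the signatures in the report above.

Added example: not part of the Triage report and not Triage's own logic.
Events are constructed from the report's process tree and IoCs; PID 1000,
the benign installer, the Uninstall key path, the extra lookup domains,
the weights and the threshold are assumptions.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# ip-api.com is the service seen in the report; the others are assumed extras.
IP_LOOKUP_DOMAINS = {"ip-api.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

# Assumed weights: CPU-name and Uninstall-key reads are common in benign
# software and count little alone; erasing your own image rarely is benign.
WEIGHTS = {"cpu_name_read": 1, "installed_software_enum": 1,
           "external_ip_lookup": 2, "self_delete": 3}
SUSPICIOUS_THRESHOLD = 4  # assumption


@dataclass
class Event:
    kind: str    # "process" (detail=command line), "registry" (detail=key) or "dns" (detail=hostname)
    pid: int
    ppid: int
    image: str   # full path of the process that performed the action
    detail: str


_TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def parse_self_delete(cmdline):
    """Return (killed_image, erased_path) when a command line chains
    `taskkill /im <image>` with `erase|del <path>`, otherwise None."""
    killed = erased = None
    for segment in re.split(r"\s*&+\s*", cmdline):
        toks = [t.strip('"') for t in _TOKEN_RE.findall(segment)]
        names = [ntpath.basename(t).lower() for t in toks]
        lowered = [t.lower() for t in toks]
        if any(n in ("taskkill", "taskkill.exe") for n in names) and "/im" in lowered:
            idx = lowered.index("/im") + 1
            if idx < len(toks):
                killed = toks[idx]
        for i, name in enumerate(names):
            if name in ("erase", "del"):
                args = [t for t in toks[i + 1:] if not t.startswith("/")]
                if args:
                    erased = args[0]
                break
    return (killed, erased) if killed and erased else None


def score_events(events):
    """Tag each process with the behaviours it performed and return
    {pid: (score, [tags])}. Self-deletion is attributed to the process
    whose image is killed and erased, not to the cmd.exe helper."""
    images = {}
    tags = defaultdict(list)

    def add(pid, tag):
        if tag not in tags[pid]:
            tags[pid].append(tag)

    for ev in events:
        images.setdefault(ev.pid, ev.image)
        if ev.kind == "registry":
            key = ev.detail.lower()
            if key.endswith(r"centralprocessor\0\processornamestring"):
                add(ev.pid, "cpu_name_read")
            elif r"\currentversion\uninstall" in key:
                add(ev.pid, "installed_software_enum")
        elif ev.kind == "dns":
            if ev.detail.lower().rstrip(".") in IP_LOOKUP_DOMAINS:
                add(ev.pid, "external_ip_lookup")
        elif ev.kind == "process" and ntpath.basename(ev.image).lower() == "cmd.exe":
            parsed, parent = parse_self_delete(ev.detail), images.get(ev.ppid)
            if parsed and parent:
                killed, erased = parsed
                if (killed.lower() == ntpath.basename(parent).lower()
                        and erased.lower() == parent.lower()):
                    add(ev.ppid, "self_delete")
    return {pid: (sum(WEIGHTS[t] for t in ts), ts) for pid, ts in tags.items()}


def verdict(score):
    return "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign"


# Constructed events modelled on the report's process tree and IoCs.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\f96c7c55ff73a463bd4ebef73ed08ae0080fa6104437a66425e689241935dc02.exe")
SAMPLE_NAME = ntpath.basename(SAMPLE)
CPU_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString"
INSTALLER = r"C:\Program Files\Vendor\setup.exe"  # hypothetical benign process

EVENTS = [
    Event("process", 1816, 1000, SAMPLE, f'"{SAMPLE}"'),
    Event("registry", 1816, 1000, SAMPLE, CPU_KEY),
    Event("registry", 1816, 1000, SAMPLE,
          r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"),
    Event("dns", 1816, 1000, SAMPLE, "ip-api.com"),
    Event("process", 1432, 1816, r"C:\Windows\SysWOW64\cmd.exe",
          f'"C:\\Windows\\System32\\cmd.exe" /c taskkill /im {SAMPLE_NAME} /f & erase {SAMPLE} & exit'),
    Event("process", 912, 1432, r"C:\Windows\SysWOW64\taskkill.exe", f"taskkill /im {SAMPLE_NAME} /f"),
    Event("process", 2000, 1000, INSTALLER, f'"{INSTALLER}" /silent'),
    Event("registry", 2000, 1000, INSTALLER, CPU_KEY),  # same read, benign context
]

if __name__ == "__main__":
    for pid, (score, ts) in score_events(EVENTS).items():
        print(f"PID {pid}: score {score} ({verdict(score)}): {', '.join(ts)}")
```

Run as-is, the sample process (PID 1816) collects all four tags and scores 7, while the hypothetical installer that performs the same ProcessorNameString read scores 1; neither cmd.exe nor taskkill.exe receives a tag, because the self-deletion is credited to the image they were told to remove. Matching the taskkill and erase targets against the parent's actual image path is what keeps the rule from firing on ordinary `cmd /c taskkill` cleanup scripts.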