Analysis

max time kernel: 129s
max time network: 117s
platform: windows10_x64
resource: win10v20201028
submitted: 10-11-2020 10:56

Static task: static1
Behavioral task: behavioral1
  Sample: 02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe
  Resource: win7v20201028
General

Target: 02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe
Size: 273KB
MD5: 7f1d3c53b9ec4e4a0de133e294c59503
SHA1: 0a5cf542342a579a2da13fe81f2a33e8beb2dd53
SHA256: 02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74
SHA512: 38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486
Malware Config

Extracted family: ursnif
  dga_base_url: (empty)
  dga_crc: 0
  dga_season: 0
  dga_tlds: (empty)
  dns_servers: (empty)
Signatures

Executes dropped EXE (1 IoC)
  pid   process
  856   ACCTlg32.exe

YARA rule matches
  resource                                               yara_rule
  C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe   upx
  C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe   upx

Deletes itself (1 IoC)
  pid   process
  856   ACCTlg32.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\advadext = "C:\\Users\\Admin\\AppData\\Roaming\\capicatq\\ACCTlg32.exe"
  process: 02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe
  Note: the value is written by the original sample, not by the dropped copy, and its data is the path of the copy in %APPDATA%\capicatq\, so that copy is started at every logon of this user (the key is under the user's own SID hive, HKCU, which needs no elevation).
Suspicious use of SetThreadContext (3 IoCs)
  pid    process        target pid   target process
  856    ACCTlg32.exe   988          svchost.exe
  988    svchost.exe    2868         Explorer.EXE
  2868   Explorer.EXE   3480         RuntimeBroker.exe
  Note: read these three rows head-to-tail as one injection chain, 856 -> 988 -> 2868 -> 3480. Each hop is preceded by WriteProcessMemory calls from the same source into the same target (see the WriteProcessMemory table below), i.e. code is written into the target and then a thread's context is redirected to it.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    process        events
  856    ACCTlg32.exe   2
  2868   Explorer.EXE   2

Suspicious behavior: MapViewOfSection (3 IoCs)
  pid    process
  856    ACCTlg32.exe
  988    svchost.exe
  2868   Explorer.EXE

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    process
  2868   Explorer.EXE
Suspicious use of WriteProcessMemory (20 IoCs, collapsed to one row per source/target pair)
  pid    process                                                                     target pid   target process      events
  880    02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe       3228         cmd.exe             3
  3228   cmd.exe                                                                     64           cmd.exe             3
  64     cmd.exe                                                                     856          ACCTlg32.exe        3
  856    ACCTlg32.exe                                                                988          svchost.exe         5
  988    svchost.exe                                                                 2868         Explorer.EXE        3
  2868   Explorer.EXE                                                                3480         RuntimeBroker.exe   3
  Note: the first three rows are each parent writing into a child it has just created (880 -> 3228 -> 64 -> 856 is the launch chain in the process tree), which the sandbox's hook reports whether or not it is malicious. The last three rows coincide with the SetThreadContext hops: svchost.exe (988) is spawned by ACCTlg32.exe and then written to and redirected, which is the process-hollowing pattern, while Explorer.EXE (2868) and RuntimeBroker.exe (3480) are pre-existing processes that receive injected code.
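The SetThreadContext and WriteProcessMemory tables above are easier to reason about as a chain than as rows. The Python below is an added triage example, not part of the sandbox report and not sandbox tooling: it parses the rows exactly as they appear in the report (copied inline as constructed input), links the SetThreadContext hops into the injection chain, counts the WriteProcessMemory events per hop, and labels a hop "hollowed child" when the target was spawned by the injecting process. The PARENT map is taken from the process tree in the report; the "hollowed child" / "existing process" labelling is this example's heuristic, not a verdict the report makes. It also extracts the Run value from the registry row and flags it because the path lies under the user profile.

```python
"""Triage the injection and persistence rows of the sandbox report above.

Added example. The row strings are copied from the report; the parsing
and the classification heuristics are this example's own.
"""
import re
from collections import Counter

SAMPLE = "02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe"

# Rows from the "Suspicious use of SetThreadContext" table (constructed input).
SET_THREAD_CONTEXT_ROWS = (
    "PID 856 set thread context of 988 856 ACCTlg32.exe svchost.exe\n"
    "PID 988 set thread context of 2868 988 svchost.exe Explorer.EXE\n"
    "PID 2868 set thread context of 3480 2868 Explorer.EXE RuntimeBroker.exe\n"
)

# Rows from the "Suspicious use of WriteProcessMemory" table, one per event;
# the report repeats identical rows, written here as "* n" (20 rows in total).
WRITE_PROCESS_MEMORY_ROWS = (
    f"PID 880 wrote to memory of 3228 880 {SAMPLE} cmd.exe\n" * 3
    + "PID 3228 wrote to memory of 64 3228 cmd.exe cmd.exe\n" * 3
    + "PID 64 wrote to memory of 856 64 cmd.exe ACCTlg32.exe\n" * 3
    + "PID 856 wrote to memory of 988 856 ACCTlg32.exe svchost.exe\n" * 5
    + "PID 988 wrote to memory of 2868 988 svchost.exe Explorer.EXE\n" * 3
    + "PID 2868 wrote to memory of 3480 2868 Explorer.EXE RuntimeBroker.exe\n" * 3
)

# The "Adds Run key" row; the report shows the value data with doubled backslashes.
RUN_KEY_ROW = (
    r"Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\advadext = "
    r'"C:\\Users\\Admin\\AppData\\Roaming\\capicatq\\ACCTlg32.exe" ' + SAMPLE
)

# child pid -> parent pid, read off the process tree in the report (roots omitted).
PARENT = {880: 2868, 3228: 880, 64: 3228, 856: 64, 988: 856}

ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)
RUN_RE = re.compile(r'\\Run\\(?P<name>[^ ]+) = "(?P<path>[^"]+)"')


def parse_rows(text):
    """Yield (src_pid, src_name, dst_pid, dst_name) for every row that matches."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            yield int(m["src"]), m["src_name"], int(m["dst"]), m["dst_name"]


def injection_chain(stc_rows=SET_THREAD_CONTEXT_ROWS):
    """Link SetThreadContext edges head-to-tail, starting at the one PID that is never a target."""
    edges = {src: dst for src, _, dst, _ in parse_rows(stc_rows)}
    roots = [src for src in edges if src not in edges.values()]
    if len(roots) != 1:
        raise ValueError(f"expected a single chain, found roots {roots}")
    chain = [roots[0]]
    while chain[-1] in edges:
        chain.append(edges[chain[-1]])
    return chain


def classify_hops(stc_rows=SET_THREAD_CONTEXT_ROWS,
                  wpm_rows=WRITE_PROCESS_MEMORY_ROWS, parent=PARENT):
    """Per SetThreadContext hop: how many writes preceded it and whether the
    target is a child the injector spawned (hollowing pattern) or already existed."""
    writes = Counter((src, dst) for src, _, dst, _ in parse_rows(wpm_rows))
    hops = []
    for src, src_name, dst, dst_name in parse_rows(stc_rows):
        kind = "hollowed child" if parent.get(dst) == src else "existing process"
        hops.append({"from": (src, src_name), "to": (dst, dst_name),
                     "writes": writes[(src, dst)], "kind": kind})
    return hops


def run_key_persistence(row=RUN_KEY_ROW):
    """Extract the Run value name and path; flag paths inside the user profile."""
    m = RUN_RE.search(row)
    if not m:
        return None
    path = m["path"].replace("\\\\", "\\")  # undo the report's escaped backslashes
    return {"value": m["name"], "path": path,
            "user_writable": path.lower().startswith("c:\\users\\")}


if __name__ == "__main__":
    print("injection chain:", " -> ".join(str(p) for p in injection_chain()))
    for hop in classify_hops():
        print(f"  {hop['from']} -> {hop['to']}: {hop['writes']} writes, {hop['kind']}")
    print("persistence:", run_key_persistence())
```

Run stand-alone it prints the chain 856 -> 988 -> 2868 -> 3480, five writes for the svchost.exe hop and three for each of the others, and the advadext value resolved to C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe. The same parser works on any report that uses these row formats; the PARENT map is the only thing that must be transcribed per report.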
Processes

Process tree (PIDs taken from the signature tables above; depth as reported by the sandbox):

C:\Windows\Explorer.EXE  (PID 2868, depth 1, pre-existing)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe  (PID 880, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 3228, depth 3)
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2D9E\10.bat" "C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE""
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe  (PID 64, depth 4)
        command line: cmd /C ""C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE""
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe  (PID 856, depth 5)
          command line: "C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe" "C:\Users\Admin\AppData\Local\Temp\02D165~1.EXE"
          - Executes dropped EXE
          - Deletes itself
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\svchost.exe  (PID 988, depth 6)
            command line: C:\Windows\system32\svchost.exe
            - Suspicious use of SetThreadContext
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory

C:\Windows\System32\RuntimeBroker.exe  (PID 3480, depth 1, pre-existing)
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding

Notes on the tree:
- The sample relocates itself through two nested cmd.exe instances: the first runs the dropped batch file 2D9E\10.bat with the destination path (%APPDATA%\capicatq\ACCTlg32.exe) and the original path (as its 8.3 short name 02D165~1.EXE) as arguments; the batch file then starts the copy and hands it the original path, which is consistent with the "Deletes itself" signature on PID 856.
- The cmd.exe image path is C:\Windows\SysWOW64\cmd.exe although the command line names system32, so the sample runs as a 32-bit process under WOW64 file-system redirection.
- svchost.exe (988) is a child of the dropped copy, whereas Explorer.EXE and RuntimeBroker.exe sit at depth 1: the former is spawned to be hollowed, the latter two already existed and are injected into.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\2D9E\10.bat
  MD5: 080d26ee115b01a74a7e2d9d99cdd4ab
  SHA1: d2ece7f90e7eb9cecd2f2249852efd5a7cc37cb8
  SHA256: 6885b9e820e6db3849a5c1dc9799e6a2cfacc67331960e1334371002588e7d0b
  SHA512: 24b9715d356a69dde79e97578a2ace3c167ef18c998adad926eef0736990225536a6b288fe8fa625aab05ef62c7d270acd54216ccb8159547af0eae694bc933b

C:\Users\Admin\AppData\Roaming\capicatq\ACCTlg32.exe  (listed twice in the report)
  MD5: 7f1d3c53b9ec4e4a0de133e294c59503
  SHA1: 0a5cf542342a579a2da13fe81f2a33e8beb2dd53
  SHA256: 02d165251fbb673606e8c48754a9d5e4682317b5a277e71ad541d252e107aa74
  SHA512: 38693beb421aa4b18de14edc82a360e437e3269003ac94322f2cd34ce9a6c8cd4ee4d5d3fec785f36e752b7e6bd8f2a62a95988282240181d24f0f3341897486
  All four hashes equal those of the submitted sample: the file in %APPDATA%\capicatq\ is a byte-for-byte copy, so an IOC match on the sample's hash also covers the persisted copy.
Memory dumps

file                                                                 region size
memory/64-2-0x0000000000000000-mapping.dmp                           (mapping)
memory/856-3-0x0000000000000000-mapping.dmp                          (mapping)
memory/856-7-0x00000000021C0000-0x0000000002256000-memory.dmp        600KB
memory/988-6-0x0000000000000000-mapping.dmp                          (mapping)
memory/988-8-0x00000087E2C6F000-mapping.dmp                          (mapping)
memory/988-9-0x0000024D2A6E0000-0x0000024D2A776000-memory.dmp        600KB
memory/2868-10-0x0000000005480000-0x0000000005516000-memory.dmp      600KB
memory/3228-0-0x0000000000000000-mapping.dmp                         (mapping)

The three region dumps come from PIDs 856, 988 and 2868 and are all exactly 0x96000 (614,400) bytes, one in each process of the injection chain except RuntimeBroker.exe (3480), for which no dump is listed. The region in svchost.exe lies above 4 GB (0x0000024D2A6E0000), which is only possible in a 64-bit process, so the 32-bit dropped copy injects into a native 64-bit svchost.exe.
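The dump list above is the quickest way to check whether the same payload travelled down the injection chain. The script below is an added example, not from the report: it parses the dump file names exactly as listed (copied inline as constructed input), computes each region's size from its start and end address, checks which processes of the injection chain have a region dump (the chain PIDs are taken from the SetThreadContext table), and flags regions above 4 GB, which only a 64-bit process can have. That equal-sized regions hold the same injected payload is a working hypothesis for the analyst to confirm by diffing the dumps; the code only establishes the sizes.

```python
"""Correlate the memory dump names of the sandbox report with the injection chain.

Added example. DUMP_NAMES and CHAIN are transcribed from the report; the
parsing and the checks are this example's own.
"""
import re

# File names copied from the report's memory dump list (constructed input).
DUMP_NAMES = """
memory/64-2-0x0000000000000000-mapping.dmp
memory/856-3-0x0000000000000000-mapping.dmp
memory/856-7-0x00000000021C0000-0x0000000002256000-memory.dmp
memory/988-6-0x0000000000000000-mapping.dmp
memory/988-8-0x00000087E2C6F000-mapping.dmp
memory/988-9-0x0000024D2A6E0000-0x0000024D2A776000-memory.dmp
memory/2868-10-0x0000000005480000-0x0000000005516000-memory.dmp
memory/3228-0-0x0000000000000000-mapping.dmp
"""

# Injection chain from the SetThreadContext table: ACCTlg32 -> svchost -> Explorer -> RuntimeBroker.
CHAIN = [856, 988, 2868, 3480]

FOUR_GB = 1 << 32

# <pid>-<index>-0x<start>[-0x<end>]-<mapping|memory>.dmp
NAME_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>mapping|memory)\.dmp"
)


def parse_dumps(text=DUMP_NAMES):
    """Return one dict per dump name: pid, idx, kind, start, end, size (None for mappings)."""
    dumps = []
    for name in text.split():
        m = NAME_RE.fullmatch(name)
        if not m:
            continue
        start = int(m["start"], 16)
        end = int(m["end"], 16) if m["end"] else None
        dumps.append({
            "pid": int(m["pid"]), "idx": int(m["idx"]), "kind": m["kind"],
            "start": start, "end": end,
            "size": (end - start) if end is not None else None,
            "above_4gb": start >= FOUR_GB,   # only a 64-bit process can map here
        })
    return dumps


def region_sizes_by_pid(dumps):
    """pid -> list of sizes of the region ('memory') dumps taken from that process."""
    sizes = {}
    for d in dumps:
        if d["kind"] == "memory":
            sizes.setdefault(d["pid"], []).append(d["size"])
    return sizes


def chain_coverage(chain=CHAIN, dumps=None):
    """For each chain process, the region sizes dumped from it, or None if nothing was dumped."""
    dumps = parse_dumps() if dumps is None else dumps
    sizes = region_sizes_by_pid(dumps)
    return {pid: sizes.get(pid) for pid in chain}


def common_region_size(chain=CHAIN, dumps=None):
    """The one size shared by every dumped region along the chain, or None if they differ."""
    sizes = {s for v in chain_coverage(chain, dumps).values() if v for s in v}
    return sizes.pop() if len(sizes) == 1 else None


def pids_with_64bit_regions(dumps=None):
    """PIDs that own at least one dump starting above 4 GB."""
    dumps = parse_dumps() if dumps is None else dumps
    return sorted({d["pid"] for d in dumps if d["above_4gb"]})


if __name__ == "__main__":
    for pid, sizes in chain_coverage().items():
        shown = ", ".join(f"0x{s:X} ({s // 1024} KB)" for s in sizes) if sizes else "no region dump"
        print(f"PID {pid}: {shown}")
    common = common_region_size()
    print("common region size:", f"0x{common:X}" if common else "none")
    print("PIDs with regions above 4 GB:", pids_with_64bit_regions())
```

Run stand-alone it reports 0x96000 for 856, 988 and 2868, no region dump for 3480, and 988 as the only process with addresses above 4 GB. When the sizes do not agree, common_region_size() returns None, which is the cue to look at each stage separately rather than assume a single payload was forwarded unchanged.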