Analysis
-
max time kernel
49s -
max time network
112s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
19-11-2020 17:18
Static task
static1
Behavioral task
behavioral1
Sample
phy__1__31629__2649094674__1605642612.exe
Resource
win7v20201028
General
-
Target
phy__1__31629__2649094674__1605642612.exe
-
Size
796KB
-
MD5
6bcfa9f7cff3724c68ab9d9a5a7cfa61
-
SHA1
56b9891386dd507afc6fa109feee6eb783abecb9
-
SHA256
664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479
-
SHA512
94eaf0cbd7eea9a6d412eb4ce6d88e83fcb33c50cf545d7a8aa281aca7ed074f34a91c8cdb03429ca11da6cf85bdd974f64f5cbc17246cc8c52e115f0960a776
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 api.ipify.org -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
phy__1__31629__2649094674__1605642612.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 phy__1__31629__2649094674__1605642612.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString phy__1__31629__2649094674__1605642612.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
phy__1__31629__2649094674__1605642612.exepid process 4076 phy__1__31629__2649094674__1605642612.exe 4076 phy__1__31629__2649094674__1605642612.exe