t35.exe.bin

General
Target

t35.exe.bin.exe

Filesize

266KB

Completed

23-11-2020 19:39

Score
7 /10
MD5

1db6bd4d13cb9966e8875b3812aef71d

SHA1

974c46a807d2d680dad5b6d63c38dd0e06e1ed68

SHA256

9bdbb8dde9ad9be8d9303df1697e13a0f846cca95bc9e41d513c1f5f2a7a37b3

Malware Config
Signatures 10

Filter: none

Collection
Credential Access
Discovery
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Accesses cryptocurrency files/wallets, possible credential harvesting

    Tags

    TTPs

    Data from Local SystemCredentials in Files
  • Checks installed software on the system

    Description

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    Tags

    TTPs

    Query Registry
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flowioc
    7api.ipify.org
  • Checks SCSI registry key(s)
    taskmgr.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistryPeripheral Device DiscoverySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000taskmgr.exe
    Key opened\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000Ataskmgr.exe
    Key value queried\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyNametaskmgr.exe
  • Checks processor information in registry
    t35.exe.bin.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query RegistrySystem Information Discovery

    Reported IOCs

    descriptioniocprocess
    Key opened\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0t35.exe.bin.exe
    Key value queried\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameStringt35.exe.bin.exe
  • Suspicious behavior: EnumeratesProcesses
    t35.exe.bin.exetaskmgr.exe

    Reported IOCs

    pidprocess
    3980t35.exe.bin.exe
    3980t35.exe.bin.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
  • Suspicious use of AdjustPrivilegeToken
    taskmgr.exe

    Reported IOCs

    descriptionpidprocess
    Token: SeDebugPrivilege188taskmgr.exe
    Token: SeSystemProfilePrivilege188taskmgr.exe
    Token: SeCreateGlobalPrivilege188taskmgr.exe
    Token: 33188taskmgr.exe
    Token: SeIncBasePriorityPrivilege188taskmgr.exe
  • Suspicious use of FindShellTrayWindow
    taskmgr.exe

    Reported IOCs

    pidprocess
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
  • Suspicious use of SendNotifyMessage
    taskmgr.exe

    Reported IOCs

    pidprocess
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
    188taskmgr.exe
Processes 2
  • C:\Users\Admin\AppData\Local\Temp\t35.exe.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\t35.exe.bin.exe"
    Checks processor information in registry
    Suspicious behavior: EnumeratesProcesses
    PID:3980
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:188
Network
MITRE ATT&CK Matrix
Command and Control
    Credential Access
    Defense Evasion
      Execution
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Replay Monitor
                    00:00 00:00
                    Downloads