Analysis
max time kernel: 150s
max time network: 141s
platform: windows7_x64
resource: win7v20201028
submitted: 05-12-2020 03:11

Static task: static1
Behavioral task: behavioral1
  Sample: sample.exe
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: sample.exe
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: sample.exe
Size: 151KB
MD5: 678164b918832db3dbf71232ff6cd269
SHA1: 733ad1e2269dd7b45f50ef7f5af61d19ea2a0c06
SHA256: 47d0e767fbb39105786734ce9b9ad43478d16884244e8ea4b6be67d716b93891
SHA512: 70f7223669ece572aae2e6cc7afc8e2aaaa0b3e795fdccdfff81aac28824b18be6a1a51d5f188256fb69ec0f23555a914c368c30339df0521d637f7614da47c3
Score: 7/10
Malware Config
Signatures

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Suspicious use of SetThreadContext (2 IoCs)
Processes: sample.exe, svchost.exe
  description                          pid   process      target process
  PID 2024 set thread context of 1688  2024  sample.exe   svchost.exe
  PID 1688 set thread context of 1992  1688  svchost.exe  svchost.exe

Suspicious behavior: EnumeratesProcesses (682 IoCs)
Processes: sample.exe, svchost.exe
  pid   process
  2024  sample.exe
  1688  svchost.exe
  (every remaining row listed on the page repeats 1688 svchost.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: sample.exe, svchost.exe
  pid   process
  2024  sample.exe
  1688  svchost.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: sample.exe, svchost.exe
  description                       pid   process      target process
  PID 2024 wrote to memory of 1688  2024  sample.exe   svchost.exe
  PID 2024 wrote to memory of 1688  2024  sample.exe   svchost.exe
  PID 2024 wrote to memory of 1688  2024  sample.exe   svchost.exe
  PID 2024 wrote to memory of 1688  2024  sample.exe   svchost.exe
  PID 1688 wrote to memory of 1992  1688  svchost.exe  svchost.exe
  PID 1688 wrote to memory of 1992  1688  svchost.exe  svchost.exe
  PID 1688 wrote to memory of 1992  1688  svchost.exe  svchost.exe
  PID 1688 wrote to memory of 1992  1688  svchost.exe  svchost.exe
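The WriteProcessMemory and SetThreadContext rows above describe the same two parent/child pairs (2024 -> 1688 and 1688 -> 1992): a parent writes into a freshly spawned child and then rewrites the child's thread context, which is the process-hollowing pattern. The child is also an svchost.exe -k netsvcs started by an executable in the user's Temp directory, whereas legitimate svchost.exe instances are children of services.exe. The script below is an added example, not part of the sandbox report or the vendor's tooling: it parses IoC rows in the report's own format, merges the two API signatures per parent/child pair, flags pairs that show both primitives, checks the expected-parent rule (the EXPECTED_PARENT table is an assumption of this example and only models svchost.exe), and walks the resulting chain of PIDs.

```python
import re
from collections import defaultdict

# IoC rows copied from the report's SetThreadContext and WriteProcessMemory
# signatures, one row per line (this is the page's data, not constructed).
REPORT_IOCS = """
PID 2024 set thread context of 1688 2024 sample.exe svchost.exe
PID 1688 set thread context of 1992 1688 svchost.exe svchost.exe
PID 2024 wrote to memory of 1688 2024 sample.exe svchost.exe
PID 2024 wrote to memory of 1688 2024 sample.exe svchost.exe
PID 2024 wrote to memory of 1688 2024 sample.exe svchost.exe
PID 2024 wrote to memory of 1688 2024 sample.exe svchost.exe
PID 1688 wrote to memory of 1992 1688 svchost.exe svchost.exe
PID 1688 wrote to memory of 1992 1688 svchost.exe svchost.exe
PID 1688 wrote to memory of 1992 1688 svchost.exe svchost.exe
PID 1688 wrote to memory of 1992 1688 svchost.exe svchost.exe
"""

# "PID <src> <verb> <dst> <src again> <src image> <dst image>", as in the report.
ROW = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

VERB_TO_API = {
    "wrote to memory of": "WriteProcessMemory",
    "set thread context of": "SetThreadContext",
}

# Assumption of this example: which parent a given system image is expected to
# have. Only svchost.exe is modelled here; its legitimate parent is services.exe.
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def parse_iocs(text):
    """Merge rows into {(src_pid, dst_pid): {"src": img, "dst": img, "apis": set}}."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed IoC row: {line!r}")
        key = (int(m["src"]), int(m["dst"]))
        edge = edges.setdefault(key, {"src": m["src_img"], "dst": m["dst_img"], "apis": set()})
        edge["apis"].add(VERB_TO_API[m["verb"]])
    return edges


def find_hollowing(edges):
    """Flag every parent/child pair that shows both primitives of process hollowing
    (write into the child, then rewrite its thread context). Sorted by (src, dst)."""
    findings = []
    for (src, dst), edge in sorted(edges.items()):
        if {"WriteProcessMemory", "SetThreadContext"} <= edge["apis"]:
            expected = EXPECTED_PARENT.get(edge["dst"].lower())
            findings.append({
                "src": src, "dst": dst,
                "src_img": edge["src"], "dst_img": edge["dst"],
                "pattern": "process_hollowing",
                # True when the hollowed image should have had a different parent.
                "parent_mismatch": bool(expected) and edge["src"].lower() != expected,
            })
    return findings


def injection_chains(edges, root_pid):
    """Walk injection edges from root_pid and return every root-to-leaf PID chain."""
    children = defaultdict(list)
    for src, dst in edges:
        children[src].append(dst)
    chains = []

    def walk(path):
        nxt = [c for c in children[path[-1]] if c not in path]  # guard against cycles
        if not nxt:
            chains.append(path)
        for c in nxt:
            walk(path + [c])

    walk([root_pid])
    return chains


if __name__ == "__main__":
    edges = parse_iocs(REPORT_IOCS)
    for f in find_hollowing(edges):
        print(f"{f['src']} ({f['src_img']}) -> {f['dst']} ({f['dst_img']}): "
              f"{f['pattern']}, parent mismatch={f['parent_mismatch']}")
    print("chains:", injection_chains(edges, 2024))
```

Run against the rows above it reports both pairs as hollowing with a parent mismatch and reconstructs the chain 2024 -> 1688 -> 1992, i.e. the sample hollows one svchost.exe, which in turn hollows a second. The same parser works on any report that uses these row shapes; on a live host the equivalent telemetry is Sysmon event ID 8 (CreateRemoteThread) and 10 (ProcessAccess), not this text format.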
Processes

C:\Users\Admin\AppData\Local\Temp\sample.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k netsvcs
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -k netsvcs