Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-12-2020 02:49

General

  • Target

    ACVi5thpc2g7rav.exe

  • Size

    823KB

  • MD5

    38c36c621e2d3240a43e2065662d0b44

  • SHA1

    a90cf88c2ac557d01417465a3821443e58efa6f3

  • SHA256

    470ec39d83b15dbacbd1a3ead063329afc46a116e41b200cade7d8ee505adb70

  • SHA512

    9caa88a9fe37b2f3b262b821b603d72ed65f80734399f60a6f94d8153d2439d04fc6b31011359493741ba88c350db63d3f50cfe5948392d7b44d67cff8240e02

Score
7/10

Malware Config

Signatures

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs such as FileZilla.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store user data on disk, which infostealers commonly target.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Looks up external IP address via web service (3 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Creates scheduled task(s) (1 TTP, 1 IoC)

    schtasks.exe is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ACVi5thpc2g7rav.exe  (PID 1036)
    "C:\Users\Admin\AppData\Local\Temp\ACVi5thpc2g7rav.exe"
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Windows\SysWOW64\schtasks.exe  (PID 468, child of PID 1036)
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nInrwPNXrHrlqB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmp"
      • Creates scheduled task(s)

    Note: the command line names C:\Windows\System32\schtasks.exe, but the image that actually ran is C:\Windows\SysWOW64\schtasks.exe, so the parent is a 32-bit process and the path was redirected by WoW64 file system redirection. The "\n" in the task name is the Task Scheduler folder separator (folder "Updates", task "nInrwPNXrHrlqB"), not a newline. The /XML argument points at a task definition staged in the sample's own temp directory; that file, not the command line, holds the task's action and triggers.
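The process tree above is what a detection for this persistence technique keys on. The following Python is an added example, not part of the Triage report or the sample's code: it parses schtasks.exe command lines out of process events constructed from the tree above (plus one constructed benign /Query line as a control), splits the /TN value on its task-folder separator, and flags /Create calls whose task XML, /TR action or parent image lives in a user-writable directory. The USER_WRITABLE path list and the event field names (pid, ppid, image, cmdline) are assumptions about the telemetry format, not something the report defines.

```python
"""Flag schtasks.exe /Create invocations that stage their task XML or run from
user-writable locations, over process events shaped like the tree above."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed from the process tree in the report (PID 1036 -> PID 468).  The
# third event is a constructed benign control and is not from the report.
SAMPLE_EVENTS = [
    {"pid": 1036, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ACVi5thpc2g7rav.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ACVi5thpc2g7rav.exe"'},
    {"pid": 468, "ppid": 1036,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nInrwPNXrHrlqB" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmp"'},
    {"pid": 900, "ppid": 500,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]

# Assumed list of directories an unprivileged user can write to; tune per estate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str | None] | None:
    """Return {switch: value} for a schtasks.exe command line, else None.

    Switch names are lower-cased ("/create", "/tn", "/xml"); flag switches with
    no argument map to None.  Only the first token decides whether this is
    schtasks.exe, so a renamed copy of the binary is not caught here."""
    toks = tokenize(cmdline)
    if not toks or not toks[0].lower().endswith("schtasks.exe"):
        return None
    opts: dict[str, str | None] = {}
    i = 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key, val = toks[i].lower(), None
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                val = toks[i + 1]
                i += 1
            opts[key] = val
        i += 1
    return opts


def split_task_path(tn: str) -> tuple[str, str]:
    r"""Split a /TN value into (folder, name).  The backslash is the Task
    Scheduler folder separator, so "Updates\nInrwPNXrHrlqB" is the task
    nInrwPNXrHrlqB inside the Updates folder; the "\n" is not a newline."""
    folder, _, name = tn.strip("\\").rpartition("\\")
    return folder, name


@dataclass
class Finding:
    pid: int
    ppid: int
    task_folder: str
    task_name: str
    xml_path: str | None
    reasons: list[str] = field(default_factory=list)


def detect(events: list[dict]) -> list[Finding]:
    """Return a Finding for every schtasks /Create that touches user-writable paths."""
    image_by_pid = {e["pid"]: e["image"] for e in events}
    findings: list[Finding] = []
    for e in events:
        opts = parse_schtasks(e["cmdline"])
        if opts is None or "/create" not in opts:
            continue
        reasons: list[str] = []
        xml = opts.get("/xml")
        if xml and USER_WRITABLE.search(xml):
            reasons.append(f"task XML staged in user-writable path: {xml}")
        tr = opts.get("/tr")
        if tr and USER_WRITABLE.search(tr):
            reasons.append(f"task action runs from user-writable path: {tr}")
        parent = image_by_pid.get(e["ppid"], "")
        if USER_WRITABLE.search(parent):
            reasons.append(f"parent image in user-writable path: {parent}")
        if reasons:
            folder, name = split_task_path(opts.get("/tn") or "")
            findings.append(Finding(e["pid"], e["ppid"], folder, name, xml, reasons))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"PID {f.pid} (parent {f.ppid}): task \\{f.task_folder}\\{f.task_name}")
        for r in f.reasons:
            print("  -", r)
```

Against the constructed events this yields a single finding for PID 468 with two reasons (XML in %TEMP%, parent running from %TEMP%); the /Query control produces nothing. Matching on the first token only is a deliberate limitation: a rule built on image path plus command line, as in the tree above, also covers the SysWOW64 copy, which this parser handles because it looks at the command line rather than the image.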

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                Count  ID
  Execution             Scheduled Task           1      T1053
  Persistence           Scheduled Task           1      T1053
  Privilege Escalation  Scheduled Task           1      T1053
  Credential Access     Credentials in Files     3      T1081
  Collection            Data from Local System   3      T1005

  The IDs follow ATT&CK v6 as the report states. In current ATT&CK versions, T1081 is deprecated in favour of T1552.001 (Unsecured Credentials: Credentials In Files), and the schtasks.exe behaviour maps to sub-technique T1053.005 (Scheduled Task/Job: Scheduled Task).

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmp
    (the task definition XML that PID 1036 passed to schtasks.exe /XML)

    MD5

    25c0831ea465a3288ae3b7e4764076ef

    SHA1

    ba3196c918525da0bee2a658f8af45104d886748

    SHA256

    576c09861b339e8b320920a64666e406846089a23597f5ac7f6463c8452c7f32

    SHA512

    1d2ec4158ec0b53f20b8e02e2e08e5f7aec855e28da77e85870094508b5ab5b259f69a3840c65b3f23cae83670bd5e32da2b160e8b397cf10a65ed9db1703fee

  • memory/468-7-0x0000000000000000-mapping.dmp
  • memory/1036-2-0x0000000074900000-0x0000000074FEE000-memory.dmp  (6.9MB)
  • memory/1036-3-0x00000000010B0000-0x00000000010B1000-memory.dmp  (4KB)
  • memory/1036-5-0x0000000000340000-0x000000000034E000-memory.dmp  (56KB)
  • memory/1036-6-0x00000000051F0000-0x00000000052CE000-memory.dmp  (888KB)
  • memory/1036-9-0x00000000049B0000-0x0000000004A11000-memory.dmp  (388KB)