Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
05-12-2020 02:49
Static task
static1
Behavioral task
behavioral1
Sample
ACVi5thpc2g7rav.exe
Resource
win7v20201028
Behavioral task
behavioral2
Sample
ACVi5thpc2g7rav.exe
Resource
win10v20201028
General
-
Target
ACVi5thpc2g7rav.exe
-
Size
823KB
-
MD5
38c36c621e2d3240a43e2065662d0b44
-
SHA1
a90cf88c2ac557d01417465a3821443e58efa6f3
-
SHA256
470ec39d83b15dbacbd1a3ead063329afc46a116e41b200cade7d8ee505adb70
-
SHA512
9caa88a9fe37b2f3b262b821b603d72ed65f80734399f60a6f94d8153d2439d04fc6b31011359493741ba88c350db63d3f50cfe5948392d7b44d67cff8240e02
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 freegeoip.app 6 checkip.dyndns.org 11 freegeoip.app -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
ACVi5thpc2g7rav.exepid process 1036 ACVi5thpc2g7rav.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ACVi5thpc2g7rav.exedescription pid process Token: SeDebugPrivilege 1036 ACVi5thpc2g7rav.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ACVi5thpc2g7rav.exedescription pid process target process PID 1036 wrote to memory of 468 1036 ACVi5thpc2g7rav.exe schtasks.exe PID 1036 wrote to memory of 468 1036 ACVi5thpc2g7rav.exe schtasks.exe PID 1036 wrote to memory of 468 1036 ACVi5thpc2g7rav.exe schtasks.exe PID 1036 wrote to memory of 468 1036 ACVi5thpc2g7rav.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ACVi5thpc2g7rav.exe"C:\Users\Admin\AppData\Local\Temp\ACVi5thpc2g7rav.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nInrwPNXrHrlqB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmp"2⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpF1FD.tmpMD5
25c0831ea465a3288ae3b7e4764076ef
SHA1ba3196c918525da0bee2a658f8af45104d886748
SHA256576c09861b339e8b320920a64666e406846089a23597f5ac7f6463c8452c7f32
SHA5121d2ec4158ec0b53f20b8e02e2e08e5f7aec855e28da77e85870094508b5ab5b259f69a3840c65b3f23cae83670bd5e32da2b160e8b397cf10a65ed9db1703fee
-
memory/468-7-0x0000000000000000-mapping.dmp
-
memory/1036-2-0x0000000074900000-0x0000000074FEE000-memory.dmpFilesize
6.9MB
-
memory/1036-3-0x00000000010B0000-0x00000000010B1000-memory.dmpFilesize
4KB
-
memory/1036-5-0x0000000000340000-0x000000000034E000-memory.dmpFilesize
56KB
-
memory/1036-6-0x00000000051F0000-0x00000000052CE000-memory.dmpFilesize
888KB
-
memory/1036-9-0x00000000049B0000-0x0000000004A11000-memory.dmpFilesize
388KB