Analysis
Max time kernel: 150s
Max time network: 147s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 05-12-2020 03:14
Static task: static1

Behavioral task: behavioral1
Sample: sample.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: sample.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General
Target: sample.exe
Size: 153KB
MD5: 972092cbe7791d27fc9ff6e9acc12cc3
SHA1: 5a9482423dd4b9c5ca7251d40420c6487489d8ad
SHA256: ac7068caed0df4e6427d635b4379a2eacf6ee03ed700b9f6ae74e9fe047381f1
SHA512: 6ecc8e38d49280e3e16a6bcc1664a91b7fffe81162254cbd27bcb2c1093570f9ece1ee4128ba3d642d5cbeff76973cf47dd5003ff1c47358e32b268b497fa4f4
Score: 7/10
Malware Config
Signatures

Deletes itself (1 IoC)
Processes:
pid   process
1496  svchost.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in System32 directory (2 IoCs)
Processes:
description                   ioc                                  process
File created                  C:\Windows\SysWOW64\com\svchost.exe  svchost.exe
File opened for modification  C:\Windows\SysWOW64\com\svchost.exe  svchost.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
description                          pid   process      target process
PID 1916 set thread context of 1496  1916  sample.exe   svchost.exe
PID 1496 set thread context of 1520  1496  svchost.exe  svchost.exe

Suspicious behavior: EnumeratesProcesses (329 IoCs)
Processes:
pid   process
1916  sample.exe
1916  sample.exe
1496  svchost.exe
(1496 svchost.exe repeated for every remaining listed entry)

Suspicious behavior: RenamesItself (1 IoC)
Processes:
pid   process
1496  svchost.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
pid   process
1916  sample.exe
1496  svchost.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
description                       pid   process      target process
PID 1916 wrote to memory of 1496  1916  sample.exe   svchost.exe   (5 entries)
PID 1496 wrote to memory of 1520  1496  svchost.exe  svchost.exe   (5 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\sample.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe -k netsvcs
      - Deletes itself
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: RenamesItself
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: C:\Windows\system32\svchost.exe -k netsvcs