Analysis
- max time kernel: 118s
- max time network: 120s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 10-12-2020 12:04

Static task: static1
Behavioral task: behavioral1
Sample: ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe
Resource: win7v20201028
General
- Target: ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe
- Size: 485KB
- MD5: 7b3a0c8d0b05933156402de9a42490fc
- SHA1: 49ea0ae6f2740dbbb7231423c16f8e88566bdb92
- SHA256: ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d
- SHA512: 49e37363637fb91c2a8325c0a6f734f194d38a3aecdbf9f271a7dc2d22241a287467f7ad672a81e8b6fe6c5a642c45c3ceba05f762b18c7f5525f6c9c8988164
Malware Config
Signatures
- Deletes itself (1 IoCs)
  Processes:
    pid 396, process cmd.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
    PID 612 set thread context of 1612 / 612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
    612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (33 IoCs)
  Processes (token / pid / process / number of entries):
    SeDebugPrivilege / 612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 1
    SeImpersonatePrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
    SeTcbPrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
    SeChangeNotifyPrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
    SeCreateTokenPrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
    SeBackupPrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
    SeRestorePrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
    SeIncreaseQuotaPrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
    SeAssignPrimaryTokenPrivilege / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 4
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes (description / pid / process / target process / number of entries):
    PID 612 wrote to memory of 1612 / 612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / 9
    PID 1612 wrote to memory of 396 / 1612 / ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe / cmd.exe / 4
Processes
1. C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259346467.bat" "C:\Users\Admin\AppData\Local\Temp\ba0b2518a0073173f4940923af6e235eb8c392283903053d55e5dd31236a3b3d.exe" "
         - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\259346467.bat
  MD5: 3880eeb1c736d853eb13b44898b718ab
  SHA1: 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
  SHA256: 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
  SHA512: 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
- memory/396-27-0x0000000000000000-mapping.dmp
- memory/612-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp (Filesize 6.9MB)
- memory/612-3-0x0000000000A50000-0x0000000000A51000-memory.dmp (Filesize 4KB)
- memory/612-5-0x0000000000350000-0x000000000039D000-memory.dmp (Filesize 308KB)
- memory/612-20-0x0000000000480000-0x000000000048E000-memory.dmp (Filesize 56KB)
- memory/612-21-0x0000000004EE0000-0x0000000004F31000-memory.dmp (Filesize 324KB)
- memory/1216-26-0x000007FEF7E30000-0x000007FEF80AA000-memory.dmp (Filesize 2.5MB)
- memory/1612-23-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)
- memory/1612-24-0x0000000000410621-mapping.dmp
- memory/1612-25-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize 100KB)