Overview

overview

10

Static

static

OZD Paymen...7U.scr

windows7_x64

10

OZD Paymen...7U.scr

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-02-2021 13:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OZD Payment Information TT784677U.scr

  • Size

    1.1MB

  • MD5

    05e699f1763f039ca9f696ef520c3b1e

  • SHA1

    e9dbd4a76a1ede5f201a849f9ba4d5cd1b35d796

  • SHA256

    ae8189a4bb0e5d94c656e530686caed2b724cfe2def4febecca71288280fd275

  • SHA512

    7d98738252993857f76267e45115bcf7cd3d9db7460ab47eef041437f936408998d0a3029f572884706cce2e70db0dda223a4db7079a0d423cd82e7eb12c94c8

Score
10/10
bitratxenarmorpasswordpersistencerecoveryspywaretrojanupx

Malware Config

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • BitRAT Payload 1 IoCs
  • XenArmor Suite

    XenArmor is as suite of password recovery tools for various application.

    recoverypasswordxenarmor
  • ACProtect 1.3x - 1.4x DLL software 2 IoCs

    Detects file using ACProtect software.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr
    "C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr" /S
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr
      "C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:520
      • C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr
        -a "C:\Users\Admin\AppData\Local\11769a5f\plg\57verqNy.json"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr
          -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1296

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\11769a5f\plg\57verqNy.json
    MD5

    77e6621fd939338d3f19f3dd948ecf43

    SHA1

    53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

    SHA256

    9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

    SHA512

    6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\License.XenArmor
    MD5

    4f3bde9212e17ef18226866d6ac739b6

    SHA1

    732733bec8314beb81437e60876ffa75e72ae6cd

    SHA256

    212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174

    SHA512

    10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\License.XenArmor
    MD5

    bf5da170f7c9a8eae88d1cb1a191ff80

    SHA1

    dd1b991a1b03587a5d1edc94e919a2070e325610

    SHA256

    e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd

    SHA512

    9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Unknown.dll
    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\unk.xml
    MD5

    77e6621fd939338d3f19f3dd948ecf43

    SHA1

    53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c

    SHA256

    9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867

    SHA512

    6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Unknown.dll
    MD5

    86114faba7e1ec4a667d2bcb2e23f024

    SHA1

    670df6e1ba1dc6bece046e8b2e573dd36748245e

    SHA256

    568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d

    SHA512

    d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f

    Download Submit
  • memory/520-4-0x00000000007DC3D0-mapping.dmp
    Download
  • memory/520-3-0x0000000000400000-0x00000000007DE000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/520-5-0x0000000000400000-0x00000000007DE000-memory.dmp
    Filesize

    3.9MB

    Download
  • memory/1148-6-0x0000000000400000-0x00000000008DC000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1148-13-0x0000000000400000-0x00000000008DC000-memory.dmp
    Filesize

    4.9MB

    Download
  • memory/1148-7-0x00000000008D9FE0-mapping.dmp
    Download
  • memory/1296-9-0x00000000006FC1D0-mapping.dmp
    Download
  • memory/1296-14-0x0000000000400000-0x00000000006FE000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1296-8-0x0000000000400000-0x00000000006FE000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/4760-2-0x0000000000590000-0x0000000000591000-memory.dmp
    Filesize

    4KB

    Download