Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-02-2021 13:12

Static task: static1
Behavioral task: behavioral1
- Sample: OZD Payment Information TT784677U.scr
- Resource: win7v20201028
General
- Target: OZD Payment Information TT784677U.scr
- Size: 1.1MB
- MD5: 05e699f1763f039ca9f696ef520c3b1e
- SHA1: e9dbd4a76a1ede5f201a849f9ba4d5cd1b35d796
- SHA256: ae8189a4bb0e5d94c656e530686caed2b724cfe2def4febecca71288280fd275
- SHA512: 7d98738252993857f76267e45115bcf7cd3d9db7460ab47eef041437f936408998d0a3029f572884706cce2e70db0dda223a4db7079a0d423cd82e7eb12c94c8
Malware Config
Signatures
-
BitRAT Payload 1 IoCs
Processes:
  resource: behavioral2/memory/520-4-0x00000000007DC3D0-mapping.dmp | yara_rule: family_bitrat
-
ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
Processes:
  resource: C:\Users\Admin\AppData\Local\Temp\Unknown.dll | yara_rule: acprotect
  resource: \Users\Admin\AppData\Local\Temp\Unknown.dll | yara_rule: acprotect
-
Processes:
  resource: behavioral2/memory/520-3-0x0000000000400000-0x00000000007DE000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/520-5-0x0000000000400000-0x00000000007DE000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/1148-6-0x0000000000400000-0x00000000008DC000-memory.dmp | yara_rule: upx
  resource: behavioral2/memory/1148-13-0x0000000000400000-0x00000000008DC000-memory.dmp | yara_rule: upx
-
Loads dropped DLL 1 IoCs
Processes:
  pid: 1296 | process: OZD Payment Information TT784677U.scr
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tbnjd = "C:\\Users\\Public\\Libraries\\djnbT.url"
  process: OZD Payment Information TT784677U.scr
-
Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs
Processes:
  pid: 520 | process: OZD Payment Information TT784677U.scr (5 events)
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 4760 set thread context of 520 | process: OZD Payment Information TT784677U.scr | target process: OZD Payment Information TT784677U.scr
  PID 520 set thread context of 1148 | process: OZD Payment Information TT784677U.scr | target process: OZD Payment Information TT784677U.scr
  PID 1148 set thread context of 1296 | process: OZD Payment Information TT784677U.scr | target process: OZD Payment Information TT784677U.scr
Each hop targets a freshly spawned copy of the same .scr image and is paired with WriteProcessMemory calls from the same source PID (see below), which is the pattern of process hollowing: 4760 -> 520 -> 1148 -> 1296, with the final stage (PID 1296) being the one that loads the dropped DLL and enumerates processes.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid: 1296 | process: OZD Payment Information TT784677U.scr (2 events)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  Token: SeShutdownPrivilege | pid: 520 | process: OZD Payment Information TT784677U.scr
  Token: SeDebugPrivilege | pid: 1296 | process: OZD Payment Information TT784677U.scr
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid: 520 | process: OZD Payment Information TT784677U.scr (2 events)
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  PID 4760 wrote to memory of 520 | process: OZD Payment Information TT784677U.scr | target process: OZD Payment Information TT784677U.scr (5 events)
  PID 520 wrote to memory of 1148 | process: OZD Payment Information TT784677U.scr | target process: OZD Payment Information TT784677U.scr (8 events)
  PID 1148 wrote to memory of 1296 | process: OZD Payment Information TT784677U.scr | target process: OZD Payment Information TT784677U.scr (8 events)
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr (PID 4760, per the signature tables)
   Command line: "C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr" /S
   - Adds Run key to start application
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   -
   2. C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr (PID 520)
      Command line: "C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      -
      3. C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr (PID 1148)
         Command line: -a "C:\Users\Admin\AppData\Local\11769a5f\plg\57verqNy.json"
         - Suspicious use of SetThreadContext
         - Suspicious use of WriteProcessMemory
         -
         4. C:\Users\Admin\AppData\Local\Temp\OZD Payment Information TT784677U.scr (PID 1296)
            Command line: -a "C:\Users\Admin\AppData\Local\Temp\unk.xml"
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
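As an added example (not part of the sandbox report and not a Triage feature), the script below reconstructs the injection chain from the SetThreadContext and WriteProcessMemory event tables above. The event strings are constructed here in the report's own phrasing ("PID <src> set thread context of <dst>", "PID <src> wrote to memory of <dst>"); the regular expression, the root/branch/cycle checks and the per-hop write counts are this example's assumptions about how such a table should be read, not something the report states.

```python
"""Reconstruct a process-hollowing chain from sandbox signature events.

Added example: the event lines are constructed from the report's
'Suspicious use of SetThreadContext' (3 events) and
'Suspicious use of WriteProcessMemory' (21 events) tables.
"""
import re
from collections import Counter

# Constructed input, one string per event, in the report's phrasing.
SET_CONTEXT_EVENTS = [
    "PID 4760 set thread context of 520",
    "PID 520 set thread context of 1148",
    "PID 1148 set thread context of 1296",
]
WRITE_EVENTS = (
    ["PID 4760 wrote to memory of 520"] * 5
    + ["PID 520 wrote to memory of 1148"] * 8
    + ["PID 1148 wrote to memory of 1296"] * 8
)
ALL_EVENTS = SET_CONTEXT_EVENTS + WRITE_EVENTS

# Assumed line shape; anything else is ignored rather than guessed at.
EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>set thread context of|wrote to memory of) (?P<dst>\d+)$"
)


def parse_event(line):
    """Return (kind, src_pid, dst_pid) or None for a line that is not an event."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    kind = "set_context" if m["kind"].startswith("set") else "write"
    return kind, int(m["src"]), int(m["dst"])


def injection_edges(lines):
    """Count (src, dst) pairs separately for memory writes and context rewrites."""
    writes, contexts = Counter(), Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, src, dst = ev
        (contexts if kind == "set_context" else writes)[(src, dst)] += 1
    return writes, contexts


def reconstruct_chain(lines):
    """Order the SetThreadContext hops into a single chain, root first.

    The root is the one injector that is never itself a target. A PID that
    rewrites the context of two different targets, or a cycle, means the
    events do not describe a simple chain, so the function refuses to guess.
    """
    _, contexts = injection_edges(lines)
    next_hop = {}
    for src, dst in contexts:
        if src in next_hop:
            raise ValueError(f"PID {src} injects into more than one target")
        next_hop[src] = dst
    targets = set(next_hop.values())
    roots = [src for src in next_hop if src not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root injector, found {roots}")
    chain = [roots[0]]
    while chain[-1] in next_hop:
        nxt = next_hop[chain[-1]]
        if nxt in chain:
            raise ValueError("cycle in SetThreadContext events")
        chain.append(nxt)
    return chain


def hollowing_report(lines):
    """Per-hop summary: how many writes preceded each context rewrite."""
    writes, contexts = injection_edges(lines)
    chain = reconstruct_chain(lines)
    hops = []
    for src, dst in zip(chain, chain[1:]):
        n_writes = writes.get((src, dst), 0)
        hops.append({
            "src": src,
            "dst": dst,
            "writes": n_writes,
            "context_set": contexts.get((src, dst), 0),
            # A context rewrite with no accompanying writes would not fit
            # hollowing (nothing was placed in the target); flag it.
            "has_writes": n_writes > 0,
        })
    return {"chain": chain, "depth": len(chain) - 1, "hops": hops}


if __name__ == "__main__":
    rep = hollowing_report(ALL_EVENTS)
    print(" -> ".join(str(p) for p in rep["chain"]), f"({rep['depth']} hops)")
    for hop in rep["hops"]:
        print(f"  {hop['src']} -> {hop['dst']}: {hop['writes']} writes, "
              f"{hop['context_set']} context rewrite(s)")
```

On the report's events this yields the chain 4760 -> 520 -> 1148 -> 1296 with 5, 8 and 8 writes per hop. The same reading applies to any Triage-style report where each stage hollows a new copy of itself; the branch and cycle checks are there so that a report with two children per stage is reported as such instead of being flattened into a false chain.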
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\11769a5f\plg\57verqNy.json
  MD5: 77e6621fd939338d3f19f3dd948ecf43
  SHA1: 53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
  SHA256: 9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
  SHA512: 6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f
-
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
  MD5: 4f3bde9212e17ef18226866d6ac739b6
  SHA1: 732733bec8314beb81437e60876ffa75e72ae6cd
  SHA256: 212173a405c78d70f90e8ec0699a60ed2f4a9f3a8070de62eabd666c268fb174
  SHA512: 10b7cdae0b9a7b0f8e1bfc66a60675fa9b25c523864d5ae3da243f4e6e4c5194f3bd92af57ac956157442f66414bdd3393d0a1e5ba4ef0f192561e8524d4e744
-
C:\Users\Admin\AppData\Local\Temp\License.XenArmor
  MD5: bf5da170f7c9a8eae88d1cb1a191ff80
  SHA1: dd1b991a1b03587a5d1edc94e919a2070e325610
  SHA256: e5d5110feb21939d82d962981aeaaafc4643b40a9b87cbed800ace82135d57cd
  SHA512: 9e32247d8556fd6efffbf7b6b9c325652d8c4b223b0fa38020879171476a49ab1f64d8897b5d8d92b79c5484fd9d5899be26ca5f664ee1f9c2acb0857084121e
-
C:\Users\Admin\AppData\Local\Temp\Unknown.dll
  MD5: 86114faba7e1ec4a667d2bcb2e23f024
  SHA1: 670df6e1ba1dc6bece046e8b2e573dd36748245e
  SHA256: 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
  SHA512: d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f
-
C:\Users\Admin\AppData\Local\Temp\unk.xml
  MD5: 77e6621fd939338d3f19f3dd948ecf43
  SHA1: 53df8b3a76c5d6c35a99aa7759ff3bd7ec46588c
  SHA256: 9cb90c1d5c31396519b1f6c73899c062b6ccbd9a8cfc7c0bb054fe88c7825867
  SHA512: 6e812be4c3b958f0497f91e0eb2e8b77d4a13e2b7af750a30ec9bff3dde09a233b5510ee6333a9ab3182c11ab6c3d38789921d517449c6a03164e216cee43c4f
-
\Users\Admin\AppData\Local\Temp\Unknown.dll
  MD5: 86114faba7e1ec4a667d2bcb2e23f024
  SHA1: 670df6e1ba1dc6bece046e8b2e573dd36748245e
  SHA256: 568da887725ccfdc4c5aae3ff66792fe60eca4e0818338f6a8434be66a6fe46d
  SHA512: d26ee0da6ccd4022982cf848c46e40f6781b667e39d0c5daf5ea8d74c44e55c55a5f7590a4d2a60aa1911358ca783c4276a9b4e6311c4cea20df1ebd4f7f457f
-
memory/520-4-0x00000000007DC3D0-mapping.dmp
-
memory/520-3-0x0000000000400000-0x00000000007DE000-memory.dmp
  Filesize: 3.9MB
-
memory/520-5-0x0000000000400000-0x00000000007DE000-memory.dmp
  Filesize: 3.9MB
-
memory/1148-6-0x0000000000400000-0x00000000008DC000-memory.dmp
  Filesize: 4.9MB
-
memory/1148-13-0x0000000000400000-0x00000000008DC000-memory.dmp
  Filesize: 4.9MB
-
memory/1148-7-0x00000000008D9FE0-mapping.dmp
-
memory/1296-9-0x00000000006FC1D0-mapping.dmp
-
memory/1296-14-0x0000000000400000-0x00000000006FE000-memory.dmp
  Filesize: 3.0MB
-
memory/1296-8-0x0000000000400000-0x00000000006FE000-memory.dmp
  Filesize: 3.0MB
-
memory/4760-2-0x0000000000590000-0x0000000000591000-memory.dmp
  Filesize: 4KB