Analysis
max time kernel: 114s
max time network: 113s
platform: windows7_x64
resource: win7v20201028
submitted: 28-02-2021 18:14
Static task: static1
Behavioral task: behavioral1
Sample: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
Resource: win7v20201028
General
Target: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
Size: 2.1MB
MD5: 760ba691b33453c6fee622d5757cfdd0
SHA1: bdf715f38cd5609e036f95abf14d6ede8fd084da
SHA256: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d
SHA512: 6a777757074ab9e2f49474230d74c6e96a48f6a08dc64cf279bc44269bd5df25cfd13d001caf9e8df51323a87445adc1b395d24816c178969e09e20ba3c7a373
Malware Config
Signatures
Processes:
resource: behavioral1/memory/1064-3-0x0000000000160000-0x0000000000161000-memory.dmp
yara_rule: vmprotect
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow 5, ioc: api.ipify.org
flow 6, ioc: api.ipify.org
flow 9, ioc: ip-api.com
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid: 1064, process: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe (all 64 entries are identical to this one)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description: Token: SeDebugPrivilege, pid: 1064, process: d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
Processes
Path: C:\Users\Admin\AppData\Local\Temp\d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d244db3aca9903984b8aafbfeff7c4402f410b5e0508fb59d8c2a5385bff7a6d.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/1064-2-0x000007FEF5690000-0x000007FEF607C000-memory.dmp, Filesize: 9.9MB
memory/1064-3-0x0000000000160000-0x0000000000161000-memory.dmp, Filesize: 4KB
memory/1064-5-0x000000001B700000-0x000000001B702000-memory.dmp, Filesize: 8KB
memory/1064-6-0x0000000000650000-0x0000000000651000-memory.dmp, Filesize: 4KB
memory/1064-9-0x000000001B650000-0x000000001B6C1000-memory.dmp, Filesize: 452KB