Analysis
  max time kernel:   12s
  max time network:  12s
  platform:          windows7_x64
  resource:          win7v20210408
  submitted:         25-07-2021 23:11
Behavioral task
  behavioral1
  Sample:    3C5FA813A7815B81E5990D15442D3DE7.exe
  Resource:  win7v20210408
General
  Target:  3C5FA813A7815B81E5990D15442D3DE7.exe
  Size:    105KB
  MD5:     3c5fa813a7815b81e5990d15442d3de7
  SHA1:    280671ce7c7b215fcf59e089908e98730eb17cab
  SHA256:  4131ccbef9251524c0b1f72439733b31d69cb1f2b1849fdc87a5b04fce0a3d82
  SHA512:  03a9f4fdadd9ce9a7b822fbb48c4c15b475b2c8495dd8978bf155cc8323b5075f25b5f30cce75ac1d55229ee6fe2ff34eec536a35c4015ecd461704433099936
Malware Config
Signatures
Deletes itself (1 IoC)
  Processes:
    pid   process
    1092  cmd.exe
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of AdjustPrivilegeToken (32 IoCs)
  Processes (each of the eight privileges below is recorded four times for pid 736, 32 entries in total):
    description                            pid  process                               occurrences
    Token: SeImpersonatePrivilege          736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
    Token: SeTcbPrivilege                  736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
    Token: SeChangeNotifyPrivilege         736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
    Token: SeCreateTokenPrivilege          736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
    Token: SeBackupPrivilege               736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
    Token: SeRestorePrivilege              736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
    Token: SeIncreaseQuotaPrivilege        736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
    Token: SeAssignPrimaryTokenPrivilege   736  3C5FA813A7815B81E5990D15442D3DE7.exe  4
Suspicious use of WriteProcessMemory (4 IoCs)
  Processes (the same write is recorded four times):
    description                     pid  process                               target process
    PID 736 wrote to memory of 1092  736  3C5FA813A7815B81E5990D15442D3DE7.exe  cmd.exe
    PID 736 wrote to memory of 1092  736  3C5FA813A7815B81E5990D15442D3DE7.exe  cmd.exe
    PID 736 wrote to memory of 1092  736  3C5FA813A7815B81E5990D15442D3DE7.exe  cmd.exe
    PID 736 wrote to memory of 1092  736  3C5FA813A7815B81E5990D15442D3DE7.exe  cmd.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\3C5FA813A7815B81E5990D15442D3DE7.exe  (depth 1)
    command line: "C:\Users\Admin\AppData\Local\Temp\3C5FA813A7815B81E5990D15442D3DE7.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (depth 2)
      command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\259301414.bat" "C:\Users\Admin\AppData\Local\Temp\3C5FA813A7815B81E5990D15442D3DE7.exe" "
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  C:\Users\Admin\AppData\Local\Temp\259301414.bat
    MD5:     3880eeb1c736d853eb13b44898b718ab
    SHA1:    4eec9d50360cd815211e3c4e6bdd08271b6ec8e6
    SHA256:  936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7
    SHA512:  3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b
  memory/736-60-0x0000000075891000-0x0000000075893000-memory.dmp
    Filesize: 8KB
  memory/1092-61-0x0000000000000000-mapping.dmp