Analysis
Max time kernel: 110s
Max time network: 113s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 21-05-2022 11:01
Static task: static1
Behavioral task: behavioral1
  Sample: SOA PT. SUN TAK INDONESIA.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: SOA PT. SUN TAK INDONESIA.exe
  Resource: win10v2004-20220414-en
General
Target: SOA PT. SUN TAK INDONESIA.exe
Size: 610KB
MD5: 0a7a9244122a56e9d286dde0744290ae
SHA1: 1e774ca58ebf1f8172ad1eefd58732084616de10
SHA256: 80434f5dca269d5ef426a319de156d51a0d3268b42cb5e9239737d853a863450
SHA512: 6f0fc50395b5a851a53cb261637c35475b5ab68db6eeffef3b4c1c081212286e957fde9b804bd929441e7a6b1bdcb255168f1d583914f27a2d4c9cefc1375839
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  Process: SOA PT. SUN TAK INDONESIA.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
    Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
    Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2028 (SOA PT. SUN TAK INDONESIA.exe) set thread context of PID 1956 (SOA PT. SUN TAK INDONESIA.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    PID 2028 (SOA PT. SUN TAK INDONESIA.exe)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    PID 2028 (SOA PT. SUN TAK INDONESIA.exe)
- Suspicious behavior: RenamesItself (1 IoC)
  Processes:
    PID 1956 (SOA PT. SUN TAK INDONESIA.exe)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege, PID 1956 (SOA PT. SUN TAK INDONESIA.exe)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    PID 2028 (SOA PT. SUN TAK INDONESIA.exe) wrote to memory of PID 1956 (SOA PT. SUN TAK INDONESIA.exe), recorded 4 times
- outlook_office_path (1 IoC)
  Processes:
  Process: SOA PT. SUN TAK INDONESIA.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
- outlook_win_path (1 IoC)
  Processes:
  Process: SOA PT. SUN TAK INDONESIA.exe
    Key opened: \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\SOA PT. SUN TAK INDONESIA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SOA PT. SUN TAK INDONESIA.exe"
  PID: 2028 (tree depth 1)
  Signatures:
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - Image: C:\Users\Admin\AppData\Local\Temp\SOA PT. SUN TAK INDONESIA.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\SOA PT. SUN TAK INDONESIA.exe"
    PID: 1956 (tree depth 2)
    Signatures:
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: RenamesItself
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path