Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
16/08/2023, 07:12
Static task
static1
Behavioral task
behavioral1
Sample
ACCOUNTING STATEMENT.exe
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
ACCOUNTING STATEMENT.exe
Resource
win10v2004-20230703-en
General
-
Target
ACCOUNTING STATEMENT.exe
-
Size
882KB
-
MD5
752f2c3589148fc83a4d602e4670faec
-
SHA1
84ae1cc5b764c406989a02818b3b33eba32359ec
-
SHA256
a5299852cbd114f85d0ef4a8605caf998214014e89348d7af5d9df0c096a8863
-
SHA512
e57d51d79b7130d745e7b752f30c1b4de07aaf009ad8325652e652711cb7b0760a75c26551dc266e300b5a29d982f3c588e0773d8205a9af82f17e7d2fb39794
-
SSDEEP
24576:M1YYRs6CE3jLMpppdpppppUO9Rs6CE3jLMpppdpppppUOIOguc02ZccLbB:KZRs6CE3jLbO9Rs6CE3jLbOQub2HPB
Malware Config
Signatures
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-4159544280-4273523227-683900707-1000\Software\Microsoft\Windows\CurrentVersion\Run\yStNrF = "C:\\Users\\Admin\\AppData\\Roaming\\yStNrF\\yStNrF.exe" ACCOUNTING STATEMENT.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2460 set thread context of 2980 2460 ACCOUNTING STATEMENT.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3040 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2980 ACCOUNTING STATEMENT.exe 2980 ACCOUNTING STATEMENT.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2980 ACCOUNTING STATEMENT.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2980 ACCOUNTING STATEMENT.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 2460 wrote to memory of 3040 2460 ACCOUNTING STATEMENT.exe 30 PID 2460 wrote to memory of 3040 2460 ACCOUNTING STATEMENT.exe 30 PID 2460 wrote to memory of 3040 2460 ACCOUNTING STATEMENT.exe 30 PID 2460 wrote to memory of 3040 2460 ACCOUNTING STATEMENT.exe 30 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32 PID 2460 wrote to memory of 2980 2460 ACCOUNTING STATEMENT.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\ACCOUNTING STATEMENT.exe"C:\Users\Admin\AppData\Local\Temp\ACCOUNTING STATEMENT.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\kawntyAd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2B8.tmp"2⤵
- Creates scheduled task(s)
PID:3040
-
-
C:\Users\Admin\AppData\Local\Temp\ACCOUNTING STATEMENT.exe"{path}"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2980
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5572995560f7306e08b9ec31e2b43f591
SHA12f3b21867b58d2b2d64c1fe2cc96b12a08b17c7c
SHA256f76c00b391a9bf23c0a18800dbf4abfbe951f871ea6b3961c3cf52b036126b9b
SHA512b2adbc8485d30a09e46c4c9dcdd03efc5136d5d67e4055bff8e040dad4d12695e18d2d75d16c657814b653fd87459e254d01cb33704b130ae9a14bae32d2b80b