Analysis

max time kernel: 150s
max time network: 158s
platform: windows7_x64
resource: win7v200430
submitted: 24-06-2020 15:08

Tasks
static1 (static task)
behavioral1 (behavioral task): sample WHITE SPIRIT MSDS_pdf.exe, resource win7v200430
behavioral2 (behavioral task): sample WHITE SPIRIT MSDS_pdf.exe, resource win10
General

Target: WHITE SPIRIT MSDS_pdf.exe
Size:   1.2MB
MD5:    da0c1d3e4b6526d4c99022e8894ceee9
SHA1:   355db74ab7cf7797863b94a3e700d30548db76bb
SHA256: 8d1512de63fd1bf66f80c8ec2ec640464a6ce986101849488372a38fed2bcfb6
SHA512: e31bedf4ed0b209859a3024a0c93d24301e25b59d37a11f40d8c356068f717f867c7244a4c19733c14775707aa8ef86665cbf3374093808bc7c162ccf503fb58
Malware Config

Signatures

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Process: netsh.exe
  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JXK46TRX_TF = "C:\\Program Files (x86)\\J_nlddx5x\\chkdskubr.exe"

Suspicious use of WriteProcessMemory (18 IoCs)
Source PID  Source process             Target PID  Target process  Calls
376         WHITE SPIRIT MSDS_pdf.exe  1080        dllhost.exe     6
1080        dllhost.exe                1832        netsh.exe       4
1832        netsh.exe                  1860        cmd.exe         4
1832        netsh.exe                  1644        Firefox.exe     4

Suspicious behavior: EnumeratesProcesses (28 IoCs)
PID   Process      Calls
1080  dllhost.exe  3
1832  netsh.exe    25

Suspicious use of AdjustPrivilegeToken (2 IoCs)
PID   Process      Token
1080  dllhost.exe  SeDebugPrivilege
1832  netsh.exe    SeDebugPrivilege

Suspicious behavior: MapViewOfSection (7 IoCs)
PID   Process      Calls
1080  dllhost.exe  4
1832  netsh.exe    3

Drops file in Program Files directory (1 IoC)
Process: netsh.exe
  File opened for modification  C:\Program Files (x86)\J_nlddx5x\chkdskubr.exe
Modifies Internet Explorer settings (1 IoC)
Process: netsh.exe
  Key created  \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  (IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form credentials; RegCreateKey opens the key when it already exists, so this event is consistent with reading it rather than changing a setting.)
Suspicious use of SendNotifyMessage (7 IoCs)
PID   Process                    Calls
376   WHITE SPIRIT MSDS_pdf.exe  3
1304  Explorer.EXE               4

Suspicious use of SetThreadContext (4 IoCs)
Source PID  Source process             Target PID  Target process  Calls
376         WHITE SPIRIT MSDS_pdf.exe  1080        dllhost.exe     1
1080        dllhost.exe                1304        Explorer.EXE    2
1832        netsh.exe                  1304        Explorer.EXE    1
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Checks whether UAC is enabled (1 IoC)
Process: Explorer.EXE
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
System policy modification (1 TTP, 1 IoC)
Process: netsh.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

Suspicious use of FindShellTrayWindow (8 IoCs)
PID   Process                    Calls
376   WHITE SPIRIT MSDS_pdf.exe  3
1304  Explorer.EXE               5
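The WriteProcessMemory, SetThreadContext and Run-entry tables above are flattened sandbox event rows. The script below is an added example, not the sandbox's or the sample's code: it parses those rows as transcribed from this report, labels each source/target pair by the injection primitives used (WriteProcessMemory plus SetThreadContext on the same target is the process-hollowing pattern; SetThreadContext on a process the source never wrote to means the payload arrived another way, here MapViewOfSection), walks the process chain, and extracts the autostart write. The row grammar and the list of autostart key suffixes are assumptions; the rows themselves are copied from this page.

```python
"""Rebuild the injection chain and persistence IoC from flattened sandbox
rows. Added example; the row grammar is assumed from this report's text and
the rows below are transcribed from it (embedded so the script runs offline).
"""
import re
from collections import defaultdict

# One row per API call, as in the report (duplicates are real repeated calls).
MEMORY_ROWS = """
PID 376 wrote to memory of 1080 376 WHITE SPIRIT MSDS_pdf.exe dllhost.exe
PID 376 wrote to memory of 1080 376 WHITE SPIRIT MSDS_pdf.exe dllhost.exe
PID 1080 wrote to memory of 1832 1080 dllhost.exe netsh.exe
PID 1832 wrote to memory of 1860 1832 netsh.exe cmd.exe
PID 1832 wrote to memory of 1644 1832 netsh.exe Firefox.exe
PID 376 set thread context of 1080 376 WHITE SPIRIT MSDS_pdf.exe dllhost.exe
PID 1080 set thread context of 1304 1080 dllhost.exe Explorer.EXE
PID 1832 set thread context of 1304 1832 netsh.exe Explorer.EXE
"""
REGISTRY_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JXK46TRX_TF = "C:\\Program Files (x86)\\J_nlddx5x\\chkdskubr.exe" netsh.exe
"""

# "PID <src> <action> <dst> <src> <src image> <dst image>": the source image may
# contain spaces (it does here); the target image is taken as the last token.
MEM_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>.+) (?P<dst_name>\S+)$")
REG_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>.+)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>.*)" (?P<proc>\S+)$')

# Assumed watch-list. Policies\Explorer\Run is honoured by Explorer at logon
# like the ordinary Run key but is inspected far less often.
AUTORUN_SUFFIXES = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
    r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)


def parse_memory_rows(text):
    """Return (action, src_pid, src_name, dst_pid, dst_name) per row."""
    events = []
    for line in text.strip().splitlines():
        m = MEM_RE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        events.append((m["action"], int(m["src"]), m["src_name"],
                       int(m["dst"]), m["dst_name"]))
    return events


def classify_injection(events):
    """Label each (src_pid, dst_pid) pair by the primitives used against it."""
    seen = defaultdict(set)
    for action, src, _, dst, _ in events:
        seen[(src, dst)].add(action)
    verdicts = {}
    for pair, actions in seen.items():
        wrote = "wrote to memory of" in actions
        hijacked = "set thread context of" in actions
        if wrote and hijacked:
            verdicts[pair] = "hollowing"           # wrote payload, redirected thread
        elif hijacked:
            verdicts[pair] = "thread-hijack-without-write"  # payload mapped, not written
        else:
            verdicts[pair] = "write-only"          # consistent with plain CreateProcess
    return verdicts


def process_chain(events, root_pid):
    """Pre-order walk of WriteProcessMemory edges from root_pid. In this report
    those edges coincide with the parent/child tree in the Processes section."""
    children = defaultdict(list)
    for action, src, _, dst, _ in events:
        if action == "wrote to memory of" and dst not in children[src]:
            children[src].append(dst)
    order, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        order.append(pid)
        stack.extend(reversed(children[pid]))
    return order


def autorun_hits(text):
    """Return (key, value name, path, writing process) for autostart writes."""
    hits = []
    for line in text.strip().splitlines():
        m = REG_RE.match(line.strip())
        if m is None:
            continue
        key = m["key"].replace("\\REGISTRY\\MACHINE\\", "HKLM\\")
        if any(key.upper().endswith(s.upper()) for s in AUTORUN_SUFFIXES):
            # the report doubles backslashes in string data; undo that for the IoC
            hits.append((key, m["name"], m["data"].replace("\\\\", "\\"), m["proc"]))
    return hits


if __name__ == "__main__":
    ev = parse_memory_rows(MEMORY_ROWS)
    for (src, dst), verdict in sorted(classify_injection(ev).items()):
        print(f"{src:>5} -> {dst:<5} {verdict}")
    print("chain:", " -> ".join(map(str, process_chain(ev, 376))))
    for key, name, path, proc in autorun_hits(REGISTRY_ROWS):
        print(f"persistence: {proc} set {key}\\{name} = {path}")
```

On this report the 376 -> 1080 pair comes out as hollowing, which is why the 180KB dump of dllhost.exe starting at 0x400000 (the default 32-bit image base) and its mapping at 0x41E2A0 in the Downloads section are the likely place to recover the unpacked payload; the two pairs targeting Explorer.EXE are thread hijacks without a write, matching the MapViewOfSection events logged for the same source processes.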
Processes
(indentation shows the tree depth reported by the sandbox)

C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\AppData\Local\Temp\WHITE SPIRIT MSDS_pdf.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WHITE SPIRIT MSDS_pdf.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetThreadContext
    - Suspicious use of FindShellTrayWindow

    C:\Windows\SysWOW64\dllhost.exe (depth 3)
      Command line: "C:\Windows\SysWOW64\dllhost.exe"
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext

      C:\Windows\SysWOW64\netsh.exe (depth 4)
        Command line: "C:\Windows\SysWOW64\netsh.exe"
        - Adds Run entry to policy start application
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: MapViewOfSection
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings
        - Suspicious use of SetThreadContext
        - System policy modification

        C:\Windows\SysWOW64\cmd.exe (depth 5)
          Command line: /c del "C:\Windows\SysWOW64\dllhost.exe"

        C:\Program Files\Mozilla Firefox\Firefox.exe (depth 5)
          Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)

File                                                             Size
memory/1080-0-0x0000000000400000-0x000000000042D000-memory.dmp   180KB
memory/1080-1-0x000000000041E2A0-mapping.dmp
memory/1304-2-0x0000000004870000-0x00000000049A9000-memory.dmp   1.2MB
memory/1304-7-0x0000000006C60000-0x0000000006DF6000-memory.dmp   1.6MB
memory/1832-3-0x0000000000000000-mapping.dmp
memory/1832-4-0x0000000001590000-0x00000000015AB000-memory.dmp   108KB
memory/1832-6-0x0000000000A40000-0x0000000000AF1000-memory.dmp   708KB
memory/1860-5-0x0000000000000000-mapping.dmp

The file names encode PID, dump index and address range; the sizes match the ranges (for example 0x42D000 - 0x400000 = 0x2D000 = 180KB).