Overview

overview

10

Static

static

WHITE SPIR...df.exe

windows7_x64

10

WHITE SPIR...df.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    24-06-2020 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WHITE SPIRIT MSDS_pdf.exe

  • Size

    1.2MB

  • MD5

    da0c1d3e4b6526d4c99022e8894ceee9

  • SHA1

    355db74ab7cf7797863b94a3e700d30548db76bb

  • SHA256

    8d1512de63fd1bf66f80c8ec2ec640464a6ce986101849488372a38fed2bcfb6

  • SHA512

    e31bedf4ed0b209859a3024a0c93d24301e25b59d37a11f40d8c356068f717f867c7244a4c19733c14775707aa8ef86665cbf3374093808bc7c162ccf503fb58

Score
10/10
spywareevasiontrojanstealerformbookpersistence

Malware Config

Signatures

  • Adds Run entry to policy start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of SendNotifyMessage 7 IoCs
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of SetThreadContext 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Suspicious use of FindShellTrayWindow 8 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    • Suspicious use of FindShellTrayWindow
    PID:1304
    • C:\Users\Admin\AppData\Local\Temp\WHITE SPIRIT MSDS_pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\WHITE SPIRIT MSDS_pdf.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetThreadContext
      • Suspicious use of FindShellTrayWindow
      PID:376
      • C:\Windows\SysWOW64\dllhost.exe
        "C:\Windows\SysWOW64\dllhost.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        PID:1080
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\SysWOW64\netsh.exe"
          4⤵
          • Adds Run entry to policy start application
          • Suspicious use of WriteProcessMemory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: MapViewOfSection
          • Drops file in Program Files directory
          • Modifies Internet Explorer settings
          • Suspicious use of SetThreadContext
          • System policy modification
          PID:1832
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\SysWOW64\dllhost.exe"
            5⤵
              PID:1860
            • C:\Program Files\Mozilla Firefox\Firefox.exe
              "C:\Program Files\Mozilla Firefox\Firefox.exe"
              5⤵
                PID:1644

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      3
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1080-0-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/1080-1-0x000000000041E2A0-mapping.dmp
        Download
      • memory/1304-2-0x0000000004870000-0x00000000049A9000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1304-7-0x0000000006C60000-0x0000000006DF6000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1832-3-0x0000000000000000-mapping.dmp
        Download
      • memory/1832-4-0x0000000001590000-0x00000000015AB000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1832-6-0x0000000000A40000-0x0000000000AF1000-memory.dmp
        Filesize

        708KB

        Download
      • memory/1860-5-0x0000000000000000-mapping.dmp
        Download