Analysis
- Max time kernel: 149s
- Max time network: 143s
- Platform: windows10_x64
- Resource: win10
- Submitted: 24-06-2020 15:08
- Static task: static1
- Behavioral task: behavioral1, sample WHITE SPIRIT MSDS_pdf.exe, resource win7v200430
- Behavioral task: behavioral2, sample WHITE SPIRIT MSDS_pdf.exe, resource win10
General
- Target: WHITE SPIRIT MSDS_pdf.exe
- Size: 1.2MB
- MD5: da0c1d3e4b6526d4c99022e8894ceee9
- SHA1: 355db74ab7cf7797863b94a3e700d30548db76bb
- SHA256: 8d1512de63fd1bf66f80c8ec2ec640464a6ce986101849488372a38fed2bcfb6
- SHA512: e31bedf4ed0b209859a3024a0c93d24301e25b59d37a11f40d8c356068f717f867c7244a4c19733c14775707aa8ef86665cbf3374093808bc7c162ccf503fb58
Signatures
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source PID and process, target PID and process, number of occurrences):
- PID 3920 WHITE SPIRIT MSDS_pdf.exe wrote to memory of PID 3008 dllhost.exe (5x)
- PID 2988 Explorer.EXE wrote to memory of PID 3916 colorcpl.exe (3x)
- PID 3916 colorcpl.exe wrote to memory of PID 3520 cmd.exe (3x)
- PID 3916 colorcpl.exe wrote to memory of PID 3856 cmd.exe (3x)
- PID 3916 colorcpl.exe wrote to memory of PID 848 Firefox.exe (3x)
Suspicious use of SetThreadContext (3 IoCs)
Processes (source PID and process, target PID and process):
- PID 3920 WHITE SPIRIT MSDS_pdf.exe set thread context of PID 3008 dllhost.exe
- PID 3008 dllhost.exe set thread context of PID 2988 Explorer.EXE
- PID 3916 colorcpl.exe set thread context of PID 2988 Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
- PID 3008 dllhost.exe (3x)
- PID 3916 colorcpl.exe (4x)
Modifies Internet Explorer settings
Processes:
- colorcpl.exe: Key created \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
- PID 3920 WHITE SPIRIT MSDS_pdf.exe (3x)
- PID 2988 Explorer.EXE (1x)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- PID 3920 WHITE SPIRIT MSDS_pdf.exe (3x)
- PID 2988 Explorer.EXE (1x)
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes:
- colorcpl.exe: Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
- colorcpl.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XP-TV42H = "C:\\Program Files (x86)\\Zcdvhx\\inyl0hbhtr6.exe"
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in Program Files directory (1 IoC)
Processes:
- colorcpl.exe: File opened for modification C:\Program Files (x86)\Zcdvhx\inyl0hbhtr6.exe
Suspicious behavior: EnumeratesProcesses (56 IoCs)
Processes:
- PID 3008 dllhost.exe (4x)
- PID 3916 colorcpl.exe (52x)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 3008 dllhost.exe (1x)
- Token: SeDebugPrivilege, PID 3916 colorcpl.exe (1x)
- Token: SeShutdownPrivilege, PID 2988 Explorer.EXE (4x)
- Token: SeCreatePagefilePrivilege, PID 2988 Explorer.EXE (4x)
Processes (tree; PIDs taken from the signature tables above)
- C:\Windows\Explorer.EXE (PID 2988)
  Command line: C:\Windows\Explorer.EXE
  Signatures: Suspicious use of WriteProcessMemory; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\WHITE SPIRIT MSDS_pdf.exe (PID 3920)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WHITE SPIRIT MSDS_pdf.exe"
    Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
    - C:\Windows\SysWOW64\dllhost.exe (PID 3008)
      Command line: "C:\Windows\SysWOW64\dllhost.exe"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe (PID 3916)
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    Signatures: Suspicious use of WriteProcessMemory; Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Modifies Internet Explorer settings; Adds Run entry to start application; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\dllhost.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 848)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
- C:\Users\Admin\AppData\Roaming\6MA-SUR2\6MAlogim.jpeg
- C:\Users\Admin\AppData\Roaming\6MA-SUR2\6MAlogrf.ini
- C:\Users\Admin\AppData\Roaming\6MA-SUR2\6MAlogrg.ini
- C:\Users\Admin\AppData\Roaming\6MA-SUR2\6MAlogri.ini
- C:\Users\Admin\AppData\Roaming\6MA-SUR2\6MAlogrv.ini
- memory/848-12-0x00007FF74F010000-0x00007FF74F0A3000-memory.dmp (588KB)
- memory/848-10-0x0000000000000000-mapping.dmp
- memory/848-11-0x00007FF74F010000-0x00007FF74F0A3000-memory.dmp (588KB)
- memory/848-13-0x00007FF74F010000-0x00007FF74F0A3000-memory.dmp (588KB)
- memory/3008-0-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/3008-1-0x000000000041E2A0-mapping.dmp
- memory/3520-5-0x0000000000000000-mapping.dmp
- memory/3856-7-0x0000000000000000-mapping.dmp
- memory/3916-6-0x0000000005C30000-0x0000000005D19000-memory.dmp (932KB)
- memory/3916-9-0x0000000005C70000-0x0000000005D0A000-memory.dmp (616KB)
- memory/3916-4-0x00000000010D0000-0x00000000010E9000-memory.dmp (100KB)
- memory/3916-3-0x00000000010D0000-0x00000000010E9000-memory.dmp (100KB)
- memory/3916-2-0x0000000000000000-mapping.dmp