Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows7_x64 -
resource
win7 -
submitted
24-06-2020 14:56
General
-
Target
2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe
-
Size
453KB
-
MD5
59f1f5348151b176018bd54b53798ab1
-
SHA1
91d59f9c6cc1d757b58af475f4d51386eff1177d
-
SHA256
2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d
-
SHA512
8afbbedc1be5839cc044009eef51d7161d7dc207f9755ae04d83c54b30c14bef810ee002450475dd47bb193772fe4afa61d25cad831ed713e374a624243a1acc
Score
8/10
Malware Config
Signatures
-
Suspicious use of AdjustPrivilegeToken 591 IoCs
-
Suspicious use of WriteProcessMemory 58 IoCs
-
Executes dropped EXE 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Deletes itself 1 IoCs
-
Adds Run entry to start application 2 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 19 IoCs
-
Loads dropped DLL 5 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe"C:\Users\Admin\AppData\Local\Temp\2d9788648b02d198623fcd299ff6b1853759f1bf026e5d47a5ee83b7e5a7791d.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
-
C:\Users\Admin\AppData\Roaming\Becyapup\ceuwtebour.exe"C:\Users\Admin\AppData\Roaming\Becyapup\ceuwtebour.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
- Adds Run entry to start application
- Suspicious behavior: EnumeratesProcesses
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp42251ee1.bat"3⤵
- Suspicious use of AdjustPrivilegeToken
- Deletes itself
-
C:\Program Files\Windows Mail\WinMail.exe"C:\Program Files\Windows Mail\WinMail.exe" -Embedding1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp42251ee1.bat
-
C:\Users\Admin\AppData\Roaming\Becyapup\ceuwtebour.exe
-
C:\Users\Admin\AppData\Roaming\Becyapup\ceuwtebour.exe
-
C:\Users\Admin\AppData\Roaming\Uxamvida\owgiaberytv.sot
-
\Users\Admin\AppData\Local\Temp\tmp4587.tmp
-
\Users\Admin\AppData\Local\Temp\tmp45A7.tmp
-
\Users\Admin\AppData\Local\Temp\tmpA11E.tmp
-
\Users\Admin\AppData\Local\Temp\tmpA15E.tmp
-
\Users\Admin\AppData\Roaming\Becyapup\ceuwtebour.exe
-
memory/740-69-0x0000000000050000-0x0000000000097000-memory.dmpFilesize
284KB
-
memory/740-71-0x000000000007025A-mapping.dmp
-
memory/1588-34-0x0000000003EA0000-0x0000000003EA2000-memory.dmpFilesize
8KB
-
memory/1588-40-0x0000000005670000-0x0000000005672000-memory.dmpFilesize
8KB
-
memory/1588-18-0x0000000003560000-0x0000000003562000-memory.dmpFilesize
8KB
-
memory/1588-19-0x0000000003570000-0x0000000003572000-memory.dmpFilesize
8KB
-
memory/1588-20-0x0000000003550000-0x0000000003552000-memory.dmpFilesize
8KB
-
memory/1588-21-0x0000000003560000-0x0000000003562000-memory.dmpFilesize
8KB
-
memory/1588-22-0x0000000003B50000-0x0000000003B52000-memory.dmpFilesize
8KB
-
memory/1588-23-0x0000000003C70000-0x0000000003C72000-memory.dmpFilesize
8KB
-
memory/1588-24-0x0000000003550000-0x0000000003552000-memory.dmpFilesize
8KB
-
memory/1588-25-0x0000000003B50000-0x0000000003B52000-memory.dmpFilesize
8KB
-
memory/1588-26-0x0000000003550000-0x0000000003552000-memory.dmpFilesize
8KB
-
memory/1588-27-0x0000000003B50000-0x0000000003B52000-memory.dmpFilesize
8KB
-
memory/1588-28-0x0000000003C50000-0x0000000003C52000-memory.dmpFilesize
8KB
-
memory/1588-29-0x0000000004440000-0x0000000004442000-memory.dmpFilesize
8KB
-
memory/1588-31-0x0000000003C40000-0x0000000003C42000-memory.dmpFilesize
8KB
-
memory/1588-32-0x0000000003B60000-0x0000000003B62000-memory.dmpFilesize
8KB
-
memory/1588-33-0x0000000003D90000-0x0000000003D92000-memory.dmpFilesize
8KB
-
memory/1588-13-0x0000000003930000-0x0000000003B30000-memory.dmpFilesize
2.0MB
-
memory/1588-35-0x0000000004450000-0x0000000004452000-memory.dmpFilesize
8KB
-
memory/1588-36-0x0000000005710000-0x0000000005712000-memory.dmpFilesize
8KB
-
memory/1588-37-0x0000000004460000-0x0000000004462000-memory.dmpFilesize
8KB
-
memory/1588-38-0x0000000005700000-0x0000000005702000-memory.dmpFilesize
8KB
-
memory/1588-39-0x0000000004470000-0x0000000004472000-memory.dmpFilesize
8KB
-
memory/1588-14-0x0000000003A30000-0x0000000003B30000-memory.dmpFilesize
1024KB
-
memory/1588-41-0x0000000004490000-0x0000000004492000-memory.dmpFilesize
8KB
-
memory/1588-42-0x0000000005660000-0x0000000005662000-memory.dmpFilesize
8KB
-
memory/1588-43-0x0000000004440000-0x0000000004442000-memory.dmpFilesize
8KB
-
memory/1588-44-0x0000000004A30000-0x0000000004A32000-memory.dmpFilesize
8KB
-
memory/1588-45-0x00000000049A0000-0x00000000049A2000-memory.dmpFilesize
8KB
-
memory/1588-46-0x0000000004990000-0x0000000004992000-memory.dmpFilesize
8KB
-
memory/1588-47-0x00000000044C0000-0x00000000044C2000-memory.dmpFilesize
8KB
-
memory/1588-48-0x00000000044B0000-0x00000000044B2000-memory.dmpFilesize
8KB
-
memory/1588-49-0x0000000003C30000-0x0000000003C32000-memory.dmpFilesize
8KB
-
memory/1588-50-0x0000000004A50000-0x0000000004A52000-memory.dmpFilesize
8KB
-
memory/1588-51-0x0000000004AF0000-0x0000000004AF2000-memory.dmpFilesize
8KB
-
memory/1588-52-0x0000000004B00000-0x0000000004B02000-memory.dmpFilesize
8KB
-
memory/1588-53-0x0000000004B10000-0x0000000004B12000-memory.dmpFilesize
8KB
-
memory/1588-54-0x0000000004B20000-0x0000000004B22000-memory.dmpFilesize
8KB
-
memory/1588-55-0x0000000003930000-0x0000000003B30000-memory.dmpFilesize
2.0MB
-
memory/1588-56-0x0000000003A30000-0x0000000003B30000-memory.dmpFilesize
1024KB
-
memory/1588-57-0x0000000002450000-0x0000000002460000-memory.dmpFilesize
64KB
-
memory/1588-12-0x0000000003930000-0x0000000003A30000-memory.dmpFilesize
1024KB
-
memory/1588-10-0x0000000003930000-0x0000000003B30000-memory.dmpFilesize
2.0MB
-
memory/1588-8-0x0000000003930000-0x0000000003A30000-memory.dmpFilesize
1024KB
-
memory/1588-63-0x00000000020B0000-0x00000000020C0000-memory.dmpFilesize
64KB
-
memory/1612-3-0x0000000000000000-mapping.dmp