Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    26/06/2020, 21:23

General

  • Target

    https://mobaxterm.mobatek.net/

  • Sample

    200626-mhexs79smx

Malware Config

Signatures

  • Drops file in Program Files directory (7 IoCs)
  • Suspicious behavior: EnumeratesProcesses (28 IoCs)
  • Suspicious use of SendNotifyMessage (7 IoCs)
  • Modifies data under HKEY_USERS (14 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 53 IoCs)
  • Modifies registry class (55 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (145 IoCs)
  • Loads dropped DLL (24 IoCs)
  • Modifies system certificate store (2 TTPs, 26 IoCs)
  • Checks SCSI registry key(s) (3 TTPs, 96 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Drops file in Windows directory (12 IoCs)
  • Suspicious use of WriteProcessMemory (23 IoCs)
  • Executes dropped EXE (4 IoCs)
  • Modifies service (2 TTPs, 161 IoCs)
  • Checks for installed software on the system (1 TTPs, 129 IoCs)
  • Enumerates connected drives (3 TTPs)
  • Suspicious use of FindShellTrayWindow (13 IoCs)
  • Blacklisted process makes network request (3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Checks whether UAC is enabled (2 IoCs)

Processes

  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://mobaxterm.mobatek.net/
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    PID:2896
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2896 CREDAT:82945 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      • Modifies system certificate store
      • Checks whether UAC is enabled
      PID:3572
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2336
  • C:\Windows\System32\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Documents\MobaXterm_Installer_v20.2\MobaXterm_installer_20.2.msi"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    • Blacklisted process makes network request
    PID:3652
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Modifies system certificate store
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • Modifies service
    • Checks for installed software on the system
    PID:852
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 166A7659C1644A1CB83E1ED61608F16C C
      2⤵
      • Loads dropped DLL
      PID:1124
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Modifies service
      PID:1944
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding C42297F148B2E5D4893CBC8B457FEA79
      2⤵
      • Loads dropped DLL
      PID:4132
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 75037441C89B363ACFA679E9452604EB E Global\MSI0000
      2⤵
      • Modifies data under HKEY_USERS
      • Loads dropped DLL
      PID:4224
    • C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe
      "C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe" -instunpack -msipath C:\Users\Admin\Documents\MobaXterm_Installer_v20.2\MobaXterm_installer_20.2.msi
      2⤵
      • Drops file in Program Files directory
      • Suspicious use of SendNotifyMessage
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:4316
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Modifies service
    PID:1400
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
    1⤵
    • Modifies data under HKEY_USERS
    • Checks SCSI registry key(s)
    PID:3856
  • C:\Windows\system32\compattelrunner.exe
    C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
    1⤵
    • Checks for installed software on the system
    PID:4604
  • C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe
    "C:\Program Files (x86)\Mobatek\MobaXterm\MobaXterm.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • Executes dropped EXE
    • Suspicious use of FindShellTrayWindow
    PID:5032
    • C:\Users\Admin\DOCUME~1\MobaXterm\slash\bin\XWin_MobaX.exe
      "C:\Users\Admin\DOCUME~1\MobaXterm\slash\bin\XWin_MobaX.exe" -silent-dup-error -notrayicon -nolisten inet6 -hostintitle +bs -clipboard -nowgl -multiwindow -noreset :0
      2⤵
      • Suspicious use of SendNotifyMessage
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      • Suspicious behavior: AddClipboardFormatListener
      PID:4168
      • C:\Users\Admin\DOCUME~1\MobaXterm\slash\bin\xkbcomp_w32.exe
        "C:\Users\Admin\DOCUME~1\MobaXterm\slash\bin\xkbcomp_w32.exe" -w 1 "-RC:\Users\Admin\DOCUME~1\MobaXterm\slash\usr\share\X11\xkb" -xkm "C:\Users\Admin\DOCUME~1\MobaXterm\slash\var\log\xwin\xkb_a04124" -em1 "The XKEYBOARD keymap compiler (xkbcomp) reports:" -emp "> " -eml "Errors from xkbcomp are not fatal to the X server" "C:\Users\Admin\DOCUME~1\MobaXterm\slash\var\log\xwin\server-0.xkm"
        3⤵
        • Loads dropped DLL
        • Executes dropped EXE
        PID:4288

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3652-18-0x000001D731D10000-0x000001D731D14000-memory.dmp (Filesize: 16KB)
  • memory/5032-44-0x00000000063A0000-0x00000000063A1000-memory.dmp (Filesize: 4KB)
  • memory/5032-45-0x0000000006BA0000-0x0000000006BA1000-memory.dmp (Filesize: 4KB)
  • memory/5032-47-0x00000000063A0000-0x00000000063A1000-memory.dmp (Filesize: 4KB)
  • memory/5032-48-0x0000000006BA0000-0x0000000006BA1000-memory.dmp (Filesize: 4KB)
  • memory/5032-51-0x0000000007020000-0x0000000007021000-memory.dmp (Filesize: 4KB)