Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 12:20
Static task: static1

Behavioral task: behavioral1
- Sample: 4d712b5dc93ea0ef4c153dfa30aacd25.exe
- Resource: win7

Behavioral task: behavioral2
- Sample: 4d712b5dc93ea0ef4c153dfa30aacd25.exe
- Resource: win10
General
- Target: 4d712b5dc93ea0ef4c153dfa30aacd25.exe
- Size: 285KB
- MD5: 4d712b5dc93ea0ef4c153dfa30aacd25
- SHA1: a6a4179eee29bf8e05dd34dda07c27b60a894465
- SHA256: d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb
- SHA512: 3e69b19b9314d84097e5b98802c76e6b9892bd167bcc57699fc5d574f6976bb4820bd38c3613130382fb477aefe55d3ec18d6abb9482af8828f6a5d3b0461144
Malware Config
Signatures

Suspicious use of FindShellTrayWindow 7 IoCs
Processes:
  pid   process
  1280  Explorer.EXE  (7 identical IoCs, repeated entries collapsed)

Checks whether UAC is enabled
Processes:
  description        ioc                                                                                    process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
Suspicious use of WriteProcessMemory 32 IoCs
Processes (repeated identical entries collapsed, count in last column):
  description                       pid   process                               target process                        count
  PID 1316 wrote to memory of 280   1316  4d712b5dc93ea0ef4c153dfa30aacd25.exe  RegAsm.exe                            8
  PID 1316 wrote to memory of 808   1316  4d712b5dc93ea0ef4c153dfa30aacd25.exe  4d712b5dc93ea0ef4c153dfa30aacd25.exe  4
  PID 1280 wrote to memory of 1080  1280  Explorer.EXE                          rundll32.exe                          7
  PID 1080 wrote to memory of 1036  1080  rundll32.exe                          cmd.exe                               4
  PID 808 wrote to memory of 1576   808   4d712b5dc93ea0ef4c153dfa30aacd25.exe  WerFault.exe                          4
  PID 1080 wrote to memory of 1232  1080  rundll32.exe                          Firefox.exe                           5
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
  description                 pid   process
  Token: SeDebugPrivilege     1316  4d712b5dc93ea0ef4c153dfa30aacd25.exe
  Token: SeDebugPrivilege     280   RegAsm.exe
  Token: SeDebugPrivilege     1080  rundll32.exe
  Token: SeShutdownPrivilege  1280  Explorer.EXE
  Token: SeDebugPrivilege     1576  WerFault.exe
  Token: SeShutdownPrivilege  1280  Explorer.EXE
Suspicious behavior: EnumeratesProcesses 6050 IoCs
Processes:
  pid   process
  1316  4d712b5dc93ea0ef4c153dfa30aacd25.exe  (6050 identical IoCs, repeated entries collapsed)
Adds Run entry to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                                      process
  Key created      \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                              rundll32.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\1B0LZ = "C:\\Program Files (x86)\\Jaxyl\\updatemlr.exe"  rundll32.exe
Suspicious behavior: MapViewOfSection 8 IoCs
Processes (repeated identical entries collapsed, count in last column):
  pid   process                               count
  1316  4d712b5dc93ea0ef4c153dfa30aacd25.exe  1
  280   RegAsm.exe                            3
  1080  rundll32.exe                          4
Suspicious use of SetThreadContext 3 IoCs
Processes:
  description                          pid   process                               target process
  PID 1316 set thread context of 280   1316  4d712b5dc93ea0ef4c153dfa30aacd25.exe  RegAsm.exe
  PID 280 set thread context of 1280   280   RegAsm.exe                            Explorer.EXE
  PID 1080 set thread context of 1280  1080  rundll32.exe                          Explorer.EXE
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  1576  808         WerFault.exe  4d712b5dc93ea0ef4c153dfa30aacd25.exe

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid   process
  1280  Explorer.EXE  (4 identical IoCs, repeated entries collapsed)

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Drops file in Program Files directory 1 IoCs
Processes:
  description                    ioc                                              process
  File opened for modification   C:\Program Files (x86)\Jaxyl\updatemlr.exe       rundll32.exe

Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                                   process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  rundll32.exe
Processes (tree, indented by depth)

[depth 1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of FindShellTrayWindow
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage

    [depth 2] C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext

        [depth 3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetThreadContext

        [depth 3] C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
            - Suspicious use of WriteProcessMemory

            [depth 4] C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 7396
                - Suspicious use of AdjustPrivilegeToken
                - Program crash

    [depth 2] C:\Windows\SysWOW64\rundll32.exe
        Command line: "C:\Windows\SysWOW64\rundll32.exe"
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Adds Run entry to start application
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Modifies Internet Explorer settings

        [depth 3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

        [depth 3] C:\Program Files\Mozilla Firefox\Firefox.exe
            Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/280-0-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/280-1-0x000000000041E2F0-mapping.dmp
- memory/808-15-0x0000000000000000-mapping.dmp
- memory/808-12-0x0000000000000000-mapping.dmp
- memory/808-16-0x0000000000000000-mapping.dmp
- memory/808-2-0x0000000000000000-mapping.dmp
- memory/808-14-0x0000000000000000-mapping.dmp
- memory/808-13-0x0000000000000000-mapping.dmp
- memory/808-9-0x0000000000000000-mapping.dmp
- memory/808-10-0x0000000000000000-mapping.dmp
- memory/808-11-0x0000000000000000-mapping.dmp
- memory/1036-5-0x0000000000000000-mapping.dmp
- memory/1080-18-0x00000000768A0000-0x00000000768AC000-memory.dmp (48KB)
- memory/1080-6-0x0000000000630000-0x00000000006EB000-memory.dmp (748KB)
- memory/1080-4-0x0000000000620000-0x000000000062E000-memory.dmp (56KB)
- memory/1080-3-0x0000000000000000-mapping.dmp
- memory/1080-19-0x00000000756B0000-0x00000000757CD000-memory.dmp (1.1MB)
- memory/1080-20-0x0000000003460000-0x0000000003505000-memory.dmp (660KB)
- memory/1232-21-0x0000000000000000-mapping.dmp
- memory/1232-22-0x000000013F840000-0x000000013F8D3000-memory.dmp (588KB)
- memory/1576-8-0x0000000001EE0000-0x0000000001EF1000-memory.dmp (68KB)
- memory/1576-7-0x0000000000000000-mapping.dmp
- memory/1576-17-0x0000000002530000-0x0000000002541000-memory.dmp (68KB)