Overview

overview

10

Static

static

4d712b5dc9...25.exe

windows7_x64

10

4d712b5dc9...25.exe

windows10_x64

8

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-06-2020 12:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4d712b5dc93ea0ef4c153dfa30aacd25.exe

  • Size

    285KB

  • MD5

    4d712b5dc93ea0ef4c153dfa30aacd25

  • SHA1

    a6a4179eee29bf8e05dd34dda07c27b60a894465

  • SHA256

    d7083f1007834bbc16f0b6d2ee0e1e2b9e79a04af2a2e21f2d2682c9dff939eb

  • SHA512

    3e69b19b9314d84097e5b98802c76e6b9892bd167bcc57699fc5d574f6976bb4820bd38c3613130382fb477aefe55d3ec18d6abb9482af8828f6a5d3b0461144

Score
10/10
persistencespywareevasiontrojanstealerformbook

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of WriteProcessMemory 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 6050 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Program crash 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:1280
    • C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
      "C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      PID:1316
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetThreadContext
        PID:280
      • C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe
        "C:\Users\Admin\AppData\Local\Temp\4d712b5dc93ea0ef4c153dfa30aacd25.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:808
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 808 -s 7396
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Program crash
          PID:1576
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Adds Run entry to start application
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      PID:1080
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
          PID:1036
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1232

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/280-0-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/280-1-0x000000000041E2F0-mapping.dmp
        Download
      • memory/808-15-0x0000000000000000-mapping.dmp
        Download
      • memory/808-12-0x0000000000000000-mapping.dmp
        Download
      • memory/808-16-0x0000000000000000-mapping.dmp
        Download
      • memory/808-2-0x0000000000000000-mapping.dmp
        Download
      • memory/808-14-0x0000000000000000-mapping.dmp
        Download
      • memory/808-13-0x0000000000000000-mapping.dmp
        Download
      • memory/808-9-0x0000000000000000-mapping.dmp
        Download
      • memory/808-10-0x0000000000000000-mapping.dmp
        Download
      • memory/808-11-0x0000000000000000-mapping.dmp
        Download
      • memory/1036-5-0x0000000000000000-mapping.dmp
        Download
      • memory/1080-18-0x00000000768A0000-0x00000000768AC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/1080-6-0x0000000000630000-0x00000000006EB000-memory.dmp
        Filesize

        748KB

        Download
      • memory/1080-4-0x0000000000620000-0x000000000062E000-memory.dmp
        Filesize

        56KB

        Download
      • memory/1080-3-0x0000000000000000-mapping.dmp
        Download
      • memory/1080-19-0x00000000756B0000-0x00000000757CD000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1080-20-0x0000000003460000-0x0000000003505000-memory.dmp
        Filesize

        660KB

        Download
      • memory/1232-21-0x0000000000000000-mapping.dmp
        Download
      • memory/1232-22-0x000000013F840000-0x000000013F8D3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1576-8-0x0000000001EE0000-0x0000000001EF1000-memory.dmp
        Filesize

        68KB

        Download
      • memory/1576-7-0x0000000000000000-mapping.dmp
        Download
      • memory/1576-17-0x0000000002530000-0x0000000002541000-memory.dmp
        Filesize

        68KB

        Download