Analysis
- max time kernel: 148s
- max time network: 137s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 12:10
Static task: static1
Behavioral task: behavioral1
- Sample: Acount Details.com.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Acount Details.com.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Acount Details.com.exe
- Size: 291KB
- MD5: d15fc838aacf85c873bca9adfe7b9997
- SHA1: 43ff525b542d1e73c4345fd3312788876cf422a5
- SHA256: abdae1b1965bafd334bb46028ddeffc82d495bf84aaa3f44403d9a17963f12c5
- SHA512: 831e8bb86b3fb42a678052db8c8d703546320525cfd211d51b7dea56abeddb0a4ecfa37f45de3543768db784eee15d70bd7033906b1ecc31fa0019744cd5f92f
- Score: 10/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: Acount Details.com.exe, Explorer.EXE, netsh.exe
  description                        pid   process                 target process          entries
  PID 3984 wrote to memory of 3640   3984  Acount Details.com.exe  Acount Details.com.exe  6
  PID 3028 wrote to memory of 3908   3028  Explorer.EXE            netsh.exe               3
  PID 3908 wrote to memory of 3412   3908  netsh.exe               cmd.exe                 3
  PID 3908 wrote to memory of 1196   3908  netsh.exe               cmd.exe                 3
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Acount Details.com.exe, netsh.exe
  description                           pid   process                 target process
  PID 3984 set thread context of 3640   3984  Acount Details.com.exe  Acount Details.com.exe
  PID 3640 set thread context of 3028   3640  Acount Details.com.exe  Explorer.EXE
  PID 3908 set thread context of 3028   3908  netsh.exe               Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Processes: Acount Details.com.exe, netsh.exe, Explorer.EXE
  description                        pid   process                 entries
  Token: SeDebugPrivilege            3640  Acount Details.com.exe  1
  Token: SeDebugPrivilege            3908  netsh.exe               1
  Token: SeShutdownPrivilege         3028  Explorer.EXE            4
  Token: SeCreatePagefilePrivilege   3028  Explorer.EXE            4
- Adds Run entry to policy start application (2 TTPs, 2 IoCs)
  Processes: netsh.exe
  description       ioc                                                                                process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run  netsh.exe
  Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MF1PGTBPO2 = "C:\\Program Files (x86)\\Ynfc82xt\\nrulmsxe.exe"  netsh.exe
- Drops file in Program Files directory (1 IoCs)
  Processes: netsh.exe
  description                    ioc                                            process
  File opened for modification   C:\Program Files (x86)\Ynfc82xt\nrulmsxe.exe   netsh.exe
- System policy modification (1 TTPs, 1 IoCs)
  Processes: netsh.exe
  description   ioc                                                                            process
  Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  netsh.exe
- Suspicious behavior: EnumeratesProcesses (46 IoCs)
  Processes: Acount Details.com.exe, netsh.exe
  pid   process                 entries
  3640  Acount Details.com.exe  4
  3908  netsh.exe               42
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: Acount Details.com.exe, netsh.exe
  pid   process                 entries
  3640  Acount Details.com.exe  3
  3908  netsh.exe               2
- Modifies Internet Explorer settings
  Processes: netsh.exe
  description   ioc                                                                                                                       process
  Key created   \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  netsh.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe
      Command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Adds Run entry to policy start application
    - Drops file in Program Files directory
    - System policy modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Acount Details.com.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
- C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logim.jpeg
- C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logrg.ini
- C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logri.ini
- C:\Users\Admin\AppData\Roaming\N98A4CAW\N98logrv.ini
- memory/1196-8-0x0000000000000000-mapping.dmp
- memory/3412-6-0x0000000000000000-mapping.dmp
- memory/3640-0-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/3640-1-0x000000000041B680-mapping.dmp
- memory/3908-3-0x0000000000000000-mapping.dmp
- memory/3908-4-0x0000000000980000-0x000000000099E000-memory.dmp (Filesize: 120KB)
- memory/3908-5-0x0000000000980000-0x000000000099E000-memory.dmp (Filesize: 120KB)