Analysis

max time kernel: 149s
max time network: 92s
platform: windows7_x64
resource: win7
submitted: 30-06-2020 17:38

Static task: static1

Behavioral task: behavioral1
Sample: PO 30091.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: PO 30091.exe
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General

Target: PO 30091.exe
Size: 684KB
MD5: 9ac778fb946e20543b571464843fd232
SHA1: 1ab3d9251802a6f3c8475cdbf9f7276689b61dd7
SHA256: 1ebe8c4369b01611d9c49ed8aadbbd36de80d306532927b21b426dd0e648f3f3
SHA512: fb67073a5576592a5775ce1c37d99b378202b33f82ce4efa94a68305e601c1687c179f599551c752399d7e37368280836bf6ef25a2cd729f00c2dbbecf367475
Malware Config
Signatures

Suspicious use of SetThreadContext (4 IoCs)
Processes (description; source process -> target process):
- PID 1088 set thread context of 1204; PO 30091.exe (1088) -> PO 30091.exe (1204)
- PID 1204 set thread context of 1276; PO 30091.exe (1204) -> Explorer.EXE (1276)
- PID 1204 set thread context of 1276; PO 30091.exe (1204) -> Explorer.EXE (1276)
- PID 1284 set thread context of 1276; svchost.exe (1284) -> Explorer.EXE (1276)
The first row is the sample re-launching its own image and overwriting the child's thread context, the usual shape of process hollowing. The remaining rows apply the same call to the already running Explorer.EXE, first from the hollowed child and then from the svchost.exe it created.

Drops file in Program Files directory (1 IoC)
Processes:
- File opened for modification: C:\Program Files (x86)\Eanm\configez7.exe, by svchost.exe

Suspicious behavior: MapViewOfSection (9 IoCs)
Processes:
- 1088 PO 30091.exe (1)
- 1204 PO 30091.exe (4)
- 1284 svchost.exe (4)

Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2, by svchost.exe
IntelliForms\Storage2 is where Internet Explorer keeps autocomplete data, including saved web-form credentials. A non-browser process touching this key fits the "Reads user/profile data of web browsers" signature below.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
- 1088 PO 30091.exe (1)
- 1204 PO 30091.exe (3)
- 1284 svchost.exe (26)

Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, by svchost.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8P-XJVHXZD = "C:\\Program Files (x86)\\Eanm\\configez7.exe", by svchost.exe
The value name is random-looking, the key is the machine-wide Run key (under Wow6432Node because the writer is a 32-bit process on x64), and the target is the file dropped above. A successful HKLM write means the sample had administrative rights in this run.

Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly target stored browser data, which can include saved credentials, cookies and form history.

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- Token: SeDebugPrivilege, 1204 PO 30091.exe
- Token: SeDebugPrivilege, 1284 svchost.exe
- Token: SeShutdownPrivilege, 1276 Explorer.EXE
SeShutdownPrivilege on Explorer.EXE is ordinary shell behaviour; SeDebugPrivilege on the other two is what the cross-process writes in this report require.

Deletes itself (1 IoC)
Processes:
- 1448 cmd.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
- 1276 Explorer.EXE (5)

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- 1276 Explorer.EXE (4)
Both are ordinary shell calls; they are attributed to Explorer.EXE, which by this point hosts injected code.

Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by Explorer.EXE

Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description; source process -> target process, count):
- PID 1088 wrote to memory of 1204; PO 30091.exe (1088) -> PO 30091.exe (1204), 4 times
- PID 1204 wrote to memory of 1284; PO 30091.exe (1204) -> svchost.exe (1284), 4 times
- PID 1284 wrote to memory of 1448; svchost.exe (1284) -> cmd.exe (1448), 4 times
- PID 1284 wrote to memory of 1620; svchost.exe (1284) -> Firefox.exe (1620), 5 times
Note that svchost.exe (1284) is written to by its parent but never appears as a SetThreadContext target; the report shows how it received code, not how that code was started.
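The two injection tables above are easier to reason about as one chain. The Python below is an added example (my own, not part of the sandbox report or of any tool): it parses rows in the report's own wording, merges them per source/target PID pair and labels each hop. The row strings are transcribed from the tables above with their repeat counts; the labels (self-hollowing, migration into the shell, browser write) are heuristic names I assign, not sandbox verdicts, and the browser and shell name sets are assumptions.

```python
"""Reconstruct the process-injection chain from the report's IoC rows.

Added example; it is not part of the sandbox report or of any tool. The
row strings are transcribed from the SetThreadContext and
WriteProcessMemory tables above (repeat counts as in the report); the
parser and the hop labels are my own heuristics, not sandbox verdicts.
"""
import re
from collections import Counter

SETTHREADCONTEXT_ROWS = [
    "PID 1088 set thread context of 1204 1088 PO 30091.exe PO 30091.exe",
    "PID 1204 set thread context of 1276 1204 PO 30091.exe Explorer.EXE",
    "PID 1204 set thread context of 1276 1204 PO 30091.exe Explorer.EXE",
    "PID 1284 set thread context of 1276 1284 svchost.exe Explorer.EXE",
]
WRITEPROCESSMEMORY_ROWS = (
    ["PID 1088 wrote to memory of 1204 1088 PO 30091.exe PO 30091.exe"] * 4
    + ["PID 1204 wrote to memory of 1284 1204 PO 30091.exe svchost.exe"] * 4
    + ["PID 1284 wrote to memory of 1448 1284 svchost.exe cmd.exe"] * 4
    + ["PID 1284 wrote to memory of 1620 1284 svchost.exe Firefox.exe"] * 5
)

# Row shape: "PID <src> <verb> <dst> <src> <process> <target process>"
ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) \1 (.+)$")
API_NAMES = {"set thread context of": "SetThreadContext",
             "wrote to memory of": "WriteProcessMemory"}
SHELL = {"explorer.exe"}                                   # assumption
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}  # assumption


def parse_row(row):
    """Return (src_pid, src_image, dst_pid, dst_image, api) for one table row."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"unrecognised IoC row: {row!r}")
    src_pid, verb, dst_pid, images = m.groups()
    # Image names may contain spaces ("PO 30091.exe"), so split only after ".exe".
    names = re.split(r"(?<=\.exe) ", images, flags=re.IGNORECASE)
    if len(names) != 2:
        raise ValueError(f"could not split image names in: {row!r}")
    return int(src_pid), names[0], int(dst_pid), names[1], API_NAMES[verb]


def classify(src, dst, apis):
    """Heuristic label for one source->target hop given the APIs seen on it."""
    s, d = src.lower(), dst.lower()
    if "SetThreadContext" in apis:
        if s == d:
            return "self-hollowing (child of the same image, thread context overwritten)"
        if d in SHELL:
            return "migration into the shell process"
        return "thread-context hijack"
    if d in BROWSERS:
        return "write into browser process (no thread context change seen)"
    return "memory write only"


def injection_chain(stc_rows=SETTHREADCONTEXT_ROWS, wpm_rows=WRITEPROCESSMEMORY_ROWS):
    """Merge rows per (src_pid, dst_pid) and label each hop, in PID order."""
    hops = {}
    for row in list(stc_rows) + list(wpm_rows):
        src_pid, src, dst_pid, dst, api = parse_row(row)
        h = hops.setdefault((src_pid, dst_pid), {"src": src, "dst": dst, "apis": Counter()})
        h["apis"][api] += 1
    return [
        {"src": f"{h['src']} ({sp})", "dst": f"{h['dst']} ({dp})",
         "apis": dict(h["apis"]), "label": classify(h["src"], h["dst"], h["apis"])}
        for (sp, dp), h in sorted(hops.items())
    ]


if __name__ == "__main__":
    for hop in injection_chain():
        print(f"{hop['src']:>20} -> {hop['dst']:<19} {hop['apis']}  {hop['label']}")
```

Run stand-alone it prints six hops; the ones worth a second look are the two "migration into the shell process" hops (from different source PIDs, both into Explorer.EXE 1276) and the write into Firefox.exe, which is memory-write only in this report.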
Processes

C:\Windows\Explorer.EXE (PID 1276)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  C:\Users\Admin\AppData\Local\Temp\PO 30091.exe (PID 1088)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\PO 30091.exe (PID 1204)
      command line: "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\svchost.exe (PID 1284)
        command line: "C:\Windows\SysWOW64\svchost.exe"
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious behavior: MapViewOfSection
        - Modifies Internet Explorer settings
        - Suspicious behavior: EnumeratesProcesses
        - Adds Run entry to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe (PID 1448)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
          - Deletes itself
        C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1620)
          command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"

PIDs are taken from the signature tables above; the tree itself only records nesting depth. Read together with those tables: Explorer launches the sample from the user's Temp directory; the sample re-launches its own image and overwrites the child's thread context; the child starts a 32-bit svchost.exe with no service arguments (a process that services.exe, not a user program, would normally create) and writes into it; svchost.exe then writes into Explorer.EXE and Firefox.exe, drops the Program Files payload, sets the Run key, and has cmd.exe delete the original executable.
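The parent/child relationships in this tree are what an endpoint detection would key on, independently of the sample hash. As an added example (my own; it is not part of the report and does not model any particular EDR's schema), the Python below runs lineage rules over constructed process-creation events that mirror the tree. PIDs, images and command lines are taken from the report and the parent links follow its nesting; Explorer's own parent is not shown in the report and is left unknown; the field names and the browser list are assumptions.

```python
"""Lineage rules over process-creation events that mirror the report's tree.

Added example; not part of the sandbox report. EVENTS is constructed from
the tree (PIDs, images and command lines from the report, parent links
from its nesting); the field names are assumptions, loosely modelled on
Sysmon Event ID 1 rather than any vendor's real schema.
"""
import ntpath
import re

EVENTS = [
    {"pid": 1276, "ppid": None, "image": r"C:\Windows\Explorer.EXE",   # parent not in report
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 1088, "ppid": 1276, "image": r"C:\Users\Admin\AppData\Local\Temp\PO 30091.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"'},
    {"pid": 1204, "ppid": 1088, "image": r"C:\Users\Admin\AppData\Local\Temp\PO 30091.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"'},
    {"pid": 1284, "ppid": 1204, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Windows\SysWOW64\svchost.exe"'},
    {"pid": 1448, "ppid": 1284, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"'},
    {"pid": 1620, "ppid": 1284, "image": r"C:\Program Files\Mozilla Firefox\Firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
]

BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}  # assumption
# "del" followed by an optionally quoted path at the end of the command line
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def ancestors(pid, by_pid):
    """Yield the parent, grandparent, ... events of pid (cycle-safe)."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid]["ppid"]
        if pid in by_pid:
            yield by_pid[pid]


def detect(events):
    """Return [(pid, reason), ...] for every lineage rule an event trips."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else None

        # The shell launched an executable out of the user's Temp directory.
        if parent_name == "explorer.exe" and "\\appdata\\local\\temp\\" in e["image"].lower():
            findings.append((e["pid"], "executable run from %TEMP% by the shell"))

        # Child has the same image as its parent: the sample re-launched itself.
        if parent and e["image"].lower() == parent["image"].lower():
            findings.append((e["pid"], "process re-executed its own image (seen before self-hollowing)"))

        # svchost.exe is normally started only by services.exe, with -k <group>.
        if name == "svchost.exe":
            if parent_name != "services.exe":
                findings.append((e["pid"], f"svchost.exe started by {parent_name or 'unknown'} instead of services.exe"))
            if "-k" not in e["cmdline"].lower():
                findings.append((e["pid"], "svchost.exe launched without a -k service group"))

        # cmd.exe deleting the image of one of its ancestors: self-deletion.
        if name == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            target = m.group(1).lower() if m else None
            for a in ancestors(e["pid"], by_pid):
                if target and a["image"].lower() == target:
                    findings.append((e["pid"], f"cmd.exe deletes ancestor image {a['image']} (self-deletion)"))
                    break

        # A browser whose parent is not the user's shell.
        if name in BROWSERS and parent_name != "explorer.exe":
            findings.append((e["pid"], f"browser launched by {parent_name or 'unknown'}"))
    return findings


if __name__ == "__main__":
    for pid, why in detect(EVENTS):
        print(f"{pid:>5}  {why}")
```

The svchost.exe rules are the robust ones: a legitimate svchost.exe has services.exe as its parent and a `-k <group>` argument, and neither holds here. The self-deletion rule needs the full ancestry, which is why the example walks parents rather than checking only the direct parent; the sample that is deleted is two levels above the cmd.exe that deletes it.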
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Files written during the run:
- C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogim.jpeg
- C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrf.ini
- C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogri.ini
- C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrv.ini

Memory dumps (PID-index, address range, size):
- memory/1204-1-0x000000000041E330-mapping.dmp
- memory/1204-0-0x0000000000400000-0x000000000042D000-memory.dmp, 180KB
- memory/1276-6-0x0000000007480000-0x00000000075DB000-memory.dmp, 1.4MB
- memory/1284-3-0x0000000000A40000-0x0000000000A48000-memory.dmp, 32KB
- memory/1284-7-0x0000000003320000-0x00000000033CE000-memory.dmp, 696KB
- memory/1284-5-0x0000000000870000-0x00000000009CF000-memory.dmp, 1.4MB
- memory/1284-2-0x0000000000000000-mapping.dmp
- memory/1448-4-0x0000000000000000-mapping.dmp
- memory/1620-8-0x0000000000000000-mapping.dmp
- memory/1620-9-0x000000013FE20000-0x000000013FEB3000-memory.dmp, 588KB

Reading the dumps: the 0x41E330 mapping address for PID 1204 lies inside that process's 0x400000-0x42D000 image dump, consistent with the thread start address set on the hollowed child by the SetThreadContext call above. The roughly 1.4MB regions in svchost.exe (1284, at 0x870000) and Explorer.EXE (1276, at 0x7480000) are the natural candidates for the unpacked payload and the first dumps to examine. The Firefox.exe region at 0x13FE20000 is above 4GB, so the browser is a 64-bit process, while the svchost.exe that wrote to it is the 32-bit SysWOW64 copy.