Analysis
max time kernel: 147s
max time network: 145s
platform: windows10_x64
resource: win10v200430
submitted: 30-06-2020 17:38
Static task: static1
Behavioral task: behavioral1
  Sample: PO 30091.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: PO 30091.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: PO 30091.exe
Size: 684KB
MD5: 9ac778fb946e20543b571464843fd232
SHA1: 1ab3d9251802a6f3c8475cdbf9f7276689b61dd7
SHA256: 1ebe8c4369b01611d9c49ed8aadbbd36de80d306532927b21b426dd0e648f3f3
SHA512: fb67073a5576592a5775ce1c37d99b378202b33f82ce4efa94a68305e601c1687c179f599551c752399d7e37368280836bf6ef25a2cd729f00c2dbbecf367475
Score: 8/10
Malware Config
Signatures
Drops file in Program Files directory 1 IoCs
Processes: msdt.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Mgzsd-6h\9rixjv3f0.exe | msdt.exe
Modifies Internet Explorer settings
Processes: msdt.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msdt.exe
Suspicious use of WriteProcessMemory 15 IoCs
Processes: PO 30091.exe, Explorer.EXE, msdt.exe
  description | pid | process | target process
  PID 652 wrote to memory of 808 | 652 | PO 30091.exe | PO 30091.exe (×3)
  PID 3024 wrote to memory of 988 | 3024 | Explorer.EXE | msdt.exe (×3)
  PID 988 wrote to memory of 1556 | 988 | msdt.exe | cmd.exe (×3)
  PID 988 wrote to memory of 1992 | 988 | msdt.exe | cmd.exe (×3)
  PID 988 wrote to memory of 2548 | 988 | msdt.exe | Firefox.exe (×3)
Suspicious behavior: MapViewOfSection 8 IoCs
Processes: PO 30091.exe, PO 30091.exe, msdt.exe
  pid | process
  652 | PO 30091.exe
  808 | PO 30091.exe (×3)
  988 | msdt.exe (×4)
Suspicious use of SetThreadContext 3 IoCs
Processes: PO 30091.exe, PO 30091.exe, msdt.exe
  description | pid | process | target process
  PID 652 set thread context of 808 | 652 | PO 30091.exe | PO 30091.exe
  PID 808 set thread context of 3024 | 808 | PO 30091.exe | Explorer.EXE
  PID 988 set thread context of 3024 | 988 | msdt.exe | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes: PO 30091.exe, msdt.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 808 | PO 30091.exe
  Token: SeDebugPrivilege | 988 | msdt.exe
  Token: SeShutdownPrivilege | 3024 | Explorer.EXE (×5)
  Token: SeCreatePagefilePrivilege | 3024 | Explorer.EXE (×5)
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: Explorer.EXE
  pid | process
  3024 | Explorer.EXE
Suspicious use of SendNotifyMessage 1 IoCs
Processes: Explorer.EXE
  pid | process
  3024 | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes: PO 30091.exe, PO 30091.exe, msdt.exe
  pid | process
  652 | PO 30091.exe (×2)
  808 | PO 30091.exe (×4)
  988 | msdt.exe (×54)
System policy modification 1 TTPs 1 IoCs
Processes: msdt.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | msdt.exe
Adds Run entry to policy start application 2 TTPs 2 IoCs
Processes: msdt.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msdt.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YDJPOT20A0H = "C:\\Program Files (x86)\\Mgzsd-6h\\9rixjv3f0.exe" | msdt.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  C:\Users\Admin\AppData\Local\Temp\PO 30091.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\PO 30091.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
  C:\Windows\SysWOW64\msdt.exe
    Command line: "C:\Windows\SysWOW64\msdt.exe"
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    - Adds Run entry to policy start application
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PO 30091.exe"
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\DB1
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogim.jpeg
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrf.ini
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrg.ini
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogri.ini
C:\Users\Admin\AppData\Roaming\L5P8R4-3\L5Plogrv.ini
memory/808-0-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize 180KB)
memory/808-1-0x000000000041E330-mapping.dmp
memory/988-10-0x00000000059A0000-0x0000000005A4A000-memory.dmp (Filesize 680KB)
memory/988-5-0x0000000000280000-0x00000000003F3000-memory.dmp (Filesize 1.4MB)
memory/988-4-0x0000000000280000-0x00000000003F3000-memory.dmp (Filesize 1.4MB)
memory/988-3-0x0000000000000000-mapping.dmp
memory/1556-6-0x0000000000000000-mapping.dmp
memory/1992-8-0x0000000000000000-mapping.dmp
memory/2548-11-0x0000000000000000-mapping.dmp
memory/2548-12-0x00007FF7C03D0000-0x00007FF7C0463000-memory.dmp (Filesize 588KB)
memory/2548-13-0x00007FF7C03D0000-0x00007FF7C0463000-memory.dmp (Filesize 588KB)
memory/2548-14-0x00007FF7C03D0000-0x00007FF7C0463000-memory.dmp (Filesize 588KB)