Overview

overview

8

Static

static

Product Sp...0).exe

windows7_x64

8

Product Sp...0).exe

windows10_x64

8

Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    30-06-2020 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe

  • Size

    258KB

  • MD5

    05865820025c38359bb2f51c1e6a5ce6

  • SHA1

    4b8c9a275dcf3992839703a95d03e3acb75ac5a5

  • SHA256

    37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96

  • SHA512

    bbe6e903505611f8f769dc391485f6ed41df56ef5fde3f95eeb509b2427424f562d9bcb82fe1162a00f9762b9efa3120e431dfd655919288a3ccb4ae5deb620c

Score
8/10
persistencespyware

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 12 IoCs
  • Loads dropped DLL 7 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
    persistence
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    "C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SetThreadContext
    PID:1124
    • C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
      "{path}"
      2⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Drops file in System32 directory
      • Suspicious use of AdjustPrivilegeToken
      • Modifies WinLogon
      • Sets DLL path for service in the registry
      PID:1320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Program Files\Microsoft DN1\sqlmap.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\freebl3.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\mozglue.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\msvcp140.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\nss3.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\softokn3.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\vcruntime140.dll
    Download Submit
  • memory/1320-1-0x0000000000405A3D-mapping.dmp
    Download
  • memory/1320-0-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1320-2-0x0000000000400000-0x0000000000554000-memory.dmp
    Filesize

    1.3MB

    Download