Analysis
  max time kernel:  148s
  max time network: 139s
  platform:         windows7_x64
  resource:         win7
  submitted:        30-06-2020 06:41
Static task: static1
Behavioral task: behavioral1
  Sample:   Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
  Resource: win7
Behavioral task: behavioral2
  Sample:   Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
  Resource: win10
General
  Target: Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
  Size:   258KB
  MD5:    05865820025c38359bb2f51c1e6a5ce6
  SHA1:   4b8c9a275dcf3992839703a95d03e3acb75ac5a5
  SHA256: 37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96
  SHA512: bbe6e903505611f8f769dc391485f6ed41df56ef5fde3f95eeb509b2427424f562d9bcb82fe1162a00f9762b9efa3120e431dfd655919288a3ccb4ae5deb620c
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                       pid   process                                                     target process
    PID 1124 wrote to memory of 1320  1124  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    (the same event is recorded 12 times)
- Loads dropped DLL (7 IoCs)
  Processes:
    pid   process
    1096  (no process name recorded)
    1320  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe  (recorded 6 times)
- Suspicious behavior: LoadsDriver (4 IoCs)
  Processes:
    pid   process
    1096  (no process name recorded; recorded 4 times)
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description   ioc                                          process
    File created  C:\Program Files\Microsoft DN1\rdpwrap.ini   Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    File created  C:\Program Files\Microsoft DN1\sqlmap.dll    Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
- Drops file in System32 directory (1 IoC)
  Processes:
    description   ioc                               process
    File created  C:\Windows\System32\rfxvmt.dll    Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                                                     target process
    PID 1124 set thread context of 1320  1124  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  1320  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
- Modifies WinLogon (2 TTPs, 4 IoCs)
  Processes:
    description      ioc                                                                                                       process
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList           Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts                    Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\ru.gnqK = "0"  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"       Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
- Sets DLL path for service in the registry (2 TTPs, 1 IoC)
  Processes:
    description      ioc                                                                                                                process
    Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Microsoft DN1\\sqlmap.dll"  Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
Processes
  C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe (child process)
      command line: "{path}"
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in System32 directory
      - Suspicious use of AdjustPrivilegeToken
      - Modifies WinLogon
      - Sets DLL path for service in the registry
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
  \Program Files\Microsoft DN1\sqlmap.dll
  \Users\Admin\AppData\Local\Temp\freebl3.dll
  \Users\Admin\AppData\Local\Temp\mozglue.dll
  \Users\Admin\AppData\Local\Temp\msvcp140.dll
  \Users\Admin\AppData\Local\Temp\nss3.dll
  \Users\Admin\AppData\Local\Temp\softokn3.dll
  \Users\Admin\AppData\Local\Temp\vcruntime140.dll
  memory/1320-1-0x0000000000405A3D-mapping.dmp
  memory/1320-0-0x0000000000400000-0x0000000000554000-memory.dmp  (filesize 1.3MB)
  memory/1320-2-0x0000000000400000-0x0000000000554000-memory.dmp  (filesize 1.3MB)