Overview

overview

8

Static

static

Product Sp...0).exe

windows7_x64

8

Product Sp...0).exe

windows10_x64

8

Analysis

  • max time kernel
    114s
  • max time network
    127s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    30-06-2020 06:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe

  • Size

    258KB

  • MD5

    05865820025c38359bb2f51c1e6a5ce6

  • SHA1

    4b8c9a275dcf3992839703a95d03e3acb75ac5a5

  • SHA256

    37d250d71a687db0e2c094fd5932bd32a6198a94b86553580d495cbb592d0f96

  • SHA512

    bbe6e903505611f8f769dc391485f6ed41df56ef5fde3f95eeb509b2427424f562d9bcb82fe1162a00f9762b9efa3120e431dfd655919288a3ccb4ae5deb620c

Score
8/10
persistencespyware

Malware Config

Signatures

  • Suspicious behavior: LoadsDriver 1 IoCs
  • Modifies WinLogon 2 TTPs 4 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Sets DLL path for service in the registry 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of SetThreadContext 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
    "C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetThreadContext
    PID:2728
    • C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
      "{path}"
      2⤵
        PID:3880
      • C:\Users\Admin\AppData\Local\Temp\Product Specification 58 (iv) Qty 45,000 KG (CuZn 30).exe
        "{path}"
        2⤵
        • Modifies WinLogon
        • Drops file in System32 directory
        • Suspicious use of AdjustPrivilegeToken
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Sets DLL path for service in the registry
        PID:3928
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k networkservice -s TermService
      1⤵
        PID:3816
      • C:\Windows\System32\svchost.exe
        C:\Windows\System32\svchost.exe -k NetworkService -s TermService
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:3356

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Winlogon Helper DLL

      1
      T1004

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \??\c:\program files\microsoft dn1\rdpwrap.ini
        Download Submit
      • \??\c:\program files\microsoft dn1\sqlmap.dll
        Download Submit
      • \Program Files\Microsoft DN1\sqlmap.dll
        Download Submit
      • \Users\Admin\AppData\Local\Temp\freebl3.dll
        Download Submit
      • \Users\Admin\AppData\Local\Temp\mozglue.dll
        Download Submit
      • \Users\Admin\AppData\Local\Temp\msvcp140.dll
        Download Submit
      • \Users\Admin\AppData\Local\Temp\nss3.dll
        Download Submit
      • \Users\Admin\AppData\Local\Temp\softokn3.dll
        Download Submit
      • \Users\Admin\AppData\Local\Temp\vcruntime140.dll
        Download Submit
      • memory/3928-0-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/3928-1-0x0000000000405A3D-mapping.dmp
        Download
      • memory/3928-2-0x0000000000400000-0x0000000000554000-memory.dmp
        Filesize

        1.3MB

        Download