Analysis
- max time kernel: 147s
- max time network: 144s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 06:04
Static task: static1
Behavioral task: behavioral1
- Sample: Payment Slip_GS2004011507 & GS2005014760_pdf.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Payment Slip_GS2004011507 & GS2005014760_pdf.exe
- Resource: win10v200430
General
- Target: Payment Slip_GS2004011507 & GS2005014760_pdf.exe
- Size: 304KB
- MD5: 724b0343f5f55aab914f610c1164cdcd
- SHA1: b451c5667a1491a99e7c54e549fa89049beba10f
- SHA256: 8f4bb4bd0cff9da6a0aee3e0204732840f045fab3ae23020385646fc47aae9f4
- SHA512: 3e8898305f745fcf12735af7be23e780474377e6e16c1b401e783439ce1ecd10602da2f5eae8672d9d9ebe0d66215eeebe8eb46e1103fc6771d936c18ae81e47
Malware Config
Signatures
- Modifies Internet Explorer settings
  Processes: cmstp.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmstp.exe
- Reads user/profile data of web browsers  2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Drops file in Program Files directory  1 IoCs
  Processes: cmstp.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Ghpp\mlt8stxwlr8c.exe | cmstp.exe
- System policy modification  1 TTPs 1 IoCs
  Processes: cmstp.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cmstp.exe
- Suspicious use of WriteProcessMemory  93 IoCs
  Processes: Payment Slip_GS2004011507 & GS2005014760_pdf.exe, rundll32.exe
  description | pid | process | target process
  PID 1732 wrote to memory of 1988 | 1732 | Payment Slip_GS2004011507 & GS2005014760_pdf.exe | rundll32.exe  (3 entries)
  PID 1988 wrote to memory of 2908 | 1988 | rundll32.exe | cmd.exe  (all remaining entries)
- Loads dropped DLL  1 IoCs
  Processes: rundll32.exe
  pid | process
  1988 | rundll32.exe
- Suspicious use of AdjustPrivilegeToken  12 IoCs
  Processes: cmd.exe, cmstp.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 2908 | cmd.exe
  Token: SeDebugPrivilege | 3904 | cmstp.exe
  Token: SeShutdownPrivilege | 3000 | Explorer.EXE  (5 entries)
  Token: SeCreatePagefilePrivilege | 3000 | Explorer.EXE  (5 entries)
- Suspicious use of SetThreadContext  2 IoCs
  Processes: cmd.exe, cmstp.exe
  description | pid | process | target process
  PID 2908 set thread context of 3000 | 2908 | cmd.exe | Explorer.EXE
  PID 3904 set thread context of 3000 | 3904 | cmstp.exe | Explorer.EXE
- Adds Run entry to policy start application  2 TTPs 2 IoCs
  Processes: cmstp.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmstp.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YTCLK4G = "C:\\Program Files (x86)\\Ghpp\\mlt8stxwlr8c.exe" | cmstp.exe
- Suspicious behavior: EnumeratesProcesses  47 IoCs
  Processes: rundll32.exe, cmd.exe, cmstp.exe
  pid | process
  1988 | rundll32.exe
  2908 | cmd.exe  (4 entries)
  3904 | cmstp.exe  (42 entries)
- Suspicious behavior: MapViewOfSection  7 IoCs
  Processes: rundll32.exe, cmd.exe, cmstp.exe
  pid | process
  1988 | rundll32.exe
  2908 | cmd.exe  (3 entries)
  3904 | cmstp.exe  (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Payment Slip_GS2004011507 & GS2005014760_pdf.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment Slip_GS2004011507 & GS2005014760_pdf.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe Fireside,Pretor
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe"
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\cmstp.exe
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Modifies Internet Explorer settings
    - Drops file in Program Files directory
    - System policy modification
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Adds Run entry to policy start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\SysWOW64\cmd.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
- C:\Users\Admin\AppData\Local\Temp\Fireside.DLL
- C:\Users\Admin\AppData\Local\Temp\Mantel
- \Users\Admin\AppData\Local\Temp\Fireside.dll
- memory/700-10-0x0000000000000000-mapping.dmp
- memory/1988-0-0x0000000000000000-mapping.dmp
- memory/2908-4-0x0000000000000000-mapping.dmp
- memory/3904-5-0x0000000000000000-mapping.dmp
- memory/3904-6-0x0000000000E00000-0x0000000000E16000-memory.dmp (Filesize: 88KB)
- memory/3904-7-0x0000000000E00000-0x0000000000E16000-memory.dmp (Filesize: 88KB)
- memory/3904-9-0x00000000055E0000-0x00000000056FF000-memory.dmp (Filesize: 1.1MB)
- memory/4020-8-0x0000000000000000-mapping.dmp