Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 06:30

Static task: static1
Behavioral task: behavioral1
  Sample: DOC Scanned_0897506302020.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: DOC Scanned_0897506302020.exe
  Resource: win10v200430
General
- Target: DOC Scanned_0897506302020.exe
- Size: 608KB
- MD5: ad535bbe748d1f76fe956281e186b195
- SHA1: c1b622f311ffa1194194a66e3d922e58b6e9402d
- SHA256: e86fd29446566f02088cc93deb2449d5aa7febf4ced0a41d36095520737f0338
- SHA512: 904d9712f5c683960b20b3dd79176db70ccb1c843e93ee05ebe38894f9ed4a18d44249de679d51f693fd83fa19e10e19495416bc236337dc536c4dcd28743406
Malware Config
Signatures
- Suspicious use of FindShellTrayWindow (8 IoCs)
  Process: Explorer.EXE (pid 1228), 8 occurrences
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Drops file in Program Files directory (1 IoC)
  File opened for modification: C:\Program Files (x86)\Msdv\ThumbCacheld5.exe, by systray.exe
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  Processes: DOC Scanned_0897506302020.exe (pid 1464), 3 occurrences; AddInProcess32.exe (pid 532), 3 occurrences; systray.exe (pid 928), 24 occurrences
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1464 (DOC Scanned_0897506302020.exe) wrote to memory of PID 532 (AddInProcess32.exe), 7 occurrences
  PID 1228 (Explorer.EXE) wrote to memory of PID 928 (systray.exe), 4 occurrences
  PID 928 (systray.exe) wrote to memory of PID 1676 (cmd.exe), 4 occurrences
- Suspicious use of SetThreadContext (4 IoCs)
  PID 1464 (DOC Scanned_0897506302020.exe) set thread context of PID 532 (AddInProcess32.exe)
  PID 532 (AddInProcess32.exe) set thread context of PID 1228 (Explorer.EXE), 2 occurrences
  PID 928 (systray.exe) set thread context of PID 1228 (Explorer.EXE)
- Suspicious use of SendNotifyMessage (7 IoCs)
  Process: Explorer.EXE (pid 1228), 7 occurrences
- Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA, by Explorer.EXE
- Modifies Internet Explorer settings
  Key created: \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2, by systray.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege adjusted by PID 1464 (DOC Scanned_0897506302020.exe), PID 532 (AddInProcess32.exe) and PID 928 (systray.exe)
- Loads dropped DLL (1 IoC)
  Process: DOC Scanned_0897506302020.exe (pid 1464)
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, by systray.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XJ5DJX5H52 = "C:\Program Files (x86)\Msdv\ThumbCacheld5.exe", by systray.exe
- Executes dropped EXE (1 IoC)
  Process: AddInProcess32.exe (pid 532)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: AddInProcess32.exe (pid 532), 4 occurrences; systray.exe (pid 928), 2 occurrences
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SendNotifyMessage
   - Checks whether UAC is enabled

   2. C:\Users\Admin\AppData\Local\Temp\DOC Scanned_0897506302020.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DOC Scanned_0897506302020.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Loads dropped DLL

      3. C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of SetThreadContext
         - Suspicious use of AdjustPrivilegeToken
         - Executes dropped EXE
         - Suspicious behavior: MapViewOfSection

   2. C:\Windows\SysWOW64\systray.exe
      Command line: "C:\Windows\SysWOW64\systray.exe"
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Adds Run entry to start application
      - Suspicious behavior: MapViewOfSection

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
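The process tree and signatures above record a chain that is worth detecting by behaviour rather than by hash: the dropper spawns AddInProcess32.exe and sets its thread context, AddInProcess32.exe sets the thread context of Explorer.EXE, Explorer.EXE then spawns C:\Windows\SysWOW64\systray.exe, which sets Explorer's thread context again, writes a Run value pointing at C:\Program Files (x86)\Msdv\ThumbCacheld5.exe, and has cmd.exe delete AddInProcess32.exe. The Python below is an added example, not part of the sandbox report or its tooling: it replays that chain as a constructed, Sysmon-style event list (pids, image paths, registry path and the cmd.exe command line are the reported ones; the record layout and the "create"/"setthreadcontext"/"regset" kinds are assumptions) and runs three hunting checks over it. The checks match on the pattern (self-deletion of a binary that already ran, SetThreadContext against Explorer.EXE, a Run value written by a binary living under C:\Windows) rather than on this sample's names, so they generalise beyond the report.

```python
import json
import ntpath
import re

EXPLORER = r"C:\Windows\Explorer.EXE"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\DOC Scanned_0897506302020.exe"
STAGE2 = r"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
SYSTRAY = r"C:\Windows\SysWOW64\systray.exe"
RUN_VALUE = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XJ5DJX5H52"

# Constructed event stream reproducing the chain in the report. pids, images,
# registry path and the cmd.exe command line are the reported ones; the field
# layout (Sysmon-like create / setthreadcontext / regset records) is assumed.
EVENTS = [
    {"kind": "create", "pid": 1464, "ppid": 1228, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"kind": "create", "pid": 532, "ppid": 1464, "image": STAGE2, "cmdline": f'"{STAGE2}"'},
    {"kind": "setthreadcontext", "pid": 1464, "image": DROPPER, "tpid": 532, "timage": STAGE2},
    {"kind": "setthreadcontext", "pid": 532, "image": STAGE2, "tpid": 1228, "timage": EXPLORER},
    {"kind": "create", "pid": 928, "ppid": 1228, "image": SYSTRAY, "cmdline": f'"{SYSTRAY}"'},
    {"kind": "setthreadcontext", "pid": 928, "image": SYSTRAY, "tpid": 1228, "timage": EXPLORER},
    {"kind": "regset", "pid": 928, "image": SYSTRAY, "key": RUN_VALUE,
     "value": r"C:\Program Files (x86)\Msdv\ThumbCacheld5.exe"},
    {"kind": "create", "pid": 1676, "ppid": 928, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd.exe /c del "{STAGE2}"'},
]


def _base(path):
    """Lower-cased file name of a Windows path (paths compare case-insensitively)."""
    return ntpath.basename(path).lower()


def self_deletes(events):
    """cmd.exe 'del' of a path that already executed as a process: a stage
    cleaning up the binary it dropped (systray.exe -> cmd.exe in the report)."""
    ran = {e["image"].lower(): e["pid"] for e in events if e["kind"] == "create"}
    hits = []
    for e in events:
        if e["kind"] != "create" or _base(e["image"]) != "cmd.exe":
            continue
        m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', e.get("cmdline", ""), re.I)
        if m and m.group(1).lower() in ran:
            hits.append({"deleter_pid": e["ppid"], "deleted": m.group(1),
                         "ran_as_pid": ran[m.group(1).lower()]})
    return hits


def explorer_context_tampering(events):
    """SetThreadContext against Explorer.EXE from any other process. A caller
    that Explorer itself spawned (systray.exe here) means the shell was
    already under attacker control when it launched that child."""
    parent = {e["pid"]: e["ppid"] for e in events if e["kind"] == "create"}
    hits = []
    for e in events:
        if (e["kind"] == "setthreadcontext" and _base(e["timage"]) == "explorer.exe"
                and e["pid"] != e["tpid"]):
            hits.append({"pid": e["pid"], "image": _base(e["image"]),
                         "spawned_by_target": parent.get(e["pid"]) == e["tpid"]})
    return hits


def autoruns_by_system_binaries(events):
    """Run-key values written by a process whose image lives under C:\\Windows.
    Windows components do not install third-party autoruns, so a SysWOW64
    binary doing this is a strong sign its process has been injected."""
    hits = []
    for e in events:
        if e["kind"] != "regset" or "\\currentversion\\run\\" not in e["key"].lower():
            continue
        if e["image"].lower().startswith("c:\\windows\\"):
            hits.append({"writer": _base(e["image"]), "value_name": ntpath.basename(e["key"]),
                         "target": e["value"]})
    return hits


def triage(events):
    """Run all three checks; each list is empty when nothing matched."""
    return {"self_deletes": self_deletes(events),
            "explorer_tampering": explorer_context_tampering(events),
            "system_binary_autoruns": autoruns_by_system_binaries(events)}


if __name__ == "__main__":
    print(json.dumps(triage(EVENTS), indent=2))
```

On real telemetry the SetThreadContext check needs a source that records it (the sandbox's API hooking does; Sysmon does not expose that call directly, so map it to whatever remote-thread or process-access event your sensor emits), and the Run-key check should be paired with the dropped-file path (C:\Program Files (x86)\Msdv\ThumbCacheld5.exe) and the Roaming\24R6R337 directory from the Downloads list when sweeping hosts.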
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files:
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
- C:\Users\Admin\AppData\Roaming\24R6R337\24Rlogim.jpeg
- C:\Users\Admin\AppData\Roaming\24R6R337\24Rlogri.ini
- C:\Users\Admin\AppData\Roaming\24R6R337\24Rlogrv.ini
- \Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Memory dumps:
- memory/532-4-0x0000000000400000-0x000000000042D000-memory.dmp (180KB)
- memory/532-5-0x000000000041E290-mapping.dmp
- memory/928-14-0x00000000753D0000-0x000000007552C000-memory.dmp (1.4MB)
- memory/928-11-0x0000000000B70000-0x0000000000C4D000-memory.dmp (884KB)
- memory/928-12-0x0000000076880000-0x000000007688C000-memory.dmp (48KB)
- memory/928-13-0x0000000076EC0000-0x0000000076FDD000-memory.dmp (1.1MB)
- memory/928-8-0x0000000000C50000-0x0000000000C55000-memory.dmp (20KB)
- memory/928-7-0x0000000000000000-mapping.dmp
- memory/1464-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1676-10-0x0000000000000000-mapping.dmp