e86fd29446566f02088cc93deb2449d5aa7febf4ced0a41d36095520737f0338

General

Target

DOC Scanned_0897506302020.exe
Size

608KB
MD5

ad535bbe748d1f76fe956281e186b195
SHA1

c1b622f311ffa1194194a66e3d922e58b6e9402d
SHA256

e86fd29446566f02088cc93deb2449d5aa7febf4ced0a41d36095520737f0338
SHA512

904d9712f5c683960b20b3dd79176db70ccb1c843e93ee05ebe38894f9ed4a18d44249de679d51f693fd83fa19e10e19495416bc236337dc536c4dcd28743406

Score

8^/10

spyware evasion trojan persistence

Malware Config

Signatures

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in Program Files directory 1 IoCs

Processes:

systray.exe

description ioc process

File opened for modification C:\Program Files (x86)\Msdv\ThumbCacheld5.exe systray.exe

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Msdv\ThumbCacheld5.exe	systray.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

DOC Scanned_0897506302020.exeAddInProcess32.exesystray.exe

pid	process
1464	DOC Scanned_0897506302020.exe
1464	DOC Scanned_0897506302020.exe
1464	DOC Scanned_0897506302020.exe
532	AddInProcess32.exe
532	AddInProcess32.exe
532	AddInProcess32.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe
928	systray.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

DOC Scanned_0897506302020.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 1464 wrote to memory of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 1464 wrote to memory of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 1464 wrote to memory of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 1464 wrote to memory of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 1464 wrote to memory of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 1464 wrote to memory of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 1464 wrote to memory of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	systray.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	systray.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	systray.exe
PID 1228 wrote to memory of 928	1228	Explorer.EXE	systray.exe
PID 928 wrote to memory of 1676	928	systray.exe	cmd.exe
PID 928 wrote to memory of 1676	928	systray.exe	cmd.exe
PID 928 wrote to memory of 1676	928	systray.exe	cmd.exe
PID 928 wrote to memory of 1676	928	systray.exe	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

DOC Scanned_0897506302020.exeAddInProcess32.exesystray.exe

description	pid	process	target process
PID 1464 set thread context of 532	1464	DOC Scanned_0897506302020.exe	AddInProcess32.exe
PID 532 set thread context of 1228	532	AddInProcess32.exe	Explorer.EXE
PID 532 set thread context of 1228	532	AddInProcess32.exe	Explorer.EXE
PID 928 set thread context of 1228	928	systray.exe	Explorer.EXE

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

Explorer.EXE

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DOC Scanned_0897506302020.exeAddInProcess32.exesystray.exe

description	pid	process
Token: SeDebugPrivilege	1464	DOC Scanned_0897506302020.exe
Token: SeDebugPrivilege	532	AddInProcess32.exe
Token: SeDebugPrivilege	928	systray.exe

Loads dropped DLL 1 IoCs

Processes:

DOC Scanned_0897506302020.exe

pid process

1464 DOC Scanned_0897506302020.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

systray.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	systray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XJ5DJX5H52 = "C:\\Program Files (x86)\\Msdv\\ThumbCacheld5.exe"	systray.exe

Executes dropped EXE 1 IoCs

Processes:

AddInProcess32.exe

pid process

532 AddInProcess32.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

AddInProcess32.exesystray.exe

pid process

532 AddInProcess32.exe
532 AddInProcess32.exe
532 AddInProcess32.exe
532 AddInProcess32.exe
928 systray.exe
928 systray.exe

pid	process
532	AddInProcess32.exe

pid	process
532	AddInProcess32.exe
532	AddInProcess32.exe
532	AddInProcess32.exe
532	AddInProcess32.exe
928	systray.exe
928	systray.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
PID:1228

C:\Users\Admin\AppData\Local\Temp\DOC Scanned_0897506302020.exe
"C:\Users\Admin\AppData\Local\Temp\DOC Scanned_0897506302020.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Loads dropped DLL
PID:1464

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Executes dropped EXE
- Suspicious behavior: MapViewOfSection
PID:532

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Adds Run entry to start application
- Suspicious behavior: MapViewOfSection
PID:928

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:1676

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Download Submit
C:\Users\Admin\AppData\Roaming\24R6R337\24Rlogim.jpeg

Download Submit
C:\Users\Admin\AppData\Roaming\24R6R337\24Rlogri.ini

Download Submit
C:\Users\Admin\AppData\Roaming\24R6R337\24Rlogrv.ini

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe

Download Submit
memory/532-4-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/532-5-0x000000000041E290-mapping.dmp

Download
memory/928-14-0x00000000753D0000-0x000000007552C000-memory.dmp

Filesize
1.4MB

Download
memory/928-11-0x0000000000B70000-0x0000000000C4D000-memory.dmp

Filesize
884KB

Download
memory/928-12-0x0000000076880000-0x000000007688C000-memory.dmp

Filesize
48KB

Download
memory/928-13-0x0000000076EC0000-0x0000000076FDD000-memory.dmp

Filesize
1.1MB

Download
memory/928-8-0x0000000000C50000-0x0000000000C55000-memory.dmp

Filesize
20KB

Download
memory/928-7-0x0000000000000000-mapping.dmp

Download
memory/1464-1-0x0000000000000000-0x0000000000000000-disk.dmp

Download
memory/1676-10-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads