Overview

overview

10

Static

static

รูปà...¸š.exe

windows7_x64

7

รูปà...¸š.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    30-06-2020 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    รูปภาพที่ต้องลบ.exe

  • Size

    24.4MB

  • MD5

    60e8c8216af0a6c159364a3cfebc1f1b

  • SHA1

    ffd81aa28975dfd4f8e09aa55863c569f6c37037

  • SHA256

    12d14cc1f1d29e131b94659bd8830ce0afe855973f36648929f6bdc7dab4b87f

  • SHA512

    8852553899c83a5d922ca78048b8a37f0a014501796044f1c826b68599365cde0f9046351bffe1f09d07707b2f5049c12dd0dc5a949da076160d7ef44562f403

Score
10/10

Malware Config

Signatures

  • Program crash 1 IoCs
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Loads dropped DLL 37 IoCs
  • Checks whether UAC is enabled 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies control panel 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 113 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Enumerates system info in registry 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe
    "C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe
      "C:\Users\Admin\AppData\Local\Temp\รูปภาพที่ต้องลบ.exe"
      2⤵
      • Loads dropped DLL
      PID:1576
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Checks whether UAC is enabled
    • Drops file in Windows directory
    • Modifies control panel
    • Suspicious use of AdjustPrivilegeToken
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2044
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2044 -s 3448
      2⤵
      • Program crash
      • Suspicious use of NtCreateProcessExOtherParentProcess
      • Suspicious use of AdjustPrivilegeToken
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Enumerates system info in registry
      PID:4040
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_Salsa20.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_aes.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_cbc.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_cfb.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ctr.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ecb.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ocb.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ofb.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_BLAKE2s.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_MD5.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_SHA1.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_SHA256.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_ghash_portable.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Protocol\_scrypt.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Util\_cpuid_c.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Util\_strxor.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\VCRUNTIME140.dll
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_bz2.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_cffi_backend.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_ctypes.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_hashlib.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_lzma.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_queue.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_socket.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\_ssl.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\base_library.zip
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\certifi\cacert.pem
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\cryptography\hazmat\bindings\_constant_time.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\cryptography\hazmat\bindings\_openssl.cp38-win32.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\libcrypto-1_1.dll
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\libffi-7.dll
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\libssl-1_1.dll
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\pyexpat.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\python38.dll
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\pythoncom38.dll
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\pywintypes38.dll
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\select.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\unicodedata.pyd
    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI9922\win32api.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_Salsa20.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_aes.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_cbc.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_cfb.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ctr.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ecb.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ocb.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Cipher\_raw_ofb.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_BLAKE2s.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_MD5.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_SHA1.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_SHA256.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Hash\_ghash_portable.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Protocol\_scrypt.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Util\_cpuid_c.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\Crypto\Util\_strxor.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\VCRUNTIME140.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_bz2.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_cffi_backend.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_ctypes.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_hashlib.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_lzma.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_queue.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_socket.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\_ssl.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\cryptography\hazmat\bindings\_constant_time.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\cryptography\hazmat\bindings\_openssl.cp38-win32.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\libcrypto-1_1.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\libffi-7.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\libssl-1_1.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\pyexpat.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\python38.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\pythoncom38.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\pywintypes38.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\select.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\unicodedata.pyd
    Download Submit
  • \Users\Admin\AppData\Local\Temp\_MEI9922\win32api.pyd
    Download Submit
  • memory/1576-0-0x0000000000000000-mapping.dmp
    Download
  • memory/4040-77-0x000001EF4E780000-0x000001EF4E781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-78-0x000001EF4E780000-0x000001EF4E781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-80-0x000001EF4F6A0000-0x000001EF4F6A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-83-0x000001EF4F6A0000-0x000001EF4F6A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-84-0x000001EF4F820000-0x000001EF4F821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-85-0x000001EF4F5E0000-0x000001EF4F5E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4040-89-0x000001EF4F590000-0x000001EF4F591000-memory.dmp
    Filesize

    4KB

    Download