Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 13:03
Static task: static1
Behavioral task: behavioral1
Sample: order30JUN2020.exe
Resource: win7
General
- Target: order30JUN2020.exe
- Size: 917KB
- MD5: 4bc018a505cbe56b05f093a268cf5614
- SHA1: 02ee790415992ecc24a38057f8007be2738492b8
- SHA256: 536aabc78e3dd5a4577cdbacacb57fb38984e125393c4f3e6d11ae40e5a1bbf7
- SHA512: d19d24100a1501cb67ab4d7f6efc0a53191a1cba091c369a8622ba1dd74974c2b10bde3dec3ad9caa4947fb25346a8aeda0e3e7a1ec5bf1717cef85f256aa9a4
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
    pid   process
    1612  order30JUN2020.exe
    1612  order30JUN2020.exe
    2072  Windows Update.exe
    2072  Windows Update.exe
    2224  vbc.exe
    2224  vbc.exe
    2512  Windows Update.exe
- Deletes itself (1 IoCs)
  Processes:
    pid   process
    2512  Windows Update.exe
- Adds Run entry to start application (2 TTPs, 1 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"
    process: Windows Update.exe
- Uses the VBS compiler for execution (1 TTPs)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes:
    description                       pid   process             target process
    PID 1612 wrote to memory of 1712  1612  order30JUN2020.exe  order30JUN2020.exe
    PID 1612 wrote to memory of 1712  1612  order30JUN2020.exe  order30JUN2020.exe
    PID 1612 wrote to memory of 1712  1612  order30JUN2020.exe  order30JUN2020.exe
    PID 1712 wrote to memory of 2072  1712  order30JUN2020.exe  Windows Update.exe
    PID 1712 wrote to memory of 2072  1712  order30JUN2020.exe  Windows Update.exe
    PID 1712 wrote to memory of 2072  1712  order30JUN2020.exe  Windows Update.exe
    PID 2072 wrote to memory of 2512  2072  Windows Update.exe  Windows Update.exe
    PID 2072 wrote to memory of 2512  2072  Windows Update.exe  Windows Update.exe
    PID 2072 wrote to memory of 2512  2072  Windows Update.exe  Windows Update.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
    PID 2512 wrote to memory of 2224  2512  Windows Update.exe  vbc.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid   process
    1612  order30JUN2020.exe
    2072  Windows Update.exe
- Executes dropped EXE (2 IoCs)
  Processes:
    pid   process
    2072  Windows Update.exe
    2512  Windows Update.exe
- UPX packed file (3 IoCs)
  Detects executables packed with UPX/modified UPX open source packer.
  Processes:
    resource                                                                     yara_rule
    behavioral2/memory/1712-0-0x0000000000400000-0x000000000051D000-memory.dmp  upx
    behavioral2/memory/1712-2-0x0000000000400000-0x000000000051D000-memory.dmp  upx
    behavioral2/memory/1712-3-0x0000000000400000-0x000000000051D000-memory.dmp  upx
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    5     whatismyipaddress.com
    6     whatismyipaddress.com
    3     whatismyipaddress.com
- Suspicious use of SetThreadContext (4 IoCs)
  Processes:
    description                          pid   process             target process
    PID 1612 set thread context of 1712  1612  order30JUN2020.exe  order30JUN2020.exe
    PID 2072 set thread context of 2512  2072  Windows Update.exe  Windows Update.exe
    PID 2512 set thread context of 3484  2512  Windows Update.exe  vbc.exe
    PID 2512 set thread context of 2224  2512  Windows Update.exe  vbc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2512  Windows Update.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid   process
    2512  Windows Update.exe
Processes (process tree; the leading number is the nesting depth)
- 1: C:\Users\Admin\AppData\Local\Temp\order30JUN2020.exe
     Command line: "C:\Users\Admin\AppData\Local\Temp\order30JUN2020.exe"
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of WriteProcessMemory
     - Suspicious behavior: MapViewOfSection
     - Suspicious use of SetThreadContext
  - 2: C:\Users\Admin\AppData\Local\Temp\order30JUN2020.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\order30JUN2020.exe"
       - Suspicious use of WriteProcessMemory
    - 3: C:\Users\Admin\AppData\Roaming\Windows Update.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         - Suspicious behavior: MapViewOfSection
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
      - 4: C:\Users\Admin\AppData\Roaming\Windows Update.exe
           Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
           - Suspicious behavior: EnumeratesProcesses
           - Deletes itself
           - Adds Run entry to start application
           - Suspicious use of WriteProcessMemory
           - Executes dropped EXE
           - Suspicious use of SetThreadContext
           - Suspicious use of AdjustPrivilegeToken
           - Suspicious use of SetWindowsHookEx
        - 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
             Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        - 5: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
             Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
             - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Files:
- C:\Users\Admin\AppData\Local\Temp\SysInfo.txt
- C:\Users\Admin\AppData\Local\Temp\holderwb.txt
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
- C:\Users\Admin\AppData\Roaming\Windows Update.exe
Memory dumps:
  dump                                                             filesize
  memory/1712-5-0x0000000002462000-0x0000000002463000-memory.dmp   4KB
  memory/1712-0-0x0000000000400000-0x000000000051D000-memory.dmp   1.1MB
  memory/1712-4-0x00000000022B0000-0x0000000002338000-memory.dmp   544KB
  memory/1712-1-0x000000000051B4C0-mapping.dmp                     -
  memory/1712-3-0x0000000000400000-0x000000000051D000-memory.dmp   1.1MB
  memory/1712-2-0x0000000000400000-0x000000000051D000-memory.dmp   1.1MB
  memory/2072-6-0x0000000000000000-mapping.dmp                     -
  memory/2224-20-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
  memory/2224-22-0x0000000000400000-0x0000000000458000-memory.dmp  352KB
  memory/2224-21-0x0000000000442628-mapping.dmp                    -
  memory/2512-15-0x0000000000A92000-0x0000000000A93000-memory.dmp  4KB
  memory/2512-14-0x0000000002320000-0x00000000023A8000-memory.dmp  544KB
  memory/2512-10-0x000000000051B4C0-mapping.dmp                    -
  memory/3484-19-0x0000000000400000-0x000000000041B000-memory.dmp  108KB
  memory/3484-18-0x0000000000411654-mapping.dmp                    -
  memory/3484-17-0x0000000000400000-0x000000000041B000-memory.dmp  108KB