Analysis
- max time kernel: 129s
- max time network: 23s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: AWB-746262783-3.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: AWB-746262783-3.exe
- Resource: win10
General
- Target: AWB-746262783-3.exe
- Size: 317KB
- MD5: b12a47d8c210538c98d0bae4c80e3673
- SHA1: 7db0e6af04c83227a3553fd422a4c55833f6743c
- SHA256: a64a6a0ae6521ef4dc140dcb3ea44f18c7cebe6ee6fee03c7b3ce1d125065aad
- SHA512: 0dcbbc05a8a5a8290446862bfebd4f8e86ca777e377bebd8758973ed250f752d4dbb9a415881f38e487a52fd8f6300f73bf6e50d45c8b6bb342d1e07a02cfd36
Malware Config
Signatures
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes (pid, process): 1100 rundll32.exe; 1100 rundll32.exe; 1100 rundll32.exe; 1100 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process): Token: SeDebugPrivilege, 1512, MSBuild.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid, process): 1512 MSBuild.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.
-
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
-
- Suspicious use of WriteProcessMemory (80 IoCs)
  Processes (description, pid, process, target process):
- Loads dropped DLL (1 IoC)
  Processes (pid, process): 1100 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process): 1100 rundll32.exe; 1100 rundll32.exe; 1100 rundll32.exe; 1100 rundll32.exe; 1512 MSBuild.exe; 1512 MSBuild.exe
Processes (process tree; depth shown by indentation)
1. C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe Fireside,Pretor
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Fireside.DLL
- C:\Users\Admin\AppData\Local\Temp\Mantel
- \Users\Admin\AppData\Local\Temp\Fireside.dll
- memory/1100-0-0x0000000000000000-mapping.dmp
- memory/1512-4-0x0000000000000000-mapping.dmp
- memory/1512-5-0x0000000000400000-0x000000000044A000-memory.dmp (filesize: 296KB)
- memory/1512-6-0x0000000000400000-0x000000000044A000-memory.dmp (filesize: 296KB)
- memory/1512-7-0x0000000000000000-mapping.dmp