Analysis
max time kernel: 80s
max time network: 73s
platform: windows10_x64
resource: win10
submitted: 30-06-2020 14:20
Static task: static1
Behavioral task: behavioral1 (Sample: AWB-746262783-3.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: AWB-746262783-3.exe, Resource: win10)
General
Target: AWB-746262783-3.exe
Size: 317KB
MD5: b12a47d8c210538c98d0bae4c80e3673
SHA1: 7db0e6af04c83227a3553fd422a4c55833f6743c
SHA256: a64a6a0ae6521ef4dc140dcb3ea44f18c7cebe6ee6fee03c7b3ce1d125065aad
SHA512: 0dcbbc05a8a5a8290446862bfebd4f8e86ca777e377bebd8758973ed250f752d4dbb9a415881f38e487a52fd8f6300f73bf6e50d45c8b6bb342d1e07a02cfd36
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Suspicious use of WriteProcessMemory (85 IoCs)
  Processes:
  PID 3104 (AWB-746262783-3.exe) wrote to memory of PID 3724 (rundll32.exe): 3 events
  PID 3724 (rundll32.exe) wrote to memory of PID 3948 (MSBuild.exe): all remaining events
- Loads dropped DLL (1 IoC)
  Processes: PID 3724 rundll32.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: PID 3724 rundll32.exe; PID 3948 MSBuild.exe (2 events)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: PID 3724 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 3948 MSBuild.exe, Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 3948 MSBuild.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe (PID 3104)
   Command line: "C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 3724, child of 3104)
      Command line: C:\Windows\system32\rundll32.exe Fireside,Pretor
      (The command line names system32 but the image runs from SysWOW64: the parent is a 32-bit process, so WOW64 file system redirection rewrites the path. "Fireside" is a bare DLL name with no path, which the loader resolves through the DLL search order; in this run it found the dropped Fireside.dll in the same Temp directory. "Pretor" is the export that rundll32 calls.)
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      3. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 3948, child of 3724)
         Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
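The chain above (dropper writes a DLL to Temp, rundll32.exe loads it by bare name and calls an export, the DLL spawns the signed 32-bit MSBuild.exe with no project file and writes into it repeatedly, after which MSBuild acquires SeDebugPrivilege and reads browser and mail-client data) is detectable from process-creation, image-load and cross-process-write telemetry alone. The following is an added example of that detection logic, not code from the sandbox or from any vendor. The PIDs, image paths and command lines are copied from this report; the event tuple shapes, the rule names, the list of suspicious MSBuild parents, the write-count threshold and the 40-write stand-in for the report's 85 are assumptions made for the example.

```python
"""Detection logic for the process chain in this report, run over constructed
event records. Added example, not code from the sandbox or any vendor. PIDs,
paths and command lines come from the report; the event shapes, rule names,
parent list and write-count threshold are assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed events modelled on the Processes, "Loads dropped DLL" and
# "Suspicious use of WriteProcessMemory" sections. In production these map onto
# Sysmon event IDs 1 (process create), 7 (image load) and 10 (process access).
SAMPLE_EVENTS = [
    ("proc_create", 3104, 0, r"C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\AWB-746262783-3.exe"'),
    ("proc_create", 3724, 3104, r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\system32\rundll32.exe Fireside,Pretor"),
    ("image_load", 3724, r"C:\Users\Admin\AppData\Local\Temp\Fireside.dll"),
    ("proc_create", 3948, 3724, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'),
]
# Three writes dropper->rundll32, then a sustained run rundll32->MSBuild (the
# report lists 85 writes in total; 40 is a constructed stand-in).
SAMPLE_EVENTS += [("write_memory", 3104, 3724)] * 3 + [("write_memory", 3724, 3948)] * 40

# A few cross-process writes accompany every CreateProcess (the parent writes the
# child's process parameter block), so a handful is noise; tens of writes mean
# the parent is populating the child's address space. Threshold is an assumption.
INJECTION_WRITE_THRESHOLD = 10
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")
# Parents that have no business launching a build tool (assumption).
SUSPICIOUS_MSBUILD_PARENTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                              "wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    loaded: list = field(default_factory=list)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def split_cmdline(cmdline: str):
    """Split a Windows command line into (program, rest), honouring a quoted program path."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end], s[end + 1:].strip()
    parts = s.split(None, 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")

def rundll32_target(cmdline: str):
    """Parse 'rundll32.exe <dll>,<export> [args]' into (dll, export); None otherwise."""
    program, rest = split_cmdline(cmdline)
    if basename(program) != "rundll32.exe" or not rest:
        return None
    dll, _, export = rest.split()[0].partition(",")
    return dll.strip('"'), export

def build_tree(events):
    procs, writes = {}, defaultdict(int)
    for ev in events:
        if ev[0] == "proc_create":
            _, pid, ppid, image, cmdline = ev
            procs[pid] = Proc(pid, ppid, image, cmdline)
        elif ev[0] == "image_load":
            procs.setdefault(ev[1], Proc(ev[1], 0, "", "")).loaded.append(ev[2])
        elif ev[0] == "write_memory":
            writes[(ev[1], ev[2])] += 1
    return procs, writes

def analyze(events):
    """Return (rule, pid, detail) findings for the behaviours the report flags."""
    procs, writes = build_tree(events)
    findings = []
    for p in procs.values():
        name, parent = basename(p.image), procs.get(p.ppid)
        # Rule 1: rundll32 handed a DLL name that the loader resolved to a
        # user-writable directory (the "Loads dropped DLL" signature).
        target = rundll32_target(p.cmdline) if name == "rundll32.exe" else None
        if target:
            dll, export = target
            stem = basename(dll)
            for path in p.loaded:
                if basename(path) in (stem, stem + ".dll") and any(d in path.lower() for d in USER_WRITABLE):
                    findings.append(("rundll32_dropped_dll", p.pid, f"{dll},{export} resolved to {path}"))
        # Rule 2: MSBuild started with no project file by an unexpected parent.
        if name == "msbuild.exe" and parent is not None:
            _, args = split_cmdline(p.cmdline)
            if basename(parent.image) in SUSPICIOUS_MSBUILD_PARENTS and not args:
                findings.append(("msbuild_lolbin_host", p.pid,
                                 f"spawned by {basename(parent.image)} pid {parent.pid} with no project file"))
    # Rule 3: sustained writes from a parent into a child it created (hollowing / injection).
    for (src, dst), n in writes.items():
        writer, child = procs.get(src), procs.get(dst)
        if writer and child and child.ppid == src and n >= INJECTION_WRITE_THRESHOLD:
            findings.append(("child_memory_writes", dst,
                             f"{basename(writer.image)} pid {src} wrote to {basename(child.image)} {n} times"))
    return findings

if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Run on the constructed events this yields three findings: the rundll32 DLL resolved to Temp, MSBuild launched by rundll32 with no project argument, and the run of writes from rundll32 into its MSBuild child. The three writes from the dropper into rundll32 deliberately do not fire: a parent writes the process parameter block into every child it creates, so a small write count on its own is ordinary CreateProcess behaviour, and the threshold is what separates that from a parent filling a hollowed child with its own payload.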
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Fireside.DLL
- C:\Users\Admin\AppData\Local\Temp\Mantel
- \Users\Admin\AppData\Local\Temp\Fireside.dll
- memory/3724-0-0x0000000000000000-mapping.dmp
- memory/3948-4-0x0000000000000000-mapping.dmp
- memory/3948-5-0x0000000000000000-mapping.dmp