Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 05:32
Static task: static1
Behavioral task: behavioral1
- Sample: a48efe002e755fc23f7275abd4ce400b.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: a48efe002e755fc23f7275abd4ce400b.exe
- Resource: win10v200430
General
- Target: a48efe002e755fc23f7275abd4ce400b.exe
- Size: 303KB
- MD5: a48efe002e755fc23f7275abd4ce400b
- SHA1: 7cb214b2dc8b861e6ee26ac120e494d43035813b
- SHA256: bf9fd5adc66ebd40de81eda76543a9b798ad480aab0d0316e7d13a6d51525816
- SHA512: 7b8bea89127a5584792e90de20fa8b72867065a3394c4f8065a312e9b273611a3d362c420ea1ea3210d523131e740bcdf7de7a847afba60d6dc98f58e70e178a
Malware Config
Signatures
System policy modification (1 TTPs, 1 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | rundll32.exe

Modifies Internet Explorer settings (heading inferred from the process tree below)
Processes:
description | ioc | process
Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | rundll32.exe

Checks whether UAC is enabled (heading inferred from the process tree below)
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 680 | cmd.exe
Token: SeDebugPrivilege | 1064 | rundll32.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 680 set thread context of 1312 | 680 | cmd.exe | Explorer.EXE
PID 1064 set thread context of 1312 | 1064 | rundll32.exe | Explorer.EXE
Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
pid | process
1312 | Explorer.EXE
1312 | Explorer.EXE
1312 | Explorer.EXE
1312 | Explorer.EXE
Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YNUTDNC0H = "C:\\Program Files (x86)\\Ldpalg\\servicespbc.exe" | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | rundll32.exe
Suspicious use of WriteProcessMemory (63 IoCs)
Processes:
description | pid | process | target process
PID 1448 wrote to memory of 272 | 1448 | a48efe002e755fc23f7275abd4ce400b.exe | rundll32.exe
PID 1448 wrote to memory of 272 | 1448 | a48efe002e755fc23f7275abd4ce400b.exe | rundll32.exe
PID 1448 wrote to memory of 272 | 1448 | a48efe002e755fc23f7275abd4ce400b.exe | rundll32.exe
PID 1448 wrote to memory of 272 | 1448 | a48efe002e755fc23f7275abd4ce400b.exe | rundll32.exe
PID 1448 wrote to memory of 272 | 1448 | a48efe002e755fc23f7275abd4ce400b.exe | rundll32.exe
PID 1448 wrote to memory of 272 | 1448 | a48efe002e755fc23f7275abd4ce400b.exe | rundll32.exe
PID 1448 wrote to memory of 272 | 1448 | a48efe002e755fc23f7275abd4ce400b.exe | rundll32.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 272 wrote to memory of 680 | 272 | rundll32.exe | cmd.exe
PID 1312 wrote to memory of 1064 | 1312 | Explorer.EXE | rundll32.exe
PID 1312 wrote to memory of 1064 | 1312 | Explorer.EXE | rundll32.exe
PID 1312 wrote to memory of 1064 | 1312 | Explorer.EXE | rundll32.exe
PID 1312 wrote to memory of 1064 | 1312 | Explorer.EXE | rundll32.exe
PID 1312 wrote to memory of 1064 | 1312 | Explorer.EXE | rundll32.exe
PID 1312 wrote to memory of 1064 | 1312 | Explorer.EXE | rundll32.exe
PID 1312 wrote to memory of 1064 | 1312 | Explorer.EXE | rundll32.exe
PID 1064 wrote to memory of 1120 | 1064 | rundll32.exe | cmd.exe
PID 1064 wrote to memory of 1120 | 1064 | rundll32.exe | cmd.exe
PID 1064 wrote to memory of 1120 | 1064 | rundll32.exe | cmd.exe
PID 1064 wrote to memory of 1120 | 1064 | rundll32.exe | cmd.exe
PID 1064 wrote to memory of 1572 | 1064 | rundll32.exe | Firefox.exe
PID 1064 wrote to memory of 1572 | 1064 | rundll32.exe | Firefox.exe
PID 1064 wrote to memory of 1572 | 1064 | rundll32.exe | Firefox.exe
PID 1064 wrote to memory of 1572 | 1064 | rundll32.exe | Firefox.exe
PID 1064 wrote to memory of 1572 | 1064 | rundll32.exe | Firefox.exe
Suspicious behavior: EnumeratesProcesses (25 IoCs)
Processes:
pid | process
272 | rundll32.exe
680 | cmd.exe
680 | cmd.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
pid | process
272 | rundll32.exe
680 | cmd.exe
680 | cmd.exe
680 | cmd.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
1064 | rundll32.exe
Drops file in Program Files directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Ldpalg\servicespbc.exe | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Loads dropped DLL (1 IoCs)
Processes:
pid | process
272 | rundll32.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
pid | process
1312 | Explorer.EXE
1312 | Explorer.EXE
1312 | Explorer.EXE
1312 | Explorer.EXE
1312 | Explorer.EXE
Processes (process tree; the number is the nesting depth)
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Checks whether UAC is enabled
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   - Suspicious use of FindShellTrayWindow
   2. C:\Users\Admin\AppData\Local\Temp\a48efe002e755fc23f7275abd4ce400b.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\a48efe002e755fc23f7275abd4ce400b.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\system32\rundll32.exe Fireside,Pretor
         - Suspicious use of WriteProcessMemory
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Loads dropped DLL
         4. C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\SysWOW64\rundll32.exe"
      - System policy modification
      - Modifies Internet Explorer settings
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Adds Run entry to policy start application
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Drops file in Program Files directory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Windows\SysWOW64\cmd.exe"
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Fireside.DLL
- C:\Users\Admin\AppData\Local\Temp\Mantel
- C:\Users\Admin\AppData\Roaming\3L2M-SQC\3L2logim.jpeg
- C:\Users\Admin\AppData\Roaming\3L2M-SQC\3L2logrf.ini
- C:\Users\Admin\AppData\Roaming\3L2M-SQC\3L2logri.ini
- C:\Users\Admin\AppData\Roaming\3L2M-SQC\3L2logrv.ini
- \Users\Admin\AppData\Local\Temp\Fireside.dll
- memory/272-0-0x0000000000000000-mapping.dmp
- memory/680-4-0x0000000000000000-mapping.dmp
- memory/1064-8-0x0000000001E40000-0x0000000001F0F000-memory.dmp (filesize: 828KB)
- memory/1064-10-0x00000000763D0000-0x00000000764ED000-memory.dmp (filesize: 1.1MB)
- memory/1064-11-0x00000000038A0000-0x00000000039BC000-memory.dmp (filesize: 1.1MB)
- memory/1064-9-0x00000000752D0000-0x00000000752DC000-memory.dmp (filesize: 48KB)
- memory/1064-6-0x00000000002C0000-0x00000000002CE000-memory.dmp (filesize: 56KB)
- memory/1064-5-0x0000000000000000-mapping.dmp
- memory/1120-7-0x0000000000000000-mapping.dmp
- memory/1572-12-0x0000000000000000-mapping.dmp
- memory/1572-13-0x000000013FAF0000-0x000000013FB83000-memory.dmp (filesize: 588KB)