Analysis

max time kernel: 146s
max time network: 141s
platform: windows10_x64
resource: win10
submitted: 07-07-2020 08:41

Static task: static1

Behavioral task: behavioral1
Sample: TRUNG VIET IMPORT & EXPORT - products_list.excel.exe
Resource: win7v200430

Behavioral task: behavioral2
Sample: TRUNG VIET IMPORT & EXPORT - products_list.excel.exe
Resource: win10

General

Target: TRUNG VIET IMPORT & EXPORT - products_list.excel.exe
Size: 849KB
MD5: 08ddeda4b15b6401f717cf37dfad1fda
SHA1: db3eda62b4b84eb8828fe15bf469796cd8864209
SHA256: 5e93b449a80beffbe61f82bfab9042149156227e74efb7e39c95d0044e4a0ab3
SHA512: 16bb8e5935cc8f5d7719d2c724123057f4d4f270b058e098d0e324b2c81fc36ab2235b8c1cb8fb9530cef9ffdd6ac685a4dd2f232a3e2c1e72bf26282eefbbd8
Malware Config

(no entries in this report)

Signatures

Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
description                        pid   process
Token: SeDebugPrivilege            3976  ieinstal.exe
Token: SeDebugPrivilege            3804  NETSTAT.EXE
Token: SeShutdownPrivilege         2964  Explorer.EXE
Token: SeCreatePagefilePrivilege   2964  Explorer.EXE
(the SeShutdownPrivilege / SeCreatePagefilePrivilege pair for Explorer.EXE is recorded four times, 8 of the 10 IoCs)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 1 TTPs
Adds Run entry to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc:         \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\Afxy = "C:\\Users\\Admin\\AppData\\Local\\Afxy\\Afxy.hta"
  process:     TRUNG VIET IMPORT & EXPORT - products_list.excel.exe
The Run value points at an HTML Application (.hta) dropped under the user's AppData\Local; by default Windows opens .hta files with mshta.exe, so this relaunches the payload at each logon.

Modifies Internet Explorer settings 1 IoCs
Processes:
  description: Key created
  ioc:         \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
  process:     NETSTAT.EXE
IntelliForms\Storage2 is where Internet Explorer keeps AutoComplete form and saved-password data, so this access fits the browser-credential-theft signature above rather than a settings change.
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
pid   process                                               target pid  target process  events
3904  TRUNG VIET IMPORT & EXPORT - products_list.excel.exe  3976        ieinstal.exe    5
2964  Explorer.EXE                                          3804        NETSTAT.EXE     3
3804  NETSTAT.EXE                                           3152        cmd.exe         3
3804  NETSTAT.EXE                                           3896        Firefox.exe     3

Suspicious use of SetThreadContext 3 IoCs
Processes:
pid   process                                               target pid  target process
3904  TRUNG VIET IMPORT & EXPORT - products_list.excel.exe  3976        ieinstal.exe
3976  ieinstal.exe                                          2964        Explorer.EXE
3804  NETSTAT.EXE                                           2964        Explorer.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes:
pid   process        events
3976  ieinstal.exe   4
3804  NETSTAT.EXE    48

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid   process        events
3976  ieinstal.exe   3
3804  NETSTAT.EXE    4
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 2964
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\TRUNG VIET IMPORT & EXPORT - products_list.excel.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\TRUNG VIET IMPORT & EXPORT - products_list.excel.exe"
    PID: 3904
    - Adds Run entry to start application
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Program Files (x86)\internet explorer\ieinstal.exe
      command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      PID: 3976
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  C:\Windows\SysWOW64\NETSTAT.EXE
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    PID: 3804
    - Suspicious use of AdjustPrivilegeToken
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      PID: 3152

    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 3896
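The WriteProcessMemory / SetThreadContext rows in the Signatures section and the process tree above are exactly what an analyst turns into a triage script. The following is an added example written for this page, not part of the sandbox report or its tooling: the event tuples are a constructed, simplified rendering of the report's rows (duplicate events collapsed), the sandbox's real export format differs, and the heuristic lists and function names are this example's own assumptions.

```python
"""Added triage example (not the sandbox's own code): reconstruct the
injection chain and flag the persistence and credential-theft IoCs from
behaviour records shaped like the rows in this report.
The tuples below are a constructed, simplified rendering of the report's
rows (duplicate events collapsed); the sandbox's real export format differs."""
from collections import defaultdict

SAMPLE = "TRUNG VIET IMPORT & EXPORT - products_list.excel.exe"

# (pid, process, target pid, target process) from the WriteProcessMemory rows
MEMORY_WRITES = [
    (3904, SAMPLE, 3976, "ieinstal.exe"),
    (2964, "Explorer.EXE", 3804, "NETSTAT.EXE"),
    (3804, "NETSTAT.EXE", 3152, "cmd.exe"),
    (3804, "NETSTAT.EXE", 3896, "Firefox.exe"),
]
# same shape, from the SetThreadContext rows
THREAD_CONTEXT_SETS = [
    (3904, SAMPLE, 3976, "ieinstal.exe"),
    (3976, "ieinstal.exe", 2964, "Explorer.EXE"),
    (3804, "NETSTAT.EXE", 2964, "Explorer.EXE"),
]
# Run value written by the sample and the cmd.exe command line, from the report
RUN_VALUES = {
    r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000"
    r"\Software\Microsoft\Windows\CurrentVersion\Run\Afxy":
        r"C:\Users\Admin\AppData\Local\Afxy\Afxy.hta",
}
COMMAND_LINES = {
    3152: r'cmd.exe /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data'
          r'\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V',
}

# Heuristic lists chosen for this example (assumption, not from the report).
BROWSER_CRED_STORES = ("login data", "logins.json", "key4.db", "signons.sqlite")
SCRIPT_HOST_EXTS = (".hta", ".vbs", ".js", ".jse", ".wsf")


def find_hollowed(writes, ctx_sets):
    """Same source writing into a child *and* resetting its thread context is
    the classic hollowing sequence (drop payload, point the entry thread at it)."""
    wrote = {(src, tgt) for src, _, tgt, _ in writes}
    return sorted({row for row in ctx_sets if (row[0], row[2]) in wrote})


def find_injection_chain(writes, ctx_sets, start_pid):
    """Breadth-first walk over every memory-write / thread-context edge from the
    initial sample; the cycle NETSTAT.EXE -> Explorer.EXE is cut by `seen`."""
    edges, names = defaultdict(list), {}
    for src, src_name, tgt, tgt_name in writes + ctx_sets:
        edges[src].append(tgt)
        names[src], names[tgt] = src_name, tgt_name
    chain, seen, queue = [], set(), [start_pid]
    while queue:
        pid = queue.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        chain.append((pid, names.get(pid, "?")))
        queue.extend(edges[pid])
    return chain


def find_explorer_injection(ctx_sets):
    """Any non-Explorer process redirecting a thread inside Explorer.EXE."""
    return sorted((src, src_name) for src, src_name, _, tgt_name in ctx_sets
                  if tgt_name.lower() == "explorer.exe"
                  and src_name.lower() != "explorer.exe")


def find_script_persistence(run_values):
    """Run values that launch a script-host payload from the user profile."""
    return [(key, val) for key, val in run_values.items()
            if val.lower().endswith(SCRIPT_HOST_EXTS) and "\\appdata\\" in val.lower()]


def find_credential_copies(command_lines):
    """Shell copies of browser credential databases to a staging path."""
    return [(pid, cmd) for pid, cmd in command_lines.items()
            if " copy " in cmd.lower()
            and any(store in cmd.lower() for store in BROWSER_CRED_STORES)]


def triage():
    """All findings for this report's events, keyed by finding type."""
    return {
        "hollowed": find_hollowed(MEMORY_WRITES, THREAD_CONTEXT_SETS),
        "chain": find_injection_chain(MEMORY_WRITES, THREAD_CONTEXT_SETS, 3904),
        "explorer_injection": find_explorer_injection(THREAD_CONTEXT_SETS),
        "persistence": find_script_persistence(RUN_VALUES),
        "credential_theft": find_credential_copies(COMMAND_LINES),
    }


if __name__ == "__main__":
    for kind, rows in triage().items():
        print(f"{kind}:")
        for row in rows:
            print("   ", row)
```

Two things the output makes visible that the flat tables do not. The write-plus-SetThreadContext hollowing check fires only on the first hop (sample into ieinstal.exe): the report records Explorer.EXE writing into NETSTAT.EXE and NETSTAT.EXE calling MapViewOfSection, but no SetThreadContext from Explorer.EXE, so a detector keyed on that single pattern would miss the second stage, which is why the chain walk follows both edge types. And the chain ends at cmd.exe and Firefox.exe, the processes that actually touch the Chrome Login Data copy and the Firefox profile, so those PIDs are the ones to pull file and network activity for next.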