Analysis
max time kernel: 147s
max time network: 137s
platform: windows10_x64
resource: win10
submitted: 07-07-2020 08:49

Static task: static1
Behavioral task: behavioral1 (Sample: 7vQQ4HU4QUhXLUo.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: 7vQQ4HU4QUhXLUo.exe, Resource: win10)
The platform and resource fields above identify this page as the behavioral2 (Windows 10 x64) run.
General
Target: 7vQQ4HU4QUhXLUo.exe
Size: 431KB
MD5: 8854b20dd7f9769458e78ae6ebbe156d
SHA1: ab2b32ba44e6774af61bf165ac4b8259de8eeb90
SHA256: 001af3efb9fa637cf4b597d86ec925a4283efb482417861aacabb46a848ec84d
SHA512: 6b7760101d721185457820a0832d914be0519e6c09710c2c7b71cc98a69ddc252d541cf0c2bced509719681f7398914461027461e9b65c06cf58164e5fd89efc
Malware Config
Signatures
Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes:
  msiexec.exe  Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  msiexec.exe  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\P62PAHT = "C:\\Program Files (x86)\\J9rfxon4h\\ad40dfkedo8ft.exe"
Values under Policies\Explorer\Run are started by Explorer at logon like the ordinary Run key but are inspected far less often; the value name P62PAHT and the directory J9rfxon4h both look randomly generated.

Modifies Internet Explorer settings
Processes:
  msiexec.exe  Key created  \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2
IntelliForms\Storage2 is where Internet Explorer keeps autocomplete-saved web credentials, so opening it fits the browser-credential harvesting below rather than a settings change (RegCreateKey opens the key whether or not it already exists).
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. In this run msiexec.exe copies Chrome's Login Data database to Temp\DB1 (see the process tree below); the live file is kept locked by a running browser, so stealers work on a copy.

Drops file in Program Files directory (1 IoCs)
Processes:
  msiexec.exe  File opened for modification  C:\Program Files (x86)\J9rfxon4h\ad40dfkedo8ft.exe
This is the file the Policies\Explorer\Run value above points at. Both that HKLM write and this write under Program Files (x86) need administrative rights, so the sample ran elevated in the sandbox; on a standard-user account this persistence path would fail as written.
System policy modification (1 TTPs, 1 IoCs)
Processes:
  msiexec.exe  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
This is the parent of the Run key above, created as part of the same persistence step.
Suspicious behavior: EnumeratesProcesses (46 IoCs)
Processes:
  3772  7vQQ4HU4QUhXLUo.exe  (4 events)
  3612  msiexec.exe          (42 events)
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  Token: SeDebugPrivilege           3772  7vQQ4HU4QUhXLUo.exe
  Token: SeDebugPrivilege           3612  msiexec.exe
  Token: SeShutdownPrivilege        2988  Explorer.EXE  (4 events)
  Token: SeCreatePagefilePrivilege  2988  Explorer.EXE  (4 events)
SeDebugPrivilege on the two injecting processes is the meaningful entry here; the shutdown and pagefile privileges on Explorer.EXE are routine shell activity.
Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  3772  7vQQ4HU4QUhXLUo.exe  (3 events)
  3612  msiexec.exe          (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  2988  Explorer.EXE  (2 events)
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the dropper registers the task Updates\BJtzFOHlPaUN from an XML definition it first wrote to Temp\tmp69D1.tmp (command line in the process tree below); the task's trigger and action are in that XML, which is among the dropped files.
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  source PID  source image          target PID  target image          events
  2460        7vQQ4HU4QUhXLUo.exe   3820        schtasks.exe          3
  2460        7vQQ4HU4QUhXLUo.exe   3772        7vQQ4HU4QUhXLUo.exe   6
  2988        Explorer.EXE          3612        msiexec.exe           3
  3612        msiexec.exe           3456        cmd.exe               3
  3612        msiexec.exe           1228        cmd.exe               3
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  source PID  source image          target PID  target image
  2460        7vQQ4HU4QUhXLUo.exe   3772        7vQQ4HU4QUhXLUo.exe
  3772        7vQQ4HU4QUhXLUo.exe   2988        Explorer.EXE
  3612        msiexec.exe           2988        Explorer.EXE
Read together with the WriteProcessMemory table: the first dropper instance (2460) writes into and then sets the thread context of a second copy of itself (3772), the classic hollowing pattern; 3772 redirects a thread in Explorer.EXE; Explorer then spawns and writes into msiexec.exe (3612), which in turn sets a thread context in Explorer. The code performing the stealer actions in msiexec.exe is therefore injected payload, not Windows Installer.

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  2988  Explorer.EXE  (2 events)
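The WriteProcessMemory and SetThreadContext tables above are easier to read as a graph. The Python below is an added example by the editor, not part of the sandbox report: it transcribes those two tables as constructed input and applies two editor's heuristics (a source that both wrote into and set the thread context of a target is a hollowing candidate; a SetThreadContext with no logged write is a thread hijack whose write path the table did not capture, with the MapViewOfSection hits on 3772 and 3612 the likely one), then walks the chain from the first dropper instance.

```python
"""Reconstruct the injection chain from a sandbox report's API tables.

Added example by the editor, not part of the sandbox report. EVENTS is
transcribed from the report's "Suspicious use of WriteProcessMemory" and
"Suspicious use of SetThreadContext" tables; the labels and the chain-walking
rule are the editor's heuristics, not the sandbox's own signatures.
"""
from collections import defaultdict

# Constructed input: (api, source_pid, source_image, target_pid, target_image, repeats)
EVENTS = [
    ("WriteProcessMemory", 2460, "7vQQ4HU4QUhXLUo.exe", 3820, "schtasks.exe", 3),
    ("WriteProcessMemory", 2460, "7vQQ4HU4QUhXLUo.exe", 3772, "7vQQ4HU4QUhXLUo.exe", 6),
    ("WriteProcessMemory", 2988, "Explorer.EXE", 3612, "msiexec.exe", 3),
    ("WriteProcessMemory", 3612, "msiexec.exe", 3456, "cmd.exe", 3),
    ("WriteProcessMemory", 3612, "msiexec.exe", 1228, "cmd.exe", 3),
    ("SetThreadContext", 2460, "7vQQ4HU4QUhXLUo.exe", 3772, "7vQQ4HU4QUhXLUo.exe", 1),
    ("SetThreadContext", 3772, "7vQQ4HU4QUhXLUo.exe", 2988, "Explorer.EXE", 1),
    ("SetThreadContext", 3612, "msiexec.exe", 2988, "Explorer.EXE", 1),
]

HOLLOWING = "hollowing candidate: write + SetThreadContext on the same target"
HIJACK = "thread-context hijack: SetThreadContext without a logged write"
WRITE_ONLY = "write only: weak, consistent with ordinary process creation"


def classify(events):
    """Label each (source_pid, target_pid) pair by the APIs the source used on it.

    Returns (labels, images): labels maps the pair to one of the three strings
    above, images maps every pid seen to its image name.
    """
    apis = defaultdict(set)
    images = {}
    for api, spid, simg, tpid, timg, _repeats in events:
        apis[(spid, tpid)].add(api)
        images[spid] = simg
        images[tpid] = timg
    labels = {}
    for pair, seen in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            labels[pair] = HOLLOWING
        elif "SetThreadContext" in seen:
            labels[pair] = HIJACK
        else:
            labels[pair] = WRITE_ONLY
    return labels, images


def injection_chain(events, start_pid):
    """Walk from start_pid along edges that carry control, not just bytes.

    An edge is followed when the source set the target's thread context, or
    when the write-only target later became an injector itself (the report's
    Explorer.EXE -> msiexec.exe edge is write-only, but msiexec.exe goes on to
    set a thread context in Explorer). Returns [(pid, image), ...].
    """
    labels, images = classify(events)
    injectors = {s for (s, _t), lab in labels.items() if lab != WRITE_ONLY}
    chain, seen = [start_pid], {start_pid}
    while True:
        candidates = [
            t for (s, t), lab in labels.items()
            if s == chain[-1] and t not in seen and (lab != WRITE_ONLY or t in injectors)
        ]
        if not candidates:
            break
        chain.append(candidates[0])
        seen.add(candidates[0])
    return [(pid, images[pid]) for pid in chain]


if __name__ == "__main__":
    labels, images = classify(EVENTS)
    for (s, t), lab in labels.items():
        print(f"{s} {images[s]} -> {t} {images[t]}: {lab}")
    print(" -> ".join(f"{p} {img}" for p, img in injection_chain(EVENTS, 2460)))
```

For this report the walk yields 2460 -> 3772 -> 2988 -> 3612, i.e. dropper, hollowed dropper, Explorer.EXE, msiexec.exe; the two cmd.exe children and schtasks.exe stay off the chain because their parents only wrote into them.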
Processes
C:\Windows\Explorer.EXE  (PID 2988)
    command line: C:\Windows\Explorer.EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - Suspicious use of FindShellTrayWindow

    C:\Users\Admin\AppData\Local\Temp\7vQQ4HU4QUhXLUo.exe  (PID 2460)
        command line: "C:\Users\Admin\AppData\Local\Temp\7vQQ4HU4QUhXLUo.exe"
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetThreadContext

        C:\Windows\SysWOW64\schtasks.exe  (PID 3820)
            command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BJtzFOHlPaUN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp"
            - Creates scheduled task(s)

        C:\Users\Admin\AppData\Local\Temp\7vQQ4HU4QUhXLUo.exe  (PID 3772)
            command line: "{path}"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of SetThreadContext

    C:\Windows\SysWOW64\msiexec.exe  (PID 3612)
        command line: "C:\Windows\SysWOW64\msiexec.exe"
        - Adds Run entry to policy start application
        - Modifies Internet Explorer settings
        - Drops file in Program Files directory
        - System policy modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetThreadContext

        C:\Windows\SysWOW64\cmd.exe
            command line: /c del "C:\Users\Admin\AppData\Local\Temp\7vQQ4HU4QUhXLUo.exe"

        C:\Windows\SysWOW64\cmd.exe
            command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

Notes on the tree (PIDs taken from the WriteProcessMemory and SetThreadContext tables above; the two cmd.exe children are PIDs 3456 and 1228, but the report does not say which is which):
- schtasks.exe runs from SysWOW64 although its command line names System32: the 32-bit dropper is subject to WoW64 file system redirection.
- The second dropper instance (3772) is started with the literal command line "{path}" and is the hollowed copy that injects into Explorer.EXE.
- msiexec.exe is launched by Explorer.EXE after that injection, has no installer command line, and carries every persistence and credential-access signature: it is the payload's host process, not Windows Installer at work.
- Its two cmd.exe children delete the original dropper from Temp and copy Chrome's Login Data database to Temp\DB1 (copy /V verifies the written copy); copying is the usual way around the lock a running browser holds on the live database.
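The copy command above is the usual way a stealer gets at Chrome's credential store: Login Data is an SQLite database the running browser keeps locked, so it is copied to Temp (here DB1) and read from there. The Python below is an added example by the editor, not code from the report or from the sample. It builds a constructed stand-in for DB1 using a reduced version of Chrome's logins table (assumption: the real table has more columns) and placeholder password blobs, then shows what an analyst can read from a recovered copy without decrypting anything: origin, username, the wrapping of the password blob (v10 AES-GCM from Chrome 80 on, a raw DPAPI blob before that) and the creation time.

```python
"""Triage a recovered copy of Chrome's "Login Data" database.

Added example by the editor, not part of the sandbox report. The report shows
msiexec.exe copying "...\\Default\\Login Data" to Temp\\DB1; this is what an
analyst does with such a copy. SCHEMA is a reduced version of Chrome's logins
table (assumption: the real table has more columns) and SAMPLE_ROWS, including
the password blobs, are constructed placeholders, not real data.
"""
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

SCHEMA = """
CREATE TABLE logins (
    origin_url     VARCHAR NOT NULL,
    action_url     VARCHAR,
    username_value VARCHAR,
    password_value BLOB,
    signon_realm   VARCHAR NOT NULL,
    date_created   INTEGER NOT NULL
);
"""

# Chrome >= 80 stores password_value as "v10" + 12-byte nonce + AES-GCM ciphertext
# (key in Local State, itself DPAPI-protected); older profiles hold a raw DPAPI
# blob, which starts with version 1 and the DPAPI provider GUID. Both constructed.
V10_BLOB = b"v10" + bytes(12) + b"\x11" * 24
DPAPI_BLOB = b"\x01\x00\x00\x00" + bytes.fromhex("d08c9ddf0115d1118c7a00c04fc297eb") + b"\x22" * 16
SAMPLE_ROWS = [
    ("https://mail.example.com/login", "https://mail.example.com/auth",
     "alice@example.com", V10_BLOB, "https://mail.example.com/", 13237000000000000),
    ("https://intranet.example.net/", "", "bob", DPAPI_BLOB,
     "https://intranet.example.net/", 13236000000000000),
]

# Chrome timestamps are microseconds since 1601-01-01 UTC (the FILETIME epoch).
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(microseconds):
    return (CHROME_EPOCH + timedelta(microseconds=microseconds)).isoformat()


def build_sample_login_data(path):
    """Write the constructed sample database to path (stands in for Temp\\DB1)."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def wrapping(blob):
    """Name the protection on a password_value without decrypting it."""
    if blob[:3] == b"v10":
        return "v10 AES-GCM (key in Local State)"
    if blob[:4] == b"\x01\x00\x00\x00":
        return "DPAPI blob"
    return "unknown"


def summarize_login_data(path):
    """Open the copy read-only and list what a stealer would have taken.

    Passwords are reported by their wrapping only; nothing is decrypted.
    """
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    rows = con.execute(
        "SELECT origin_url, username_value, password_value, date_created "
        "FROM logins ORDER BY date_created DESC"
    ).fetchall()
    con.close()
    return [(origin, user, wrapping(blob), chrome_time_to_utc(created))
            for origin, user, blob, created in rows]


def demo():
    """Build the sample in a temporary file and summarize it, as with a real DB1."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    os.unlink(path)  # let sqlite create the file itself
    try:
        build_sample_login_data(path)
        return summarize_login_data(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)


if __name__ == "__main__":
    for origin, user, wrap, created in demo():
        print(f"{created}  {origin}  {user}  [{wrap}]")
```

Opening the copy with mode=ro matters in practice: it keeps the evidence file unchanged and avoids SQLite creating journal files beside it. On a real DB1 the same query tells you how many accounts were exposed and whether the blobs are v10 (decryptable only together with the profile's Local State file) or legacy DPAPI (tied to the victim's Windows account).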
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files:
  C:\Users\Admin\AppData\Local\Temp\DB1                  copy of Chrome's Login Data made by the cmd.exe copy command above
  C:\Users\Admin\AppData\Local\Temp\tmp69D1.tmp          scheduled task XML passed to schtasks.exe /XML above
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logim.jpeg
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logrg.ini
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logri.ini
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logrv.ini

Memory dumps (PID-index-range, in capture order):
  memory/3820-0-0x0000000000000000-mapping.dmp
  memory/3772-2-0x0000000000400000-0x000000000042A000-memory.dmp    168KB
  memory/3772-3-0x000000000041B6E0-mapping.dmp
  memory/3612-4-0x0000000000000000-mapping.dmp
  memory/3612-5-0x0000000001300000-0x0000000001312000-memory.dmp    72KB
  memory/3612-6-0x0000000001300000-0x0000000001312000-memory.dmp    72KB
  memory/3456-7-0x0000000000000000-mapping.dmp
  memory/3612-8-0x0000000005580000-0x000000000565F000-memory.dmp    892KB
  memory/1228-9-0x0000000000000000-mapping.dmp
The 3772 dump at 0x400000-0x42A000 (168KB) covers the image region of the hollowed second dropper instance (0x400000 is the default image base of a 32-bit executable) and is the place to start when recovering the unpacked payload; the 3612 dumps at 0x1300000 and 0x5580000 are the regions the sandbox captured from the injected msiexec.exe.