d2f4642282933b92336508b254613f20a9db1f8a443669f56f6c354d8b319e1e

General

Target

IMG-07072020.exe
Size

858KB
MD5

2cf6e0df55846c81ee2f985fbfb6ebf6
SHA1

9cbc8b1dc3480ee5a1df5aa81a24f22225137309
SHA256

d2f4642282933b92336508b254613f20a9db1f8a443669f56f6c354d8b319e1e
SHA512

b962604fd3db93914e1760e94129ca6531591e89f6695382275332ebf1297eadde470664c710afd9c0a1c19413ab93eefe115f0359c758899df0703ef1472e71

Score

7^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1008 set thread context of 644	1008	IMG-07072020.exe	66
PID 644 set thread context of 2992	644	ieinstal.exe	56
PID 860 set thread context of 2992	860	wscript.exe	56

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
644	ieinstal.exe
644	ieinstal.exe
644	ieinstal.exe
644	ieinstal.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	ieinstal.exe
Token: SeDebugPrivilege	860	wscript.exe
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE
Token: SeShutdownPrivilege	2992	Explorer.EXE
Token: SeCreatePagefilePrivilege	2992	Explorer.EXE

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	IMG-07072020.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000090000000100000054000000305206082b06010505070308060a2b0601040182370a030406082b0601050507030606082b0601050507030106082b0601050507030706082b0601050507030206082b0601050507030406082b0601050507030353000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	IMG-07072020.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ords = "C:\\Users\\Admin\\AppData\\Local\\Ords\\Ords.hta"	IMG-07072020.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 644	1008	IMG-07072020.exe	66
PID 1008 wrote to memory of 644	1008	IMG-07072020.exe	66
PID 1008 wrote to memory of 644	1008	IMG-07072020.exe	66
PID 1008 wrote to memory of 644	1008	IMG-07072020.exe	66
PID 1008 wrote to memory of 644	1008	IMG-07072020.exe	66
PID 2992 wrote to memory of 860	2992	Explorer.EXE	67
PID 2992 wrote to memory of 860	2992	Explorer.EXE	67
PID 2992 wrote to memory of 860	2992	Explorer.EXE	67
PID 860 wrote to memory of 2132	860	wscript.exe	70
PID 860 wrote to memory of 2132	860	wscript.exe	70
PID 860 wrote to memory of 2132	860	wscript.exe	70
PID 860 wrote to memory of 3912	860	wscript.exe	76
PID 860 wrote to memory of 3912	860	wscript.exe	76
PID 860 wrote to memory of 3912	860	wscript.exe	76

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
644	ieinstal.exe
644	ieinstal.exe
644	ieinstal.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe
860	wscript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wscript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Users\Admin\AppData\Local\Temp\IMG-07072020.exe
  "C:\Users\Admin\AppData\Local\Temp\IMG-07072020.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies system certificate store
  - Adds Run entry to start application
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    PID:644
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: MapViewOfSection
  - Modifies Internet Explorer settings
  PID:860
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:2132
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/860-4-0x0000000000FC0000-0x0000000000FE7000-memory.dmp

Filesize
156KB

Download
memory/860-3-0x0000000000FC0000-0x0000000000FE7000-memory.dmp

Filesize
156KB

Download
memory/3912-11-0x00007FF6A9CC0000-0x00007FF6A9D53000-memory.dmp

Filesize
588KB

Download
memory/3912-12-0x00007FF6A9CC0000-0x00007FF6A9D53000-memory.dmp

Filesize
588KB

Download
memory/3912-10-0x00007FF6A9CC0000-0x00007FF6A9D53000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads