Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows10_x64
- resource: win10v200430
- submitted: 07-07-2020 10:00
Static task: static1

Behavioral task: behavioral1
- Sample: IMG-07072020.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: IMG-07072020.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: IMG-07072020.exe
- Size: 858KB
- MD5: 2cf6e0df55846c81ee2f985fbfb6ebf6
- SHA1: 9cbc8b1dc3480ee5a1df5aa81a24f22225137309
- SHA256: d2f4642282933b92336508b254613f20a9db1f8a443669f56f6c354d8b319e1e
- SHA512: b962604fd3db93914e1760e94129ca6531591e89f6695382275332ebf1297eadde470664c710afd9c0a1c19413ab93eefe115f0359c758899df0703ef1472e71
- Score: 7/10
Malware Config

Signatures

Suspicious use of SetThreadContext (3 IoCs)
Processes: IMG-07072020.exe, ieinstal.exe, wscript.exe
  description                           pid   process            target process
  PID 1008 set thread context of 644    1008  IMG-07072020.exe   ieinstal.exe
  PID 644 set thread context of 2992    644   ieinstal.exe       Explorer.EXE
  PID 860 set thread context of 2992    860   wscript.exe        Explorer.EXE
Suspicious behavior: EnumeratesProcesses (50 IoCs)
Processes: ieinstal.exe, wscript.exe
  pid   process
  644   ieinstal.exe   (4 identical rows)
  860   wscript.exe    (46 identical rows)
Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes: ieinstal.exe, wscript.exe, Explorer.EXE
  description                        pid   process
  Token: SeDebugPrivilege            644   ieinstal.exe
  Token: SeDebugPrivilege            860   wscript.exe
  Token: SeShutdownPrivilege         2992  Explorer.EXE   (5 identical rows)
  Token: SeCreatePagefilePrivilege   2992  Explorer.EXE   (5 identical rows)
Modifies system certificate store
Processes: IMG-07072020.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349  (IMG-07072020.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <hex-encoded certificate blob, omitted>  (IMG-07072020.exe)
Adds Run entry to start application (2 TTPs, 1 IoC)
Processes: IMG-07072020.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ords = "C:\\Users\\Admin\\AppData\\Local\\Ords\\Ords.hta"  (IMG-07072020.exe)
Suspicious use of WriteProcessMemory (14 IoCs)
Processes: IMG-07072020.exe, Explorer.EXE, wscript.exe
  description                        pid   process            target process
  PID 1008 wrote to memory of 644    1008  IMG-07072020.exe   ieinstal.exe   (5 identical rows)
  PID 2992 wrote to memory of 860    2992  Explorer.EXE       wscript.exe    (3 identical rows)
  PID 860 wrote to memory of 2132    860   wscript.exe        cmd.exe        (3 identical rows)
  PID 860 wrote to memory of 3912    860   wscript.exe        Firefox.exe    (3 identical rows)
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: ieinstal.exe, wscript.exe
  pid   process
  644   ieinstal.exe   (3 identical rows)
  860   wscript.exe    (4 identical rows)
Modifies Internet Explorer settings
Processes: wscript.exe
- Key created: \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  (wscript.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar profile data.
Processes

C:\Windows\Explorer.EXE  (PID 2992)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IMG-07072020.exe  (PID 1008)
    Command line: "C:\Users\Admin\AppData\Local\Temp\IMG-07072020.exe"
    - Suspicious use of SetThreadContext
    - Modifies system certificate store
    - Adds Run entry to start application
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\internet explorer\ieinstal.exe  (PID 644)
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection

  C:\Windows\SysWOW64\wscript.exe  (PID 860)
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Modifies Internet Explorer settings

    C:\Windows\SysWOW64\cmd.exe  (PID 2132)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe  (PID 3912)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"