Analysis

Max time kernel: 151s
Max time network: 127s
Platform: windows7_x64
Resource: win7v200430
Submitted: 07-07-2020 18:09

Static task: static1
Behavioral task: behavioral1

Sample: Order07JUL2020-5-40HQ.exe
Resource: win7v200430 (windows7_x64)
Static task result: 0 signatures, 0 seconds
General

Target: Order07JUL2020-5-40HQ.exe
Size: 909KB
MD5: e003ceeef6a45f3fe2d6b652d77816c8
SHA1: 96fbeecc72ace768f544b7e574b996171b8d02a0
SHA256: 8d8236eed9973c50c80b31c7aed1bab0a46dfdcc9b1f1ce749aa7d88963abe1b
SHA512: e61fe04a71d50903e78f0b7dcbb8a01ea25b6424c32464e068d5bc38b60d008ce340b26137b15b25e652d108440a78d335367f83f273c8cdd9c6c5d5a55a3a50
Malware Config

Extracted credentials:
Protocol: smtp
Host: webmail.tos-thailand.com
Port: 587
Username: [email protected]
Password: P@ssw0rd
Signatures

Suspicious use of SetThreadContext (4 IoCs)
  description                        pid   Process                    procid_target
  PID 1400 set thread context of 1432  1400  Order07JUL2020-5-40HQ.exe  24
  PID 1508 set thread context of 1768  1508  Windows Update.exe         26
  PID 1768 set thread context of 1948  1768  Windows Update.exe         30
  PID 1768 set thread context of 1952  1768  Windows Update.exe         31

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  3     whatismyipaddress.com
  5     whatismyipaddress.com
  6     whatismyipaddress.com

Uses the VBS compiler for execution (1 TTP)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run entry to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                        Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"  Windows Update.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   Process
  1400  Order07JUL2020-5-40HQ.exe
  1508  Windows Update.exe
  1768  Windows Update.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  1400  Order07JUL2020-5-40HQ.exe
  1508  Windows Update.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   1768  Windows Update.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1768  Windows Update.exe

UPX packed file (5 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
  resource                                                                   yara_rule
  behavioral1/memory/1432-0-0x0000000000400000-0x000000000051D000-memory.dmp   upx
  behavioral1/memory/1432-2-0x0000000000400000-0x000000000051D000-memory.dmp   upx
  behavioral1/memory/1432-3-0x0000000000400000-0x000000000051D000-memory.dmp   upx
  behavioral1/memory/1768-23-0x0000000000400000-0x000000000051D000-memory.dmp  upx
  behavioral1/memory/1768-24-0x0000000000400000-0x000000000051D000-memory.dmp  upx

Deletes itself (1 IoC)
  pid   Process
  1768  Windows Update.exe

Suspicious use of WriteProcessMemory (44 IoCs; identical rows grouped with their count)
  description                      pid   Process                    procid_target  count
  PID 1400 wrote to memory of 1432   1400  Order07JUL2020-5-40HQ.exe  24             4
  PID 1432 wrote to memory of 1508   1432  Order07JUL2020-5-40HQ.exe  25             7
  PID 1508 wrote to memory of 1768   1508  Windows Update.exe         26             7
  PID 1768 wrote to memory of 1948   1768  Windows Update.exe         30             13
  PID 1768 wrote to memory of 1952   1768  Windows Update.exe         31             13

Loads dropped DLL (8 IoCs; identical rows grouped with their count)
  pid   Process                    count
  1432  Order07JUL2020-5-40HQ.exe  1
  1508  Windows Update.exe         4
  1768  Windows Update.exe         3

Executes dropped EXE (2 IoCs)
  pid   Process
  1508  Windows Update.exe
  1768  Windows Update.exe
Processes (tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\Order07JUL2020-5-40HQ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order07JUL2020-5-40HQ.exe"
  PID: 1400
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Order07JUL2020-5-40HQ.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order07JUL2020-5-40HQ.exe"
    PID: 1432
    - Suspicious use of WriteProcessMemory
    - Loads dropped DLL

    C:\Users\Admin\AppData\Roaming\Windows Update.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
      PID: 1508
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - Loads dropped DLL
      - Executes dropped EXE

      C:\Users\Admin\AppData\Roaming\Windows Update.exe
        Command line: "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
        PID: 1768
        - Suspicious use of SetThreadContext
        - Adds Run entry to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Deletes itself
        - Suspicious use of WriteProcessMemory
        - Loads dropped DLL
        - Executes dropped EXE

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          PID: 1948

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          PID: 1952