b8fb24fed506f2b66406af4f29a8a0522564d337d9f374c3936b369e10a69437

General

Target

PO_2020-JANUGHU.exe
Size

804KB
MD5

67c9976e236f532d67bfc92b7ce96d77
SHA1

31a1f3dbeed7e359ad0115eb133aa348383a4f5b
SHA256

b8fb24fed506f2b66406af4f29a8a0522564d337d9f374c3936b369e10a69437
SHA512

1c3e24e34653f0f2497da7c8971b242e2d560d61d7b38626eaa4cc1ddcb655fe1fdc16eabab7197e03c9d35118e6e3e746a6166ae7949d1ab419c78b22be8f68

Score

7^/10

Malware Config

Signatures

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3788 wrote to memory of 3868	3788	PO_2020-JANUGHU.exe	67
PID 3788 wrote to memory of 3868	3788	PO_2020-JANUGHU.exe	67
PID 3788 wrote to memory of 3868	3788	PO_2020-JANUGHU.exe	67
PID 3788 wrote to memory of 3340	3788	PO_2020-JANUGHU.exe	69
PID 3788 wrote to memory of 3340	3788	PO_2020-JANUGHU.exe	69
PID 3788 wrote to memory of 3340	3788	PO_2020-JANUGHU.exe	69
PID 3788 wrote to memory of 3568	3788	PO_2020-JANUGHU.exe	70
PID 3788 wrote to memory of 3568	3788	PO_2020-JANUGHU.exe	70
PID 3788 wrote to memory of 3568	3788	PO_2020-JANUGHU.exe	70
PID 3788 wrote to memory of 3568	3788	PO_2020-JANUGHU.exe	70
PID 3788 wrote to memory of 3568	3788	PO_2020-JANUGHU.exe	70
PID 3788 wrote to memory of 3568	3788	PO_2020-JANUGHU.exe	70
PID 2980 wrote to memory of 3572	2980	Explorer.EXE	71
PID 2980 wrote to memory of 3572	2980	Explorer.EXE	71
PID 2980 wrote to memory of 3572	2980	Explorer.EXE	71
PID 3572 wrote to memory of 3496	3572	systray.exe	72
PID 3572 wrote to memory of 3496	3572	systray.exe	72
PID 3572 wrote to memory of 3496	3572	systray.exe	72
PID 3572 wrote to memory of 1320	3572	systray.exe	80
PID 3572 wrote to memory of 1320	3572	systray.exe	80
PID 3572 wrote to memory of 1320	3572	systray.exe	80
PID 3572 wrote to memory of 1624	3572	systray.exe	82
PID 3572 wrote to memory of 1624	3572	systray.exe	82
PID 3572 wrote to memory of 1624	3572	systray.exe	82

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Yu8nl_ro\cvulefbvhftbp.exe	systray.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3568	PO_2020-JANUGHU.exe
3568	PO_2020-JANUGHU.exe
3568	PO_2020-JANUGHU.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3868	schtasks.exe

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	systray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DZG4D = "C:\\Program Files (x86)\\Yu8nl_ro\\cvulefbvhftbp.exe"	systray.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	systray.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	PO_2020-JANUGHU.exe
Token: SeDebugPrivilege	3568	PO_2020-JANUGHU.exe
Token: SeDebugPrivilege	3572	systray.exe
Token: SeShutdownPrivilege	2980	Explorer.EXE
Token: SeCreatePagefilePrivilege	2980	Explorer.EXE
Token: SeShutdownPrivilege	2980	Explorer.EXE
Token: SeCreatePagefilePrivilege	2980	Explorer.EXE
Token: SeShutdownPrivilege	2980	Explorer.EXE
Token: SeCreatePagefilePrivilege	2980	Explorer.EXE
Token: SeShutdownPrivilege	2980	Explorer.EXE
Token: SeCreatePagefilePrivilege	2980	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3788	PO_2020-JANUGHU.exe
3788	PO_2020-JANUGHU.exe
3568	PO_2020-JANUGHU.exe
3568	PO_2020-JANUGHU.exe
3568	PO_2020-JANUGHU.exe
3568	PO_2020-JANUGHU.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe
3572	systray.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3788 set thread context of 3568	3788	PO_2020-JANUGHU.exe	70
PID 3568 set thread context of 2980	3568	PO_2020-JANUGHU.exe	56
PID 3572 set thread context of 2980	3572	systray.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:2980
- C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
  "C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  PID:3788
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\weHQlHIhGn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5464.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:3868
- - C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
    "{path}"
    3⤵
    PID:3340
- - C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe
    "{path}"
    3⤵
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    PID:3568
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Drops file in Program Files directory
  - Suspicious behavior: MapViewOfSection
  - Adds Run entry to start application
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PO_2020-JANUGHU.exe"
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:1320
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-13-0x00007FF67AE80000-0x00007FF67AF13000-memory.dmp

Filesize
588KB

Download
memory/1624-14-0x00007FF67AE80000-0x00007FF67AF13000-memory.dmp

Filesize
588KB

Download
memory/1624-15-0x00007FF67AE80000-0x00007FF67AF13000-memory.dmp

Filesize
588KB

Download
memory/3568-2-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3572-8-0x0000000005610000-0x0000000005741000-memory.dmp

Filesize
1.2MB

Download
memory/3572-5-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download
memory/3572-6-0x00000000002C0000-0x00000000002C6000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads