bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec

Analysis

max time kernel
143s
max time network
110s
platform
windows7_x64
resource
win7v200430
submitted
09-07-2020 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fenc_General Presentation.exe
Size

447KB
MD5

6550d5ad0410e634c7bab8e161fadf88
SHA1

8819193d0ad3e5c5717107aca3920ed283c53e80
SHA256

bd2bf7c79dda8208f9ec0c2199d1ec61058aa43bbe6f8548623444fc143a3aec
SHA512

57eb107f455af652096ea9bef547c90e460216a948883bf70564651d058b039ad62ad4e80c1c52ec15218d58dcb4bb8b2b48830b37bde30962a5c676838bd39c

Score

10^/10

evasion trojan persistence spyware

Malware Config

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Fenc_General Presentation.exe

Adds Run entry to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8 = "C:\\Users\\Admin\\AppData\\Roaming\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8.exe"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8 = "C:\\Users\\Admin\\AppData\\Roaming\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8.exe"	iexplore.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
240	Fenc_General Presentation.exe
1760	Fenc_General Presentation.exe
1760	Fenc_General Presentation.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 240 set thread context of 1760	240	Fenc_General Presentation.exe	29
PID 1760 set thread context of 916	1760	Fenc_General Presentation.exe	30
PID 916 set thread context of 1352	916	iexplore.exe	31
PID 916 set thread context of 1708	916	iexplore.exe	32
PID 916 set thread context of 1568	916	iexplore.exe	33
PID 916 set thread context of 1524	916	iexplore.exe	34
PID 916 set thread context of 1976	916	iexplore.exe	35

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/1352-16-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1352-18-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1352-19-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1524-27-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1524-29-0x0000000000400000-0x0000000000416000-memory.dmp	upx
behavioral1/memory/1524-30-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Fenc_General Presentation.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1860	schtasks.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0"	Fenc_General Presentation.exe

Suspicious use of WriteProcessMemory 73 IoCs

description	pid	Process	procid_target
PID 240 wrote to memory of 1860	240	Fenc_General Presentation.exe	26
PID 240 wrote to memory of 1860	240	Fenc_General Presentation.exe	26
PID 240 wrote to memory of 1860	240	Fenc_General Presentation.exe	26
PID 240 wrote to memory of 1860	240	Fenc_General Presentation.exe	26
PID 240 wrote to memory of 1752	240	Fenc_General Presentation.exe	28
PID 240 wrote to memory of 1752	240	Fenc_General Presentation.exe	28
PID 240 wrote to memory of 1752	240	Fenc_General Presentation.exe	28
PID 240 wrote to memory of 1752	240	Fenc_General Presentation.exe	28
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 240 wrote to memory of 1760	240	Fenc_General Presentation.exe	29
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 1760 wrote to memory of 916	1760	Fenc_General Presentation.exe	30
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1352	916	iexplore.exe	31
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1708	916	iexplore.exe	32
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1568	916	iexplore.exe	33
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1524	916	iexplore.exe	34
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35
PID 916 wrote to memory of 1976	916	iexplore.exe	35

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	240	Fenc_General Presentation.exe
Token: SeDebugPrivilege	916	iexplore.exe
Token: SeDebugPrivilege	1352	iexplore.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1760	Fenc_General Presentation.exe
916	iexplore.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8 = "C:\\Users\\Admin\\AppData\\Roaming\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8.exe"	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\Fenc_General Presentation.exe
"C:\Users\Admin\AppData\Local\Temp\Fenc_General Presentation.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
PID:240
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RfIFvdphuiI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44FB.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:1860
- C:\Users\Admin\AppData\Local\Temp\Fenc_General Presentation.exe
  "{path}"
  2⤵
  PID:1752
- C:\Users\Admin\AppData\Local\Temp\Fenc_General Presentation.exe
  "{path}"
  2⤵
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetThreadContext
  - Checks whether UAC is enabled
  - Windows security bypass
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  PID:1760
- - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    C:\Users\Admin\AppData\Local\Temp\Fenc_General Presentation.exe
    3⤵
    - Adds Run entry to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Adds Run entry to policy start application
    PID:916
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\dcjjtmsjy0.txt"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1352
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\dcjjtmsjy1.txt"
      4⤵
      PID:1708
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\dcjjtmsjy2.txt"
      4⤵
      PID:1568
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\dcjjtmsjy3.txt"
      4⤵
      PID:1524
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      /stext "C:\Users\Admin\AppData\Roaming\G2G228Q5-P8H1-G1U7-U4L6-D1K007E3Y0Y8\dcjjtmsjy4.txt"
      4⤵
      PID:1976

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/916-9-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/916-11-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1352-19-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1352-18-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1352-16-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1524-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1524-30-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1524-29-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1568-25-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1568-23-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1708-22-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1708-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1760-15-0x0000000002900000-0x0000000002904000-memory.dmp

Filesize
16KB

Download
memory/1760-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1760-14-0x00000000001F0000-0x00000000001F4000-memory.dmp

Filesize
16KB

Download
memory/1976-31-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1976-33-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download