Analysis
- max time kernel: 39s
- max time network: 155s
- platform: windows7_x64
- resource: win7v200430
- submitted: 09-07-2020 14:39
Static task: static1
Behavioral task: behavioral1
- Sample: Payment details.exe
- Resource: win7v200430
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Payment details.exe
- Resource: win10
- 0 signatures, 0 seconds
General
- Target: Payment details.exe
- Size: 546KB
- MD5: d580a1f4241f75ac8bf99ac6ca501977
- SHA1: 11a2d6e337c2a5830a918d206d475400d606c5b3
- SHA256: b4d3bccc58e0a1222261fc91cf6c0b56db9116302c9aaf9d4ddf9273706d571f
- SHA512: 19ef34c65bacb0d0b38bd45126d989f2fbd510d91f844ab844e92d87b5380f749d5d89f6fc7ec16bbfcca97f40bf7d10d24d86186a402bb442f10fbb7c773ab5
- Score: 7/10
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
  | PID 804 wrote to memory of 1856 | 804 | Payment details.exe | ieinstal.exe |
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  | description | pid | process | target process |
  | --- | --- | --- | --- |
  | PID 804 set thread context of 1856 | 804 | Payment details.exe | ieinstal.exe |
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  | pid | process |
  | --- | --- |
  | 1856 | ieinstal.exe |
- Loads dropped DLL (6 IoCs)
  Processes:
  | pid | process |
  | --- | --- |
  | 1856 | ieinstal.exe |
  | 1856 | ieinstal.exe |
  | 1856 | ieinstal.exe |
  | 1856 | ieinstal.exe |
  | 1856 | ieinstal.exe |
  | 1856 | ieinstal.exe |
- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes:
  | description | ioc | process |
  | --- | --- | --- |
  | Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Molt = "C:\\Users\\Admin\\AppData\\Local\\Molt\\Molt.hta" | Payment details.exe |
Processes
- C:\Users\Admin\AppData\Local\Temp\Payment details.exe
  "C:\Users\Admin\AppData\Local\Temp\Payment details.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Adds Run entry to start application
  - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    - Suspicious use of SetWindowsHookEx
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\freebl3.dll
- \Users\Admin\AppData\Local\Temp\mozglue.dll
- \Users\Admin\AppData\Local\Temp\msvcp140.dll
- \Users\Admin\AppData\Local\Temp\nss3.dll
- \Users\Admin\AppData\Local\Temp\softokn3.dll
- \Users\Admin\AppData\Local\Temp\vcruntime140.dll
- memory/1856-0-0x0000000000400000-0x0000000000554000-memory.dmp (Filesize: 1.3MB)
- memory/1856-1-0x0000000000405A3D-mapping.dmp
- memory/1856-2-0x0000000000400000-0x0000000000554000-memory.dmp (Filesize: 1.3MB)