Analysis

Max time kernel: 149s
Max time network: 149s
Platform: windows10_x64
Resource: win10
Submitted: 09/07/2020, 08:01

- Static task: static1
- Behavioral task: behavioral1
  Sample: Purchase advice and details.exe
  Resource: win7
  0 signatures, 0 seconds
- Behavioral task: behavioral2
  Sample: Purchase advice and details.exe
  Resource: win10
  0 signatures, 0 seconds
General

Target: Purchase advice and details.exe
Size: 663KB
MD5: 8c49a740ef92731629ce744ca1fece7b
SHA1: db2d80f5deba46f40be9357c3576e72aaed73ce5
SHA256: aea480ebd5777e840f0b988267554fe1d35f70238bed009231b24475fdc0b0d9
SHA512: eb78fcea1a1e5ceb762f620f21cf9e86eac873f1f27a6337e4d41a37396e79bf8bdbe46830e032f899df7d97aeca940d16b70255a4bcfa94430c8b78056c8c35
Score: 10/10

Malware Config

Signatures
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Key created: \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (process: wlanext.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9RMLSTBPRLR = "C:\\Program Files (x86)\\Fxpmd8tbp\\nb2plx4x2kdp.exe" (process: wlanext.exe)

- Suspicious behavior: MapViewOfSection (9 IoCs)
  PID 3588, Purchase advice and details.exe (1 entry)
  PID 2996, Purchase advice and details.exe (4 entries)
  PID 3936, wlanext.exe (4 entries)

- Suspicious use of SetThreadContext (4 IoCs)
  PID 3588 (Purchase advice and details.exe) set thread context of PID 2996; target 67
  PID 2996 (Purchase advice and details.exe) set thread context of PID 2972; target 56 (2 entries)
  PID 3936 (wlanext.exe) set thread context of PID 2972; target 56

- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2972, Explorer.EXE

- Suspicious use of SendNotifyMessage (1 IoC)
  PID 2972, Explorer.EXE

- Drops file in Program Files directory (1 IoC)
  File opened for modification: C:\Program Files (x86)\Fxpmd8tbp\nb2plx4x2kdp.exe (process: wlanext.exe)

- Suspicious behavior: EnumeratesProcesses (60 IoCs; repeated entries collapsed to the distinct pid/process pairs)
  PID 3588, Purchase advice and details.exe
  PID 2996, Purchase advice and details.exe
  PID 3936, wlanext.exe

- Suspicious use of WriteProcessMemory (15 IoCs; each pair listed 3 times in the raw log)
  PID 3588 (Purchase advice and details.exe) wrote to memory of PID 2996; target 67
  PID 2972 (Explorer.EXE) wrote to memory of PID 3936; target 71
  PID 3936 (wlanext.exe) wrote to memory of PID 3784; target 72
  PID 3936 (wlanext.exe) wrote to memory of PID 3412; target 74
  PID 3936 (wlanext.exe) wrote to memory of PID 1812; target 76

- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Token: SeDebugPrivilege, PID 2996, Purchase advice and details.exe
  Token: SeDebugPrivilege, PID 3936, wlanext.exe
  Token: SeShutdownPrivilege, PID 2972, Explorer.EXE (5 entries)
  Token: SeCreatePagefilePrivilege, PID 2972, Explorer.EXE (5 entries)

- Modifies Internet Explorer settings
  Key created: \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: wlanext.exe)

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Processes

1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 2972
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   - Suspicious use of AdjustPrivilegeToken

   2. C:\Users\Admin\AppData\Local\Temp\Purchase advice and details.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase advice and details.exe"
      PID: 3588
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\Purchase advice and details.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Purchase advice and details.exe"
         PID: 2996
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\autoconv.exe
      Command line: "C:\Windows\SysWOW64\autoconv.exe"
      PID: 3856

   2. C:\Windows\SysWOW64\autoconv.exe
      Command line: "C:\Windows\SysWOW64\autoconv.exe"
      PID: 3900

   2. C:\Windows\SysWOW64\autoconv.exe
      Command line: "C:\Windows\SysWOW64\autoconv.exe"
      PID: 4012

   2. C:\Windows\SysWOW64\wlanext.exe
      Command line: "C:\Windows\SysWOW64\wlanext.exe"
      PID: 3936
      - Adds Run entry to start application
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Modifies Internet Explorer settings

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase advice and details.exe"
         PID: 3784

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
         PID: 3412

      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
         PID: 1812