Resubmissions

10-07-2020 07:16

200710-3ftd7gk4t6 8

Analysis

  • max time kernel
    137s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-07-2020 07:16

General

  • Target
    PacketTracer-7.3.0-win64-setup.exe
  • Size
    146.9MB
  • MD5
    9a5fffcd7fa373a0ee94fdc490664e83
  • SHA1
    1edae57082ac9aad5062be08030a376b5e2b545a
  • SHA256
    6ded73b437e967c9ff6508c0fa853f45abd7fe97f430d53a139834c9a9ebb778
  • SHA512
    7f26fa07880f57cad2877bc1a2413e8afe75a14855d38d42926f930cc91c8d426aec8886d30dd9c74c900f7ea35aebdccbb8372d2b013056fd2388166bc2427b

Malware Config

Signatures

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of WriteProcessMemory 9 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Modifies registry class 37 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, etc.

  • Modifies system certificate store 2 TTPs 8 IoCs
  • Drops file in Program Files directory 3484 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Loads dropped DLL 66 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PacketTracer-7.3.0-win64-setup.exe
    "C:\Users\Admin\AppData\Local\Temp\PacketTracer-7.3.0-win64-setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\AppData\Local\Temp\is-8R6RP.tmp\PacketTracer-7.3.0-win64-setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-8R6RP.tmp\PacketTracer-7.3.0-win64-setup.tmp" /SL5="$401CC,153500553,121344,C:\Users\Admin\AppData\Local\Temp\PacketTracer-7.3.0-win64-setup.exe"
      2⤵
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      • Executes dropped EXE
      • Modifies registry class
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:1980
      • C:\Program Files\Cisco Packet Tracer 7.3.0\bin\PacketTracer7.exe
        "C:\Program Files\Cisco Packet Tracer 7.3.0\bin\PacketTracer7.exe"
        3⤵
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: GetForegroundWindowSpam
        • Identifies Wine through registry keys
        • Suspicious use of WriteProcessMemory
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Loads dropped DLL
        PID:2040
        • C:\Program Files\Cisco Packet Tracer 7.3.0\bin\QtWebEngineProcess.exe
          "C:\Program Files\Cisco Packet Tracer 7.3.0\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=11084752400623001912 --lang=en-US --webengine-schemes=this-sm:sLC;pt-sm:sLC;file-sm:sLC;user-app:sLC;wlc-3504:sLC;qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=11084752400623001912 --renderer-client-id=2 --mojo-platform-channel-handle=3504 /prefetch:1
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Loads dropped DLL
          PID:3920
        • C:\Program Files\Cisco Packet Tracer 7.3.0\bin\QtWebEngineProcess.exe
          "C:\Program Files\Cisco Packet Tracer 7.3.0\bin\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-gpu-memory-buffer-video-frames --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations --disable-features=MojoVideoCapture,SurfaceSynchronization,UseModernMediaControls,UseVideoCaptureApiForDevToolsSnapshots --disable-gpu-compositing --service-pipe-token=2828766095224358687 --lang=en-US --webengine-schemes=this-sm:sLC;pt-sm:sLC;file-sm:sLC;user-app:sLC;wlc-3504:sLC;qrc:sLV --device-scale-factor=1 --num-raster-threads=1 --service-request-channel-token=2828766095224358687 --renderer-client-id=3 --mojo-platform-channel-handle=3552 /prefetch:1
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Loads dropped DLL
          PID:3888

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/2040-79-0x0000000008C60000-0x0000000008C61000-memory.dmp
    Filesize: 4KB
  • memory/2040-80-0x0000000009460000-0x0000000009461000-memory.dmp
    Filesize: 4KB
  • memory/2040-81-0x0000000008C60000-0x0000000008C61000-memory.dmp
    Filesize: 4KB
  • memory/2040-87-0x0000000008C60000-0x0000000008C61000-memory.dmp
    Filesize: 4KB