Analysis
max time kernel: 149s
max time network: 148s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 13:34

Static task: static1
Behavioral task: behavioral1
  Sample: FedExs AWB#5305323204643.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: FedExs AWB#5305323204643.exe
  Resource: win10
General
Target: FedExs AWB#5305323204643.exe
Size: 327KB
MD5: 4d535bf4723300864190a972b1d4f9ad
SHA1: eeb49ecc3842af963b1ab9eb017c5d672ea7fb37
SHA256: 82a761b4157d1fa4e99dbf36c0f30935b19a1dd9875e330d81a70877aa07bc8a
SHA512: 7991bcb4756e291d3618db2e1010a763bf3227e4015d160d9fd122d1ad401d67dc8cd1884dbf4f2853a29ceab1dd277e9c1b1526b941554586af608ba53c5f0b
Malware Config
Signatures
Suspicious use of SetThreadContext 3 IoCs
Processes:
  PID 1060 (FedExs AWB#5305323204643.exe) set thread context of PID 1452 (FedExs AWB#5305323204643.exe)
  PID 1452 (FedExs AWB#5305323204643.exe) set thread context of PID 1324 (Explorer.EXE)
  PID 908 (control.exe) set thread context of PID 1324 (Explorer.EXE)

Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  PID 1324 Explorer.EXE (×4)
Modifies Internet Explorer settings 1 IoCs
Processes:
  Key created \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 by control.exe (PID 908)
IntelliForms\Storage2 is where Internet Explorer keeps autocomplete form data and saved credentials; control.exe opening it fits the browser-data access flagged under "Reads user/profile data of web browsers" below.

Checks whether UAC is enabled 1 IoCs
Processes:
  Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA by Explorer.EXE (PID 1324)
The query is attributed to Explorer.EXE, which is also the target of SetThreadContext from PIDs 1452 and 908 (see "Suspicious use of SetThreadContext" above), so treat it as the injected code's behaviour rather than the shell's own.
System policy modification 1 TTPs 1 IoCs
Processes:
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer by control.exe (PID 908)

Suspicious use of WriteProcessMemory 24 IoCs
Processes (repeated rows collapsed, count in parentheses):
  PID 1060 (FedExs AWB#5305323204643.exe) wrote to memory of PID 1440 (FedExs AWB#5305323204643.exe) (×4)
  PID 1060 (FedExs AWB#5305323204643.exe) wrote to memory of PID 1452 (FedExs AWB#5305323204643.exe) (×7)
  PID 1324 (Explorer.EXE) wrote to memory of PID 908 (control.exe) (×4)
  PID 908 (control.exe) wrote to memory of PID 788 (cmd.exe) (×4)
  PID 908 (control.exe) wrote to memory of PID 1864 (Firefox.exe) (×5)

Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  Token: SeDebugPrivilege PID 1060 FedExs AWB#5305323204643.exe
  Token: SeDebugPrivilege PID 1452 FedExs AWB#5305323204643.exe
  Token: SeDebugPrivilege PID 908 control.exe
  Token: SeShutdownPrivilege PID 1324 Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs
Processes:
  PID 1060 FedExs AWB#5305323204643.exe (×2)
  PID 1452 FedExs AWB#5305323204643.exe (×2)
  PID 908 control.exe (×21)

Deletes itself 1 IoCs
Processes:
  PID 788 cmd.exe

Drops file in Program Files directory 1 IoCs
Processes:
  File opened for modification C:\Program Files (x86)\Nmrb00rg8\ThumbCacheohltq4ix.exe by control.exe (PID 908)

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  PID 1452 FedExs AWB#5305323204643.exe (×3)
  PID 908 control.exe (×4)

Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
  PID 1324 Explorer.EXE (×5)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
No IoC rows are listed for this signature; the browser-related events on this page are control.exe creating the IntelliForms\Storage2 key and writing into Firefox.exe (PID 1864).

Adds Run entry to policy start application 2 TTPs 2 IoCs
Processes:
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JXH4VZIX_FP = "C:\\Program Files (x86)\\Nmrb00rg8\\ThumbCacheohltq4ix.exe" by control.exe (PID 908)
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run by control.exe (PID 908)
Explorer executes values under Policies\Explorer\Run at each logon just like the ordinary CurrentVersion\Run key, so this value plus the file dropped under C:\Program Files (x86)\Nmrb00rg8 is the persistence mechanism; both are the first things to check on a host suspected of running this sample.
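Read together, the SetThreadContext and WriteProcessMemory rows describe one chain: the sample (PID 1060) writes into and redirects a second copy of itself (PID 1452), that copy rewrites a thread in Explorer.EXE (PID 1324), and the hijacked Explorer then launches and writes into control.exe (PID 908), which plants the Policies\Explorer\Run value, drops ThumbCacheohltq4ix.exe, has cmd.exe (PID 788) delete the original file and spawns Firefox.exe (PID 1864). The script below is an added triage example, not part of the sandbox report or its tooling: it takes those rows, transcribed into Python literals, and computes which PIDs are under the sample's control, classifies each thread-context rewrite, extracts the autostart value and confirms the self-deletion. The PROTECTED_IMAGES set and the finding labels are assumptions made for this example.

```python
"""Triage helper for the IoC rows in this report (added example, not the sandbox's tooling)."""
import re

SAMPLE_IMAGE = "FedExs AWB#5305323204643.exe"
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\FedExs AWB#5305323204643.exe"

# (api, source_pid, source_image, target_pid, target_image), transcribed from the report;
# rows the report repeats are listed once here.
INJECTION_EVENTS = [
    ("SetThreadContext",   1060, SAMPLE_IMAGE,  1452, SAMPLE_IMAGE),
    ("SetThreadContext",   1452, SAMPLE_IMAGE,  1324, "Explorer.EXE"),
    ("SetThreadContext",    908, "control.exe", 1324, "Explorer.EXE"),
    ("WriteProcessMemory", 1060, SAMPLE_IMAGE,  1440, SAMPLE_IMAGE),
    ("WriteProcessMemory", 1060, SAMPLE_IMAGE,  1452, SAMPLE_IMAGE),
    ("WriteProcessMemory", 1324, "Explorer.EXE", 908, "control.exe"),
    ("WriteProcessMemory",  908, "control.exe",  788, "cmd.exe"),
    ("WriteProcessMemory",  908, "control.exe", 1864, "Firefox.exe"),
]

# (pid, image, operation, key_path, value_data), transcribed from the report.
REGISTRY_EVENTS = [
    (908, "control.exe", "Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run", None),
    (908, "control.exe", "Set value (str)",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JXH4VZIX_FP",
     r"C:\Program Files (x86)\Nmrb00rg8\ThumbCacheohltq4ix.exe"),
]

# (pid, image, command_line), transcribed from the report's process tree.
PROCESS_EVENTS = [
    (788, "cmd.exe", f'/c del "{SAMPLE_PATH}"'),
    (1864, "Firefox.exe", r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]

# Assumption for this example: system images whose thread context is never legitimately
# rewritten by a different image.
PROTECTED_IMAGES = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}

# A value written directly under the Group Policy Run key; group 1 is the value name.
POLICY_RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run\\([^\\]+)$", re.IGNORECASE)


def tainted_pids(events, seed_image=SAMPLE_IMAGE):
    """Every PID reachable from the sample through a thread-context rewrite or memory write.

    Explorer.EXE (1324) becomes tainted via 1452's SetThreadContext, which is why its later
    writes into control.exe count as the sample's activity, not the shell's.
    """
    tainted = {spid for _, spid, simg, _, _ in events if simg == seed_image}
    changed = True
    while changed:  # fixpoint over the injection graph
        changed = False
        for _, spid, _, tpid, _ in events:
            if spid in tainted and tpid not in tainted:
                tainted.add(tpid)
                changed = True
    return tainted


def injection_findings(events):
    """Label each SetThreadContext: hollowing of a process the source also wrote into,
    cross-image injection, and hijack of a protected system image."""
    written = {(spid, tpid) for api, spid, _, tpid, _ in events if api == "WriteProcessMemory"}
    findings = []
    for api, spid, simg, tpid, timg in events:
        if api != "SetThreadContext":
            continue
        if (spid, tpid) in written:
            findings.append(("hollowing", spid, tpid))
        elif simg.lower() != timg.lower():
            findings.append(("cross-image injection", spid, tpid))
        if timg.lower() in PROTECTED_IMAGES:
            findings.append(("system process hijacked", spid, tpid))
    return findings


def persistence_findings(reg_events):
    """(value_name, executable) for each autostart value planted under Policies\\Explorer\\Run."""
    found = []
    for _, _, _op, key, data in reg_events:
        m = POLICY_RUN_VALUE_RE.search(key)
        if m and data:
            found.append((m.group(1), data))
    return found


def self_deletion(proc_events, sample_path=SAMPLE_PATH):
    """True if a cmd.exe child deletes the original sample path."""
    for _, image, cmdline in proc_events:
        if (image.lower() == "cmd.exe" and re.search(r"\bdel\b", cmdline, re.IGNORECASE)
                and sample_path.lower() in cmdline.lower()):
            return True
    return False


if __name__ == "__main__":
    print("PIDs under the sample's control:", sorted(tainted_pids(INJECTION_EVENTS)))
    for label, spid, tpid in injection_findings(INJECTION_EVENTS):
        print(f"injection: {label}: {spid} -> {tpid}")
    for name, exe in persistence_findings(REGISTRY_EVENTS):
        print(f"persistence: Policies\\Explorer\\Run\\{name} -> {exe}")
    print("self-deletion of original file:", self_deletion(PROCESS_EVENTS))
```

The taint closure is the part worth keeping for other reports: a write into control.exe or Firefox.exe by Explorer.EXE looks benign on its own, and only becomes attributable once the injection edges leading into Explorer are followed. The same event tuples can be filled from a sandbox's JSON export instead of transcribed by hand.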
Processes
C:\Windows\Explorer.EXE  [PID 1324]  cmdline: C:\Windows\Explorer.EXE
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  C:\Users\Admin\AppData\Local\Temp\FedExs AWB#5305323204643.exe  [PID 1060]  cmdline: "C:\Users\Admin\AppData\Local\Temp\FedExs AWB#5305323204643.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    C:\Users\Admin\AppData\Local\Temp\FedExs AWB#5305323204643.exe  [PID 1440]  cmdline: "{path}"
    C:\Users\Admin\AppData\Local\Temp\FedExs AWB#5305323204643.exe  [PID 1452]  cmdline: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  C:\Windows\SysWOW64\control.exe  [PID 908]  cmdline: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - System policy modification
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Suspicious behavior: MapViewOfSection
    - Adds Run entry to policy start application
    C:\Windows\SysWOW64\cmd.exe  [PID 788]  cmdline: /c del "C:\Users\Admin\AppData\Local\Temp\FedExs AWB#5305323204643.exe"
      - Deletes itself
    C:\Program Files\Mozilla Firefox\Firefox.exe  [PID 1864]  cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe"