Analysis
- max time kernel: 35s
- max time network: 140s
- platform: windows7_x64
- resource: win7v200430
- submitted: 10-07-2020 07:41
Static task: static1

Behavioral task: behavioral1
- Sample: Payment_details.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Payment_details.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Payment_details.exe
- Size: 1.5MB
- MD5: c0418cf3c3252f74c1fb01e273c1fb12
- SHA1: 0dda517deda93a3fd0657284857d001ad8572d43
- SHA256: 90d5792fd0a2ab859f120bef8f12a28c8f7e4119a43054c22db57e76c7b386a0
- SHA512: 4f4ef54cc3380234330c8962cc97913782dac7bd948e50a32501c84d493ff923796ac1822b6e5ba0465f0903f4d221af0fb9bf92595165df78f68937158cd1bc

Score: 7/10
Malware Config
Signatures

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                        | pid | process             | target process
  PID 272 wrote to memory of 1892    | 272 | Payment_details.exe | ieinstal.exe
  (the row above is reported 9 times)

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid | process             | target process
  PID 272 set thread context of 1892   | 272 | Payment_details.exe | ieinstal.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid  | process
  1892 | ieinstal.exe

- Loads dropped DLL (6 IoCs)
  Processes:
  pid  | process
  1892 | ieinstal.exe
  (the row above is reported 6 times)

- Adds Run entry to start application (2 TTPs, 1 IoC)
  Processes:
  description     | ioc                                                                                                                                                                | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Gkrr = "C:\\Users\\Admin\\AppData\\Local\\Gkrr\\Gkrr.hta" | Payment_details.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Processes

- C:\Users\Admin\AppData\Local\Temp\Payment_details.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment_details.exe"
  PID: 272
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Adds Run entry to start application

  - C:\Program Files (x86)\internet explorer\ieinstal.exe (child of PID 272)
    Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    PID: 1892
    - Suspicious use of SetWindowsHookEx
    - Loads dropped DLL