Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 11:15
Static task: static1
Behavioral task: behavioral1
- Sample: R7566091253.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: R7566091253.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: R7566091253.exe
- Size: 816KB
- MD5: 045898722f8be5ddea3bbd6532878cbe
- SHA1: 3c4f5196619e53c35c05cf8ace20cfbb2400cda1
- SHA256: 67586cd711a0de6176d2df1bde9bf36f024f893328ae9c447bdf5e636e99502b
- SHA512: b881d43c40b9b1b2e273ff988acbd6c44e01ee8d5abfc4b7bed9f7e47def8d9308e619464e2970c0c68b0e23d4b78c0250daef2c68ed994b8ea09cc08900017b
Score: 8/10
Malware Config
Signatures

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
- PID 1224 Explorer.EXE (4 occurrences)

Drops file in Program Files directory (1 IoC)
Processes:
- File opened for modification: C:\Program Files (x86)\Gnnhlg\IconCache6ldhpr4.exe (svchost.exe)

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
- PID 1152 R7566091253.exe (1 occurrence)
- PID 1068 R7566091253.exe (2 occurrences)
- PID 1060 svchost.exe (the remaining 28 occurrences)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 1152 R7566091253.exe wrote to memory of PID 1068 R7566091253.exe (4 occurrences)
- PID 1224 Explorer.EXE wrote to memory of PID 1060 svchost.exe (4 occurrences)
- PID 1060 svchost.exe wrote to memory of PID 1500 cmd.exe (4 occurrences)

Deletes itself (1 IoC)
Processes:
- PID 1500 cmd.exe

Checks whether UAC is enabled
Processes:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)

System policy modification (1 TTP, 1 IoC)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (svchost.exe)

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
- PID 1152 R7566091253.exe (1 occurrence)
- PID 1068 R7566091253.exe (3 occurrences)
- PID 1060 svchost.exe (2 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, PID 1068 R7566091253.exe
- Token: SeDebugPrivilege, PID 1060 svchost.exe

Suspicious use of FindShellTrayWindow (5 IoCs)
Processes:
- PID 1224 Explorer.EXE (5 occurrences)

Modifies Internet Explorer settings
Processes:
- Key created: \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (svchost.exe)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar sensitive data.

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 1152 R7566091253.exe set thread context of PID 1068 R7566091253.exe
- PID 1068 R7566091253.exe set thread context of PID 1224 Explorer.EXE
- PID 1060 svchost.exe set thread context of PID 1224 Explorer.EXE

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (svchost.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\-Z_DD48XVHW = "C:\\Program Files (x86)\\Gnnhlg\\IconCache6ldhpr4.exe" (svchost.exe)
Processes

C:\Windows\Explorer.EXE (PID 1224)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow

  C:\Users\Admin\AppData\Local\Temp\R7566091253.exe (PID 1152)
    Command line: "C:\Users\Admin\AppData\Local\Temp\R7566091253.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext

    C:\Users\Admin\AppData\Local\Temp\R7566091253.exe (PID 1068)
      Command line: "C:\Users\Admin\AppData\Local\Temp\R7566091253.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\svchost.exe (PID 1060)
    Command line: "C:\Windows\SysWOW64\svchost.exe"
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Modifies Internet Explorer settings
    - Suspicious use of SetThreadContext
    - Adds Run entry to policy start application

    C:\Windows\SysWOW64\cmd.exe (PID 1500)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\R7566091253.exe"
      - Deletes itself