Analysis
- max time kernel: 147s
- max time network: 135s
- platform: windows10_x64
- resource: win10
- submitted: 12-07-2020 11:26
Static task: static1
Behavioral task: behavioral1
  Sample: 2Owjjl45F6zxq40.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: 2Owjjl45F6zxq40.exe
  Resource: win10
General
- Target: 2Owjjl45F6zxq40.exe
- Size: 475KB
- MD5: 5a27d64f2afc5755986ed501f2561f00
- SHA1: 017c299bc06a8631b0646b732824dc33f0f74566
- SHA256: 2f645ad832ecb3de614ff355e67bb7db84812294921a247f7ce1c8b9667f56d0
- SHA512: 7ae558dc146c971ed0457d0a006269c6431375f2fb2c2fea88376ff968aafd4361ffb48ee371a53584c6e7e18354714d8b40f9bc87344e8b3f552d3910ead481
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: 2Owjjl45F6zxq40.exe, Explorer.EXE, cmmon32.exe
  description | pid | process | target process
  PID 3828 wrote to memory of 3856 | 3828 | 2Owjjl45F6zxq40.exe | schtasks.exe
  PID 3828 wrote to memory of 3856 | 3828 | 2Owjjl45F6zxq40.exe | schtasks.exe
  PID 3828 wrote to memory of 3856 | 3828 | 2Owjjl45F6zxq40.exe | schtasks.exe
  PID 3828 wrote to memory of 3336 | 3828 | 2Owjjl45F6zxq40.exe | 2Owjjl45F6zxq40.exe
  PID 3828 wrote to memory of 3336 | 3828 | 2Owjjl45F6zxq40.exe | 2Owjjl45F6zxq40.exe
  PID 3828 wrote to memory of 3336 | 3828 | 2Owjjl45F6zxq40.exe | 2Owjjl45F6zxq40.exe
  PID 3828 wrote to memory of 3336 | 3828 | 2Owjjl45F6zxq40.exe | 2Owjjl45F6zxq40.exe
  PID 3828 wrote to memory of 3336 | 3828 | 2Owjjl45F6zxq40.exe | 2Owjjl45F6zxq40.exe
  PID 3828 wrote to memory of 3336 | 3828 | 2Owjjl45F6zxq40.exe | 2Owjjl45F6zxq40.exe
  PID 3028 wrote to memory of 1668 | 3028 | Explorer.EXE | cmmon32.exe
  PID 3028 wrote to memory of 1668 | 3028 | Explorer.EXE | cmmon32.exe
  PID 3028 wrote to memory of 1668 | 3028 | Explorer.EXE | cmmon32.exe
  PID 1668 wrote to memory of 3832 | 1668 | cmmon32.exe | cmd.exe
  PID 1668 wrote to memory of 3832 | 1668 | cmmon32.exe | cmd.exe
  PID 1668 wrote to memory of 3832 | 1668 | cmmon32.exe | cmd.exe
  PID 1668 wrote to memory of 1592 | 1668 | cmmon32.exe | cmd.exe
  PID 1668 wrote to memory of 1592 | 1668 | cmmon32.exe | cmd.exe
  PID 1668 wrote to memory of 1592 | 1668 | cmmon32.exe | cmd.exe
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: 2Owjjl45F6zxq40.exe, cmmon32.exe
  pid | process
  3336 | 2Owjjl45F6zxq40.exe
  3336 | 2Owjjl45F6zxq40.exe
  3336 | 2Owjjl45F6zxq40.exe
  1668 | cmmon32.exe
  1668 | cmmon32.exe
- System policy modification (1 TTPs, 1 IoCs)
  Processes: cmmon32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | cmmon32.exe
- Modifies Internet Explorer settings
  Processes: cmmon32.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | cmmon32.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: 2Owjjl45F6zxq40.exe, 2Owjjl45F6zxq40.exe, cmmon32.exe
  description | pid | process | target process
  PID 3828 set thread context of 3336 | 3828 | 2Owjjl45F6zxq40.exe | 2Owjjl45F6zxq40.exe
  PID 3336 set thread context of 3028 | 3336 | 2Owjjl45F6zxq40.exe | Explorer.EXE
  PID 1668 set thread context of 3028 | 1668 | cmmon32.exe | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes: 2Owjjl45F6zxq40.exe, 2Owjjl45F6zxq40.exe, cmmon32.exe, Explorer.EXE
  description | pid | process
  Token: SeDebugPrivilege | 3828 | 2Owjjl45F6zxq40.exe
  Token: SeDebugPrivilege | 3336 | 2Owjjl45F6zxq40.exe
  Token: SeDebugPrivilege | 1668 | cmmon32.exe
  Token: SeShutdownPrivilege | 3028 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3028 | Explorer.EXE
  Token: SeShutdownPrivilege | 3028 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3028 | Explorer.EXE
  Token: SeShutdownPrivilege | 3028 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3028 | Explorer.EXE
  Token: SeShutdownPrivilege | 3028 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 3028 | Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (47 IoCs)
  Processes: 2Owjjl45F6zxq40.exe, 2Owjjl45F6zxq40.exe, cmmon32.exe
  pid | process
  3828 | 2Owjjl45F6zxq40.exe (1 entry)
  3336 | 2Owjjl45F6zxq40.exe (4 entries)
  1668 | cmmon32.exe (42 entries)
- Drops file in Program Files directory (1 IoCs)
  Processes: cmmon32.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Wojgtqdj\3fjhv4p4a.exe | cmmon32.exe
- Adds Run entry to policy start application (2 TTPs, 2 IoCs)
  Processes: cmmon32.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | cmmon32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VBGTDXDHUFE = "C:\\Program Files (x86)\\Wojgtqdj\\3fjhv4p4a.exe" | cmmon32.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\2Owjjl45F6zxq40.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2Owjjl45F6zxq40.exe"
    Signatures:
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SZoiOuCCsbejrq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp78C5.tmp"
      Signatures:
        - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\2Owjjl45F6zxq40.exe
      Command line: "{path}"
      Signatures:
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    Signatures:
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
      - System policy modification
      - Modifies Internet Explorer settings
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Drops file in Program Files directory
      - Adds Run entry to policy start application
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\2Owjjl45F6zxq40.exe"
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  Command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
- C:\Users\Admin\AppData\Local\Temp\tmp78C5.tmp
- C:\Users\Admin\AppData\Roaming\JN052U35\JN0logim.jpeg
- C:\Users\Admin\AppData\Roaming\JN052U35\JN0logrg.ini
- C:\Users\Admin\AppData\Roaming\JN052U35\JN0logri.ini
- C:\Users\Admin\AppData\Roaming\JN052U35\JN0logrv.ini
- memory/1592-10-0x0000000000000000-mapping.dmp
- memory/1668-7-0x0000000000CC0000-0x0000000000CCC000-memory.dmp (Filesize: 48KB)
- memory/1668-6-0x0000000000CC0000-0x0000000000CCC000-memory.dmp (Filesize: 48KB)
- memory/1668-5-0x0000000000000000-mapping.dmp
- memory/3336-3-0x000000000041B6E0-mapping.dmp
- memory/3336-2-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/3832-8-0x0000000000000000-mapping.dmp
- memory/3856-0-0x0000000000000000-mapping.dmp