Analysis
-
max time kernel
145s -
max time network
148s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
12-07-2020 08:25
Static task
static1
Behavioral task
behavioral1
Sample
nDpCRftIevGVro2.exe
Resource
win7
Behavioral task
behavioral2
Sample
nDpCRftIevGVro2.exe
Resource
win10v200430
General
-
Target
nDpCRftIevGVro2.exe
-
Size
909KB
-
MD5
99ee30484749b90ac5ca3e2a776a0198
-
SHA1
ac6b11d0a4ebf636008cf1d39f4889b2c55ae0bc
-
SHA256
ee82b7263174f6d14a23263058616fda1c4676cecf6d0003696d255147963e1b
-
SHA512
606727a606b7a95ff1ed285c9b9ac61c4c29e05b5fa48c337ba394e8151c9e96678109203f9df2e20d4bbe16be70674c58a673d4332af1b146e7f80784a36a31
Malware Config
Signatures
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
nDpCRftIevGVro2.execmmon32.exepid process 2624 nDpCRftIevGVro2.exe 2624 nDpCRftIevGVro2.exe 2624 nDpCRftIevGVro2.exe 2868 cmmon32.exe 2868 cmmon32.exe -
Adds Run entry to start application 2 TTPs 2 IoCs
Processes:
cmmon32.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XVMPTBZPF = "C:\\Program Files (x86)\\Hczd\\6ljtqdywryl7.exe" cmmon32.exe Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run cmmon32.exe -
Processes:
cmmon32.exedescription ioc process Key created \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 cmmon32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
nDpCRftIevGVro2.exeExplorer.EXEcmmon32.exedescription pid process target process PID 3848 wrote to memory of 2160 3848 nDpCRftIevGVro2.exe schtasks.exe PID 3848 wrote to memory of 2160 3848 nDpCRftIevGVro2.exe schtasks.exe PID 3848 wrote to memory of 2160 3848 nDpCRftIevGVro2.exe schtasks.exe PID 3848 wrote to memory of 2624 3848 nDpCRftIevGVro2.exe nDpCRftIevGVro2.exe PID 3848 wrote to memory of 2624 3848 nDpCRftIevGVro2.exe nDpCRftIevGVro2.exe PID 3848 wrote to memory of 2624 3848 nDpCRftIevGVro2.exe nDpCRftIevGVro2.exe PID 3848 wrote to memory of 2624 3848 nDpCRftIevGVro2.exe nDpCRftIevGVro2.exe PID 3848 wrote to memory of 2624 3848 nDpCRftIevGVro2.exe nDpCRftIevGVro2.exe PID 3848 wrote to memory of 2624 3848 nDpCRftIevGVro2.exe nDpCRftIevGVro2.exe PID 3004 wrote to memory of 2868 3004 Explorer.EXE cmmon32.exe PID 3004 wrote to memory of 2868 3004 Explorer.EXE cmmon32.exe PID 3004 wrote to memory of 2868 3004 Explorer.EXE cmmon32.exe PID 2868 wrote to memory of 3768 2868 cmmon32.exe cmd.exe PID 2868 wrote to memory of 3768 2868 cmmon32.exe cmd.exe PID 2868 wrote to memory of 3768 2868 cmmon32.exe cmd.exe PID 2868 wrote to memory of 3540 2868 cmmon32.exe cmd.exe PID 2868 wrote to memory of 3540 2868 cmmon32.exe cmd.exe PID 2868 wrote to memory of 3540 2868 cmmon32.exe cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
Processes:
nDpCRftIevGVro2.exenDpCRftIevGVro2.execmmon32.exedescription pid process target process PID 3848 set thread context of 2624 3848 nDpCRftIevGVro2.exe nDpCRftIevGVro2.exe PID 2624 set thread context of 3004 2624 nDpCRftIevGVro2.exe Explorer.EXE PID 2868 set thread context of 3004 2868 cmmon32.exe Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
nDpCRftIevGVro2.execmmon32.exepid process 2624 nDpCRftIevGVro2.exe 2624 nDpCRftIevGVro2.exe 2624 nDpCRftIevGVro2.exe 2624 nDpCRftIevGVro2.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe 2868 cmmon32.exe -
Suspicious use of AdjustPrivilegeToken 12 IoCs
Processes:
nDpCRftIevGVro2.execmmon32.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 2624 nDpCRftIevGVro2.exe Token: SeDebugPrivilege 2868 cmmon32.exe Token: SeShutdownPrivilege 3004 Explorer.EXE Token: SeCreatePagefilePrivilege 3004 Explorer.EXE Token: SeShutdownPrivilege 3004 Explorer.EXE Token: SeCreatePagefilePrivilege 3004 Explorer.EXE Token: SeShutdownPrivilege 3004 Explorer.EXE Token: SeCreatePagefilePrivilege 3004 Explorer.EXE Token: SeShutdownPrivilege 3004 Explorer.EXE Token: SeCreatePagefilePrivilege 3004 Explorer.EXE Token: SeShutdownPrivilege 3004 Explorer.EXE Token: SeCreatePagefilePrivilege 3004 Explorer.EXE -
Drops file in Program Files directory 1 IoCs
Processes:
cmmon32.exedescription ioc process File opened for modification C:\Program Files (x86)\Hczd\6ljtqdywryl7.exe cmmon32.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\nDpCRftIevGVro2.exe"C:\Users\Admin\AppData\Local\Temp\nDpCRftIevGVro2.exe"2⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wjmzDTcOC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp85A1.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\nDpCRftIevGVro2.exe"{path}"3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmmon32.exe"C:\Windows\SysWOW64\cmmon32.exe"2⤵
- Suspicious behavior: MapViewOfSection
- Adds Run entry to start application
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Drops file in Program Files directory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\nDpCRftIevGVro2.exe"3⤵
-
C:\Windows\SysWOW64\cmd.exe/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\DB1
-
C:\Users\Admin\AppData\Local\Temp\tmp85A1.tmp
-
memory/2160-0-0x0000000000000000-mapping.dmp
-
memory/2624-2-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/2624-3-0x000000000041B6E0-mapping.dmp
-
memory/2868-5-0x0000000000000000-mapping.dmp
-
memory/2868-6-0x00000000012E0000-0x00000000012EC000-memory.dmpFilesize
48KB
-
memory/2868-7-0x00000000012E0000-0x00000000012EC000-memory.dmpFilesize
48KB
-
memory/2868-9-0x00000000054C0000-0x000000000558E000-memory.dmpFilesize
824KB
-
memory/3540-10-0x0000000000000000-mapping.dmp
-
memory/3768-8-0x0000000000000000-mapping.dmp