Analysis
- max time kernel: 147s
- max time network: 129s
- platform: windows7_x64
- resource: win7
- submitted: 12-07-2020 08:15

Static task: static1
Behavioral task: behavioral1
- Sample: kWxZdhzhxdbryQa.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: kWxZdhzhxdbryQa.exe
- Resource: win10v200430
General
- Target: kWxZdhzhxdbryQa.exe
- Size: 857KB
- MD5: 564298d99ec96cb82b246a8794de9b9b
- SHA1: 179c18e7891b967f9048e87362e21b26c73dc9d3
- SHA256: 95e40490a7ab8bc996d2a8a42233563ed067317e7b54a4083808a0d77ee2a5f5
- SHA512: b1b012794842ae9cd72aca78679de8bd0b2c60a7cc0b6f0b4f69ca7a9c4b9210c28c4978d21dc33f5fef948f5ed7eb63302c4e0e822802aaac4d5b73d4920425
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes (pid, process):
- 1088 kWxZdhzhxdbryQa.exe (2 entries)
- 1064 systray.exe (21 entries)
Drops file in Program Files directory 1 IoCs
Processes (description, ioc, process):
- File opened for modification: C:\Program Files (x86)\Gkpxp3zix\configmr80nt28.exe (systray.exe)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process):
- 1088 kWxZdhzhxdbryQa.exe (3 entries)
- 1064 systray.exe (2 entries)
Deletes itself 1 IoCs
Processes (pid, process):
- 1512 cmd.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Adds Run entry to start application 2 TTPs 2 IoCs
Processes (description, ioc, process):
- Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (systray.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\H4D0B4P8DLX = "C:\\Program Files (x86)\\Gkpxp3zix\\configmr80nt28.exe" (systray.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 1312 set thread context of 1088: 1312 kWxZdhzhxdbryQa.exe -> kWxZdhzhxdbryQa.exe
- PID 1088 set thread context of 1284: 1088 kWxZdhzhxdbryQa.exe -> Explorer.EXE
- PID 1064 set thread context of 1284: 1064 systray.exe -> Explorer.EXE
Suspicious use of FindShellTrayWindow 5 IoCs
Processes (pid, process):
- 1284 Explorer.EXE (5 entries)
Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)
Suspicious use of WriteProcessMemory 19 IoCs
Processes (description, pid, process, target process):
- PID 1312 wrote to memory of 912: 1312 kWxZdhzhxdbryQa.exe -> schtasks.exe (4 entries)
- PID 1312 wrote to memory of 1088: 1312 kWxZdhzhxdbryQa.exe -> kWxZdhzhxdbryQa.exe (7 entries)
- PID 1284 wrote to memory of 1064: 1284 Explorer.EXE -> systray.exe (4 entries)
- PID 1064 wrote to memory of 1512: 1064 systray.exe -> cmd.exe (4 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1088 kWxZdhzhxdbryQa.exe
- Token: SeDebugPrivilege, 1064 systray.exe
- Token: SeShutdownPrivilege, 1284 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs
Processes (pid, process):
- 1284 Explorer.EXE (4 entries)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes (description, ioc, process):
- Key created: \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (systray.exe)
Processes
- C:\Windows\Explorer.EXE (level 1), command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe (level 2), command line: "C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (level 3), command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdjIVjDa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83A0.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe (level 3), command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\systray.exe (level 2), command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Drops file in Program Files directory
    - Suspicious behavior: MapViewOfSection
    - Adds Run entry to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\cmd.exe (level 3), command line: /c del "C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp83A0.tmp
- C:\Users\Admin\AppData\Roaming\JN052U35\JN0logim.jpeg
- C:\Users\Admin\AppData\Roaming\JN052U35\JN0logri.ini
- C:\Users\Admin\AppData\Roaming\JN052U35\JN0logrv.ini
- memory/912-0-0x0000000000000000-mapping.dmp
- memory/1064-4-0x0000000000000000-mapping.dmp
- memory/1064-5-0x0000000000640000-0x0000000000645000-memory.dmp (Filesize: 20KB)
- memory/1064-7-0x0000000001EA0000-0x0000000001FE9000-memory.dmp (Filesize: 1.3MB)
- memory/1064-8-0x00000000750E0000-0x00000000750EC000-memory.dmp (Filesize: 48KB)
- memory/1088-2-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
- memory/1088-3-0x000000000041B6E0-mapping.dmp
- memory/1512-6-0x0000000000000000-mapping.dmp