Analysis
  max time kernel: 147s
  max time network: 145s
  platform: windows10_x64
  resource: win10v200430
  submitted: 12-07-2020 08:15

  Static task: static1
  Behavioral task: behavioral1 (sample kWxZdhzhxdbryQa.exe, resource win7)
  Behavioral task: behavioral2 (sample kWxZdhzhxdbryQa.exe, resource win10v200430)
General
  Target: kWxZdhzhxdbryQa.exe
  Size: 857KB
  MD5: 564298d99ec96cb82b246a8794de9b9b
  SHA1: 179c18e7891b967f9048e87362e21b26c73dc9d3
  SHA256: 95e40490a7ab8bc996d2a8a42233563ed067317e7b54a4083808a0d77ee2a5f5
  SHA512: b1b012794842ae9cd72aca78679de8bd0b2c60a7cc0b6f0b4f69ca7a9c4b9210c28c4978d21dc33f5fef948f5ed7eb63302c4e0e822802aaac4d5b73d4920425
Malware Config
Signatures

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 3768 set thread context of 2680 | 3768 | kWxZdhzhxdbryQa.exe | kWxZdhzhxdbryQa.exe
  PID 2680 set thread context of 3004 | 2680 | kWxZdhzhxdbryQa.exe | Explorer.EXE
  PID 2872 set thread context of 3004 | 2872 | msiexec.exe | Explorer.EXE

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\HPPDVFZXPJC = "C:\\Program Files (x86)\\Bd2kdh\\px4mhupl8lx.exe" | msiexec.exe

System policy modification (1 TTPs, 1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | msiexec.exe

Suspicious use of WriteProcessMemory (18 IoCs; identical rows collapsed, entry count in last column)
  description | pid | process | target process | entries
  PID 3768 wrote to memory of 2220 | 3768 | kWxZdhzhxdbryQa.exe | schtasks.exe | 3
  PID 3768 wrote to memory of 2680 | 3768 | kWxZdhzhxdbryQa.exe | kWxZdhzhxdbryQa.exe | 6
  PID 3004 wrote to memory of 2872 | 3004 | Explorer.EXE | msiexec.exe | 3
  PID 2872 wrote to memory of 3736 | 2872 | msiexec.exe | cmd.exe | 3
  PID 2872 wrote to memory of 3980 | 2872 | msiexec.exe | cmd.exe | 3

Suspicious behavior: MapViewOfSection (5 IoCs; identical rows collapsed)
  pid | process | entries
  2680 | kWxZdhzhxdbryQa.exe | 3
  2872 | msiexec.exe | 2

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Drops file in Program Files directory (1 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Bd2kdh\px4mhupl8lx.exe | msiexec.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs; identical rows collapsed)
  description | pid | process | entries
  Token: SeDebugPrivilege | 2680 | kWxZdhzhxdbryQa.exe | 1
  Token: SeDebugPrivilege | 2872 | msiexec.exe | 1
  Token: SeShutdownPrivilege | 3004 | Explorer.EXE | 4
  Token: SeCreatePagefilePrivilege | 3004 | Explorer.EXE | 4

Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | process
  3004 | Explorer.EXE

Suspicious use of SendNotifyMessage (1 IoCs)
  pid | process
  3004 | Explorer.EXE

Modifies Internet Explorer settings (signature name taken from the process tree below; the heading was missing here)
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msiexec.exe

Suspicious behavior: EnumeratesProcesses (44 IoCs; identical rows collapsed)
  pid | process | entries
  2680 | kWxZdhzhxdbryQa.exe | 4
  2872 | msiexec.exe | 40
Processes (indentation shows parent/child depth)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jdjIVjDa" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1591.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\msiexec.exe
    command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Adds Run entry to policy start application
    - System policy modification
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\kWxZdhzhxdbryQa.exe"

    C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
Downloads
  C:\Users\Admin\AppData\Local\Temp\DB1
  C:\Users\Admin\AppData\Local\Temp\tmp1591.tmp
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logim.jpeg
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logrg.ini
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logri.ini
  C:\Users\Admin\AppData\Roaming\JN052U35\JN0logrv.ini
  memory/2220-0-0x0000000000000000-mapping.dmp
  memory/2680-2-0x0000000000400000-0x000000000042A000-memory.dmp (filesize 168KB)
  memory/2680-3-0x000000000041B6E0-mapping.dmp
  memory/2872-6-0x0000000000FA0000-0x0000000000FB2000-memory.dmp (filesize 72KB)
  memory/2872-5-0x0000000000FA0000-0x0000000000FB2000-memory.dmp (filesize 72KB)
  memory/2872-4-0x0000000000000000-mapping.dmp
  memory/3004-9-0x00000000056B0000-0x0000000005815000-memory.dmp (filesize 1.4MB)
  memory/3736-7-0x0000000000000000-mapping.dmp
  memory/3980-10-0x0000000000000000-mapping.dmp