Analysis
max time kernel: 150s
max time network: 144s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 01:25
Static task: static1
Behavioral task: behavioral1
  Sample: Payment details.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Payment details.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Payment details.exe
Size: 332KB
MD5: 8506c6d3fa727e58e1c3fbea3e948bf4
SHA1: 0e6eec497a34434090c3112aee93fdac2b0b8c77
SHA256: c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
SHA512: 57e373825abcd65de5907ffd1d9f835bebd9e82e59f404553a3f8168f6a9979ce9a52627f6982858b0a2b7a0a288ccf15f1a3fa0b6688073118e826167dc163f
Score: 7/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes:
  pid   process
  1056  RegAsm.exe  (3 entries)
  1808  help.exe    (26 entries)
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1056  RegAsm.exe
  Token: SeDebugPrivilege  1808  help.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  pid   process
  1224  Explorer.EXE  (4 entries)
-
Checks whether UAC is enabled
Processes:
  description        ioc                                                                              process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
-
Drops startup file 1 IoCs
Processes:
  description   ioc                                                                                       process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe  Payment details.exe
-
Drops file in Program Files directory 1 IoCs
Processes:
  description                   ioc                                                  process
  File opened for modification  C:\Program Files (x86)\O_hld90\IconCacheulodufwx.exe  help.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description                      pid   process              target process
  PID 1152 wrote to memory of 1056  1152  Payment details.exe  RegAsm.exe   (8 entries)
  PID 1056 wrote to memory of 1808  1056  RegAsm.exe           help.exe     (4 entries)
  PID 1808 wrote to memory of 1880  1808  help.exe             cmd.exe      (4 entries)
  PID 1808 wrote to memory of 1992  1808  help.exe             Firefox.exe  (5 entries)
-
Suspicious behavior: MapViewOfSection 9 IoCs
Processes:
  pid   process
  1152  Payment details.exe  (1 entry)
  1056  RegAsm.exe           (4 entries)
  1808  help.exe             (4 entries)
-
Suspicious use of SetThreadContext 4 IoCs
Processes:
  description                           pid   process              target process
  PID 1152 set thread context of 1056   1152  Payment details.exe  RegAsm.exe
  PID 1056 set thread context of 1224   1056  RegAsm.exe           Explorer.EXE
  PID 1056 set thread context of 1224   1056  RegAsm.exe           Explorer.EXE
  PID 1808 set thread context of 1224   1808  help.exe             Explorer.EXE
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
  pid   process
  1224  Explorer.EXE  (5 entries)
-
Modifies Internet Explorer settings
Processes:
  description  ioc                                                                                                             process
  Key created  \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2  help.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run entry to start application 2 TTPs 2 IoCs
Processes:
  description      ioc                                                                                                                                                process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Z2KDMLUH5V = "C:\\Program Files (x86)\\O_hld90\\IconCacheulodufwx.exe"  help.exe
  Key created      \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run                                                                         help.exe
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1224
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow
  C:\Users\Admin\AppData\Local\Temp\Payment details.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment details.exe"
    PID: 1152
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      PID: 1056
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      C:\Windows\SysWOW64\help.exe
        Command line: "C:\Windows\SysWOW64\help.exe"
        PID: 1808
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Drops file in Program Files directory
        - Suspicious use of WriteProcessMemory
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of SetThreadContext
        - Modifies Internet Explorer settings
        - Adds Run entry to start application
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          PID: 1880
        C:\Program Files\Mozilla Firefox\Firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
          PID: 1992
  C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
    PID: 1508
  C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
    PID: 1480
  C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
    PID: 1724
  C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
    PID: 1296
  C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
    PID: 1820
  C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
    PID: 1840