Analysis
  max time kernel: 148s
  max time network: 147s
  platform: windows10_x64
  resource: win10v200430
  submitted: 13-07-2020 01:25

  Static task: static1
  Behavioral task: behavioral1
    Sample: Payment details.exe
    Resource: win7 (windows7_x64)
    0 signatures, 0 seconds
  Behavioral task: behavioral2
    Sample: Payment details.exe
    Resource: win10v200430 (windows10_x64)
    0 signatures, 0 seconds
General
  Target: Payment details.exe
  Size: 332KB
  MD5: 8506c6d3fa727e58e1c3fbea3e948bf4
  SHA1: 0e6eec497a34434090c3112aee93fdac2b0b8c77
  SHA256: c5049b79f66303da5f8f91e527b7f182a765c54c075f134b1779fc5802ad6b1b
  SHA512: 57e373825abcd65de5907ffd1d9f835bebd9e82e59f404553a3f8168f6a9979ce9a52627f6982858b0a2b7a0a288ccf15f1a3fa0b6688073118e826167dc163f
  Score: 10/10
Malware Config

Signatures
  Suspicious behavior: MapViewOfSection (9 IoCs)
    Processes (pid, process):
      2536 Payment details.exe (2 entries)
      1248 RegAsm.exe (3 entries)
      1440 explorer.exe (4 entries)

  Suspicious use of AdjustPrivilegeToken (10 IoCs)
    Processes (description, pid, process):
      Token: SeDebugPrivilege 1248 RegAsm.exe
      Token: SeDebugPrivilege 1440 explorer.exe
      Token: SeShutdownPrivilege 3012 Explorer.EXE (4 entries)
      Token: SeCreatePagefilePrivilege 3012 Explorer.EXE (4 entries)

  Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.

  Drops startup file (1 IoC)
    Processes (description, ioc, process):
      File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe Payment details.exe

  Drops file in Program Files directory (1 IoC)
    Processes (description, ioc, process):
      File opened for modification C:\Program Files (x86)\Tbj4pin\1be4qhs.exe explorer.exe

  Adds Run entry to start application (2 TTPs, 2 IoCs)
    Processes (description, ioc, process):
      Key created \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run explorer.exe
      Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CNI8R08PGVE = "C:\\Program Files (x86)\\Tbj4pin\\1be4qhs.exe" explorer.exe

  Suspicious use of WriteProcessMemory (19 IoCs)
    Processes (description, pid, process, target process):
      PID 2536 wrote to memory of 1236: Payment details.exe -> RegAsm.exe (3 entries)
      PID 2536 wrote to memory of 1248: Payment details.exe -> RegAsm.exe (4 entries)
      PID 3012 wrote to memory of 1440: Explorer.EXE -> explorer.exe (3 entries)
      PID 1440 wrote to memory of 1860: explorer.exe -> cmd.exe (3 entries)
      PID 1440 wrote to memory of 3716: explorer.exe -> cmd.exe (3 entries)
      PID 1440 wrote to memory of 3024: explorer.exe -> Firefox.exe (3 entries)

  Suspicious behavior: EnumeratesProcesses (56 IoCs)
    Processes (pid, process):
      1248 RegAsm.exe (4 entries)
      1440 explorer.exe (52 entries)

  Modifies Internet Explorer settings
    Processes (description, ioc, process):
      Key created \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 explorer.exe

  Suspicious use of SetThreadContext (3 IoCs)
    Processes (description, pid, process, target process):
      PID 2536 set thread context of 1248: Payment details.exe -> RegAsm.exe
      PID 1248 set thread context of 3012: RegAsm.exe -> Explorer.EXE
      PID 1440 set thread context of 3012: explorer.exe -> Explorer.EXE
Processes
  C:\Windows\Explorer.EXE (PID 3012)
    command line: "C:\Windows\Explorer.EXE"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Payment details.exe (PID 2536)
      command line: "C:\Users\Admin\AppData\Local\Temp\Payment details.exe"
      - Suspicious behavior: MapViewOfSection
      - Drops startup file
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SetThreadContext

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1236)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1248)
        command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetThreadContext

    C:\Windows\SysWOW64\explorer.exe (PID 1440)
      command line: "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Drops file in Program Files directory
      - Adds Run entry to start application
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Modifies Internet Explorer settings
      - Suspicious use of SetThreadContext

      C:\Windows\SysWOW64\cmd.exe (PID 1860)
        command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

      C:\Windows\SysWOW64\cmd.exe (PID 3716)
        command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

      C:\Program Files\Mozilla Firefox\Firefox.exe (PID 3024)
        command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"