Analysis
max time kernel: 151s
max time network: 126s
platform: windows7_x64
resource: win7v200430
submitted: 13-07-2020 06:55

Static task: static1
Behavioral task: behavioral1
  Sample: STATEMENT OF ACCOUNT.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: STATEMENT OF ACCOUNT.exe
  Resource: win10
General
Target: STATEMENT OF ACCOUNT.exe
Size: 332KB
MD5: ee68d3b0f702077810bddec50179f75d
SHA1: e84957da433e6df765486f71391edf69f882f50a
SHA256: ee3971f3a905a7bd6126d3d02e0ecaa71bbe41136d3faa0680eec42a4cf20af9
SHA512: 957eeeef26c139874fc7983078872b491f534ccc447f98d920ac43d11df7b36ffd3cfa1519fb178d6d103a04237b31f4cd5523cedbea778095a93fc0343cebe4
Malware Config
Signatures

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: STATEMENT OF ACCOUNT.exe, Explorer.EXE, wlanext.exe
  description | pid | process | target process
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1232 wrote to memory of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1348 wrote to memory of 1460 | 1348 | Explorer.EXE | wlanext.exe
  PID 1348 wrote to memory of 1460 | 1348 | Explorer.EXE | wlanext.exe
  PID 1348 wrote to memory of 1460 | 1348 | Explorer.EXE | wlanext.exe
  PID 1348 wrote to memory of 1460 | 1348 | Explorer.EXE | wlanext.exe
  PID 1460 wrote to memory of 744 | 1460 | wlanext.exe | cmd.exe
  PID 1460 wrote to memory of 744 | 1460 | wlanext.exe | cmd.exe
  PID 1460 wrote to memory of 744 | 1460 | wlanext.exe | cmd.exe
  PID 1460 wrote to memory of 744 | 1460 | wlanext.exe | cmd.exe
  PID 1460 wrote to memory of 1280 | 1460 | wlanext.exe | Firefox.exe
  PID 1460 wrote to memory of 1280 | 1460 | wlanext.exe | Firefox.exe
  PID 1460 wrote to memory of 1280 | 1460 | wlanext.exe | Firefox.exe
  PID 1460 wrote to memory of 1280 | 1460 | wlanext.exe | Firefox.exe
  PID 1460 wrote to memory of 1280 | 1460 | wlanext.exe | Firefox.exe
Modifies Internet Explorer settings
Processes: wlanext.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wlanext.exe
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes: Explorer.EXE
  pid | process
  1348 | Explorer.EXE
  1348 | Explorer.EXE
  1348 | Explorer.EXE
  1348 | Explorer.EXE
  1348 | Explorer.EXE
Suspicious use of SendNotifyMessage (4 IoCs)
Processes: Explorer.EXE
  pid | process
  1348 | Explorer.EXE
  1348 | Explorer.EXE
  1348 | Explorer.EXE
  1348 | Explorer.EXE
Drops startup file (1 IoCs)
Processes: STATEMENT OF ACCOUNT.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | STATEMENT OF ACCOUNT.exe
Checks whether UAC is enabled
Processes: Explorer.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes: STATEMENT OF ACCOUNT.exe, RegAsm.exe, wlanext.exe
  pid | process
  1232 | STATEMENT OF ACCOUNT.exe
  1420 | RegAsm.exe
  1420 | RegAsm.exe
  1420 | RegAsm.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes: RegAsm.exe, wlanext.exe
  pid | process
  1420 | RegAsm.exe
  1420 | RegAsm.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
  1460 | wlanext.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: RegAsm.exe, wlanext.exe
  description | pid | process
  Token: SeDebugPrivilege | 1420 | RegAsm.exe
  Token: SeDebugPrivilege | 1460 | wlanext.exe
Drops file in Program Files directory (1 IoCs)
Processes: wlanext.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\W2d4\vgak6g4cfw.exe | wlanext.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: STATEMENT OF ACCOUNT.exe, RegAsm.exe, wlanext.exe
  description | pid | process | target process
  PID 1232 set thread context of 1420 | 1232 | STATEMENT OF ACCOUNT.exe | RegAsm.exe
  PID 1420 set thread context of 1348 | 1420 | RegAsm.exe | Explorer.EXE
  PID 1460 set thread context of 1348 | 1460 | wlanext.exe | Explorer.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes: wlanext.exe
  description | ioc | process
  Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | wlanext.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\8PTXHFWXGV = "C:\\Program Files (x86)\\W2d4\\vgak6g4cfw.exe" | wlanext.exe
Processes

C:\Windows\Explorer.EXE (PID 1348)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled

  C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe (PID 1232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
    - Suspicious use of WriteProcessMemory
    - Drops startup file
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1420)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\wlanext.exe (PID 1460)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of WriteProcessMemory
    - Modifies Internet Explorer settings
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Suspicious use of SetThreadContext
    - Adds Run entry to start application

    C:\Windows\SysWOW64\cmd.exe (PID 744)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1280)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\5K-1P89C\5K-logim.jpeg
- C:\Users\Admin\AppData\Roaming\5K-1P89C\5K-logrf.ini
- C:\Users\Admin\AppData\Roaming\5K-1P89C\5K-logri.ini
- C:\Users\Admin\AppData\Roaming\5K-1P89C\5K-logrv.ini
- memory/744-4-0x0000000000000000-mapping.dmp
- memory/1280-9-0x000000013FDA0000-0x000000013FE33000-memory.dmp (Filesize: 588KB)
- memory/1280-8-0x0000000000000000-mapping.dmp
- memory/1420-1-0x000000000041E380-mapping.dmp
- memory/1420-0-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1460-3-0x0000000000DB0000-0x0000000000DC6000-memory.dmp (Filesize: 88KB)
- memory/1460-7-0x0000000003950000-0x0000000003A7E000-memory.dmp (Filesize: 1.2MB)
- memory/1460-6-0x0000000077090000-0x00000000771EC000-memory.dmp (Filesize: 1.4MB)
- memory/1460-5-0x0000000002FA0000-0x0000000003133000-memory.dmp (Filesize: 1.6MB)
- memory/1460-2-0x0000000000000000-mapping.dmp