Analysis
- max time kernel: 151s
- max time network: 140s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13-07-2020 02:08

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@[email protected]
- Resource: win7v200430

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@[email protected]
- Resource: win10
General
- Target: SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@[email protected]
- Size: 249KB
- MD5: eec0d052347c5d97f55d50a91c3a6c2d
- SHA1: 5baee3e1e2c3236eaa382a46f7919194626b4604
- SHA256: 047ff786f8bdd92bcf070f006d07ee6ca9bf63bd08213ec6b8807486c8b3f016
- SHA512: ab0b23f28c548ffbdb456d4c8a4ad06725a371f1108d27a506c9fbd6ccde38916ecc0b2fc18099e6a3a5b657700b88caa90992a76bf995e16ed2f750fc5e84ba
Malware Config
Signatures
- Suspicious behavior: MapViewOfSection (8 IoCs)
  Processes: RegSvcs.exe (PID 1360) x4, cmmon32.exe (PID 1828) x4
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: Explorer.EXE (PID 1304) x4
- System policy modification (1 TTP, 1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (cmmon32.exe)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes: RegSvcs.exe (PID 1360) x3, cmmon32.exe (PID 1828) x19
- Suspicious use of SetThreadContext (4 IoCs)
  PID 1296 (SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@[email protected]) set thread context of PID 1360 (RegSvcs.exe)
  PID 1360 (RegSvcs.exe) set thread context of PID 1304 (Explorer.EXE) x2
  PID 1828 (cmmon32.exe) set thread context of PID 1304 (Explorer.EXE)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, RegSvcs.exe (PID 1360)
  Token: SeDebugPrivilege, cmmon32.exe (PID 1828)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE (PID 1304) x4
- Drops file in Program Files directory (1 IoC)
  File opened for modification: C:\Program Files (x86)\Gelu\regsvcerdd.exe (cmmon32.exe)
- Adds Run entry to policy start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (cmmon32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DR4XDXNH = "C:\\Program Files (x86)\\Gelu\\regsvcerdd.exe" (cmmon32.exe)
- Modifies Internet Explorer settings
  Key created: \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmmon32.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 1296 (SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@[email protected]) wrote to memory of PID 1360 (RegSvcs.exe) x10
  PID 1304 (Explorer.EXE) wrote to memory of PID 1828 (cmmon32.exe) x4
  PID 1828 (cmmon32.exe) wrote to memory of PID 1788 (cmd.exe) x4
  PID 1828 (cmmon32.exe) wrote to memory of PID 1648 (Firefox.exe) x5
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@[email protected]
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Gen.NN.ZemsilF.34132.pm0@[email protected]"
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "{path}"
      Signatures:
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    Signatures:
    - Suspicious behavior: MapViewOfSection
    - System policy modification
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Drops file in Program Files directory
    - Adds Run entry to policy start application
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\63O29D0C\63Ologim.jpeg
- C:\Users\Admin\AppData\Roaming\63O29D0C\63Ologrf.ini
- C:\Users\Admin\AppData\Roaming\63O29D0C\63Ologri.ini
- C:\Users\Admin\AppData\Roaming\63O29D0C\63Ologrv.ini
- memory/1296-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1304-4-0x0000000006EA0000-0x0000000007019000-memory.dmp (Filesize: 1.5MB)
- memory/1360-2-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1360-3-0x000000000041E2D0-mapping.dmp
- memory/1648-18-0x0000000000000000-mapping.dmp
- memory/1648-19-0x000000013FCC0000-0x000000013FD53000-memory.dmp (Filesize: 588KB)
- memory/1788-7-0x0000000000000000-mapping.dmp
- memory/1828-5-0x0000000000000000-mapping.dmp
- memory/1828-17-0x0000000003AF0000-0x0000000003BF2000-memory.dmp (Filesize: 1.0MB)
- memory/1828-11-0x0000000076A10000-0x0000000076B6C000-memory.dmp (Filesize: 1.4MB)
- memory/1828-10-0x0000000074E20000-0x0000000074F3D000-memory.dmp (Filesize: 1.1MB)
- memory/1828-9-0x0000000076890000-0x000000007689C000-memory.dmp (Filesize: 48KB)
- memory/1828-8-0x0000000000980000-0x0000000000A48000-memory.dmp (Filesize: 800KB)
- memory/1828-6-0x0000000000AB0000-0x0000000000ABD000-memory.dmp (Filesize: 52KB)