Overview

overview

10

Static

static

R220917549.exe

windows7_x64

8

R220917549.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    91s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 11:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    R220917549.exe

  • Size

    923KB

  • MD5

    65e707bd6d53922eed2f27b35bd5355a

  • SHA1

    8e2cb2687357567045584ed5cb36c11cc928f4a4

  • SHA256

    ca2474c82643817c50106479f991ae282b9bb24fde98721dc5f99fe9a5eb3300

  • SHA512

    606f8a9fab4b19fc43ed233f62fcefc3758e1e8fd6358b9fecbd8a3e3a43027ddded905ad2fc185eec7c3e14c1ad563ce007cb35f61797846807757b2ac1447a

Score
8/10
persistencespywareevasiontrojan

Malware Config

Signatures

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Adds Run entry to policy start application 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    • Suspicious use of SendNotifyMessage
    PID:1228
    • C:\Users\Admin\AppData\Local\Temp\R220917549.exe
      "C:\Users\Admin\AppData\Local\Temp\R220917549.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      PID:1492
      • C:\Users\Admin\AppData\Local\Temp\R220917549.exe
        "C:\Users\Admin\AppData\Local\Temp\R220917549.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious behavior: MapViewOfSection
        PID:276
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:484
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:1600
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:800
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:756
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:1104
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:324
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:1056
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:1052
                    • C:\Windows\SysWOW64\autofmt.exe
                      "C:\Windows\SysWOW64\autofmt.exe"
                      2⤵
                        PID:1044
                      • C:\Windows\SysWOW64\autofmt.exe
                        "C:\Windows\SysWOW64\autofmt.exe"
                        2⤵
                          PID:1036
                        • C:\Windows\SysWOW64\autofmt.exe
                          "C:\Windows\SysWOW64\autofmt.exe"
                          2⤵
                            PID:1512
                          • C:\Windows\SysWOW64\autofmt.exe
                            "C:\Windows\SysWOW64\autofmt.exe"
                            2⤵
                              PID:1508
                            • C:\Windows\SysWOW64\autofmt.exe
                              "C:\Windows\SysWOW64\autofmt.exe"
                              2⤵
                                PID:1496
                              • C:\Windows\SysWOW64\autofmt.exe
                                "C:\Windows\SysWOW64\autofmt.exe"
                                2⤵
                                  PID:1668
                                • C:\Windows\SysWOW64\systray.exe
                                  "C:\Windows\SysWOW64\systray.exe"
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  • Suspicious use of WriteProcessMemory
                                  • Suspicious use of SetThreadContext
                                  • System policy modification
                                  • Suspicious use of AdjustPrivilegeToken
                                  • Drops file in Program Files directory
                                  • Modifies Internet Explorer settings
                                  • Suspicious behavior: MapViewOfSection
                                  • Adds Run entry to policy start application
                                  PID:1316
                                  • C:\Windows\SysWOW64\cmd.exe
                                    /c del "C:\Users\Admin\AppData\Local\Temp\R220917549.exe"
                                    3⤵
                                    • Deletes itself
                                    PID:1804

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/276-0-0x0000000000400000-0x000000000042A000-memory.dmp

                                Filesize

                                168KB

                                Download

                              • memory/1316-3-0x0000000000D00000-0x0000000000D05000-memory.dmp

                                Filesize

                                20KB

                                Download

                              • memory/1316-5-0x0000000000C30000-0x0000000000CE0000-memory.dmp

                                Filesize

                                704KB

                                Download

                              • memory/1316-6-0x00000000750B0000-0x00000000750BC000-memory.dmp

                                Filesize

                                48KB

                                Download

                              • memory/1316-7-0x0000000074BB0000-0x0000000074CCD000-memory.dmp

                                Filesize

                                1.1MB

                                Download

                              • memory/1316-8-0x0000000076820000-0x000000007697C000-memory.dmp

                                Filesize

                                1.4MB

                                Download