8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7v200430
submitted
13/07/2020, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase_Order.exe
Size

638KB
MD5

6a2a8086b34fbd0dfe9dd3dc433d77d6
SHA1

d2b6c5b889844e685c64322c11d86b22a005b165
SHA256

8f60548d2cde9e0681d8609aef71f51c820073a2a70e75bfa0fa56e3890d94e0
SHA512

b84db37efc9d329d17b893effa14188be4b244e0e1451a04623faeb0bb592f7b60fcefbc7bf483b0651202262dde532ae3f72e8fb809aff733fe346767aa6a7e

Score

8^/10

spyware evasion trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1052	avd.exe
1820	svchosts.sfx.exe
1640	svchosts.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	1640	svchosts.exe
Token: SeShutdownPrivilege	1304	Explorer.EXE
Token: SeShutdownPrivilege	1304	Explorer.EXE
Token: SeShutdownPrivilege	1304	Explorer.EXE
Token: SeShutdownPrivilege	1304	Explorer.EXE
Token: SeShutdownPrivilege	1304	Explorer.EXE
Token: SeDebugPrivilege	1904	cscript.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1640	svchosts.exe
1640	svchosts.exe
1640	svchosts.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1640 set thread context of 1304	1640	svchosts.exe	20
PID 1904 set thread context of 1304	1904	cscript.exe	20

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Explorer.EXE

Loads dropped DLL 10 IoCs

pid	Process
892	Purchase_Order.exe
892	Purchase_Order.exe
892	Purchase_Order.exe
892	Purchase_Order.exe
892	Purchase_Order.exe
892	Purchase_Order.exe
1820	svchosts.sfx.exe
1820	svchosts.sfx.exe
1820	svchosts.sfx.exe
1820	svchosts.sfx.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1640	svchosts.exe
1640	svchosts.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe
1904	cscript.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE
1304	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 1052	892	Purchase_Order.exe	24
PID 892 wrote to memory of 1052	892	Purchase_Order.exe	24
PID 892 wrote to memory of 1052	892	Purchase_Order.exe	24
PID 892 wrote to memory of 1052	892	Purchase_Order.exe	24
PID 1052 wrote to memory of 1336	1052	avd.exe	26
PID 1052 wrote to memory of 1336	1052	avd.exe	26
PID 1052 wrote to memory of 1336	1052	avd.exe	26
PID 1052 wrote to memory of 1336	1052	avd.exe	26
PID 1336 wrote to memory of 1228	1336	cmd.exe	27
PID 1336 wrote to memory of 1228	1336	cmd.exe	27
PID 1336 wrote to memory of 1228	1336	cmd.exe	27
PID 892 wrote to memory of 1796	892	Purchase_Order.exe	28
PID 892 wrote to memory of 1796	892	Purchase_Order.exe	28
PID 892 wrote to memory of 1796	892	Purchase_Order.exe	28
PID 892 wrote to memory of 1796	892	Purchase_Order.exe	28
PID 892 wrote to memory of 1820	892	Purchase_Order.exe	30
PID 892 wrote to memory of 1820	892	Purchase_Order.exe	30
PID 892 wrote to memory of 1820	892	Purchase_Order.exe	30
PID 892 wrote to memory of 1820	892	Purchase_Order.exe	30
PID 1820 wrote to memory of 1640	1820	svchosts.sfx.exe	31
PID 1820 wrote to memory of 1640	1820	svchosts.sfx.exe	31
PID 1820 wrote to memory of 1640	1820	svchosts.sfx.exe	31
PID 1820 wrote to memory of 1640	1820	svchosts.sfx.exe	31
PID 1304 wrote to memory of 1904	1304	Explorer.EXE	32
PID 1304 wrote to memory of 1904	1304	Explorer.EXE	32
PID 1304 wrote to memory of 1904	1304	Explorer.EXE	32
PID 1304 wrote to memory of 1904	1304	Explorer.EXE	32
PID 1904 wrote to memory of 1892	1904	cscript.exe	33
PID 1904 wrote to memory of 1892	1904	cscript.exe	33
PID 1904 wrote to memory of 1892	1904	cscript.exe	33
PID 1904 wrote to memory of 1892	1904	cscript.exe	33
PID 1904 wrote to memory of 1772	1904	cscript.exe	38
PID 1904 wrote to memory of 1772	1904	cscript.exe	38
PID 1904 wrote to memory of 1772	1904	cscript.exe	38
PID 1904 wrote to memory of 1772	1904	cscript.exe	38
PID 1904 wrote to memory of 1772	1904	cscript.exe	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Checks whether UAC is enabled
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase_Order.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:892
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\893B.tmp\893C.tmp\893D.bat C:\Users\Admin\AppData\Local\Temp\RarSFX0\avd.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t "REG_DWORD" /d "1" /f
        5⤵
        
        PID:1228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\op.bat" "
    3⤵
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchosts.sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\svchosts.sfx.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\svchosts.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\svchosts.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1640
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\svchosts.exe"
    3⤵
    PID:1892
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1772

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-0-0x00000000024B0000-0x00000000025B1000-memory.dmp

Filesize
1.0MB

Download
memory/1772-32-0x000000013FE00000-0x000000013FE93000-memory.dmp

Filesize
588KB

Download
memory/1904-29-0x0000000074E20000-0x0000000074F3D000-memory.dmp

Filesize
1.1MB

Download
memory/1904-30-0x00000000041F0000-0x000000000433F000-memory.dmp

Filesize
1.3MB

Download
memory/1904-28-0x0000000076890000-0x000000007689C000-memory.dmp

Filesize
48KB

Download
memory/1904-27-0x0000000003040000-0x0000000003136000-memory.dmp

Filesize
984KB

Download
memory/1904-25-0x00000000005C0000-0x00000000005E2000-memory.dmp

Filesize
136KB

Download