Analysis
max time kernel: 74s
max time network: 148s
platform: windows10_x64
resource: win10
submitted: 14/07/2020, 18:23

Static task: static1

Behavioral task: behavioral1
  Sample: L3PRj.dat.exe
  Resource: win7v200430
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: L3PRj.dat.exe
  Resource: win10
  0 signatures, 0 seconds
General
Target: L3PRj.dat.exe
Size: 836KB
MD5: 3c0d0301f6db7f6aee371c163349838c
SHA1: 1d0bd91e8fc2e6fb8bdefde8a315193d3d6b03e5
SHA256: ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e
SHA512: ddc3a72b0fd14956ba7e37c67e632669768b22ed946af65cbe9647f67f3b48f4c795ec5dd5c7bf4cdb180abd41d20d2a6ccc8aa38d7680c1af3c93c9ce4abbfb
Score: 8/10
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  3776  SearchIndexer.com
  3836  SearchIndexer.com

Program crash (1 IoCs)
  pid  pid_target  Process       procid_target
  648  3236        WerFault.exe  73

Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid   Process
  3236  attrib.exe

Suspicious use of WriteProcessMemory (19 IoCs; identical rows collapsed, count in last column)
  description                       pid   Process            procid_target  entries
  PID 1588 wrote to memory of 3992  1588  L3PRj.dat.exe      67             3
  PID 3992 wrote to memory of 3792  3992  cmd.exe            69             3
  PID 3992 wrote to memory of 3776  3992  cmd.exe            70             3
  PID 3776 wrote to memory of 3836  3776  SearchIndexer.com  71             3
  PID 3992 wrote to memory of 3348  3992  cmd.exe            72             3
  PID 3836 wrote to memory of 3236  3836  SearchIndexer.com  73             4

Suspicious use of SendNotifyMessage (6 IoCs; identical rows collapsed)
  pid   Process            entries
  3776  SearchIndexer.com  3
  3836  SearchIndexer.com  3

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  3836  SearchIndexer.com

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                pid  Process
  Token: SeRestorePrivilege  648  WerFault.exe
  Token: SeBackupPrivilege   648  WerFault.exe
  Token: SeDebugPrivilege    648  WerFault.exe

Suspicious behavior: EnumeratesProcesses (13 IoCs; identical rows collapsed)
  pid  Process       entries
  648  WerFault.exe  13

Suspicious use of FindShellTrayWindow (6 IoCs; identical rows collapsed)
  pid   Process            entries
  3776  SearchIndexer.com  3
  3836  SearchIndexer.com  3

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process            procid_target
  PID 3836 set thread context of 3236  3836  SearchIndexer.com  73

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  1. description: Key created
     ioc: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
     Process: L3PRj.dat.exe
  2. description: Set value (str)
     ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
     Process: L3PRj.dat.exe

Runs ping.exe (1 TTPs, 1 IoCs)
  pid   Process
  3348  PING.EXE
Processes (process tree; indentation shows the parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\L3PRj.dat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\L3PRj.dat.exe"
  - Suspicious use of WriteProcessMemory
  - Adds Run key to start application
  PID: 1588

  C:\Windows\SysWOW64\cmd.exe
    command line: cmd /c <nul set /p ="M" > SearchIndexer.com & type RSAzhE.com >> SearchIndexer.com & del RSAzhE.com & certutil -decode TLW.com A & SearchIndexer.com A & ping 127.0.0.1 -n 3
    - Suspicious use of WriteProcessMemory
    PID: 3992

    C:\Windows\SysWOW64\certutil.exe
      command line: certutil -decode TLW.com A
      PID: 3792

    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com
      command line: SearchIndexer.com A
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - Suspicious use of SendNotifyMessage
      - Suspicious use of FindShellTrayWindow
      PID: 3776

      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com
        command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com A
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        - Suspicious use of SendNotifyMessage
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetThreadContext
        PID: 3836

        C:\Windows\SysWOW64\attrib.exe
          command line: "C:\Windows\SysWOW64\attrib.exe"
          - Views/modifies file attributes
          PID: 3236

          C:\Windows\SysWOW64\WerFault.exe
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1608
            - Program crash
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious behavior: EnumeratesProcesses
            PID: 648

    C:\Windows\SysWOW64\PING.EXE
      command line: ping 127.0.0.1 -n 3
      - Runs ping.exe
      PID: 3348