Analysis

  • max time kernel
    74s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    14/07/2020, 18:23

General

  • Target

    L3PRj.dat.exe

  • Size

    836KB

  • MD5

    3c0d0301f6db7f6aee371c163349838c

  • SHA1

    1d0bd91e8fc2e6fb8bdefde8a315193d3d6b03e5

  • SHA256

    ce2644d2d9973ab0a3004942cef2d74d210882bea29d8b698c7af02d308b289e

  • SHA512

    ddc3a72b0fd14956ba7e37c67e632669768b22ed946af65cbe9647f67f3b48f4c795ec5dd5c7bf4cdb180abd41d20d2a6ccc8aa38d7680c1af3c93c9ce4abbfb

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Program crash 1 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\L3PRj.dat.exe
    "C:\Users\Admin\AppData\Local\Temp\L3PRj.dat.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Adds Run key to start application
    PID:1588
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c <nul set /p ="M" > SearchIndexer.com & type RSAzhE.com >> SearchIndexer.com & del RSAzhE.com & certutil -decode TLW.com A & SearchIndexer.com A & ping 127.0.0.1 -n 3
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3992
      • C:\Windows\SysWOW64\certutil.exe
        certutil -decode TLW.com A
        3⤵
          PID:3792
        • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com
          SearchIndexer.com A
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          • Suspicious use of SendNotifyMessage
          • Suspicious use of FindShellTrayWindow
          PID:3776
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SearchIndexer.com A
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            • Suspicious use of SendNotifyMessage
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetThreadContext
            PID:3836
            • C:\Windows\SysWOW64\attrib.exe
              "C:\Windows\SysWOW64\attrib.exe"
              5⤵
              • Views/modifies file attributes
              PID:3236
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3236 -s 1608
                6⤵
                • Program crash
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious behavior: EnumeratesProcesses
                PID:648
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 3
          3⤵
          • Runs ping.exe
          PID:3348

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/648-30-0x0000000005140000-0x0000000005141000-memory.dmp

            Filesize

            4KB

          • memory/648-19-0x0000000004910000-0x0000000004911000-memory.dmp

            Filesize

            4KB

          • memory/3236-12-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB

          • memory/3236-14-0x0000000000400000-0x0000000000440000-memory.dmp

            Filesize

            256KB