Analysis

  • max time kernel
    146s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    15-07-2020 13:44

General

  • Target

    MT103 PAYMENT COPY_PDF.exe

  • Size

    369KB

  • MD5

    20a2543a7a37a75b93924dd83c03743d

  • SHA1

    dacf53a9ae5c29a1d33fb2bf064ede984a0ad379

  • SHA256

    8c55df1fdc1ac49e2c0a3b5b77bd044d842d2f6e38bd5f782d93853a560140fb

  • SHA512

    3c49d4b09b5510e9a2ea24e75c9bf694a006cd31b9d06546aa08ac369cb8464916c40c7d0db566ef82d4b147e265582f5d081c26f3b6ad9e99f6c792c9be0d10

Malware Config

Signatures

  • Loads dropped DLL 1 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • System policy modification 1 TTPs 1 IoCs
  • Adds policy Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.

  • Suspicious use of WriteProcessMemory 23 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Checks whether UAC is enabled
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        PID:1752
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1872
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1864
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1888
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1880
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1896
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1912
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1908
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1928
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1920
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
      PID:1944
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • System policy modification
      • Adds policy Run key to start application
      • Suspicious use of AdjustPrivilegeToken
      • Modifies Internet Explorer settings
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: MapViewOfSection
      PID:1936
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe"
        3⤵
        PID:1952
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:1020
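The tree above is the whole story of the run: the sample starts a second copy of itself and, having used SetThreadContext and WriteProcessMemory, replaces that copy's code; ten argument-less autoconv.exe launches follow, then cmstp.exe, a signed Windows binary, starts showing the same injection primitives, sets the policy Run key, deletes the original file through cmd.exe and launches Firefox. The following is an added example (not part of this report and not the sandbox's own detection engine) that encodes those process records as data and correlates them into findings. PROCS is transcribed from the tree on this page; the rule names, the burst threshold and the browser list are the example's own assumptions.

```python
"""Correlate a sandbox process tree into injection and evasion findings.

Added example; not part of this report or of the sandbox's detection engine.
PROCS is constructed by hand from the process tree above (PIDs, parent PIDs,
image paths, command lines and per-process signature tags). Rule names, the
burst threshold and the browser list are this example's own assumptions.
"""
import ntpath
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BROWSERS = {"firefox.exe", "chrome.exe", "iexplore.exe", "msedge.exe"}  # assumed list
INJECT_APIS = {"SetThreadContext", "WriteProcessMemory", "MapViewOfSection"}
BURST_THRESHOLD = 3  # assumed: argument-less launches of one system binary per parent
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sigs: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe"
AUTOCONV = r"C:\Windows\SysWOW64\autoconv.exe"

# Constructed from the report's process tree (signature tags abbreviated).
PROCS: List[Proc] = [
    Proc(1212, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
         frozenset({"FindShellTrayWindow", "AdjustPrivilegeToken", "WriteProcessMemory"})),
    Proc(1516, 1212, SAMPLE, f'"{SAMPLE}"',
         frozenset({"LoadsDroppedDLL", "EnumeratesProcesses",
                    "SetThreadContext", "WriteProcessMemory"})),
    Proc(1752, 1516, SAMPLE, f'"{SAMPLE}"',
         frozenset({"ExecutesDroppedEXE", "EnumeratesProcesses",
                    "SetThreadContext", "MapViewOfSection"})),
    *[Proc(pid, 1212, AUTOCONV, f'"{AUTOCONV}"')
      for pid in (1872, 1864, 1888, 1880, 1896, 1912, 1908, 1928, 1920, 1944)],
    Proc(1936, 1212, r"C:\Windows\SysWOW64\cmstp.exe", r'"C:\Windows\SysWOW64\cmstp.exe"',
         frozenset({"SystemPolicyModification", "AddsPolicyRunKey", "ModifiesIESettings",
                    "DropsFileInProgramFiles", "EnumeratesProcesses",
                    "SetThreadContext", "WriteProcessMemory", "MapViewOfSection"})),
    Proc(1952, 1936, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
    Proc(1020, 1936, r"C:\Program Files\Mozilla Firefox\Firefox.exe",
         r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'),
]


def is_system_binary(image: str) -> bool:
    return image.lower().startswith(SYSTEM_DIRS)


def has_arguments(proc: Proc) -> bool:
    """True if anything follows the (optionally quoted) image path on the command line."""
    cmd = proc.cmdline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return end != -1 and cmd[end + 1:].strip() != ""
    return len(cmd.split()) > 1


def analyze(procs: List[Proc]) -> List[Finding]:
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    findings: List[Finding] = []

    for p in procs:
        base = ntpath.basename(p.image).lower()
        # A parent that used SetThreadContext + WriteProcessMemory and launched its own
        # image again: the child's memory and entry point were replaced (self-hollowing).
        if {"SetThreadContext", "WriteProcessMemory"} <= p.sigs:
            for c in children[p.pid]:
                if c.image.lower() == p.image.lower():
                    findings.append(Finding("self_hollowing", c.pid,
                                            f"{base} re-launched by PID {p.pid}, which set its thread context"))
        # System-directory binaries do not normally map sections into or write other processes.
        if is_system_binary(p.image) and p.sigs & INJECT_APIS:
            findings.append(Finding("system_binary_injects", p.pid,
                                    f"{base} used {', '.join(sorted(p.sigs & INJECT_APIS))}"))
        # cmd.exe /c del whose target is the image of another process in the tree:
        # the running code removed the file it was launched from.
        m = DEL_RE.search(p.cmdline) if base == "cmd.exe" else None
        if m:
            target = m.group(1).strip().lower()
            victims = [q.pid for q in procs if q.image.lower() == target]
            if victims:
                findings.append(Finding("self_delete", p.pid, f"deletes image of PIDs {victims}"))
        # A browser started by a system binary rather than by the user's shell.
        parent = by_pid.get(p.ppid)
        if parent and base in BROWSERS and is_system_binary(parent.image):
            findings.append(Finding("browser_from_system_binary", p.pid,
                                    f"{base} spawned by {ntpath.basename(parent.image)} (PID {parent.pid})"))

    # Repeated argument-less launches of one system binary under a single parent.
    bursts = Counter((p.ppid, p.image.lower())
                     for p in procs if is_system_binary(p.image) and not has_arguments(p))
    for (ppid, image), n in bursts.items():
        if n >= BURST_THRESHOLD:
            findings.append(Finding("system_binary_burst", ppid,
                                    f"{ntpath.basename(image)} launched {n} times without arguments"))
    return findings


if __name__ == "__main__":
    for f in analyze(PROCS):
        print(f"{f.rule:28} pid={f.pid:<5} {f.detail}")
```

Run against the constructed records it yields five findings, one per behaviour listed in the lead-in. The same rules apply unchanged to Sysmon event ID 1 or EDR process-creation telemetry once the signature tags are replaced by the equivalent API-monitor or ETW observations; the tree structure, the command lines and the system-directory check are all available there.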

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1 signature)
  • Defense Evasion: Modify Registry, T1112 (3 signatures)
  • Credential Access: Credentials in Files, T1081 (1 signature)
  • Discovery: System Information Discovery, T1082 (1 signature)
  • Collection: Data from Local System, T1005 (1 signature)
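The T1060 mapping above comes from the "Adds policy Run key to start application" signature: HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run is honoured by Explorer at logon like the ordinary Run key but is intended for Group Policy, so on a host that is not GPO-managed it should be empty, and many triage checklists overlook it. The following is an added example (not part of this report) that parses a regedit export and flags ordinary and policy autostart entries plus Policies\System values. The .reg excerpt is constructed for illustration; the value names and paths in it are placeholders, not the ones this sample wrote (the report does not list them), and the input is assumed to be already decoded to text.

```python
"""Flag autostart and policy entries in a Windows .reg export.

Added example; not part of this report. SAMPLE_REG is constructed for
illustration: its value names and paths are placeholders, not the ones this
sample wrote. Input is assumed to be decoded to str already (regedit exports
are UTF-16 LE with a BOM).
"""
import re
from typing import List, Tuple, Union

AUTOSTART_SUFFIXES = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
    "\\software\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
POLICY_RUN = "\\policies\\explorer\\run"
POLICY_SYSTEM = "\\software\\microsoft\\windows\\currentversion\\policies\\system"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
VALUE_RE = re.compile(r'^(?:(@)|"((?:[^"\\]|\\.)*)")=(.*)$')

Entry = Tuple[str, str, Union[str, int]]          # (key, value name, decoded data)
Finding = Tuple[str, str, str, Tuple[str, ...]]   # (key, name, severity, reasons)

# Constructed sample export; names and paths are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Example"="C:\\Users\\Admin\\AppData\\Roaming\\Example\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"""


def unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)   # .reg strings escape \ as \\ and " as \"


def decode_value(raw: str) -> Union[str, int]:
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) binary blobs are kept verbatim


def parse_reg(text: str) -> List[Entry]:
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            key = line[1:-1]               # a leading '-' here would mean "delete key"
            continue
        m = VALUE_RE.match(line)
        if key is None or m is None:
            continue                       # hex continuation lines are not handled here
        name = "@" if m.group(1) else unescape(m.group(2))
        entries.append((key, name, decode_value(m.group(3))))
    return entries


def exe_path(cmd: str) -> str:
    """Executable part of a command line: quoted path, else the first token."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd.strip())
    return (m.group(1) or m.group(2) or "") if m else ""


def assess(entries: List[Entry]) -> List[Finding]:
    findings: List[Finding] = []
    for key, name, data in entries:
        k = key.lower().replace("\\wow6432node", "")
        reasons: List[str] = []
        if k.endswith(AUTOSTART_SUFFIXES):
            reasons.append("autostart entry")
            if POLICY_RUN in k:
                reasons.append("policy Run key (rarely used by legitimate software)")
            path = exe_path(data).lower() if isinstance(data, str) else ""
            if any(d in path for d in USER_WRITABLE):
                reasons.append("launches from user-writable location")
            severity = "high" if len(reasons) > 1 else "low"
        elif k.endswith(POLICY_SYSTEM):
            reasons.append("system policy value set")
            severity = "medium"
        else:
            continue
        findings.append((key, name, severity, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for key, name, severity, reasons in assess(parse_reg(SAMPLE_REG)):
        print(f"[{severity:6}] {key}\\{name}: {'; '.join(reasons)}")
```

On a live host the same checks run over `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies out.reg` (and the HKLM counterpart); an unquoted path containing spaces is truncated at the first space by exe_path, which is a known limitation worth keeping in mind when the entry is being judged by its directory.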


Downloads

  • C:\Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe
  • C:\Users\Admin\AppData\Roaming\4L946DRT\4L9logim.jpeg
  • C:\Users\Admin\AppData\Roaming\4L946DRT\4L9logrf.ini
  • C:\Users\Admin\AppData\Roaming\4L946DRT\4L9logri.ini
  • C:\Users\Admin\AppData\Roaming\4L946DRT\4L9logrv.ini
  • \Users\Admin\AppData\Local\Temp\MT103 PAYMENT COPY_PDF.exe
  • memory/1020-11-0x0000000000000000-mapping.dmp
  • memory/1020-12-0x000000013F290000-0x000000013F323000-memory.dmp
    Filesize 588KB
  • memory/1752-1-0x0000000000400000-0x000000000042D000-memory.dmp
    Filesize 180KB
  • memory/1752-2-0x000000000041E2D0-mapping.dmp
  • memory/1936-4-0x0000000000000000-mapping.dmp
  • memory/1936-10-0x0000000003240000-0x000000000330E000-memory.dmp
    Filesize 824KB
  • memory/1936-9-0x0000000076A70000-0x0000000076B8D000-memory.dmp
    Filesize 1.1MB
  • memory/1936-8-0x0000000077030000-0x000000007703C000-memory.dmp
    Filesize 48KB
  • memory/1936-7-0x0000000003010000-0x0000000003148000-memory.dmp
    Filesize 1.2MB
  • memory/1936-5-0x0000000000E20000-0x0000000000E38000-memory.dmp
    Filesize 96KB
  • memory/1952-6-0x0000000000000000-mapping.dmp