Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 11:49

Tasks:
- Static task: static1
- Behavioral task: behavioral1 (sample: Confirmation Copy 11.exe, resource: win7)
- Behavioral task: behavioral2 (sample: Confirmation Copy 11.exe, resource: win10v200722)
General
- Target: Confirmation Copy 11.exe
- Size: 520KB
- MD5: 9d317210a5afb36bb85856718b96e1ef
- SHA1: e5cf4b696cb785b825322f84cf66c299c27f4068
- SHA256: 2ad4a02a1f907b8036b9bea0fd940bfb47435964b23ffae577080823c86500dd
- SHA512: 5d67f53a63d1cd20af6073b16dff41d41922a0b680c041d52364c08528280a399851612cfb7190f96e5788e94eec7d967e53bb4643db06cc475f380a8e02deba
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses (23 IoCs)
Processes (pid | process; repeated rows collapsed with a count):
- 896 | Confirmation Copy 11.exe (2 entries)
- 1076 | Confirmation Copy 11.exe (2 entries)
- 1664 | svchost.exe (19 entries)
-
Suspicious use of SetThreadContext (3 IoCs)
Processes (description | pid | process | target process):
- PID 896 set thread context of 1076 | 896 | Confirmation Copy 11.exe | Confirmation Copy 11.exe
- PID 1076 set thread context of 1276 | 1076 | Confirmation Copy 11.exe | Explorer.EXE
- PID 1664 set thread context of 1276 | 1664 | svchost.exe | Explorer.EXE
-
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes (pid | process; repeated rows collapsed with a count):
- 1076 | Confirmation Copy 11.exe (3 entries)
- 1664 | svchost.exe (4 entries)
-
Drops file in Program Files directory (1 IoC)
Processes (description | ioc | process):
- File opened for modification | C:\Program Files (x86)\Nohld5z\regsvczt80d.exe | svchost.exe
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes (description | pid | process):
- Token: SeDebugPrivilege | 896 | Confirmation Copy 11.exe
- Token: SeDebugPrivilege | 1076 | Confirmation Copy 11.exe
- Token: SeDebugPrivilege | 1664 | svchost.exe
-
Deletes itself (1 IoC)
Processes (pid | process):
- 1848 | cmd.exe
-
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes (pid | process; repeated rows collapsed with a count):
- 1276 | Explorer.EXE (5 entries)
-
Suspicious use of SendNotifyMessage (4 IoCs)
Processes (pid | process; repeated rows collapsed with a count):
- 1276 | Explorer.EXE (4 entries)
-
Formbook Payload (4 IoCs)
Matches (resource | yara_rule):
- behavioral1/memory/1076-3-0x0000000000400000-0x000000000042D000-memory.dmp | formbook (2 entries)
- behavioral1/memory/1076-4-0x000000000041E350-mapping.dmp | formbook
- behavioral1/memory/1664-5-0x0000000000000000-mapping.dmp | formbook
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description | ioc | process):
- Key created | \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | svchost.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AJLHZLEH = "C:\\Program Files (x86)\\Nohld5z\\regsvczt80d.exe" | svchost.exe
-
Modifies Internet Explorer settings
Processes (description | ioc | process):
- Key created | \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | svchost.exe
-
Suspicious use of WriteProcessMemory (20 IoCs)
Processes (description | pid | process | target process; repeated rows collapsed with a count):
- PID 896 wrote to memory of 1076 | 896 | Confirmation Copy 11.exe | Confirmation Copy 11.exe (7 entries)
- PID 1276 wrote to memory of 1664 | 1276 | Explorer.EXE | svchost.exe (4 entries)
- PID 1664 wrote to memory of 1848 | 1664 | svchost.exe | cmd.exe (4 entries)
- PID 1664 wrote to memory of 1608 | 1664 | svchost.exe | Firefox.exe (5 entries)
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks whether UAC is enabled
Processes (description | ioc | process):
- Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE
Processes
-
C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Checks whether UAC is enabled

  C:\Users\Admin\AppData\Local\Temp\Confirmation Copy 11.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Confirmation Copy 11.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Confirmation Copy 11.exe (depth 3)
      command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe (depth 2)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Adds Run key to start application
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Confirmation Copy 11.exe"
      - Deletes itself

    C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\4L7-RCTU\4L7logim.jpeg
- C:\Users\Admin\AppData\Roaming\4L7-RCTU\4L7logrf.ini
- C:\Users\Admin\AppData\Roaming\4L7-RCTU\4L7logri.ini
- C:\Users\Admin\AppData\Roaming\4L7-RCTU\4L7logrv.ini
- memory/896-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1076-3-0x0000000000400000-0x000000000042D000-memory.dmp (filesize 180KB)
- memory/1076-4-0x000000000041E350-mapping.dmp
- memory/1608-11-0x000000013FA70000-0x000000013FB03000-memory.dmp (filesize 588KB)
- memory/1608-10-0x0000000000000000-mapping.dmp
- memory/1664-5-0x0000000000000000-mapping.dmp
- memory/1664-9-0x0000000003860000-0x00000000039C5000-memory.dmp (filesize 1.4MB)
- memory/1664-8-0x00000000006D0000-0x0000000000846000-memory.dmp (filesize 1.5MB)
- memory/1664-6-0x00000000006C0000-0x00000000006C8000-memory.dmp (filesize 32KB)
- memory/1848-7-0x0000000000000000-mapping.dmp