Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7
submitted: 31-07-2020 13:42
Static task: static1
Behavioral task: behavioral1
  Sample: shipping document INV+PL.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: shipping document INV+PL.exe
  Resource: win10
General
Target: shipping document INV+PL.exe
Size: 414KB
MD5: ca4fbf42b3da386f10f5c82afe65a0bf
SHA1: 8fd29038564832e3f356db1a7d6cf3464c3e07cc
SHA256: ce4764b6234abdbe6f67d1f7c8a54fc7908208a2aec45b6135407cf2e87e67c2
SHA512: 7b9d3b52811b870862f708577ecf1301634d15c43e23d205be13f57891504b0fc5b2bc10d207afeb9e9c0f035b04f6eab7d2252e6009d28ca51f23bc69ff588f
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
  - PID 1108 shipping document INV+PL.exe (3 entries)
  - PID 1620 shipping document INV+PL.exe (2 entries)
  - PID 388 netsh.exe (19 entries)
Suspicious use of SetThreadContext 3 IoCs
Processes:
  - PID 1108 (shipping document INV+PL.exe) set thread context of PID 1620 (shipping document INV+PL.exe)
  - PID 1620 (shipping document INV+PL.exe) set thread context of PID 1284 (Explorer.EXE)
  - PID 388 (netsh.exe) set thread context of PID 1284 (Explorer.EXE)
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
  - PID 1284 Explorer.EXE (4 entries)
Drops file in Program Files directory 1 IoCs
Processes:
  - File opened for modification: C:\Program Files (x86)\Cabc\gdijlzx.exe (netsh.exe)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  - Token: SeDebugPrivilege, PID 1108 shipping document INV+PL.exe
  - Token: SeDebugPrivilege, PID 1620 shipping document INV+PL.exe
  - Token: SeDebugPrivilege, PID 388 netsh.exe
  - Token: SeShutdownPrivilege, PID 1284 Explorer.EXE
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
  - PID 1284 Explorer.EXE (5 entries)
Deletes itself 1 IoCs
Processes:
  - PID 1044 cmd.exe
Modifies Internet Explorer settings
Processes:
  - Key created: \Registry\User\S-1-5-21-1131729243-447456001-3632642222-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (netsh.exe)
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
  - PID 1108 (shipping document INV+PL.exe) wrote to memory of PID 1620 (shipping document INV+PL.exe) (7 entries)
  - PID 1284 (Explorer.EXE) wrote to memory of PID 388 (netsh.exe) (4 entries)
  - PID 388 (netsh.exe) wrote to memory of PID 1044 (cmd.exe) (4 entries)
  - PID 388 (netsh.exe) wrote to memory of PID 1940 (Firefox.exe) (5 entries)
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  - PID 1620 shipping document INV+PL.exe (3 entries)
  - PID 388 netsh.exe (4 entries)
Formbook Payload 4 IoCs
Processes (resource: yara_rule):
  - behavioral1/memory/1620-2-0x0000000000400000-0x000000000042E000-memory.dmp: formbook (2 entries)
  - behavioral1/memory/1620-3-0x000000000041ED40-mapping.dmp: formbook
  - behavioral1/memory/388-4-0x0000000000000000-mapping.dmp: formbook
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
  - Key created: \Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run (netsh.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\XZWT4RBPT = "C:\\Program Files (x86)\\Cabc\\gdijlzx.exe" (netsh.exe)
Checks whether UAC is enabled
Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Explorer.EXE)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of SendNotifyMessage
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Checks whether UAC is enabled
  C:\Users\Admin\AppData\Local\Temp\shipping document INV+PL.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\shipping document INV+PL.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\shipping document INV+PL.exe
      command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Adds Run key to start application
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\shipping document INV+PL.exe"
      - Deletes itself
    C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\6N481R46\6N4logim.jpeg
- C:\Users\Admin\AppData\Roaming\6N481R46\6N4logrf.ini
- C:\Users\Admin\AppData\Roaming\6N481R46\6N4logri.ini
- C:\Users\Admin\AppData\Roaming\6N481R46\6N4logrv.ini
- memory/388-7-0x0000000003120000-0x0000000003294000-memory.dmp (Filesize 1.5MB)
- memory/388-8-0x0000000075DC0000-0x0000000075DCC000-memory.dmp (Filesize 48KB)
- memory/388-9-0x00000000754C0000-0x00000000755DD000-memory.dmp (Filesize 1.1MB)
- memory/388-5-0x0000000001330000-0x000000000134B000-memory.dmp (Filesize 108KB)
- memory/388-4-0x0000000000000000-mapping.dmp
- memory/1044-6-0x0000000000000000-mapping.dmp
- memory/1108-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1620-3-0x000000000041ED40-mapping.dmp
- memory/1620-2-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/1940-10-0x0000000000000000-mapping.dmp
- memory/1940-11-0x000000013F6F0000-0x000000013F783000-memory.dmp (Filesize 588KB)