Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 10:24
Behavioral task: behavioral1
- Sample: qkuriw.jpg.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: qkuriw.jpg.exe
- Size: 182KB
- MD5: 7af33570ec886974f5513b46e999b988
- SHA1: 6b9e35f3131fdc4bd8ea66cd44303cb1004b2019
- SHA256: da4647425789cc5a32d2719815367c8c21d2279a77a3179e609e1db9844ef15a
- SHA512: 2c8cd12d2ed3f0e62358e696115d6422fa808c89dee0b9d0f157b54806d4796f84d7a7b0208a6c295cf368d777d2ad83a9908d2137842c749d6807bc926265d7
Malware Config
Signatures

Suspicious use of SendNotifyMessage (1 IoC)
Processes:
- pid 2988 Explorer.EXE

Formbook Payload (1 IoC)
Processes:
- resource behavioral2/memory/3940-1-0x0000000000000000-mapping.dmp matched yara_rule formbook

Modifies Internet Explorer settings
Processes:
- mstsc.exe: Key created \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2

Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes:
- pid 3612 qkuriw.jpg.exe (6 hits)
- pid 3940 mstsc.exe (52 hits)

Suspicious behavior: MapViewOfSection (8 IoCs)
Processes:
- pid 3612 qkuriw.jpg.exe (4 hits)
- pid 3940 mstsc.exe (4 hits)

Suspicious use of WriteProcessMemory (9 IoCs)
Processes (source pid -> target pid):
- PID 2988 Explorer.EXE wrote to memory of 3940 mstsc.exe (3 hits)
- PID 3940 mstsc.exe wrote to memory of 3896 cmd.exe (3 hits)
- PID 3940 mstsc.exe wrote to memory of 3760 Firefox.exe (3 hits)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
- pid 2988 Explorer.EXE

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 3612 qkuriw.jpg.exe (1 hit)
- Token: SeShutdownPrivilege, pid 2988 Explorer.EXE (5 hits)
- Token: SeCreatePagefilePrivilege, pid 2988 Explorer.EXE (5 hits)
- Token: SeDebugPrivilege, pid 3940 mstsc.exe (1 hit)

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 3612 qkuriw.jpg.exe set thread context of 2988 Explorer.EXE (2 hits)
- PID 3940 mstsc.exe set thread context of 2988 Explorer.EXE (1 hit)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Windows\Explorer.EXE (depth 1), command line: C:\Windows\Explorer.EXE
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\qkuriw.jpg.exe (depth 2), command line: "C:\Users\Admin\AppData\Local\Temp\qkuriw.jpg.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\mstsc.exe (depth 2), command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - C:\Windows\SysWOW64\cmd.exe (depth 3), command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    - C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
- C:\Users\Admin\AppData\Roaming\419RB7D7\419logim.jpeg
- C:\Users\Admin\AppData\Roaming\419RB7D7\419logrf.ini
- C:\Users\Admin\AppData\Roaming\419RB7D7\419logrg.ini
- C:\Users\Admin\AppData\Roaming\419RB7D7\419logri.ini
- C:\Users\Admin\AppData\Roaming\419RB7D7\419logrv.ini
- memory/2988-6-0x00000000053F0000-0x0000000005569000-memory.dmp (Filesize 1.5MB)
- memory/3760-8-0x0000000000000000-mapping.dmp
- memory/3760-9-0x00007FF617570000-0x00007FF617603000-memory.dmp (Filesize 588KB)
- memory/3760-10-0x00007FF617570000-0x00007FF617603000-memory.dmp (Filesize 588KB)
- memory/3760-11-0x00007FF617570000-0x00007FF617603000-memory.dmp (Filesize 588KB)
- memory/3896-4-0x0000000000000000-mapping.dmp
- memory/3940-7-0x0000000006470000-0x0000000006506000-memory.dmp (Filesize 600KB)
- memory/3940-1-0x0000000000000000-mapping.dmp
- memory/3940-3-0x00000000013C0000-0x00000000016BC000-memory.dmp (Filesize 3.0MB)
- memory/3940-2-0x00000000013C0000-0x00000000016BC000-memory.dmp (Filesize 3.0MB)