Analysis
- max time kernel: 140s
- max time network: 153s
- platform: windows10_x64
- resource: win10v200722
- submitted: 28-08-2020 13:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb.exe
- Resource: win7 (windows7_x64), 0 signatures, 0 seconds
General
- Target: b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb.exe
- Size: 5.3MB
- MD5: 5308aacaa532afd76767bb6dbece3d10
- SHA1: 31588d24439c386740830ee4d32f9d389bcf6999
- SHA256: b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb
- SHA512: 0aaaa0862d9b15b9ad423bde6f5edf95f1309924d0645305739004f072a3c2eba6cc66af1892a29af8b8c16424e89ab166b5f23860592f8d72726fe2883e45ee
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid   Process
  2380  frame.exe
  2768  lphsi.exe
  3424  hrss.exe

Drops startup file (1 IoC)
  description   ioc   Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\script.lnk  hrss.exe

Drops file in Windows directory (1 IoC)
  description                   ioc   Process
  File opened for modification  C:\Windows\ServiceProfiles\LocalService\winhttp\cachev3.dat  svchost.exe

Modifies data under HKEY_USERS (5 IoCs)
  description       ioc   Process
  Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  svchost.exe
  Key created       \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7  svchost.exe
  Set value (int)   \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionReason = "1"  svchost.exe
  Set value (data)  \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecisionTime = 39f23a1b4d7dd601  svchost.exe
  Set value (int)   \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3e-6f-2c-c8-c7\WpadDecision = "0"  svchost.exe

Modifies registry class (1 IoC)
  description  ioc   Process
  Key created  \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000_Classes\Local Settings  b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  2468  vlc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  2468  vlc.exe

Suspicious use of AdjustPrivilegeToken (6 IoCs)
  description                        pid   Process
  Token: SeShutdownPrivilege         1892  svchost.exe
  Token: SeCreatePagefilePrivilege   1892  svchost.exe
  Token: 33                          3568  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  3568  AUDIODG.EXE
  Token: 33                          2468  vlc.exe
  Token: SeIncBasePriorityPrivilege  2468  vlc.exe

Suspicious use of FindShellTrayWindow (28 IoCs)
  pid   Process
  2468  vlc.exe  (28 identical entries)

Suspicious use of SendNotifyMessage (9 IoCs)
  pid   Process
  2468  vlc.exe  (9 identical entries)

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid   Process
  2468  vlc.exe  (4 identical entries)

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process   procid_target
  PID 3816 wrote to memory of 2380  3816  b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb.exe  72  (3 identical entries)
  PID 3816 wrote to memory of 2468  3816  b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb.exe  73  (2 identical entries)
  PID 2380 wrote to memory of 2768  2380  frame.exe  74  (3 identical entries)
  PID 2380 wrote to memory of 3424  2380  frame.exe  75  (3 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb.exe  (PID 3816, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\b7f8233dafab45e3abbbb4f3cc76e6860fae8d5337fb0b750ea20058b56b0efb.exe"
  signatures: Modifies registry class; Suspicious use of WriteProcessMemory

  - C:\Users\Public\Video\frame.exe  (PID 2380, depth 2)
    command line: "C:\Users\Public\Video\frame.exe"
    signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory

    - C:\Users\Public\Video\lphsi.exe  (PID 2768, depth 3)
      command line: "C:\Users\Public\Video\lphsi.exe"
      signatures: Executes dropped EXE

    - C:\Users\Public\Video\hrss.exe  (PID 3424, depth 3)
      command line: "C:\Users\Public\Video\hrss.exe"
      signatures: Executes dropped EXE; Drops startup file

  - C:\Program Files\VideoLAN\VLC\vlc.exe  (PID 2468, depth 2)
    command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Public\Video\movie.mp4"
    signatures: Suspicious behavior: AddClipboardFormatListener; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of SetWindowsHookEx

- C:\Windows\system32\svchost.exe  (PID 1892, depth 1)
  command line: C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
  signatures: Drops file in Windows directory; Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\AUDIODG.EXE  (PID 3568, depth 1)
  command line: C:\Windows\system32\AUDIODG.EXE 0x390
  signatures: Suspicious use of AdjustPrivilegeToken