Overview

overview

9

Static

static

hl3x.bin.exe

windows7_x64

7

hl3x.bin.exe

windows10_x64

9

Analysis

  • max time kernel
    92s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-11-2020 04:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hl3x.bin.exe

  • Size

    1.1MB

  • MD5

    aa353bc3e7a9c6551c630970bd539d7f

  • SHA1

    5466e81368431cc7d95d0e61ccad0532a7850a4b

  • SHA256

    98527afb21c16cf3c62da74174d10c01f49070772bf8108ecae708b2420a53f9

  • SHA512

    6bf7b873e9ed3acb6ea6f7782a67c549dadea0c33186767dd322818852193111a1f27a19dfd5c639f6c01bc73c9099d8327edd808d9c0509dd8ce91493c32349

Score
9/10
spyware

Malware Config

Signatures

  • ServiceHost packer 12 IoCs

    Detects ServiceHost packer used for .NET malware

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe"
      2⤵
        PID:3288
      • C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe"
        2⤵
          PID:3384
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1576
            3⤵
            • Program crash
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3452

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/3384-11-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-16-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-12-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-20-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-5-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

        Download
      • memory/3384-6-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-7-0x0000000000400000-0x0000000000430000-memory.dmp
        Filesize

        192KB

        Download
      • memory/3384-21-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-13-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-10-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-19-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-18-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-17-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-14-0x0000000000416223-mapping.dmp
        Download
      • memory/3384-15-0x0000000000416223-mapping.dmp
        Download
      • memory/3452-9-0x0000000004830000-0x0000000004831000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3452-22-0x0000000004F00000-0x0000000004F01000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3452-8-0x0000000004830000-0x0000000004831000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4760-1-0x00000000005A0000-0x00000000005A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4760-3-0x0000000005090000-0x00000000050BC000-memory.dmp
        Filesize

        176KB

        Download
      • memory/4760-4-0x00000000050C0000-0x00000000050CC000-memory.dmp
        Filesize

        48KB

        Download
      • memory/4760-0-0x0000000073370000-0x0000000073A5E000-memory.dmp
        Filesize

        6.9MB

        Download