Analysis
- max time kernel: 92s
- max time network: 119s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-11-2020 04:07

Static task: static1

Behavioral task: behavioral1
- Sample: hl3x.bin.exe
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: hl3x.bin.exe
- Resource: win10v20201028 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: hl3x.bin.exe
- Size: 1.1MB
- MD5: aa353bc3e7a9c6551c630970bd539d7f
- SHA1: 5466e81368431cc7d95d0e61ccad0532a7850a4b
- SHA256: 98527afb21c16cf3c62da74174d10c01f49070772bf8108ecae708b2420a53f9
- SHA512: 6bf7b873e9ed3acb6ea6f7782a67c549dadea0c33186767dd322818852193111a1f27a19dfd5c639f6c01bc73c9099d8327edd808d9c0509dd8ce91493c32349
- Score: 9/10
Malware Config
Signatures

- ServiceHost packer (12 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes:
    resource                                                    yara_rule
    behavioral2/memory/3384-10-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-11-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-12-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-13-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-14-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-15-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-17-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-16-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-18-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-19-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-21-0x0000000000416223-mapping.dmp   servicehost
    behavioral2/memory/3384-20-0x0000000000416223-mapping.dmp   servicehost

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of SetThreadContext (1 IoC)
  Processes: hl3x.bin.exe
    description                           pid    process        target process
    PID 4760 set thread context of 3384   4760   hl3x.bin.exe   hl3x.bin.exe

- Program crash (1 IoC)
  Processes: WerFault.exe
    pid    pid_target   process        target process
    3452   3384         WerFault.exe   hl3x.bin.exe

- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: hl3x.bin.exe, WerFault.exe
    pid    process
    4760   hl3x.bin.exe
    4760   hl3x.bin.exe
    3452   WerFault.exe   (14 identical entries)

- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: hl3x.bin.exe, WerFault.exe
    description                 pid    process
    Token: SeDebugPrivilege     4760   hl3x.bin.exe
    Token: SeRestorePrivilege   3452   WerFault.exe
    Token: SeBackupPrivilege    3452   WerFault.exe
    Token: SeDebugPrivilege     3452   WerFault.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: hl3x.bin.exe
    description                        pid    process        target process
    PID 4760 wrote to memory of 3288   4760   hl3x.bin.exe   hl3x.bin.exe   (3 identical entries)
    PID 4760 wrote to memory of 3384   4760   hl3x.bin.exe   hl3x.bin.exe   (9 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe"
   PID: 4760
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe"
      PID: 3288

   2. C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\hl3x.bin.exe"
      PID: 3384

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3384 -s 1576
         PID: 3452
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- memory/3384-11-0x0000000000416223-mapping.dmp
- memory/3384-16-0x0000000000416223-mapping.dmp
- memory/3384-12-0x0000000000416223-mapping.dmp
- memory/3384-20-0x0000000000416223-mapping.dmp
- memory/3384-5-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3384-6-0x0000000000416223-mapping.dmp
- memory/3384-7-0x0000000000400000-0x0000000000430000-memory.dmp (Filesize: 192KB)
- memory/3384-21-0x0000000000416223-mapping.dmp
- memory/3384-13-0x0000000000416223-mapping.dmp
- memory/3384-10-0x0000000000416223-mapping.dmp
- memory/3384-19-0x0000000000416223-mapping.dmp
- memory/3384-18-0x0000000000416223-mapping.dmp
- memory/3384-17-0x0000000000416223-mapping.dmp
- memory/3384-14-0x0000000000416223-mapping.dmp
- memory/3384-15-0x0000000000416223-mapping.dmp
- memory/3452-9-0x0000000004830000-0x0000000004831000-memory.dmp (Filesize: 4KB)
- memory/3452-22-0x0000000004F00000-0x0000000004F01000-memory.dmp (Filesize: 4KB)
- memory/3452-8-0x0000000004830000-0x0000000004831000-memory.dmp (Filesize: 4KB)
- memory/4760-1-0x00000000005A0000-0x00000000005A1000-memory.dmp (Filesize: 4KB)
- memory/4760-3-0x0000000005090000-0x00000000050BC000-memory.dmp (Filesize: 176KB)
- memory/4760-4-0x00000000050C0000-0x00000000050CC000-memory.dmp (Filesize: 48KB)
- memory/4760-0-0x0000000073370000-0x0000000073A5E000-memory.dmp (Filesize: 6.9MB)