Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1747s -
max time network
1762s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 13:42
General
-
Target
api.exe
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 1 IoCs
-
Sets service image path in registry 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in Windows directory 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\api.exe"C:\Users\Admin\AppData\Local\Temp\api.exe"1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Modifies system certificate store
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://adlice.com/thanks-downloading-diag/?utm_campaign=diag&utm_source=soft&utm_medium=btn"2⤵
-
C:\Windows\SysWOW64\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://adflux.adlice.com/api.php?action=adclicked&id=1&token=067158767e2655e9c5e298626d209619&lang=en"2⤵
-
C:\Windows\SysWOW64\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://adflux.adlice.com/api.php?action=adclicked&id=1&token=067158767e2655e9c5e298626d209619&lang=en"2⤵
-
C:\Windows\SysWOW64\LaunchWinApp.exe"C:\Windows\system32\LaunchWinApp.exe" "https://adflux.adlice.com/api.php?action=adclicked&id=1&token=067158767e2655e9c5e298626d209619&lang=en"2⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3f01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x44c1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x44c1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2CQ9LSBJ\gtm-e15279a7503452dff88ad4d180b48788[1].js
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2CQ9LSBJ\jquery[1].js
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5RUQT92E\css[1].css
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5RUQT92E\lazyload.min[1].js
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_5AEAB4580B46F694CB8F283487E371AF
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CC197601BE0898B7B0FCC91FA15D8A69_7BF093847A14BC288AAB1EC3BF52B032
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_5AEAB4580B46F694CB8F283487E371AF
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_7BF093847A14BC288AAB1EC3BF52B032
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{BFCC5832-9E42-418C-B2A6-831347E16177}.dat
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{81F21843-FB7F-4D8B-A72B-EE0042E38876}.dat
-
memory/500-50-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-24-0x00000000102A0000-0x00000000102A1000-memory.dmpFilesize
4KB
-
memory/500-114-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-128-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-129-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-152-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-182-0x0000000010480000-0x0000000010481000-memory.dmpFilesize
4KB
-
memory/500-183-0x0000000010480000-0x0000000010481000-memory.dmpFilesize
4KB
-
memory/500-197-0x0000000010480000-0x0000000010481000-memory.dmpFilesize
4KB
-
memory/500-198-0x0000000010480000-0x0000000010481000-memory.dmpFilesize
4KB
-
memory/500-233-0x0000000010480000-0x0000000010481000-memory.dmpFilesize
4KB
-
memory/500-234-0x0000000010480000-0x0000000010481000-memory.dmpFilesize
4KB
-
memory/500-272-0x0000000011490000-0x0000000011491000-memory.dmpFilesize
4KB
-
memory/500-273-0x0000000011490000-0x0000000011491000-memory.dmpFilesize
4KB
-
memory/500-290-0x0000000011490000-0x0000000011491000-memory.dmpFilesize
4KB
-
memory/500-295-0x0000000011490000-0x0000000011491000-memory.dmpFilesize
4KB
-
memory/500-296-0x0000000011490000-0x0000000011491000-memory.dmpFilesize
4KB
-
memory/500-297-0x0000000011490000-0x0000000011491000-memory.dmpFilesize
4KB
-
memory/500-1-0x00000000055D0000-0x00000000055D1000-memory.dmpFilesize
4KB
-
memory/500-4-0x0000000007D80000-0x0000000007D81000-memory.dmpFilesize
4KB
-
memory/500-5-0x0000000007D80000-0x0000000007D81000-memory.dmpFilesize
4KB
-
memory/500-107-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-101-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-76-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-68-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-0-0x00000000052D0000-0x00000000052D1000-memory.dmpFilesize
4KB
-
memory/500-45-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-44-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-108-0x00000000103A0000-0x00000000103A1000-memory.dmpFilesize
4KB
-
memory/500-18-0x00000000102A0000-0x00000000102A1000-memory.dmpFilesize
4KB
-
memory/500-17-0x00000000102A0000-0x00000000102A1000-memory.dmpFilesize
4KB
-
memory/500-12-0x00000000102A0000-0x00000000102A1000-memory.dmpFilesize
4KB
-
memory/500-10-0x00000000102A0000-0x00000000102A1000-memory.dmpFilesize
4KB
-
memory/500-8-0x00000000102A0000-0x00000000102A1000-memory.dmpFilesize
4KB
-
memory/500-6-0x0000000004200000-0x0000000004202000-memory.dmpFilesize
8KB
-
memory/2968-2-0x0000000000000000-mapping.dmp
-
memory/4344-328-0x0000000000000000-mapping.dmp
-
memory/4360-329-0x0000000000000000-mapping.dmp
-
memory/4384-330-0x0000000000000000-mapping.dmp