Overview

overview

7

Static

static

phy__1__31...12.exe

windows7_x64

7

phy__1__31...12.exe

windows10_x64

7

Analysis

  • max time kernel
    126s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-11-2020 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    phy__1__31629__2649094674__1605642612.exe

  • Size

    796KB

  • MD5

    6bcfa9f7cff3724c68ab9d9a5a7cfa61

  • SHA1

    56b9891386dd507afc6fa109feee6eb783abecb9

  • SHA256

    664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479

  • SHA512

    94eaf0cbd7eea9a6d412eb4ce6d88e83fcb33c50cf545d7a8aa281aca7ed074f34a91c8cdb03429ca11da6cf85bdd974f64f5cbc17246cc8c52e115f0960a776

Score
7/10
discoveryspyware

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 1 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe
    "C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    PID:1960
  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\CheckpointConvertTo.rtf"
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1644
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde /n
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:704

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

2
T1081

Discovery

Query Registry

3
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/704-2-0x00000000004B0000-0x00000000004B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/704-4-0x0000000004ED0000-0x0000000004ED4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1644-1-0x00000000048C0000-0x00000000048C4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1668-0-0x000007FEF5DB0000-0x000007FEF602A000-memory.dmp
    Filesize

    2.5MB

    Download