Analysis
- max time kernel: 151s
- max time network: 122s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 19-11-2020 15:38

Static task: static1
Behavioral task: behavioral1
Sample: phy__1__31629__2649094674__1605642612.exe
Resource: win7v20201028
General
- Target: phy__1__31629__2649094674__1605642612.exe
- Size: 796KB
- MD5: 6bcfa9f7cff3724c68ab9d9a5a7cfa61
- SHA1: 56b9891386dd507afc6fa109feee6eb783abecb9
- SHA256: 664ed6ed7e3992bdf022771e85f3ccf0930649b105cfe38c6fd1adad75f3b479
- SHA512: 94eaf0cbd7eea9a6d412eb4ce6d88e83fcb33c50cf545d7a8aa281aca7ed074f34a91c8cdb03429ca11da6cf85bdd974f64f5cbc17246cc8c52e115f0960a776
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  23 | api.ipify.org
- Checks processor information in registry (2 TTPs, 10 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: EXCEL.EXE, WINWORD.EXE, phy__1__31629__2649094674__1605642612.exe, AcroRd32.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | phy__1__31629__2649094674__1605642612.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | phy__1__31629__2649094674__1605642612.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
- Modifies Internet Explorer settings
  Processes: AcroRd32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Suspicious behavior: AddClipboardFormatListener (3 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE
  pid | process
  2908 | WINWORD.EXE
  2908 | WINWORD.EXE
  3380 | EXCEL.EXE
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: phy__1__31629__2649094674__1605642612.exe
  pid | process
  500 | phy__1__31629__2649094674__1605642612.exe
  500 | phy__1__31629__2649094674__1605642612.exe
- Suspicious use of SetWindowsHookEx (31 IoCs)
  Processes: WINWORD.EXE, EXCEL.EXE, AcroRd32.exe
  pid | process (repeated entries collapsed)
  2908 | WINWORD.EXE (14 IoCs)
  3380 | EXCEL.EXE (13 IoCs)
  3868 | AcroRd32.exe (4 IoCs)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: AcroRd32.exe
  description | pid | process | target process (repeated entries collapsed)
  PID 3868 wrote to memory of 688 | 3868 | AcroRd32.exe | RdrCEF.exe (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\phy__1__31629__2649094674__1605642612.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Desktop\MeasureStart.dot"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /n "C:\Users\Admin\Desktop\GetReset.xlt"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: ebbcc18c0779b96f2b98a99e9fc82309
  SHA1: 545ae2a240b9a8460b56fddd4a79e57dfd13c908
  SHA256: 7fdf354a1b5c7812c5e89c4770c156e572485c54d0fb8eb9554be7c803787216
  SHA512: d67149fcded8049c5956eef0c90ea657a948e568d1b4e1a1bc35c8c2394a18723447564d035a801d2e4820f24310d70e2e7fe9df1923c9700201893a9267f1eb
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
  MD5: fe8edeb86cdbfe23a6429df208dab41f
  SHA1: 1b27259cdf74e4f8c6a9305f42e09af4b3ed1ee2
  SHA256: 889eeadf4a5737abae9c8b3a5033b3385b992926a981e9bfe6fdad3443a6bc4a
  SHA512: f3f2b9792c40e617405c68be304b4fd016431178542a276ce9f02a22e7a2e1367cf41909d9439dd52a2a4df0f755e73051c0fd42500117e5ff78ad90d139c9fc
- C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\906E65D8-8932-4C07-8C85-040E889A534B
  MD5: 6b708cec09a215b397314fda8df629a4
  SHA1: 47748c958384b2952665768147a4a13f2f24bc71
  SHA256: c4a85fffaceb51ecf7c729cf31cd502611f0ae7dcb3dbf394d5308de23761045
  SHA512: 281b4d3d59cc7113825f4e48a9d92ed5b5442339d25894385c1c0e60df86105c7cbb32e2d46164c1ba45d0e61fb267dfe35e4c72de59d0677f06352bbb0fcc97
- C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
  MD5: 04875516e0a9f701534d47d00fabfabe
  SHA1: fc3444af11440919ed6edb22b5cd545fe0c74426
  SHA256: c5c132266a0577e489b2992767d412775cbb6c4dd11e6d039b18d6f2665b0cf3
  SHA512: 03755b7c0f52924a26bb770ac34257a029ae2d1c59213a851875e53ef275e80816401e9dc1501577325db351dc811a32d7747df28c7be915141c570b4c079474
- memory/688-21-0x0000000000000000-mapping.dmp
- memory/2908-0-0x00007FFE9A740000-0x00007FFE9AD77000-memory.dmp (Filesize: 6.2MB)
- memory/2908-13-0x00007FFE96B30000-0x00007FFE99653000-memory.dmp (Filesize: 43.1MB)
- memory/2908-14-0x00007FFE96B30000-0x00007FFE99653000-memory.dmp (Filesize: 43.1MB)
- memory/2908-15-0x00007FFE96B30000-0x00007FFE99653000-memory.dmp (Filesize: 43.1MB)
- memory/3380-16-0x00007FFE9A740000-0x00007FFE9AD77000-memory.dmp (Filesize: 6.2MB)