328449250e95af61e5e92254665d4c1a43d835482cd2d159c1e8a08a1ad8c725

Analysis

max time kernel
58s
max time network
145s
platform
windows10_x64
resource
win10v20201028
submitted
24-11-2020 02:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
Size

1.1MB
MD5

0d2152118cc580db3dce7244c9ba9663
SHA1

8163955d3a9eb5e8be460da5b0a3b0d1fe8a3191
SHA256

a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8
SHA512

a8eb6ad994e9a1e26a37303cfee1ebd1ad58996909c12819daed19529d1c00c31e5c391362d48a9d4f10bec52c601326b4c0b06d7986cd2bc6bbe29b4abf0e5a

Score

9^/10

discovery spyware

Malware Config

Signatures

ServiceHost packer 8 IoCs

Detects ServiceHost packer used for .NET malware

resource	yara_rule
behavioral12/memory/876-28-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-29-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-30-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-32-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-33-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-34-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-35-0x000000000041CF3C-mapping.dmp	servicehost
behavioral12/memory/876-31-0x000000000041CF3C-mapping.dmp	servicehost

Executes dropped EXE 3 IoCs

pid	Process
3436	NisSrv.com
4428	NisSrv.com
876	nslookup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4428 set thread context of 876	4428	NisSrv.com	91

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4664	876	WerFault.exe	91

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
1664	PING.EXE
4188	PING.EXE

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe
4664	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4428	NisSrv.com

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4664	WerFault.exe
Token: SeBackupPrivilege	4664	WerFault.exe
Token: SeDebugPrivilege	4664	WerFault.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 320	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	74
PID 4768 wrote to memory of 320	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	74
PID 4768 wrote to memory of 320	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	74
PID 4768 wrote to memory of 4228	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	77
PID 4768 wrote to memory of 4228	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	77
PID 4768 wrote to memory of 4228	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	77
PID 4228 wrote to memory of 4300	4228	cmd.exe	80
PID 4228 wrote to memory of 4300	4228	cmd.exe	80
PID 4228 wrote to memory of 4300	4228	cmd.exe	80
PID 4300 wrote to memory of 4188	4300	cmd.exe	81
PID 4300 wrote to memory of 4188	4300	cmd.exe	81
PID 4300 wrote to memory of 4188	4300	cmd.exe	81
PID 4300 wrote to memory of 3744	4300	cmd.exe	82
PID 4300 wrote to memory of 3744	4300	cmd.exe	82
PID 4300 wrote to memory of 3744	4300	cmd.exe	82
PID 4300 wrote to memory of 3436	4300	cmd.exe	83
PID 4300 wrote to memory of 3436	4300	cmd.exe	83
PID 4300 wrote to memory of 3436	4300	cmd.exe	83
PID 4300 wrote to memory of 1664	4300	cmd.exe	84
PID 4300 wrote to memory of 1664	4300	cmd.exe	84
PID 4300 wrote to memory of 1664	4300	cmd.exe	84
PID 3436 wrote to memory of 4428	3436	NisSrv.com	85
PID 3436 wrote to memory of 4428	3436	NisSrv.com	85
PID 3436 wrote to memory of 4428	3436	NisSrv.com	85
PID 4768 wrote to memory of 4512	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	86
PID 4768 wrote to memory of 4512	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	86
PID 4768 wrote to memory of 4512	4768	a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe	86
PID 4428 wrote to memory of 876	4428	NisSrv.com	91
PID 4428 wrote to memory of 876	4428	NisSrv.com	91
PID 4428 wrote to memory of 876	4428	NisSrv.com	91
PID 4428 wrote to memory of 876	4428	NisSrv.com	91

C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe
"C:\Users\Admin\AppData\Local\Temp\a31f1894f161f1005c00ad43235500691a4fd0cb7bd83945d47f16dbd7f62ab8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c echo qjRuHoTvG
  2⤵
  PID:320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cmd < pzoyjuWNTGixxnxHcGRQMVppcO.jEUBHZbtIgfCMSKASTkwzjfKYjkmhlZKbsKpYtmcWxL
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 NovDIn.ElaU
      4⤵
      Runs ping.exe
      PID:4188
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode hoMwFZhHyUcrWnpiYMSRVzuj.BWsHdkYEUyeLlWDXiAKiMtRBkGFNgjUwA hX
      4⤵
      PID:3744
  - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
      NisSrv.com hX
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3436
    - - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\NisSrv.com hX
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\nslookup.exe
        6⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 1048
        7⤵
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:1664
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7ZSfx000.cmd" "
  2⤵
  PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/876-18-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/876-21-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/4664-27-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/4664-25-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/4664-36-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download