Analysis
- max time kernel: 133s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 07-12-2020 01:52
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample gye1.cab.dll, resource win7v20201028)
- Behavioral task: behavioral2 (sample gye1.cab.dll, resource win10v20201028)
General
- Target: gye1.cab.dll
- Size: 632KB
- MD5: e78b3e5f216b0fc21a528a1a4de83a39
- SHA1: 91d536c3667177f95b1713b563d54a1437bf27d5
- SHA256: 4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c
- SHA512: b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb
Malware Config
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Explorer.EXE
  Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\esentcls = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ApirPQEC\\bitsaext.dll\",DllRegisterServer"
- Suspicious use of SetThreadContext (4 IoCs)
  Processes: regsvr32.exe, control.exe, Explorer.EXE
  - PID 1136 regsvr32.exe set thread context of PID 1656 control.exe
  - PID 1656 control.exe set thread context of PID 1260 Explorer.EXE
  - PID 1656 control.exe set thread context of PID 940 rundll32.exe
  - PID 1260 Explorer.EXE set thread context of PID 544 cmd.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 1136 regsvr32.exe; PID 1260 Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: PID 1260 Explorer.EXE
- Suspicious behavior: MapViewOfSection (4 IoCs)
  Processes: PID 1136 regsvr32.exe; PID 1656 control.exe (2 IoCs); PID 1260 Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: PID 1260 Explorer.EXE
- Suspicious use of WriteProcessMemory (39 IoCs)
  Processes: regsvr32.exe, control.exe, Explorer.EXE, cmd.exe
  Writing PID/process -> target PID/process (number of occurrences):
  - 1680 regsvr32.exe -> 1136 regsvr32.exe (7)
  - 1136 regsvr32.exe -> 1656 control.exe (7)
  - 1656 control.exe -> 1260 Explorer.EXE (3)
  - 1656 control.exe -> 940 rundll32.exe (6)
  - 1260 Explorer.EXE -> 300 cmd.exe (3)
  - 300 cmd.exe -> 548 nslookup.exe (3)
  - 1260 Explorer.EXE -> 1444 cmd.exe (3)
  - 1260 Explorer.EXE -> 544 cmd.exe (7)
Processes (process tree; indentation shows parent/child)
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures: Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious behavior: MapViewOfSection; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe
      Command line: /s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\control.exe
        Command line: C:\Windows\system32\control.exe /?
        Signatures: Suspicious use of SetThreadContext; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
        - C:\Windows\system32\rundll32.exe
          Command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\D370.bi1"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\nslookup.exe
      Command line: nslookup myip.opendns.com resolver1.opendns.com
  - C:\Windows\system32\cmd.exe
    Command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\D370.bi1"
  - C:\Windows\syswow64\cmd.exe
    Command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\D370.bi1
  MD5: c4f77466fa6bb3b7b587745fd51eb73e
  SHA1: c9ee49b895e2cec4483b9e3d84e32f0d650edcbb
  SHA256: 37d5f9a9a4db772e5bcc6a0211a3092049c09f438067bc36cde152e10b79eeb8
  SHA512: 51c1ddeac48567d106cbcc5bad19b31639b73ec66d11ed83dbc90da880792df0b6bd6c6e28a712e854ceeb6bd96a3985e521cb9d666b0ccd087e96f4a90fc7d7
- C:\Users\Admin\AppData\Roaming\Microsoft\ApirPQEC\bitsaext.dll (identical hashes to the submitted sample gye1.cab.dll)
  MD5: e78b3e5f216b0fc21a528a1a4de83a39
  SHA1: 91d536c3667177f95b1713b563d54a1437bf27d5
  SHA256: 4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c
  SHA512: b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb
Memory dumps
- memory/300-13-0x0000000000000000-mapping.dmp
- memory/544-20-0x0000000000000000-mapping.dmp
- memory/544-18-0x0000000000000000-mapping.dmp
- memory/548-14-0x0000000000000000-mapping.dmp
- memory/940-10-0x0000000000000000-mapping.dmp
- memory/940-12-0x000007FFFFFD7000-mapping.dmp
- memory/1136-2-0x0000000000000000-mapping.dmp
- memory/1136-6-0x0000000002830000-0x00000000028E3000-memory.dmp (716KB)
- memory/1136-4-0x0000000000110000-0x000000000011D000-memory.dmp (52KB)
- memory/1136-3-0x0000000000140000-0x000000000018A000-memory.dmp (296KB)
- memory/1260-19-0x0000000006240000-0x00000000062E5000-memory.dmp (660KB)
- memory/1444-15-0x0000000000000000-mapping.dmp
- memory/1656-11-0x00000000025D0000-0x0000000002683000-memory.dmp (716KB)
- memory/1656-8-0x0000000001C40000-0x0000000001CF3000-memory.dmp (716KB)
- memory/1656-7-0x000007FFFFFD5000-mapping.dmp
- memory/1656-5-0x0000000000000000-mapping.dmp