Analysis
- max time kernel: 138s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 07-12-2020 01:52
Static task: static1
Behavioral task: behavioral1 (Sample: gye1.cab.dll; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: gye1.cab.dll; Resource: win10v20201028)
General
- Target: gye1.cab.dll
- Size: 632KB
- MD5: e78b3e5f216b0fc21a528a1a4de83a39
- SHA1: 91d536c3667177f95b1713b563d54a1437bf27d5
- SHA256: 4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c
- SHA512: b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb
Malware Config
Signatures
- ServiceHost packer (2 IoCs)
  Detects ServiceHost packer used for .NET malware
  Processes (resource | yara_rule):
  behavioral2/memory/2940-6-0x000000869D1F9000-mapping.dmp | servicehost
  behavioral2/memory/3924-26-0x0000000000BB6CD0-mapping.dmp | servicehost
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: Explorer.EXE
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\adrcProv = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\AuthgLib\\accerLib.dll\",DllRegisterServer" | Explorer.EXE
- Suspicious use of SetThreadContext (6 IoCs)
  Processes: regsvr32.exe, control.exe, Explorer.EXE
  description | pid | process | target process
  PID 1052 set thread context of 2940 | 1052 | regsvr32.exe | control.exe
  PID 2940 set thread context of 2828 | 2940 | control.exe | Explorer.EXE
  PID 2828 set thread context of 3556 | 2828 | Explorer.EXE | RuntimeBroker.exe
  PID 2940 set thread context of 3124 | 2940 | control.exe | rundll32.exe
  PID 2828 set thread context of 2536 | 2828 | Explorer.EXE | WinMail.exe
  PID 2828 set thread context of 3924 | 2828 | Explorer.EXE | cmd.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: regsvr32.exe, Explorer.EXE
  pid | process
  1052 | regsvr32.exe
  1052 | regsvr32.exe
  2828 | Explorer.EXE
  2828 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: regsvr32.exe, control.exe, Explorer.EXE
  pid | process
  1052 | regsvr32.exe
  2940 | control.exe
  2828 | Explorer.EXE
  2940 | control.exe
  2828 | Explorer.EXE
  2828 | Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: Explorer.EXE
  description | pid | process
  Token: SeShutdownPrivilege | 2828 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2828 | Explorer.EXE
  Token: SeShutdownPrivilege | 2828 | Explorer.EXE
  Token: SeCreatePagefilePrivilege | 2828 | Explorer.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: Explorer.EXE
  pid | process
  2828 | Explorer.EXE
- Suspicious use of WriteProcessMemory (36 IoCs)
  Processes: regsvr32.exe, regsvr32.exe, control.exe, Explorer.EXE, cmd.exe
  (identical consecutive rows are collapsed; the events column gives how many times each row was reported, in the original order)
  description | pid | process | target process | events
  PID 3372 wrote to memory of 1052 | 3372 | regsvr32.exe | regsvr32.exe | 3
  PID 1052 wrote to memory of 2940 | 1052 | regsvr32.exe | control.exe | 5
  PID 2940 wrote to memory of 2828 | 2940 | control.exe | Explorer.EXE | 3
  PID 2940 wrote to memory of 3124 | 2940 | control.exe | rundll32.exe | 3
  PID 2828 wrote to memory of 3556 | 2828 | Explorer.EXE | RuntimeBroker.exe | 3
  PID 2940 wrote to memory of 3124 | 2940 | control.exe | rundll32.exe | 2
  PID 2828 wrote to memory of 2180 | 2828 | Explorer.EXE | cmd.exe | 2
  PID 2180 wrote to memory of 3908 | 2180 | cmd.exe | nslookup.exe | 2
  PID 2828 wrote to memory of 1404 | 2828 | Explorer.EXE | cmd.exe | 2
  PID 2828 wrote to memory of 2536 | 2828 | Explorer.EXE | WinMail.exe | 5
  PID 2828 wrote to memory of 3924 | 2828 | Explorer.EXE | cmd.exe | 6
Processes (bracketed number is the process-tree depth as reported; each entry gives the image path, its command line, and the signatures attributed to it)
- [depth 1] C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\system32\regsvr32.exe
    command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\gye1.cab.dll
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\system32\control.exe
        command line: C:\Windows\system32\control.exe /?
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\system32\rundll32.exe
          command line: "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL /?
  - [depth 2] C:\Windows\system32\cmd.exe
    command line: cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\Admin\AppData\Local\Temp\534C.bi1"
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\nslookup.exe
      command line: nslookup myip.opendns.com resolver1.opendns.com
  - [depth 2] C:\Windows\system32\cmd.exe
    command line: cmd /C "echo -------- >> C:\Users\Admin\AppData\Local\Temp\534C.bi1"
  - [depth 2] C:\Program Files\Windows Mail\WinMail.exe
    command line: "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
  - [depth 2] C:\Windows\syswow64\cmd.exe
    command line: "C:\Windows\syswow64\cmd.exe" /C pause dll mail, ,
- [depth 1] C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\534C.bi1
  MD5: 67a173408db29be821b9fe2421000340
  SHA1: 71faba974dc8fbbb67fa955142c30fbe0cd149a4
  SHA256: b087d5699a034d5a48b918a3aec8b8d8551569332f1f109d5c92177fcceaada8
  SHA512: e969d9e43819fdf55ed7588a7df6e2e0a1d8c9ea91444975f5fefaa77155fb7728a94f0ab1bb4a1897e699201c2b1128ae9065c06e1cd57246dd3ae3c7c71671
- C:\Users\Admin\AppData\Roaming\Microsoft\AuthgLib\accerLib.dll (same hashes as the submitted sample gye1.cab.dll)
  MD5: e78b3e5f216b0fc21a528a1a4de83a39
  SHA1: 91d536c3667177f95b1713b563d54a1437bf27d5
  SHA256: 4eed17645ed997121a95459508067a23459d1e36f43d50f672f198e9d117cc2c
  SHA512: b56548d765c9f0fcc0f65b4f283b406ce8b4f70c8b6b3a0845299075b8bc7ae1b60032cd7fb40f69ba855767e3304904c8ce413bbdb4cc4773df439256deadeb
- memory/1052-3-0x0000000000C50000-0x0000000000C9A000-memory.dmp (Filesize: 296KB)
- memory/1052-2-0x0000000000000000-mapping.dmp
- memory/1052-5-0x0000000004900000-0x00000000049B3000-memory.dmp (Filesize: 716KB)
- memory/1404-16-0x0000000000000000-mapping.dmp
- memory/2180-14-0x0000000000000000-mapping.dmp
- memory/2536-21-0x0000003648E01000-mapping.dmp
- memory/2536-19-0x0000000000000000-mapping.dmp
- memory/2828-20-0x0000000005790000-0x0000000005843000-memory.dmp (Filesize: 716KB)
- memory/2828-11-0x0000000005790000-0x0000000005843000-memory.dmp (Filesize: 716KB)
- memory/2828-25-0x0000000003450000-0x00000000034F5000-memory.dmp (Filesize: 660KB)
- memory/2940-6-0x000000869D1F9000-mapping.dmp
- memory/2940-12-0x00000222E4EF0000-0x00000222E4FA3000-memory.dmp (Filesize: 716KB)
- memory/2940-7-0x00000222E2C90000-0x00000222E2D43000-memory.dmp (Filesize: 716KB)
- memory/2940-4-0x0000000000000000-mapping.dmp
- memory/3124-10-0x0000000000000000-mapping.dmp
- memory/3124-13-0x000000EF89A14000-mapping.dmp
- memory/3908-15-0x0000000000000000-mapping.dmp
- memory/3924-22-0x0000000000000000-mapping.dmp
- memory/3924-23-0x0000000000000000-mapping.dmp
- memory/3924-24-0x0000000000BB6CD0-0x0000000000BB6CD4-memory.dmp (Filesize: 4B)
- memory/3924-26-0x0000000000BB6CD0-mapping.dmp