Analysis
- max time kernel: 122s
- max time network: 233s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 01:32
Static task: static1
Behavioral task: behavioral1
- Sample: INV_2020.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: INV_2020.exe
- Resource: win10v2004-20220414-en
General
- Target: INV_2020.exe
- Size: 311KB
- MD5: 032e8660388186848cda8c3955f53202
- SHA1: 356a668840a4dc5fc9a209189ffed7a462c8633a
- SHA256: 24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8
- SHA512: 042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30
Malware Config
Signatures
- 404 Keylogger
  Information stealer and keylogger first seen in 2019.
- 404 Keylogger Main Executable (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/1528-66-0x0000000000400000-0x0000000000422000-memory.dmp  family_404keylogger
  behavioral1/memory/1528-67-0x0000000000400000-0x0000000000422000-memory.dmp  family_404keylogger
  behavioral1/memory/1528-65-0x0000000000400000-0x0000000000422000-memory.dmp  family_404keylogger
  behavioral1/memory/1528-68-0x000000000041CC4E-mapping.dmp                    family_404keylogger
  behavioral1/memory/1528-71-0x0000000000400000-0x0000000000422000-memory.dmp  family_404keylogger
  behavioral1/memory/1528-73-0x0000000000400000-0x0000000000422000-memory.dmp  family_404keylogger
- Executes dropped EXE (1 IoCs)
  pid   process
  1528  INV_2020.exe
- Loads dropped DLL (6 IoCs)
  pid   process
  1672  INV_2020.exe
  1012  WerFault.exe  (5 identical entries)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                          process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\KulintunHost = "\"C:\\Users\\Admin\\KulintunHost.exe\""  INV_2020.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   process       target process
  PID 1672 set thread context of 1528  1672  INV_2020.exe  INV_2020.exe
- Program crash (1 IoCs)
  pid   pid_target  process       target process
  1012  1528        WerFault.exe  INV_2020.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  pid   process
  1672  INV_2020.exe  (13 identical entries)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1672  INV_2020.exe
  Token: SeDebugPrivilege  1528  INV_2020.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  description                       pid   process       target process
  PID 1672 wrote to memory of 1528  1672  INV_2020.exe  INV_2020.exe  (9 identical entries)
  PID 1528 wrote to memory of 1012  1528  INV_2020.exe  WerFault.exe  (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\INV_2020.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\INV_2020.exe"
  PID: 1672
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\INV_2020.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\INV_2020.exe"
    PID: 1528
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1096
      PID: 1012
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\INV_2020.exe
  Filesize: 311KB
  MD5: 032e8660388186848cda8c3955f53202
  SHA1: 356a668840a4dc5fc9a209189ffed7a462c8633a
  SHA256: 24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8
  SHA512: 042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30
- \Users\Admin\AppData\Local\Temp\INV_2020.exe
  Filesize: 311KB
  MD5: 032e8660388186848cda8c3955f53202
  SHA1: 356a668840a4dc5fc9a209189ffed7a462c8633a
  SHA256: 24b2017e1fe4fa3f2616c1465cdb707abf300800da51ca3158580be6207876d8
  SHA512: 042ebc16e9f0c1b3ad55278b9a5f095415aef6266d3a6ce7047450fb2e3479294435ec544b7eee542427feb160cc1700c6a62babd9664fb14aa546146f4d9e30
- memory/1012-75-0x0000000000000000-mapping.dmp
- memory/1528-71-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1528-73-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1528-67-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1528-65-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1528-63-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1528-68-0x000000000041CC4E-mapping.dmp
- memory/1528-62-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1528-66-0x0000000000400000-0x0000000000422000-memory.dmp (Filesize: 136KB)
- memory/1672-54-0x0000000000B10000-0x0000000000B64000-memory.dmp (Filesize: 336KB)
- memory/1672-60-0x0000000001F70000-0x0000000001F82000-memory.dmp (Filesize: 72KB)
- memory/1672-59-0x0000000000AD0000-0x0000000000AE6000-memory.dmp (Filesize: 88KB)
- memory/1672-58-0x00000000008F0000-0x0000000000906000-memory.dmp (Filesize: 88KB)
- memory/1672-57-0x0000000000440000-0x000000000046A000-memory.dmp (Filesize: 168KB)
- memory/1672-56-0x00000000003E0000-0x00000000003E8000-memory.dmp (Filesize: 32KB)
- memory/1672-55-0x00000000753B1000-0x00000000753B3000-memory.dmp (Filesize: 8KB)