Analysis
-
max time kernel
156s -
max time network
41s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
07-05-2020 04:42
Static task
static1
Behavioral task
behavioral1
Sample
mor.exe
Resource
win7v200430
windows7_x64
0 signatures
0 seconds
General
-
Target
mor.exe
-
Size
1.8MB
-
MD5
8047e6794185e04962dd0129578ad5fb
-
SHA1
eec92485bde641aaf2284c5bf39c2684a229af7c
-
SHA256
792a7e3d90b110f71d0c6e67a70866b72d06dd65189f4e3ba96a90813e093df8
-
SHA512
53599cf3a81dd33fa98aefb0ed9836fa2177f7c5eb72ca8deb3f79af18d6af583180eef2d58ef3aff5db09b2594e3ae818e913d4d3ed477f20e282979e57dd6a
Score
7/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
Processes:
mor.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IQD6DIKV\desktop.ini mor.exe File opened for modification C:\Users\Admin\Music\desktop.ini mor.exe File opened for modification C:\Users\Public\Recorded TV\desktop.ini mor.exe File opened for modification C:\Users\Public\Videos\desktop.ini mor.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini mor.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini mor.exe File opened for modification C:\Users\Public\Libraries\desktop.ini mor.exe File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini mor.exe File opened for modification C:\Users\Public\Downloads\desktop.ini mor.exe File opened for modification C:\Users\Public\Music\desktop.ini mor.exe File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini mor.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZDAW0I3Y\desktop.ini mor.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini mor.exe File opened for modification C:\Users\Admin\Videos\desktop.ini mor.exe File opened for modification C:\Users\Public\Documents\desktop.ini mor.exe File opened for modification C:\Users\Public\Pictures\desktop.ini mor.exe File opened for modification C:\Users\Public\Videos\Sample Videos\desktop.ini mor.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5Q8AAMSB\desktop.ini mor.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini mor.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini mor.exe File opened for modification C:\Users\Admin\Searches\desktop.ini mor.exe File opened for modification C:\Users\Public\Music\Sample Music\desktop.ini mor.exe File opened for modification C:\Users\Public\desktop.ini mor.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\LUBVL9MG\desktop.ini mor.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini mor.exe File opened for modification C:\Users\Admin\Favorites\Links for United States\desktop.ini mor.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini mor.exe File opened for modification C:\Users\Admin\Links\desktop.ini mor.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini mor.exe File opened for modification C:\Users\Public\Desktop\desktop.ini mor.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini mor.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini mor.exe File opened for modification C:\Users\Admin\Documents\desktop.ini mor.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini mor.exe -
Drops startup file 1 IoCs
Processes:
mor.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\# M0rphine Help #.hta mor.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
mor.exedescription pid process target process PID 1064 wrote to memory of 1392 1064 mor.exe cmd.exe PID 1064 wrote to memory of 1392 1064 mor.exe cmd.exe PID 1064 wrote to memory of 1392 1064 mor.exe cmd.exe PID 1064 wrote to memory of 1392 1064 mor.exe cmd.exe PID 1064 wrote to memory of 1812 1064 mor.exe cmd.exe PID 1064 wrote to memory of 1812 1064 mor.exe cmd.exe PID 1064 wrote to memory of 1812 1064 mor.exe cmd.exe PID 1064 wrote to memory of 1812 1064 mor.exe cmd.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 1812 cmd.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
mshta.exepid process 276 mshta.exe -
Processes:
mshta.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Internet Explorer\Main mshta.exe -
Makes http(s) request 2 IoCs
Contacts server via http/https, possibly for C2 communication.
Processes:
description flow ioc HTTP URL 4 http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP URL 6 http://extreme-ip-lookup.com/json/ -
Go-http-client UserAgent 1 IoCs
Processes:
description flow ioc HTTP User-Agent header 6 Go-http-client/1.1
Processes
-
C:\Users\Admin\AppData\Local\Temp\mor.exe"C:\Users\Admin\AppData\Local\Temp\mor.exe"1⤵
- Drops desktop.ini file(s)
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ver2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /C del C:\Users\Admin\AppData\Local\Temp\mor.exe2⤵
- Deletes itself
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\Desktop\# M0rphine Help #.hta"1⤵
- Suspicious use of FindShellTrayWindow
- Modifies Internet Explorer settings