Analysis
Max time kernel: 134s
Max time network: 35s
Platform: windows7_x64
Resource: win7v200430
Submitted: 11-06-2020 07:42

Static task: static1
Behavioral task: behavioral1, sample 00b2679e73e28343fd153df9858bc910.exe, resource win7v200430
Behavioral task: behavioral2, sample 00b2679e73e28343fd153df9858bc910.exe, resource win10v200430

General
Target: 00b2679e73e28343fd153df9858bc910.exe
Size: 715KB
MD5: 00b2679e73e28343fd153df9858bc910
SHA1: f27390cdca4afea0ffeda89f117931858e7f5a7f
SHA256: 6396ea2ef48aa3d3a61fb2e1ca50ac3711c376ec2b67dbaf64eeba49f5dfa9df
SHA512: 35b06555bd088bdcdd13f3377832073ebdae9053fe8a640c41470560da1f093abe65d6cfc4cfce30a9af708a8926ea646c801b6c155d0517e612f807472a7261
Malware Config
Extracted from ransom note: C:\program files\7-zip\lang\!!FAQ for Decryption!!.txt
Contact address in note: mrddnet_support@protonmail.ch
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes: PID 1056 (00b2679e73e28343fd153df9858bc910.exe) set thread context of PID 900 (svchost.exe)

Deletes itself (1 IoC)
Processes: PID 1312 (cmd.exe)

Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes: PID 900 (svchost.exe), 7 occurrences

Drops file in Program Files directory (5605 IoCs)
Processes:
Process: svchost.exe (64 of 5605 entries listed)
- File opened for modification C:\program files\common files\microsoft shared\stationery\pretty_peacock.jpg
- File opened for modification C:\program files\dvd maker\shared\dvdstyles\memories\btn-previous-static.png
- File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\images\cursors\win32_copynodrop32x32.gif
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.util_8.1.14.v20131031.jar
- File opened for modification C:\program files\java\jre7\lib\zi\america\indiana\tell_city
- File opened for modification C:\program files\java\jre7\lib\zi\etc\gmt-4
- File created C:\program files\videolan\vlc\locale\zu\lc_messages\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files (x86)\adobe\reader 9.0\resource\linguistics\providers\proximity\11.00\can32.clx
- File opened for modification C:\program files (x86)\microsoft analysis services\as oledb\10\cartridges\sybase.xsl
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\logo.png
- File opened for modification C:\program files\common files\microsoft shared\stationery\seyes.emf
- File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\america\dawson_creek
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\cpu.gadget\en-us\css\cpu.css
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\picturepuzzle.gadget\images\7.png
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\undocked_black_moon-waning-gibbous.png
- File created C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_cn_5.5.0.165303\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.ui.ja_5.5.0.165303.jar
- File opened for modification C:\program files\java\jre7\lib\zi\america\phoenix
- File opened for modification C:\program files\mozilla firefox\gmp-clearkey\0.1\clearkey.dll.sig
- File opened for modification C:\program files\7-zip\lang\eu.txt
- File opened for modification C:\program files\common files\microsoft shared\ink\fsdefinitions\main\base_heb.xml
- File created C:\program files\dvd maker\shared\dvdstyles\push\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files\dvd maker\shared\dvdstyles\travel\header-background.png
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png
- File created C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files\java\jre7\lib\zi\america\curacao
- File opened for modification C:\program files\videolan\vlc\lua\intf\modules\httprequests.luac
- File opened for modification C:\program files\windows sidebar\gadgets\picturepuzzle.gadget\images\tile16.png
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\novelty_dot.png
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\cpu.gadget\en-us\gadget.xml
- File opened for modification C:\program files\7-zip\lang\eo.txt
- File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties
- File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\apia
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html
- File created C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\core\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar
- File opened for modification C:\program files\java\jre7\lib\management\management.properties
- File created C:\program files\videolan\vlc\skins\fonts\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files (x86)\adobe\reader 9.0\reader\plug_ins\ebook.api
- File opened for modification C:\program files (x86)\common files\speechengines\microsoft\tts20\en-us\enu-dsk\m1033dsk.lts
- File opened for modification C:\program files (x86)\internet explorer\en-us\ieinstal.exe.mui
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\clock.gadget\images\square.png
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\btn_close_down.png
- File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\yekaterinburg
- File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\pacific\enderbury
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_zh_cn.jar
- File created C:\program files\videolan\vlc\locale\it\lc_messages\!!FAQ for Decryption!!.txt
- File created C:\program files (x86)\adobe\reader 9.0\reader\legal\enu\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files (x86)\adobe\reader 9.0\reader\tracker\review_browser.gif
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\weather.gadget\images\19.png
- File opened for modification C:\program files\common files\microsoft shared\themes14\evrgreen\evrgreen.elm
- File opened for modification C:\program files\java\jdk1.7.0_80\jre\lib\zi\asia\riyadh
- File created C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\meta-inf\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files\java\jre7\lib\security\local_policy.jar
- File opened for modification C:\program files\videolan\vlc\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css
- File created C:\program files\windows media player\network sharing\!!FAQ for Decryption!!.txt
- File opened for modification C:\program files\windows sidebar\gadgets\clock.gadget\en-us\js\timezones.js
- File opened for modification C:\program files (x86)\windows sidebar\gadgets\slideshow.gadget\images\reveal_hov.png
- File opened for modification C:\program files\java\jdk1.7.0_80\db\bin\ij
- File opened for modification C:\program files\java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\meta-inf\eclipse_.sf
- File opened for modification C:\program files\java\jre7\lib\zi\etc\gmt+9
- File opened for modification C:\program files\common files\system\ado\msado20.tlb
- File opened for modification C:\program files\dvd maker\shared\dvdstyles\travel\passportmask.wmv
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of WriteProcessMemory (10 IoCs)
Processes: PID 1056 (00b2679e73e28343fd153df9858bc910.exe) wrote to memory of PID 900 (svchost.exe), 6 occurrences; PID 1056 wrote to memory of PID 1312 (cmd.exe), 4 occurrences

The writes into PID 900, combined with the SetThreadContext call against the same process, are the process-hollowing pattern: the encryptor runs under the svchost.exe name, which is why the Program Files writes and the process enumeration are attributed to PID 900 rather than to the sample. No SetThreadContext accompanies the writes into PID 1312, so on their own they do not indicate injection; WriteProcessMemory is only a meaningful indicator when paired with a thread-context change or a remote thread.
Processes

C:\Users\Admin\AppData\Local\Temp\00b2679e73e28343fd153df9858bc910.exe (PID 1056)
Command line: "C:\Users\Admin\AppData\Local\Temp\00b2679e73e28343fd153df9858bc910.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory

  Child: C:\Windows\SysWOW64\svchost.exe (PID 900)
  Command line: C:\Windows\System32\svchost.exe
  - Suspicious behavior: EnumeratesProcesses
  - Drops file in Program Files directory

  Child: C:\Windows\SysWOW64\cmd.exe (PID 1312)
  Command line: /c del C:\Users\Admin\AppData\Local\Temp\00b2679e73e28343fd153df9858bc910.exe >> NUL
  - Deletes itself

The image path of both children is under SysWOW64 while the command line names System32: the sample is a 32-bit process, so WOW64 file-system redirection maps its request for System32\svchost.exe to the 32-bit copy. A legitimate svchost.exe is started by services.exe with a -k <service group> argument; one spawned from a user's Temp directory with no arguments is itself a hunting lead independent of the API-level signatures above.
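The following Python is an added example, not part of the sandbox report, that turns the three behaviours in this report (WriteProcessMemory plus SetThreadContext into a child svchost.exe, the ransom note created in many Program Files directories, and cmd.exe deleting the parent image) into detection logic run over a constructed event log. The event schema, the function names, the explorer.exe parent and the services.exe control entry (PIDs 1200, 500 and 700) are assumptions made for the example; the sample's PIDs, paths and command lines mirror the report.

```python
"""Replay constructed process/file events modelled on the sandbox report and
flag hollowing, rogue svchost.exe, ransom-note fan-out and self-deletion.
Added example; the event format and every event below are constructed."""
from collections import defaultdict
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\00b2679e73e28343fd153df9858bc910.exe"
NOTE = "!!FAQ for Decryption!!.txt"


def _proc(pid, ppid, image, parent_image, cmdline):
    return {"type": "ProcessCreate", "pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent_image, "cmdline": cmdline}


def _base(path):
    return ntpath.basename(path).lower()


# Constructed event log. explorer.exe as the sample's parent (PID 1200) and the
# services.exe/svchost.exe pair (PIDs 500/700) are assumed control entries.
EVENTS = [
    _proc(1056, 1200, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    _proc(900, 1056, r"C:\Windows\SysWOW64\svchost.exe", SAMPLE,
          r"C:\Windows\System32\svchost.exe"),
    *[{"type": "WriteProcessMemory", "pid": 1056, "target_pid": 900} for _ in range(6)],
    {"type": "SetThreadContext", "pid": 1056, "target_pid": 900},
    _proc(1312, 1056, r"C:\Windows\SysWOW64\cmd.exe", SAMPLE, f"/c del {SAMPLE} >> NUL"),
    *[{"type": "WriteProcessMemory", "pid": 1056, "target_pid": 1312} for _ in range(4)],
    {"type": "FileCreate", "pid": 900,
     "path": ntpath.join(r"C:\program files\videolan\vlc\locale\zu\lc_messages", NOTE)},
    {"type": "FileCreate", "pid": 900,
     "path": ntpath.join(r"C:\program files\dvd maker\shared\dvdstyles\push", NOTE)},
    {"type": "FileCreate", "pid": 900,
     "path": ntpath.join(r"C:\program files\java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking", NOTE)},
    {"type": "FileCreate", "pid": 900,
     "path": ntpath.join(r"C:\program files\videolan\vlc\skins\fonts", NOTE)},
    {"type": "FileModify", "pid": 900, "path": r"C:\program files\7-zip\lang\eu.txt"},
    # Benign control: a service host started the normal way does not fire.
    _proc(700, 500, r"C:\Windows\System32\svchost.exe",
          r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]


def find_hollowing(events):
    """(source pid, target pid) pairs where the source both wrote memory into and
    set the thread context of the same target. Writes alone (PID 1312 here) are
    not reported, since ordinary child creation also produces them."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] in ("WriteProcessMemory", "SetThreadContext"):
            seen[(e["pid"], e["target_pid"])].add(e["type"])
    return sorted(k for k, v in seen.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= v)


def find_rogue_svchost(events):
    """svchost.exe not started by services.exe, or started without -k <group>."""
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or _base(e["image"]) != "svchost.exe":
            continue
        parent_ok = _base(e["parent_image"]) == "services.exe"
        args_ok = "-k" in e["cmdline"].lower().split()
        if not (parent_ok and args_ok):
            hits.append(e["pid"])
    return hits


def find_note_fanout(events, min_dirs=3):
    """File names created in at least min_dirs distinct directories, the
    ransom-note pattern behind the 'Drops file in Program Files' signature."""
    dirs = defaultdict(set)
    for e in events:
        if e["type"] == "FileCreate":
            dirs[ntpath.basename(e["path"])].add(ntpath.dirname(e["path"]).lower())
    return {name: len(d) for name, d in dirs.items() if len(d) >= min_dirs}


def find_self_delete(events):
    """(cmd pid, parent pid) where a cmd.exe child deletes its parent's image."""
    image_of = {e["pid"]: e["image"] for e in events if e["type"] == "ProcessCreate"}
    hits = []
    for e in events:
        if e["type"] != "ProcessCreate" or _base(e["image"]) != "cmd.exe":
            continue
        parent = image_of.get(e["ppid"])
        cl = e["cmdline"].lower()
        if parent and "del" in cl.split() and parent.lower() in cl:
            hits.append((e["pid"], e["ppid"]))
    return hits


def triage(events):
    return {"hollowing": find_hollowing(events),
            "rogue_svchost": find_rogue_svchost(events),
            "note_fanout": find_note_fanout(events),
            "self_delete": find_self_delete(events)}


if __name__ == "__main__":
    for name, result in triage(EVENTS).items():
        print(f"{name}: {result}")
```

Each check keys on a relationship between events rather than on a single API call, which is what keeps the control entries quiet: the svchost.exe started by services.exe with -k passes, and the memory writes into cmd.exe, which the report also records, are ignored because no SetThreadContext follows them.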