Analysis
- max time kernel: 147s
- max time network: 135s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 06:27
Static task: static1

Behavioral task: behavioral1
- Sample: GRP Production drawing Order confrimation 0022.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: GRP Production drawing Order confrimation 0022.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: GRP Production drawing Order confrimation 0022.exe
- Size: 258KB
- MD5: ac9fa9d4866f1ac20a24463942ea7189
- SHA1: 292ac8c75a35f04e86b021e6ca3b284eb27fa870
- SHA256: 885c0db8dce61efe0b93c41f8eaf4e42f0180ba4b9045d8ca6978298d81bebec
- SHA512: d6abd43e4b6ca2036701a19a202710798802eeeab07dc55b2ec6ff14e97a9dd355cf48e801c624e40fe5b503af4a1ce0872a6b565c5a77de3252ac8c57a09125
- Score: 7/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process); the same entry is recorded 11 times:
  PID 3768 wrote to memory of 2172 | 3768 | GRP Production drawing Order confrimation 0022.exe | GRP Production drawing Order confrimation 0022.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  PID 3768 set thread context of 2172 | 3768 | GRP Production drawing Order confrimation 0022.exe | GRP Production drawing Order confrimation 0022.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid | process); the same entry is recorded 6 times:
  2172 | GRP Production drawing Order confrimation 0022.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\GRP Production drawing Order confrimation 0022.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GRP Production drawing Order confrimation 0022.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - (depth 2) C:\Users\Admin\AppData\Local\Temp\GRP Production drawing Order confrimation 0022.exe
    Command line: "{path}"
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\freebl3.dll
- \Users\Admin\AppData\Local\Temp\mozglue.dll
- \Users\Admin\AppData\Local\Temp\msvcp140.dll
- \Users\Admin\AppData\Local\Temp\nss3.dll
- \Users\Admin\AppData\Local\Temp\softokn3.dll
- \Users\Admin\AppData\Local\Temp\vcruntime140.dll
- memory/2172-0-0x0000000000400000-0x0000000000554000-memory.dmp (Filesize: 1.3MB)
- memory/2172-1-0x0000000000405A3D-mapping.dmp
- memory/2172-2-0x0000000000400000-0x0000000000554000-memory.dmp (Filesize: 1.3MB)