Analysis
- max time kernel: 145s
- max time network: 146s
- platform: windows10_x64
- resource: win10v200430
- submitted: 30-06-2020 06:23
Static task: static1
Behavioral task: behavioral1
- Sample: Order557780.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Order557780.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Order557780.exe
- Size: 243KB
- MD5: dd519c0d1e2e1a3e5a08a64adaab1f02
- SHA1: 64b925f35c298589ea8aaef72988aae5b2cda640
- SHA256: f3d5008245805011d86543821b4f62b50e5e5800aec8d949a5f605e9e17836af
- SHA512: c39ef6ee8da08aa803e538a1645456111d5e0dc58efc5244739814d7707c66d0b691af875b514022f9efa9773c699ac91377581c88af31b510d184f61429bd02
- Score: 10/10
Malware Config
Signatures
Suspicious use of SetThreadContext (4 IoCs)
Processes (description / pid / process / target process):
- PID 2536 set thread context of 1232 / 2536 / Order557780.exe / Order557780.exe
- PID 1232 set thread context of 3012 / 1232 / Order557780.exe / Explorer.EXE
- PID 1232 set thread context of 3012 / 1232 / Order557780.exe / Explorer.EXE
- PID 2196 set thread context of 3012 / 2196 / svchost.exe / Explorer.EXE
Suspicious behavior: EnumeratesProcesses (54 IoCs)
Processes (pid / process):
- 1232 / Order557780.exe (6 entries)
- 2196 / svchost.exe (48 entries)
Suspicious behavior: MapViewOfSection (8 IoCs)
Processes (pid / process):
- 1232 / Order557780.exe (4 entries)
- 2196 / svchost.exe (4 entries)
Modifies Internet Explorer settings
Processes (description / ioc / process):
- Key created / \Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 / svchost.exe
Drops file in Program Files directory (1 IoC)
Processes (description / ioc / process):
- File opened for modification / C:\Program Files (x86)\B1by\zzqlywx4lv.exe / svchost.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes (description / pid / process / target process):
- PID 2536 wrote to memory of 1232 / 2536 / Order557780.exe / Order557780.exe (7 entries)
- PID 3012 wrote to memory of 2196 / 3012 / Explorer.EXE / svchost.exe (3 entries)
- PID 2196 wrote to memory of 2312 / 2196 / svchost.exe / cmd.exe (3 entries)
- PID 2196 wrote to memory of 3924 / 2196 / svchost.exe / cmd.exe (3 entries)
- PID 2196 wrote to memory of 3932 / 2196 / svchost.exe / Firefox.exe (3 entries)
Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
- Key created / \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run / svchost.exe
- Set value (str) / \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\K8IHZL5H = "C:\\Program Files (x86)\\B1by\\zzqlywx4lv.exe" / svchost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1232 / Order557780.exe
- Token: SeDebugPrivilege / 2196 / svchost.exe
- Token: SeShutdownPrivilege / 3012 / Explorer.EXE (4 entries)
- Token: SeCreatePagefilePrivilege / 3012 / Explorer.EXE (4 entries)
Processes (tree depth shown by indentation)
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures: Suspicious use of WriteProcessMemory; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Order557780.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Order557780.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Order557780.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Order557780.exe"
      signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autofmt.exe
    command line: "C:\Windows\SysWOW64\autofmt.exe"
    signatures: none
  - C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Modifies Internet Explorer settings; Drops file in Program Files directory; Suspicious use of WriteProcessMemory; Adds Run entry to start application; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order557780.exe"
      signatures: none
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      signatures: none
    - C:\Program Files\Mozilla Firefox\Firefox.exe
      command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      signatures: none
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\DB1
- C:\Users\Admin\AppData\Roaming\25R-4D3F\25Rlogim.jpeg
- C:\Users\Admin\AppData\Roaming\25R-4D3F\25Rlogrf.ini
- C:\Users\Admin\AppData\Roaming\25R-4D3F\25Rlogrg.ini
- C:\Users\Admin\AppData\Roaming\25R-4D3F\25Rlogri.ini
- C:\Users\Admin\AppData\Roaming\25R-4D3F\25Rlogrv.ini
- memory/1232-1-0x000000000041E300-mapping.dmp
- memory/1232-0-0x0000000000400000-0x0000000000433000-memory.dmp (filesize 204KB)
- memory/2196-11-0x0000000007090000-0x00000000071F4000-memory.dmp (filesize 1.4MB)
- memory/2196-7-0x0000000003940000-0x0000000003A16000-memory.dmp (filesize 856KB)
- memory/2196-5-0x0000000001100000-0x000000000110C000-memory.dmp (filesize 48KB)
- memory/2196-4-0x0000000001100000-0x000000000110C000-memory.dmp (filesize 48KB)
- memory/2196-3-0x0000000000000000-mapping.dmp
- memory/2312-6-0x0000000000000000-mapping.dmp
- memory/3012-8-0x0000000004C80000-0x0000000004E1A000-memory.dmp (filesize 1.6MB)
- memory/3924-9-0x0000000000000000-mapping.dmp
- memory/3932-12-0x0000000000000000-mapping.dmp
- memory/3932-13-0x00007FF7F2D60000-0x00007FF7F2DF3000-memory.dmp (filesize 588KB)
- memory/3932-14-0x00007FF7F2D60000-0x00007FF7F2DF3000-memory.dmp (filesize 588KB)
- memory/3932-15-0x00007FF7F2D60000-0x00007FF7F2DF3000-memory.dmp (filesize 588KB)