Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10_x64
- resource: win10
- submitted: 08-07-2020 08:22
Static task: static1
Behavioral task: behavioral1
- Sample: New Order & Product Specifications.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: New Order & Product Specifications.exe
- Resource: win10
General
- Target: New Order & Product Specifications.exe
- Size: 515KB
- MD5: 18a279d1c9a0dce2b813171d199c56d7
- SHA1: b4357015e6f444389310f5afa0d2f9eb2fcc73e5
- SHA256: 263cc7d71099d7f9461b9fbd7fef381bab1b78bf0ecf30b51c27251f56f247f7
- SHA512: fdcb4ee084edd6013b0eb484b9c8fe5e6c273002f00f6273e2717f7cb2f6bdd729e935e2d21efa29a29034498512503ac4988eaea8ec4970812a6997bc52daca
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: New Order & Product Specifications.exe, Explorer.EXE, wlanext.exe
  description | pid | process | target process | count
  PID 3828 wrote to memory of 3908 | 3828 | New Order & Product Specifications.exe | New Order & Product Specifications.EXE | 6
  PID 3028 wrote to memory of 2028 | 3028 | Explorer.EXE | wlanext.exe | 3
  PID 2028 wrote to memory of 3924 | 2028 | wlanext.exe | cmd.exe | 3
  PID 2028 wrote to memory of 3284 | 2028 | wlanext.exe | cmd.exe | 3
  PID 2028 wrote to memory of 984 | 2028 | wlanext.exe | Firefox.exe | 3

- Suspicious behavior: EnumeratesProcesses (58 IoCs)
  Processes: New Order & Product Specifications.EXE, wlanext.exe
  pid | process | count
  3908 | New Order & Product Specifications.EXE | 4
  2028 | wlanext.exe | 54

- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: New Order & Product Specifications.EXE, wlanext.exe
  pid | process | count
  3908 | New Order & Product Specifications.EXE | 3
  2028 | wlanext.exe | 4

- Adds Run entry to policy start application (2 TTPs, 2 IoCs)
  Processes: wlanext.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | wlanext.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IR-LOH4XX0-D = "C:\\Program Files (x86)\\Hrr5d\\uv8he6ulh.exe" | wlanext.exe

- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: New Order & Product Specifications.exe
  pid | process
  3828 | New Order & Product Specifications.exe

- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: Explorer.EXE
  pid | process
  3028 | Explorer.EXE

- Drops file in Program Files directory (1 IoC)
  Processes: wlanext.exe
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\Hrr5d\uv8he6ulh.exe | wlanext.exe
- Modifies Internet Explorer settings (1 IoC)
  Processes: wlanext.exe
  description | ioc | process
  Key created | \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wlanext.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Suspicious use of AdjustPrivilegeToken (12 IoCs)
  Processes: New Order & Product Specifications.EXE, wlanext.exe, Explorer.EXE
  description | pid | process | count
  Token: SeDebugPrivilege | 3908 | New Order & Product Specifications.EXE | 1
  Token: SeDebugPrivilege | 2028 | wlanext.exe | 1
  Token: SeShutdownPrivilege | 3028 | Explorer.EXE | 5
  Token: SeCreatePagefilePrivilege | 3028 | Explorer.EXE | 5

- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: Explorer.EXE
  pid | process
  3028 | Explorer.EXE

- System policy modification (1 TTP, 1 IoC)
  Processes: wlanext.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | wlanext.exe

- Suspicious use of SetThreadContext (3 IoCs)
  Processes: New Order & Product Specifications.exe, New Order & Product Specifications.EXE, wlanext.exe
  description | pid | process | target process
  PID 3828 set thread context of 3908 | 3828 | New Order & Product Specifications.exe | New Order & Product Specifications.EXE
  PID 3908 set thread context of 3028 | 3908 | New Order & Product Specifications.EXE | Explorer.EXE
  PID 2028 set thread context of 3028 | 2028 | wlanext.exe | Explorer.EXE
Processes
C:\Windows\Explorer.EXE (PID 3028)
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\New Order & Product Specifications.exe (PID 3828)
    Command line: "C:\Users\Admin\AppData\Local\Temp\New Order & Product Specifications.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of SetThreadContext

    C:\Users\Admin\AppData\Local\Temp\New Order & Product Specifications.EXE (PID 3908)
      Command line: "C:\Users\Admin\AppData\Local\Temp\New Order & Product Specifications.EXE"
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext

  C:\Windows\SysWOW64\wlanext.exe (PID 2028)
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    Signatures:
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Adds Run entry to policy start application
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    - Suspicious use of SetThreadContext

    C:\Windows\SysWOW64\cmd.exe (PID 3924)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\New Order & Product Specifications.EXE"

    C:\Windows\SysWOW64\cmd.exe (PID 3284)
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe (PID 984)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"