Analysis
- max time kernel: 150s
- max time network: 63s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase Order.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Purchase Order.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Purchase Order.exe
- Size: 796KB
- MD5: 9c855254c998da988ee359119c6bfbcd
- SHA1: 4e673163f312fb8334c93c5ab1bf7fd7e7f81f9c
- SHA256: 8100b701682e9fb7c4165631216913054e2e201f4cd63274ff1151ade42098c9
- SHA512: 715d61ab364cd879c4da76732a8cdafcf2ccd80be2330a00b1dc6580c62a5996b85b4469c9ca6bbb276208118114f1f1b5bf77f7cd6dc0023a92f8633cbb62a4
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (25 IoCs)
  Processes (pid, process):
    1116  Purchase Order.exe
    1504  Purchase Order.exe  (x2)
    304   explorer.exe        (x22)
- Deletes itself (1 IoCs)
  Processes (pid, process):
    540   cmd.exe
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes (pid, process):
    1308  Explorer.EXE  (x4)
- Checks whether UAC is enabled
  Processes (description, ioc, process):
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes (pid, process):
    1308  Explorer.EXE  (x5)
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description, pid, process, target process):
    PID 1116 wrote to memory of 1436  1116 Purchase Order.exe  -> Purchase Order.exe  (x4)
    PID 1116 wrote to memory of 1504  1116 Purchase Order.exe  -> Purchase Order.exe  (x7)
    PID 1308 wrote to memory of 304   1308 Explorer.EXE        -> explorer.exe        (x4)
    PID 304 wrote to memory of 540    304 explorer.exe         -> cmd.exe             (x4)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege     1116  Purchase Order.exe
    Token: SeDebugPrivilege     1504  Purchase Order.exe
    Token: SeDebugPrivilege     304   explorer.exe
    Token: SeShutdownPrivilege  1308  Explorer.EXE
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
    PID 1116 set thread context of 1504  1116 Purchase Order.exe  -> Purchase Order.exe
    PID 1504 set thread context of 1308  1504 Purchase Order.exe  -> Explorer.EXE
    PID 304 set thread context of 1308   304 explorer.exe         -> Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid, process):
    1504  Purchase Order.exe  (x3)
    304   explorer.exe        (x2)
Processes
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  signatures:
    - Suspicious use of SendNotifyMessage
    - Checks whether UAC is enabled
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
    signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
      command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
      command line: "{path}"
      signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetThreadContext
        - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\explorer.exe
    command line: "C:\Windows\SysWOW64\explorer.exe"
    signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
      signatures:
        - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/304-4-0x0000000000000000-mapping.dmp
- memory/304-5-0x0000000000C90000-0x0000000000F11000-memory.dmp (Filesize: 2.5MB)
- memory/304-7-0x0000000003400000-0x0000000003562000-memory.dmp (Filesize: 1.4MB)
- memory/540-6-0x0000000000000000-mapping.dmp
- memory/1116-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1504-2-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1504-3-0x000000000041E360-mapping.dmp