Analysis
- max time kernel: 146s
- max time network: 132s
- platform: windows7_x64
- resource: win7v200430
- submitted: 08-07-2020 10:28
Static task
- static1

Behavioral task
- behavioral1
- Sample: July Approved Order_PDF.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task
- behavioral2
- Sample: July Approved Order_PDF.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: July Approved Order_PDF.exe
- Size: 364KB
- MD5: 82fd63f045b5afd0834a9b1b579318fb
- SHA1: 7df3257d74c240f440c8ef001a414f6372a84724
- SHA256: 25e2619309515f2a7953682e8d4ea6d13b9c7030159aefbb8521d4316a58c19d
- SHA512: 7ea44d652f5ecfaafb141090aff32f3bc14b5c0acf2ad5457ebf4d7c1cc74aed8a16bda245b75fd105893c0a8deef9fff1555acf336adc7009106b6b3ff4cdd9
- Score: 8/10
Malware Config
Signatures
Reads user/profile data of web browsers (2 TTPs)
- Infostealers often target stored browser data, which can include saved credentials etc.

Drops file in Program Files directory (1 IoCs)
- File opened for modification: C:\Program Files (x86)\Zphsdufw\ThumbCacheopr.exe (process: msiexec.exe)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege, PID 1400, July Approved Order_PDF.exe
- Token: SeDebugPrivilege, PID 1792, July Approved Order_PDF.exe
- Token: SeDebugPrivilege, PID 1828, msiexec.exe

Suspicious use of WriteProcessMemory (23 IoCs)
- PID 1400 wrote to memory of 1792 (July Approved Order_PDF.exe, target process 26), 7 entries
- PID 1284 wrote to memory of 1828 (Explorer.EXE, target process 27), 7 entries
- PID 1828 wrote to memory of 1712 (msiexec.exe, target process 28), 4 entries
- PID 1828 wrote to memory of 1544 (msiexec.exe, target process 31), 5 entries

Executes dropped EXE (1 IoCs)
- PID 1792, July Approved Order_PDF.exe

Suspicious behavior: MapViewOfSection (7 IoCs)
- PID 1792, July Approved Order_PDF.exe, 3 entries
- PID 1828, msiexec.exe, 4 entries

Suspicious behavior: EnumeratesProcesses (46 IoCs)
- PID 1400, July Approved Order_PDF.exe, 23 entries
- PID 1792, July Approved Order_PDF.exe, 2 entries
- PID 1828, msiexec.exe, 21 entries

Loads dropped DLL (1 IoCs)
- PID 1400, July Approved Order_PDF.exe

Suspicious use of SendNotifyMessage (4 IoCs)
- PID 1284, Explorer.EXE, 4 entries

Adds Run entry to policy start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\AX4H_RU = "C:\\Program Files (x86)\\Zphsdufw\\ThumbCacheopr.exe" (process: msiexec.exe)

Suspicious use of FindShellTrayWindow (4 IoCs)
- PID 1284, Explorer.EXE, 4 entries

Suspicious use of SetThreadContext (3 IoCs)
- PID 1400 set thread context of 1792 (July Approved Order_PDF.exe, target process 26)
- PID 1792 set thread context of 1284 (July Approved Order_PDF.exe, target process 20)
- PID 1828 set thread context of 1284 (msiexec.exe, target process 20)

System policy modification (1 TTPs, 1 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (process: msiexec.exe)

Modifies Internet Explorer settings
- Key created: \Registry\User\S-1-5-21-910373003-3952921535-3480519689-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (process: msiexec.exe)
Processes
- C:\Windows\Explorer.EXE (PID 1284), command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  - Suspicious use of FindShellTrayWindow
  - C:\Users\Admin\AppData\Local\Temp\July Approved Order_PDF.exe (PID 1400), command line: "C:\Users\Admin\AppData\Local\Temp\July Approved Order_PDF.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - C:\Users\Admin\AppData\Local\Temp\July Approved Order_PDF.exe (PID 1792), command line: "C:\Users\Admin\AppData\Local\Temp\July Approved Order_PDF.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Executes dropped EXE
      - Suspicious behavior: MapViewOfSection
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
  - C:\Windows\SysWOW64\msiexec.exe (PID 1828), command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: MapViewOfSection
    - Suspicious behavior: EnumeratesProcesses
    - Adds Run entry to policy start application
    - Suspicious use of SetThreadContext
    - System policy modification
    - Modifies Internet Explorer settings
    - C:\Windows\SysWOW64\cmd.exe (PID 1712), command line: /c del "C:\Users\Admin\AppData\Local\Temp\July Approved Order_PDF.exe"
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1544), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"