Analysis

  • max time kernel
    147s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    09-07-2020 08:27

General

  • Target

    order.exe

  • Size

    399KB

  • MD5

    d3f4595f210be5a466132637036d72c3

  • SHA1

    980d63586e5116fdcbe87fe4e5914429a96f8655

  • SHA256

    5962532a97c0efd1227d42aeddeacf09c0f8c8787e476e650d71ceed4ed52d97

  • SHA512

    f263c92b4a966c1a5d916ec130a44eb75f87800165a81d9752248eede5f519cad9589e0a597a1249b9c36f2ed0ae0fa6eef445113b86ef934ca19c49b2b392f5

Score
7/10

Malware Config

Signatures

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Checks whether UAC is enabled
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Users\Admin\AppData\Local\Temp\order.exe
      "C:\Users\Admin\AppData\Local\Temp\order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Users\Admin\AppData\Local\Temp\order.exe
        "C:\Users\Admin\AppData\Local\Temp\order.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1428
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:872
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\order.exe"
        3⤵
        • Deletes itself
        PID:660

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/660-4-0x0000000000000000-mapping.dmp

  • memory/872-2-0x0000000000000000-mapping.dmp

  • memory/872-3-0x0000000000890000-0x0000000000984000-memory.dmp

    Filesize

    976KB

  • memory/872-5-0x0000000002100000-0x00000000021DA000-memory.dmp

    Filesize

    872KB

  • memory/1428-0-0x0000000000400000-0x000000000042D000-memory.dmp

    Filesize

    180KB

  • memory/1428-1-0x000000000041E370-mapping.dmp