5962532a97c0efd1227d42aeddeacf09c0f8c8787e476e650d71ceed4ed52d97

General

Target

order.exe
Size

399KB
MD5

d3f4595f210be5a466132637036d72c3
SHA1

980d63586e5116fdcbe87fe4e5914429a96f8655
SHA256

5962532a97c0efd1227d42aeddeacf09c0f8c8787e476e650d71ceed4ed52d97
SHA512

f263c92b4a966c1a5d916ec130a44eb75f87800165a81d9752248eede5f519cad9589e0a597a1249b9c36f2ed0ae0fa6eef445113b86ef934ca19c49b2b392f5

Score

8^/10

Malware Config

Signatures

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Enz7d\trylwhfdwtyrl.exe	netsh.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	netsh.exe

Adds Run entry to policy start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	netsh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YL8XNVKXLXL = "C:\\Program Files (x86)\\Enz7d\\trylwhfdwtyrl.exe"	netsh.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
3696	order.exe
3696	order.exe
3696	order.exe
3696	order.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	order.exe
Token: SeDebugPrivilege	4036	netsh.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	netsh.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 3696	1820	order.exe	71
PID 1820 wrote to memory of 3696	1820	order.exe	71
PID 1820 wrote to memory of 3696	1820	order.exe	71
PID 1820 wrote to memory of 3696	1820	order.exe	71
PID 1820 wrote to memory of 3696	1820	order.exe	71
PID 1820 wrote to memory of 3696	1820	order.exe	71
PID 3012 wrote to memory of 4036	3012	Explorer.EXE	73
PID 3012 wrote to memory of 4036	3012	Explorer.EXE	73
PID 3012 wrote to memory of 4036	3012	Explorer.EXE	73
PID 4036 wrote to memory of 3960	4036	netsh.exe	74
PID 4036 wrote to memory of 3960	4036	netsh.exe	74
PID 4036 wrote to memory of 3960	4036	netsh.exe	74
PID 4036 wrote to memory of 3836	4036	netsh.exe	76
PID 4036 wrote to memory of 3836	4036	netsh.exe	76
PID 4036 wrote to memory of 3836	4036	netsh.exe	76
PID 4036 wrote to memory of 3864	4036	netsh.exe	78
PID 4036 wrote to memory of 3864	4036	netsh.exe	78
PID 4036 wrote to memory of 3864	4036	netsh.exe	78

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 3696	1820	order.exe	71
PID 3696 set thread context of 3012	3696	order.exe	55
PID 4036 set thread context of 3012	4036	netsh.exe	55

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3696	order.exe
3696	order.exe
3696	order.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe
4036	netsh.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Users\Admin\AppData\Local\Temp\order.exe
  "C:\Users\Admin\AppData\Local\Temp\order.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID:1820
- - C:\Users\Admin\AppData\Local\Temp\order.exe
    "C:\Users\Admin\AppData\Local\Temp\order.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    PID:3696
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3648
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\SysWOW64\netsh.exe"
  2⤵
  - Drops file in Program Files directory
  - System policy modification
  - Adds Run entry to policy start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  PID:4036
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\order.exe"
    3⤵
    PID:3960
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:3836
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:3864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3696-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3864-11-0x00007FF7C4700000-0x00007FF7C4793000-memory.dmp

Filesize
588KB

Download
memory/3864-12-0x00007FF7C4700000-0x00007FF7C4793000-memory.dmp

Filesize
588KB

Download
memory/3864-13-0x00007FF7C4700000-0x00007FF7C4793000-memory.dmp

Filesize
588KB

Download
memory/4036-4-0x0000000000B60000-0x0000000000B7E000-memory.dmp

Filesize
120KB

Download
memory/4036-9-0x00000000057B0000-0x000000000584A000-memory.dmp

Filesize
616KB

Download
memory/4036-3-0x0000000000B60000-0x0000000000B7E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads