Analysis
max time kernel: 151s
max time network: 135s
platform: windows7_x64
resource: win7v200430
submitted: 09/07/2020, 18:28
Static task: static1
Behavioral task: behavioral1
  Sample: Order.exe
  Resource: win7v200430
  0 signatures
  0 seconds
Behavioral task: behavioral2
  Sample: Order.exe
  Resource: win10
  0 signatures
  0 seconds
General
Target: Order.exe
Size: 455KB
MD5: 5e2a18631c1939da9714b50ad9b7d714
SHA1: 99671915c1e4a6316242e06dcb1398d4152d57fc
SHA256: eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1
SHA512: 457786aae6864a93d196c045ebc6b43083359bf840726e2eef91ef4688cebe141673e13236885c8e176a5b73a51d4c4233a9e3b7b23bc7a624922e023b4851b5
Score: 7/10
Malware Config
Signatures
Suspicious use of FindShellTrayWindow (4 IoCs)
  pid   Process       count
  1300  Explorer.EXE  4

Suspicious use of SendNotifyMessage (4 IoCs)
  pid   Process       count
  1300  Explorer.EXE  4

Suspicious use of WriteProcessMemory (15 IoCs)
  description                       pid   Process       procid_target  count
  PID 1292 wrote to memory of 1684  1292  Order.exe     26             7
  PID 1300 wrote to memory of 1816  1300  Explorer.EXE  27             4
  PID 1816 wrote to memory of 1820  1816  svchost.exe   28             4

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process      procid_target
  PID 1292 set thread context of 1684  1292  Order.exe    26
  PID 1684 set thread context of 1300  1684  Order.exe    20
  PID 1816 set thread context of 1300  1816  svchost.exe  20

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   Process      count
  1684  Order.exe    2
  1816  svchost.exe  22

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1684  Order.exe
  Token: SeDebugPrivilege  1816  svchost.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process      count
  1684  Order.exe    3
  1816  svchost.exe  2

Deletes itself (1 IoC)
  pid   Process
  1820  cmd.exe
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1300
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Order.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    PID: 1292
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\Order.exe
      command line: "{path}"
      PID: 1684
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
  C:\Windows\SysWOW64\svchost.exe
    command line: "C:\Windows\SysWOW64\svchost.exe"
    PID: 1816
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      PID: 1820
      - Deletes itself