Analysis

max time kernel: 146s
max time network: 140s
platform: windows10_x64
resource: win10
submitted: 09/07/2020, 18:28

Static task: static1

Behavioral task: behavioral1
  Sample: Order.exe
  Resource: win7v200430
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Order.exe
  Resource: win10
  0 signatures, 0 seconds
General

Target: Order.exe
Size: 455KB
MD5: 5e2a18631c1939da9714b50ad9b7d714
SHA1: 99671915c1e4a6316242e06dcb1398d4152d57fc
SHA256: eb6567e1510a2fbe48c640daf96b0301df0e969b09d3bbd8cd2093e91963efb1
SHA512: 457786aae6864a93d196c045ebc6b43083359bf840726e2eef91ef4688cebe141673e13236885c8e176a5b73a51d4c4233a9e3b7b23bc7a624922e023b4851b5
Score: 10/10
Malware Config

Signatures

Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Cjnitihth\mfcwdflwlw.exe | wlanext.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4000 | Order.exe
  Token: SeDebugPrivilege | 3968 | wlanext.exe
  Token: SeShutdownPrivilege | 2988 | Explorer.EXE (4 entries, alternating with the row below)
  Token: SeCreatePagefilePrivilege | 2988 | Explorer.EXE (4 entries)

Modifies Internet Explorer settings (signature name taken from the process tree below; the heading for this table is missing in the source)
  description | ioc | Process
  Key created | \Registry\User\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wlanext.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Suspicious behavior: MapViewOfSection (7 IoCs)
  pid | Process
  4000 | Order.exe (3 entries)
  3968 | wlanext.exe (4 entries)

Adds Run entry to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ABSXV4FPZD = "C:\\Program Files (x86)\\Cjnitihth\\mfcwdflwlw.exe" | wlanext.exe
  Key created | \Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | wlanext.exe

Suspicious use of WriteProcessMemory (18 IoCs)
  description | pid | Process | procid_target
  PID 3588 wrote to memory of 4000 | 3588 | Order.exe | 67 (6 entries)
  PID 2988 wrote to memory of 3968 | 2988 | Explorer.EXE | 68 (3 entries)
  PID 3968 wrote to memory of 3844 | 3968 | wlanext.exe | 69 (3 entries)
  PID 3968 wrote to memory of 852 | 3968 | wlanext.exe | 77 (3 entries)
  PID 3968 wrote to memory of 1124 | 3968 | wlanext.exe | 79 (3 entries)

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 3588 set thread context of 4000 | 3588 | Order.exe | 67
  PID 4000 set thread context of 2988 | 4000 | Order.exe | 56
  PID 3968 set thread context of 2988 | 3968 | wlanext.exe | 56

Suspicious behavior: EnumeratesProcesses (44 IoCs)
  pid | Process
  4000 | Order.exe (4 entries)
  3968 | wlanext.exe (40 entries)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2988
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    PID: 3588
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    C:\Users\Admin\AppData\Local\Temp\Order.exe
      Command line: "{path}"
      PID: 4000
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    PID: 3968
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Modifies Internet Explorer settings
    - Suspicious behavior: MapViewOfSection
    - Adds Run entry to start application
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order.exe"
      PID: 3844

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      PID: 852

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
      PID: 1124