Analysis
max time kernel: 91s
max time network: 84s
platform: windows7_x64
resource: win7v200430
submitted: 10-07-2020 07:01
Static task: static1
Behavioral task: behavioral1
  Sample: ORDER _# 6WHQ492788G.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: ORDER _# 6WHQ492788G.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: ORDER _# 6WHQ492788G.exe
Size: 841KB
MD5: abc4f95a5cda04a4c1e3c0a1e0a7eb92
SHA1: 885bc02ac8295c7cb601df9520f63d0c35b11af5
SHA256: 7204eac3f08e94c2330bb47f7caf2464c9b04863bd4f52b67d4e166171165b90
SHA512: 1dd983c5b0b183a3526288ccc57837739ff96268117805737796a83c03953129474e1170b31f0e0fe661e483f8e6d86231fee4e1a58cc992de37a28e6f711518
Score: 1/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 24 IoCs
The parent (PID 1296) wrote into the memory of every child it created: four writes into schtasks.exe and four writes into each of five freshly started copies of its own image. Together with the SeDebugPrivilege it enabled, that is the pattern a loader produces when it starts a suspended copy of itself and overwrites its image (process hollowing); this report records no injection-specific signature for those children, so the children's memory should be dumped from the sandbox to confirm what was written.
Processes:
description                       pid   process                   target process             count
PID 1296 wrote to memory of 1764  1296  ORDER _# 6WHQ492788G.exe  schtasks.exe               4
PID 1296 wrote to memory of 1824  1296  ORDER _# 6WHQ492788G.exe  ORDER _# 6WHQ492788G.exe   4
PID 1296 wrote to memory of 1788  1296  ORDER _# 6WHQ492788G.exe  ORDER _# 6WHQ492788G.exe   4
PID 1296 wrote to memory of 1772  1296  ORDER _# 6WHQ492788G.exe  ORDER _# 6WHQ492788G.exe   4
PID 1296 wrote to memory of 1784  1296  ORDER _# 6WHQ492788G.exe  ORDER _# 6WHQ492788G.exe   4
PID 1296 wrote to memory of 1776  1296  ORDER _# 6WHQ492788G.exe  ORDER _# 6WHQ492788G.exe   4
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid   process
Token: SeDebugPrivilege   1296  ORDER _# 6WHQ492788G.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid   process                   count
1296  ORDER _# 6WHQ492788G.exe  10
Creates scheduled task(s) 1 TTPs 1 IoCs
schtasks.exe is commonly used by malware to gain persistence or to schedule post-infection execution. In this run the sample (PID 1296) launched schtasks.exe to register a task named "Updates\QAFjvvyrFrV" from an XML definition in the user's Temp directory (tmpFBCB.tmp). The task's trigger and action are not captured in this report, so the XML file should be recovered from the sandbox to confirm what the task runs and when. Note also that the loaded image is C:\Windows\SysWOW64\schtasks.exe although the command line names System32: that is WOW64 file-system redirection, which indicates the parent is a 32-bit process running on 64-bit Windows.
Processes
C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe"
  PID: 1296
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious behavior: EnumeratesProcesses
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QAFjvvyrFrV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBCB.tmp"
      PID: 1764
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe
      Command line: "{path}"
      PID: 1824
    C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe
      Command line: "{path}"
      PID: 1788
    C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe
      Command line: "{path}"
      PID: 1772
    C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe
      Command line: "{path}"
      PID: 1784
    C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe
      Command line: "{path}"
      PID: 1776
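As an added example (my own code, not part of this report or of the sandbox's tooling), the Python script below replays the process tree above as constructed process-creation and WriteProcessMemory events and applies the three checks a triage analyst would want from this report: it parses the schtasks /Create command line and flags a task definition XML that lives in a Temp directory, it notes a SysWOW64 image behind a System32 command line, and it finds a parent that starts several copies of its own image and writes into each of them. The PIDs, image paths and command lines are taken from the report; the event layout, field names and helper names are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the process tree in the report above.
# Field names ("pid", "ppid", "image", "cmdline") are an assumption of this example.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ORDER _# 6WHQ492788G.exe"
PROCESSES = [
    {"pid": 1296, "ppid": 0, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 1764, "ppid": 1296,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QAFjvvyrFrV" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpFBCB.tmp"'},
] + [
    {"pid": pid, "ppid": 1296, "image": SAMPLE, "cmdline": '"{path}"'}
    for pid in (1824, 1788, 1772, 1784, 1776)
]

# WriteProcessMemory events as (writer pid, target pid); the report lists four per target.
WRITES = [(1296, t) for t in (1764, 1824, 1788, 1772, 1784, 1776) for _ in range(4)]

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_TEMP_DIRS = re.compile(r"\\appdata\\local\\temp\\|\\windows\\temp\\", re.I)


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted spans whole."""
    return [quoted if quoted else bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks_create(cmdline):
    """Return {'task': name, 'xml': path} for a 'schtasks /Create' command line, else None."""
    toks = split_cmdline(cmdline)
    if len(toks) < 2 or not toks[0].lower().endswith("schtasks.exe"):
        return None
    lowered = [t.lower() for t in toks]
    if "/create" not in lowered:
        return None
    out = {"task": None, "xml": None}
    for i, t in enumerate(lowered[:-1]):
        if t == "/tn":
            out["task"] = toks[i + 1]
        elif t == "/xml":
            out["xml"] = toks[i + 1]
    return out


def in_temp_dir(path):
    """True when the path sits under a per-user or system Temp directory."""
    return bool(_TEMP_DIRS.search(path))


def wow64_redirected(proc):
    """True when the loaded image is in SysWOW64 but the command line named System32,
    which is what WOW64 file-system redirection does for a 32-bit parent on x64."""
    return "\\syswow64\\" in proc["image"].lower() and "\\system32\\" in proc["cmdline"].lower()


def self_spawned_children_written(processes, writes):
    """Map parent pid -> {child pid: write count} for children that run the parent's
    own image and were written to by that parent (the hollowing pattern)."""
    by_pid = {p["pid"]: p for p in processes}
    counts = defaultdict(lambda: defaultdict(int))
    for writer, target in writes:
        counts[writer][target] += 1
    result = {}
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent is None or p["image"].lower() != parent["image"].lower():
            continue
        n = counts[parent["pid"]].get(p["pid"], 0)
        if n:
            result.setdefault(parent["pid"], {})[p["pid"]] = n
    return result


def findings(processes, writes):
    """Human-readable triage findings for the event set."""
    out = []
    for p in processes:
        st = parse_schtasks_create(p["cmdline"])
        if st:
            note = f"pid {p['pid']} registers task {st['task']!r}"
            if st["xml"] and in_temp_dir(st["xml"]):
                note += f" from XML in a temp directory: {st['xml']}"
            if wow64_redirected(p):
                note += " (32-bit parent: System32 path redirected to SysWOW64)"
            out.append(note)
    for parent, kids in self_spawned_children_written(processes, writes).items():
        if len(kids) >= 2:
            out.append(f"pid {parent} spawned {len(kids)} copies of its own image and wrote to "
                       f"each {sorted(set(kids.values()))} times; consistent with process hollowing")
    return out


if __name__ == "__main__":
    for line in findings(PROCESSES, WRITES):
        print(line)
```

The same three checks translate directly to Sysmon data: EventID 1 gives Image, CommandLine, ParentProcessId and ParentImage, and EventID 8 or 10 (CreateRemoteThread / ProcessAccess) gives the cross-process write side; the temp-directory test on the /XML argument is what separates this task registration from an administrator's schtasks import.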