Analysis
- max time kernel: 117s
- max time network: 147s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 05:17
Static task: static1
Behavioral task: behavioral1
- Sample: purchase order.exe
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds
Behavioral task: behavioral2
- Sample: purchase order.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: purchase order.exe
- Size: 1.1MB
- MD5: 17b50e88df8606876ddb8a1b1d3d4277
- SHA1: 159610f02b62f09eef08dd9ec324016a66899df8
- SHA256: d7a9047d6d19050866c5b5c7d08f4b45208d9b2a2a4f4179cadaf37ea92cfa89
- SHA512: 4beb2b70a649a075d0bc6cd02730152795840742f606e68506f6409a2146dda65264d57ccc1d13a091532b5214501cd974abb01df18d22662d0c1549b3be4d38
- Score: 7/10
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
  - PID 284 wrote to memory of 752 | 284 | purchase order.exe | powershell.exe (4 entries)
  - PID 284 wrote to memory of 1100 | 284 | purchase order.exe | cmd.exe (6 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 752 | powershell.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
  - 752 | powershell.exe (2 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
  - 284 | purchase order.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid | process):
  - 284 | purchase order.exe (6 entries)
- Drops startup file (2 IoCs)
  Processes (description | ioc | process):
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat | purchase order.exe
  - File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start | purchase order.exe
- NTFS ADS (2 IoCs)
  Processes (description | ioc | process):
  - File created | C:\ProgramData:ApplicationData | purchase order.exe
  - File opened for modification | C:\ProgramData:ApplicationData | purchase order.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Processes
- C:\Users\Admin\AppData\Local\Temp\purchase order.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\purchase order.exe"
  PID: 284
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetWindowsHookEx
  - Loads dropped DLL
  - Drops startup file
  - NTFS ADS
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell Add-MpPreference -ExclusionPath C:\
    PID: 752
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe"
    PID: 1100