Analysis
max time kernel: 148s
max time network: 29s
platform: windows7_x64
resource: win7v200430
submitted: 10-07-2020 07:20
Static task: static1
Behavioral task: behavioral1
  Sample: bulk orders.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: bulk orders.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: bulk orders.exe
Size: 402KB
MD5: bbc3b10b87eb81003f7756ce4a7747bb
SHA1: 3c80f55251b8f501a541f974403ab3f8ab6cd1a4
SHA256: 319d0b2de48964ad79622ab5177bb6cd05bae9fa537cc8da575498be4b7eda0b
SHA512: 53eea0fccf55223c4d1bc94f997fad30c6bac5bdc6a2c11ceeb75a529ac5345e5ddff3a7aac7655502cb01b9592a22a8cac16974ee1b488b59a9d3b7212fa581
Score: 7/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description          pid   process          target pid  target process
  wrote to memory of   1292  bulk orders.exe  1516        RegSvcs.exe
  (12 identical events from PID 1292 into PID 1516)
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description             pid   process          target pid  target process
  set thread context of   1292  bulk orders.exe  1516        RegSvcs.exe
  Taken together with the WriteProcessMemory events above, this is the process-hollowing sequence: the sample spawns a signed .NET framework utility (RegSvcs.exe), writes its payload into that child's address space, then redirects the child's main thread so the payload runs under the trusted image name.
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1516  RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid   process
  1516  RegSvcs.exe
  1516  RegSvcs.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
Processes
1. "C:\Users\Admin\AppData\Local\Temp\bulk orders.exe" (PID 1292)
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext
   2. "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe" (PID 1516, child of PID 1292)
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
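The process tree and the WriteProcessMemory / SetThreadContext signatures above describe one parent-child pair, which is the shape a detection rule for process hollowing keys on. The following is an added example, not part of the sandbox report: a small correlator that takes process-create, cross-process-write and set-thread-context events and flags a parent that does all three against the same child, then checks whether the child is one of the signed .NET utilities commonly used as a hollowing host. The event records and the host list are constructed for this example (they reuse the PIDs and image names the report shows, plus one benign debugger-style pair as noise); the Event type and the `find_hollowing` / `is_trusted_host` names are this example's own.

```python
"""Correlate sandbox/EDR-style events into the process-hollowing pattern:
parent creates child, parent writes into child's memory, parent resets a
thread context in the child. Events here are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Signed .NET / Windows utilities commonly abused as hollowing hosts.
# Assumption for this example; extend with your own environment's list.
COMMON_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "vbc.exe", "csc.exe",
}


@dataclass(frozen=True)
class Event:
    kind: str          # "create", "write_memory" or "set_thread_context"
    pid: int           # acting (parent) process
    image: str         # acting process image name
    target_pid: int    # child / target process
    target_image: str  # child / target image name or path


# Constructed sample, mirroring the report: 1292 (bulk orders.exe) spawns
# 1516 (RegSvcs.exe), writes to it 12 times, then sets its thread context.
CONSTRUCTED_EVENTS = [
    Event("create", 1292, "bulk orders.exe", 1516,
          r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"),
    *[Event("write_memory", 1292, "bulk orders.exe", 1516, "RegSvcs.exe")
      for _ in range(12)],
    Event("set_thread_context", 1292, "bulk orders.exe", 1516, "RegSvcs.exe"),
    # Benign noise: a debugger-like parent writes memory but never hijacks a thread.
    Event("create", 2000, "devenv.exe", 2100, "testhost.exe"),
    Event("write_memory", 2000, "devenv.exe", 2100, "testhost.exe"),
]


def find_hollowing(events):
    """Return (source_pid, target_pid, target_image, write_count) for every
    parent/child pair that shows create + WriteProcessMemory + SetThreadContext.
    A cross-process write on its own is not enough: debuggers and some
    installers do that legitimately, so all three are required."""
    children = {}                 # (parent, child) -> child image
    writes = defaultdict(int)     # (parent, child) -> number of writes
    ctx = set()                   # (parent, child) pairs with a thread-context reset
    for ev in events:
        key = (ev.pid, ev.target_pid)
        if ev.kind == "create":
            children[key] = ev.target_image
        elif ev.kind == "write_memory":
            writes[key] += 1
        elif ev.kind == "set_thread_context":
            ctx.add(key)
    return [(src, dst, image, writes[(src, dst)])
            for (src, dst), image in children.items()
            if (src, dst) in ctx and writes[(src, dst)] > 0]


def is_trusted_host(image):
    """True if the image's basename is a known signed utility used as a host."""
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base in COMMON_HOSTS


if __name__ == "__main__":
    for src, dst, image, n in find_hollowing(CONSTRUCTED_EVENTS):
        tag = "signed-host" if is_trusted_host(image) else "other"
        print(f"hollowing: PID {src} -> PID {dst} ({image}), {n} writes [{tag}]")
```

The rule requires the thread-context reset, not just the writes, which is why the constructed devenv.exe/testhost.exe pair is not reported; on real telemetry (Sysmon event 10 for process access, or an EDR's WriteProcessMemory / SetThreadContext hooks) the same three-step correlation applies, with the host list turning a generic hit into the higher-confidence "payload hidden inside a signed framework binary" case this report shows.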