Analysis

max time kernel: 149s
max time network: 157s
platform: windows7_x64
resource: win7
submitted: 10-07-2020 17:46

Static task: static1

Behavioral task: behavioral1
  Sample: Purchase order- 932.exe
  Resource: win7
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Purchase order- 932.exe
  Resource: win10v200430
  0 signatures, 0 seconds
General

Target: Purchase order- 932.exe
Size: 551KB
MD5: 21c6a2f2c3517d9180799fc892758630
SHA1: 231126b687dfc1d0c9a433ced44a0ff500670a64
SHA256: 12027e9572326109ce9621432da2ff4b5f170ffaec2aa118a492349f2c320c4e
SHA512: c86516123f7ac464cf7d7027ce5ad889a38d5c8b4f7ad34fd3c3cf3cc300fdee53b6e9839a638725b773ff29cafd1f70147b42187fa15ca7acae8db00884b6ce
Malware Config
Signatures
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes: Purchase order- 932.exe, Explorer.EXE, wlanext.exe
  description                        pid   process                  target process
  PID 1108 wrote to memory of 1020   1108  Purchase order- 932.exe  Purchase order- 932.exe  (7 entries)
  PID 1284 wrote to memory of 368    1284  Explorer.EXE             wlanext.exe              (4 entries)
  PID 368 wrote to memory of 1088    368   wlanext.exe              cmd.exe                  (4 entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Purchase order- 932.exe, wlanext.exe, Explorer.EXE
  description                 pid   process
  Token: SeDebugPrivilege     1020  Purchase order- 932.exe
  Token: SeDebugPrivilege     368   wlanext.exe
  Token: SeShutdownPrivilege  1284  Explorer.EXE
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE
  pid   process
  1284  Explorer.EXE  (4 entries)
- Checks whether UAC is enabled (1 IoCs)
  Processes: Explorer.EXE
  description        ioc                                                                                   process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Purchase order- 932.exe, wlanext.exe
  description                          pid   process                  target process
  PID 1108 set thread context of 1020  1108  Purchase order- 932.exe  Purchase order- 932.exe
  PID 1020 set thread context of 1284  1020  Purchase order- 932.exe  Explorer.EXE
  PID 368 set thread context of 1284   368   wlanext.exe              Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (24 IoCs)
  Processes: Purchase order- 932.exe, wlanext.exe
  pid   process
  1020  Purchase order- 932.exe  (2 entries)
  368   wlanext.exe              (22 entries)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: Purchase order- 932.exe, wlanext.exe
  pid   process
  1020  Purchase order- 932.exe  (3 entries)
  368   wlanext.exe              (2 entries)
- Deletes itself (1 IoCs)
  Processes: cmd.exe
  pid   process
  1088  cmd.exe
- Suspicious use of FindShellTrayWindow (5 IoCs)
  Processes: Explorer.EXE
  pid   process
  1284  Explorer.EXE  (5 entries)
Processes

(depth 1) C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled
  - Suspicious use of FindShellTrayWindow

  (depth 2) C:\Users\Admin\AppData\Local\Temp\Purchase order- 932.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order- 932.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext

    (depth 3) C:\Users\Admin\AppData\Local\Temp\Purchase order- 932.exe
      command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection

  (depth 2) C:\Windows\SysWOW64\wlanext.exe
    command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection

    (depth 3) C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Purchase order- 932.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/368-4-0x0000000000000000-mapping.dmp
- memory/368-5-0x0000000000F80000-0x0000000000F96000-memory.dmp  (Filesize: 88KB)
- memory/368-7-0x00000000009E0000-0x0000000000B30000-memory.dmp  (Filesize: 1.3MB)
- memory/1020-2-0x0000000000400000-0x000000000042D000-memory.dmp  (Filesize: 180KB)
- memory/1020-3-0x000000000041E340-mapping.dmp
- memory/1088-6-0x0000000000000000-mapping.dmp
- memory/1108-1-0x0000000000000000-0x0000000000000000-disk.dmp