Analysis
- max time kernel: 149s
- max time network: 128s
- platform: windows7_x64
- resource: win7v200430
- submitted: 12-07-2020 08:16
Static task: static1
Behavioral task: behavioral1
- Sample: contract supply list.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: contract supply list.exe
- Resource: win10
General
- Target: contract supply list.exe
- Size: 311KB
- MD5: 1c8f2480d5bfe4d9bbe8bc432ccc5c97
- SHA1: 5ff74ec7bd4d10582ce2c949ade827b1ccb23d21
- SHA256: 24f64f0f4a0f7b860db4e664e4f4c76a08f20d3490966de4637958bbecc618ac
- SHA512: 158ec88cc3d9ee15c2a96402e58547bd58896be18cc9502c8e204a21e85e3657cd4d07be03fba888911ff4d26e40b882afbc97ab6d04f8f1a67260205126acfe
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes: contract supply list.exe
    Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions (contract supply list.exe)
- Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  Processes: contract supply list.exe
    Key opened: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools (contract supply list.exe)
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes: contract supply list.exe
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (contract supply list.exe)
    Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 (contract supply list.exe)
- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  Processes: contract supply list.exe, contract supply list.exe, help.exe
    PID 240 contract supply list.exe (2 events)
    PID 1052 contract supply list.exe (2 events)
    PID 1612 help.exe (16 events)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: contract supply list.exe, contract supply list.exe, help.exe
    PID 240 set thread context of 1052: contract supply list.exe -> contract supply list.exe
    PID 1052 set thread context of 1304: contract supply list.exe -> Explorer.EXE
    PID 1612 set thread context of 1304: help.exe -> Explorer.EXE
- Deletes itself (1 IoC)
  Processes: cmd.exe
    PID 1580 cmd.exe
- Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes: Explorer.EXE
    PID 1304 Explorer.EXE (4 events)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: contract supply list.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (contract supply list.exe)
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (contract supply list.exe)
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes: contract supply list.exe, Explorer.EXE, help.exe
    PID 240 wrote to memory of 508: contract supply list.exe -> schtasks.exe (4 events)
    PID 240 wrote to memory of 872: contract supply list.exe -> contract supply list.exe (4 events)
    PID 240 wrote to memory of 1052: contract supply list.exe -> contract supply list.exe (7 events)
    PID 1304 wrote to memory of 1612: Explorer.EXE -> help.exe (4 events)
    PID 1612 wrote to memory of 1580: help.exe -> cmd.exe (4 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: contract supply list.exe, contract supply list.exe, help.exe
    Token: SeDebugPrivilege, PID 240 contract supply list.exe
    Token: SeDebugPrivilege, PID 1052 contract supply list.exe
    Token: SeDebugPrivilege, PID 1612 help.exe
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes: contract supply list.exe, help.exe
    PID 1052 contract supply list.exe (3 events)
    PID 1612 help.exe (2 events)
- Suspicious use of SendNotifyMessage (4 IoCs)
  Processes: Explorer.EXE
    PID 1304 Explorer.EXE (4 events)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SendNotifyMessage
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\contract supply list.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\contract supply list.exe"
    Signatures:
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Maps connected drives based on registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Checks BIOS information in registry
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    Child processes:
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RvBHdj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAAAF.tmp"
      Signatures:
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\contract supply list.exe
      Command line: "{path}"
    - C:\Users\Admin\AppData\Local\Temp\contract supply list.exe
      Command line: "{path}"
      Signatures:
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\autochk.exe
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\autofmt.exe
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: MapViewOfSection
    Child processes:
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\contract supply list.exe"
      Signatures:
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAAAF.tmp
- memory/240-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/508-2-0x0000000000000000-mapping.dmp
- memory/1052-4-0x0000000000400000-0x000000000042D000-memory.dmp (Filesize: 180KB)
- memory/1052-5-0x000000000041E2E0-mapping.dmp
- memory/1580-8-0x0000000000000000-mapping.dmp
- memory/1612-6-0x0000000000000000-mapping.dmp
- memory/1612-7-0x00000000000C0000-0x00000000000C6000-memory.dmp (Filesize: 24KB)
- memory/1612-9-0x00000000006E0000-0x0000000000836000-memory.dmp (Filesize: 1.3MB)