Analysis

max time kernel: 146s
max time network: 61s
platform: windows7_x64
resource: win7
submitted: 13/07/2020, 13:33

Static task: static1

Behavioral task: behavioral1
- Sample: NEW ORDER APPROVED_PDF.exe
- Resource: win7
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: NEW ORDER APPROVED_PDF.exe
- Resource: win10
- 0 signatures, 0 seconds
General

Target: NEW ORDER APPROVED_PDF.exe
Size: 368KB
MD5: c3782f33095e240a6c570b8d1265eaa4
SHA1: e40c6809253127c918848e2db3173205c12d3def
SHA256: 6023812166224ffe7f3ff3efacddccd27c4ae1f09aa2dc9e2f5c8557d6bb4382
SHA512: 9138e8059fe1b00d9a6522b984a5134a39508a45f2d4b4bfb89c9843cc8ca161f2960ab2aa4fee25c8cc8fc6398b9d00beddccf126432233d75fd40792681677
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (4 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeDebugPrivilege | 276 | NEW ORDER APPROVED_PDF.exe |
| Token: SeDebugPrivilege | 556 | NEW ORDER APPROVED_PDF.exe |
| Token: SeDebugPrivilege | 1044 | msiexec.exe |
| Token: SeShutdownPrivilege | 1228 | Explorer.EXE |

Suspicious use of SetThreadContext (4 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 276 set thread context of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 556 set thread context of 1228 | 556 | NEW ORDER APPROVED_PDF.exe | 20 |
| PID 556 set thread context of 1228 | 556 | NEW ORDER APPROVED_PDF.exe | 20 |
| PID 1044 set thread context of 1228 | 1044 | msiexec.exe | 20 |

Executes dropped EXE (1 IoCs)

| pid | Process |
|---|---|
| 556 | NEW ORDER APPROVED_PDF.exe |

Suspicious use of FindShellTrayWindow (5 IoCs)

| pid | Process |
|---|---|
| 1228 | Explorer.EXE |
| 1228 | Explorer.EXE |
| 1228 | Explorer.EXE |
| 1228 | Explorer.EXE |
| 1228 | Explorer.EXE |

Checks whether UAC is enabled

| description | ioc | Process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Explorer.EXE |

Suspicious behavior: EnumeratesProcesses (47 IoCs; distinct pid/Process pairs shown)

| pid | Process |
|---|---|
| 276 | NEW ORDER APPROVED_PDF.exe |
| 556 | NEW ORDER APPROVED_PDF.exe |
| 1044 | msiexec.exe |

Loads dropped DLL (1 IoCs)

| pid | Process |
|---|---|
| 276 | NEW ORDER APPROVED_PDF.exe |

Suspicious use of WriteProcessMemory (18 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 276 wrote to memory of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 276 wrote to memory of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 276 wrote to memory of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 276 wrote to memory of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 276 wrote to memory of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 276 wrote to memory of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 276 wrote to memory of 556 | 276 | NEW ORDER APPROVED_PDF.exe | 24 |
| PID 1228 wrote to memory of 1044 | 1228 | Explorer.EXE | 25 |
| PID 1228 wrote to memory of 1044 | 1228 | Explorer.EXE | 25 |
| PID 1228 wrote to memory of 1044 | 1228 | Explorer.EXE | 25 |
| PID 1228 wrote to memory of 1044 | 1228 | Explorer.EXE | 25 |
| PID 1228 wrote to memory of 1044 | 1228 | Explorer.EXE | 25 |
| PID 1228 wrote to memory of 1044 | 1228 | Explorer.EXE | 25 |
| PID 1228 wrote to memory of 1044 | 1228 | Explorer.EXE | 25 |
| PID 1044 wrote to memory of 1516 | 1044 | msiexec.exe | 26 |
| PID 1044 wrote to memory of 1516 | 1044 | msiexec.exe | 26 |
| PID 1044 wrote to memory of 1516 | 1044 | msiexec.exe | 26 |
| PID 1044 wrote to memory of 1516 | 1044 | msiexec.exe | 26 |

Suspicious behavior: MapViewOfSection (6 IoCs)

| pid | Process |
|---|---|
| 556 | NEW ORDER APPROVED_PDF.exe |
| 556 | NEW ORDER APPROVED_PDF.exe |
| 556 | NEW ORDER APPROVED_PDF.exe |
| 556 | NEW ORDER APPROVED_PDF.exe |
| 1044 | msiexec.exe |
| 1044 | msiexec.exe |

Suspicious use of SendNotifyMessage (4 IoCs)

| pid | Process |
|---|---|
| 1228 | Explorer.EXE |
| 1228 | Explorer.EXE |
| 1228 | Explorer.EXE |
| 1228 | Explorer.EXE |
Processes
- C:\Windows\Explorer.EXE (depth 1, PID 1228)
  - Command line: C:\Windows\Explorer.EXE
  - Signatures:
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Checks whether UAC is enabled
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\NEW ORDER APPROVED_PDF.exe (depth 2, PID 276)
    - Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER APPROVED_PDF.exe"
    - Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\NEW ORDER APPROVED_PDF.exe (depth 3, PID 556)
      - Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER APPROVED_PDF.exe"
      - Signatures:
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetThreadContext
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\msiexec.exe (depth 2, PID 1044)
    - Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Signatures:
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\cmd.exe (depth 3, PID 1516)
      - Command line: /c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDER APPROVED_PDF.exe"