Analysis

max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7
submitted: 13-07-2020 07:12

Static task: static1

Behavioral task: behavioral1
  Sample: order list.exe
  Resource: win7
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: order list.exe
  Resource: win10v200430
  0 signatures, 0 seconds
General

Target: order list.exe
Size: 296KB
MD5: 76bb6a33ec5f8f6bd9defe4341871e98
SHA1: 0ec9277d8c2e410440485c7cd2202ef877d49230
SHA256: 7910fbd27cb1e4fd04a3356d45036821ed924ef1b8de3117d677be4938cb5140
SHA512: 806dade1f74874d3c6cb3acdabee50ebc3a6cd4927d57e83e7136b448fe0a207a3a0e440be3668b2116e2043452cf1f0327aedc1e7542a7e8684b53eda7d10d9
Malware Config
Signatures

Suspicious use of WriteProcessMemory (19 IoCs)
  source PID  source process   target PID  target process  rows
  1496        order list.exe   736         vbc.exe         4
  1496        order list.exe   324         vbc.exe         7
  1228        Explorer.EXE     732         chkdsk.exe      4
  732         chkdsk.exe       1500        cmd.exe         4

Suspicious behavior: EnumeratesProcesses (25 IoCs)
  PID   process          rows
  1496  order list.exe   1
  324   vbc.exe          3
  732   chkdsk.exe       21

Suspicious use of FindShellTrayWindow (5 IoCs)
  PID   process       rows
  1228  Explorer.EXE  5

Suspicious use of SendNotifyMessage (4 IoCs)
  PID   process       rows
  1228  Explorer.EXE  4

Checks whether UAC is enabled (1 IoC)
  process       IoC
  Explorer.EXE  key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID   process          token
  1496  order list.exe   SeDebugPrivilege
  324   vbc.exe          SeDebugPrivilege
  732   chkdsk.exe       SeDebugPrivilege

Suspicious use of SetThreadContext (4 IoCs)
  source PID  source process   target PID  target process  rows
  1496        order list.exe   324         vbc.exe         1
  324         vbc.exe          1228        Explorer.EXE    2
  732         chkdsk.exe       1228        Explorer.EXE    1

Suspicious behavior: MapViewOfSection (6 IoCs)
  PID   process     rows
  324   vbc.exe     4
  732   chkdsk.exe  2

Uses the VBS compiler for execution (1 TTP)

Enumerates system info in registry (2 TTPs, 1 IoC)
  process     IoC
  chkdsk.exe  key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
Processes

C:\Windows\Explorer.EXE (PID 1228)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Checks whether UAC is enabled

  C:\Users\Admin\AppData\Local\Temp\order list.exe (PID 1496, child of Explorer.EXE)
    command line: "C:\Users\Admin\AppData\Local\Temp\order list.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 736, child of order list.exe)
      command line: "{path}"
      (no signatures)

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe (PID 324, child of order list.exe)
      command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection

  C:\Windows\SysWOW64\chkdsk.exe (PID 732, child of Explorer.EXE)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Enumerates system info in registry

    C:\Windows\SysWOW64\cmd.exe (PID 1500, child of chkdsk.exe)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      (no signatures)
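The WriteProcessMemory and SetThreadContext tables above, read together with the final cmd.exe command line, describe one injection chain: the sample writes into and redirects a thread of vbc.exe, vbc.exe redirects a thread in Explorer.EXE (with no WriteProcessMemory row of its own, the MapViewOfSection rows being the likely write path), Explorer.EXE spawns chkdsk.exe, and chkdsk.exe deletes the vbc.exe host it no longer needs. The following is an added example, not part of the Triage report and not Triage's code: it parses IoC rows in the report's own row format (the sample input below is constructed from the tables above, with duplicate rows collapsed), labels each source/target pair, walks the chain from the sample's PID, and checks whether the cleanup command removes a process that was used as a hollowing host. The three labels (hollowing, thread-hijack, write-only) and the `del` parsing are this example's own classification assumptions, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample input: the WriteProcessMemory and SetThreadContext IoC rows
# from the report, one "PID <src> <action> <dst> <src> <src image> <dst image>"
# row per line, with the report's duplicate rows collapsed.
IOC_ROWS = """\
PID 1496 wrote to memory of 736 1496 order list.exe vbc.exe
PID 1496 wrote to memory of 324 1496 order list.exe vbc.exe
PID 1228 wrote to memory of 732 1228 Explorer.EXE chkdsk.exe
PID 732 wrote to memory of 1500 732 chkdsk.exe cmd.exe
PID 1496 set thread context of 324 1496 order list.exe vbc.exe
PID 324 set thread context of 1228 324 vbc.exe Explorer.EXE
PID 732 set thread context of 1228 732 chkdsk.exe Explorer.EXE
"""

# The cmd.exe command line from the process tree (the leading exe path dropped).
CLEANUP_CMDLINE = r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'

# Source image may contain spaces ("order list.exe"); the backreference to <src>
# anchors where the repeated PID ends and the image names begin.
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>.+?) (?P<dst_img>\S+)$"
)
WRITE, CTX = "wrote to memory of", "set thread context of"


def parse_rows(text):
    """Turn flattened IoC rows into (src_pid, action, dst_pid, src_img, dst_img) tuples."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), m["action"], int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def label_edges(events):
    """Collapse rows into one labelled edge per (src, dst) pair.

    Labels are this example's assumption, not the sandbox's:
      hollowing     - source both wrote into the target and replaced a thread context
      thread-hijack - thread context set with no WriteProcessMemory row (the payload
                      may have been written through a mapped section instead)
      write-only    - memory written but no thread redirected (e.g. a plain child spawn)
    """
    actions = defaultdict(set)
    names = {}
    for src, action, dst, src_img, dst_img in events:
        actions[(src, dst)].add(action)
        names[src], names[dst] = src_img, dst_img
    edges = []
    for (src, dst), acts in sorted(actions.items()):
        if WRITE in acts and CTX in acts:
            kind = "hollowing"
        elif CTX in acts:
            kind = "thread-hijack"
        else:
            kind = "write-only"
        edges.append((src, names[src], dst, names[dst], kind))
    return edges


def reachable(edges, root):
    """Every PID the root touched, directly or through an already-injected process."""
    adj = defaultdict(list)
    for src, _, dst, _, _ in edges:
        adj[src].append(dst)
    seen, stack = set(), [root]
    while stack:
        pid = stack.pop()
        for nxt in adj[pid]:
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return sorted(seen)


DEL_RE = re.compile(r'/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def deleted_image(cmdline):
    """Basename of the file a 'cmd /c del <path>' command removes, or None."""
    m = DEL_RE.search(cmdline)
    return m["path"].rsplit("\\", 1)[-1] if m else None


def deletes_hollowed_host(cmdline, edges):
    """True when the cleanup deletes an image that was earlier used as a hollowing host."""
    target = deleted_image(cmdline)
    hosts = {dst_img for _, _, _, dst_img, kind in edges if kind == "hollowing"}
    return target is not None and target in hosts


if __name__ == "__main__":
    edges = label_edges(parse_rows(IOC_ROWS))
    for src, src_img, dst, dst_img, kind in edges:
        print(f"{src:>5} {src_img:<15} -> {dst:>5} {dst_img:<13} {kind}")
    print("touched by 1496:", reachable(edges, 1496))
    print("cleanup removes hollowed host:", deletes_hollowed_host(CLEANUP_CMDLINE, edges))
```

Run as a script it prints one labelled edge per pair; the only pair carrying both a write and a thread-context change is 1496 to 324, which is why the two vbc.exe entries in the tree differ (736 only ever receives a write). The Explorer.EXE edges show up as thread-hijack because the report has no WriteProcessMemory row for them, so a detection that keys only on WriteProcessMemory followed by SetThreadContext would miss the second and third hops of this chain.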
Downloads
memory/324-2-0x0000000000400000-0x0000000000427000-memory.dmp (156KB)
memory/324-3-0x000000000041C160-mapping.dmp
memory/732-4-0x0000000000000000-mapping.dmp
memory/732-5-0x0000000000AA0000-0x0000000000AA7000-memory.dmp (28KB)
memory/732-7-0x0000000001EB0000-0x000000000201C000-memory.dmp (1.4MB)
memory/1496-1-0x0000000000000000-0x0000000000000000-disk.dmp
memory/1500-6-0x0000000000000000-mapping.dmp