Analysis
- max time kernel: 147s
- max time network: 117s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 06:28
Static task: static1
Behavioral task: behavioral1
  Sample: products inquiry.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: products inquiry.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
- Target: products inquiry.exe
- Size: 229KB
- MD5: a53604e429dd528d745800b1b533a85e
- SHA1: 778ef3670b3a55dbdefaf4f5f756aa1964feb330
- SHA256: 63c1ce2aef3529012b5e2d4453754583f41b5aa0f1f8e12e8e08a8a8abc9470e
- SHA512: 5f56e7aaf702ed1db467cbb8fa0ec72af89cc4cb8cbff5bb96dbd41b71004d463685efb123093c95b03a00a2f7c12ff2657a3e1e87cec2ec6520856b0efc283a
Malware Config
Signatures
- Suspicious use of WriteProcessMemory 19 IoCs
  Processes (pid / process -> target process; repeated rows collapsed with a count):
    PID 1768 wrote to memory of 1880  products inquiry.exe -> schtasks.exe          (x4)
    PID 1768 wrote to memory of 1940  products inquiry.exe -> products inquiry.exe  (x7)
    PID 1216 wrote to memory of 1968  Explorer.EXE -> ipconfig.exe                  (x4)
    PID 1968 wrote to memory of 1140  ipconfig.exe -> cmd.exe                       (x4)
- Suspicious use of SetThreadContext 3 IoCs
  Processes:
    PID 1768 set thread context of 1940  products inquiry.exe -> products inquiry.exe
    PID 1940 set thread context of 1216  products inquiry.exe -> Explorer.EXE
    PID 1968 set thread context of 1216  ipconfig.exe -> Explorer.EXE
- Suspicious use of AdjustPrivilegeToken 3 IoCs
  Processes:
    Token: SeDebugPrivilege  1768 products inquiry.exe
    Token: SeDebugPrivilege  1940 products inquiry.exe
    Token: SeDebugPrivilege  1968 ipconfig.exe
- Suspicious behavior: EnumeratesProcesses 25 IoCs
  Processes:
    1768 products inquiry.exe  (x1)
    1940 products inquiry.exe  (x2)
    1968 ipconfig.exe          (x22)
- Suspicious use of FindShellTrayWindow 5 IoCs
  Processes:
    1216 Explorer.EXE  (x5)
- Creates scheduled task(s) 1 TTPs 1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  (The IoC row is the schtasks.exe command line shown in the process tree below.)
- Checks whether UAC is enabled 1 IoCs
  Processes:
    Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  Explorer.EXE
- Suspicious behavior: MapViewOfSection 5 IoCs
  Processes:
    1940 products inquiry.exe  (x3)
    1968 ipconfig.exe          (x2)
- Deletes itself 1 IoCs
  Processes:
    1140 cmd.exe
- Suspicious use of SendNotifyMessage 4 IoCs
  Processes:
    1216 Explorer.EXE  (x4)
Processes
- C:\Windows\Explorer.EXE  (PID 1216, depth 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - Suspicious use of FindShellTrayWindow
  - Checks whether UAC is enabled
  - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\products inquiry.exe  (PID 1768, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\products inquiry.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - C:\Windows\SysWOW64\schtasks.exe  (PID 1880, depth 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFExzXR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp96A3.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\products inquiry.exe  (PID 1940, depth 3)
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
  - C:\Windows\SysWOW64\ipconfig.exe  (PID 1968, depth 2)
    command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of WriteProcessMemory
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - C:\Windows\SysWOW64\cmd.exe  (PID 1140, depth 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\products inquiry.exe"
      - Deletes itself
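The signature tables and the process tree above describe one chain: the sample spawns a copy of itself, writes into it and resets its thread context (the sequence of process hollowing), the hollowed copy then targets Explorer.EXE with SetThreadContext, Explorer.EXE spawns ipconfig.exe, which in turn injects back into Explorer.EXE and spawns cmd.exe to delete the original file, while a scheduled task is imported from an XML file in Temp for persistence. The Python below is an added example, not the sandbox's own code or export: it turns those rows into the checks a detection engineer would run over this kind of report. The two input tables are constructed by hand from the PIDs, images and command lines on this page (duplicate rows collapsed), and the check names, the `NEVER_INJECTS` set and the regexes are this example's own assumptions.

```python
"""Detection checks over the behaviour chain shown in this report.

MEMORY_EVENTS and PROCESSES are constructed by hand from the report's signature
tables and process tree; they are not the sandbox's raw export, and the check
names, NEVER_INJECTS and the regexes are this example's own choices.
"""
import re
from collections import defaultdict

# (event, source_pid, source_image, target_pid, target_image); the report's
# repeated rows (four WriteProcessMemory rows per CreateProcess) are collapsed.
MEMORY_EVENTS = [
    ("WriteProcessMemory", 1768, "products inquiry.exe", 1880, "schtasks.exe"),
    ("WriteProcessMemory", 1768, "products inquiry.exe", 1940, "products inquiry.exe"),
    ("SetThreadContext",   1768, "products inquiry.exe", 1940, "products inquiry.exe"),
    ("SetThreadContext",   1940, "products inquiry.exe", 1216, "Explorer.EXE"),
    ("WriteProcessMemory", 1216, "Explorer.EXE",         1968, "ipconfig.exe"),
    ("SetThreadContext",   1968, "ipconfig.exe",         1216, "Explorer.EXE"),
    ("WriteProcessMemory", 1968, "ipconfig.exe",         1140, "cmd.exe"),
]

# (pid, parent_pid, image_path, command_line) from the Processes section.
PROCESSES = [
    (1216, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (1768, 1216, r"C:\Users\Admin\AppData\Local\Temp\products inquiry.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\products inquiry.exe"'),
    (1880, 1768, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SFExzXR" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp96A3.tmp"'),
    (1940, 1768, r"C:\Users\Admin\AppData\Local\Temp\products inquiry.exe", '"{path}"'),
    (1968, 1216, r"C:\Windows\SysWOW64\ipconfig.exe", r'"C:\Windows\SysWOW64\ipconfig.exe"'),
    (1140, 1968, r"C:\Windows\SysWOW64\cmd.exe",
     r'/c del "C:\Users\Admin\AppData\Local\Temp\products inquiry.exe"'),
]

# Assumption: system utilities that never legitimately reset another process's thread context.
NEVER_INJECTS = {"ipconfig.exe", "schtasks.exe", "cmd.exe"}
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowing(events):
    """Process hollowing: the same source both writes into a target and then resets
    its thread context. WriteProcessMemory alone is not enough, since every
    CreateProcess produces such rows (Explorer.EXE -> ipconfig.exe above)."""
    writes = {(s, t) for ev, s, _, t, _ in events if ev == "WriteProcessMemory"}
    return [{"source": s, "target": t, "self_image": basename(si) == basename(ti)}
            for ev, s, si, t, ti in events
            if ev == "SetThreadContext" and (s, t) in writes]


def find_shell_injection(events, shell="explorer.exe"):
    """SetThreadContext aimed at the desktop shell from anything that is not the shell."""
    return [(s, basename(si), t) for ev, s, si, t, ti in events
            if ev == "SetThreadContext" and basename(ti) == shell and basename(si) != shell]


def find_utility_injectors(events):
    """A utility such as ipconfig.exe acting as the *source* of SetThreadContext
    means its image was replaced: it is an injected stage, not a tool being run."""
    return sorted({(s, basename(si)) for ev, s, si, _, _ in events
                   if ev == "SetThreadContext" and basename(si) in NEVER_INJECTS})


def find_schtasks_persistence(procs):
    """schtasks /Create importing a task definition (/XML) from the user's Temp dir."""
    hits = []
    for pid, ppid, image, cmd in procs:
        low = cmd.lower()
        if (basename(image) == "schtasks.exe" and "/create" in low and "/xml" in low
                and TEMP_DIR_RE.search(cmd)):
            name = re.search(r'/TN\s+"([^"]+)"', cmd, re.IGNORECASE)
            hits.append({"pid": pid, "parent": ppid, "task": name.group(1) if name else None})
    return hits


def find_self_delete(procs):
    """cmd.exe deleting a file that is the on-disk image of a process in the tree."""
    owners = defaultdict(list)
    for pid, _, image, _ in procs:
        owners[basename(image)].append(pid)
    hits = []
    for pid, ppid, image, cmd in procs:
        if basename(image) != "cmd.exe":
            continue
        m = re.search(r'\bdel\s+"?([^"]+?)"?\s*$', cmd, re.IGNORECASE)
        if m and basename(m.group(1)) in owners:
            hits.append({"cmd_pid": pid, "parent": ppid, "deleted": m.group(1),
                         "owner_pids": owners[basename(m.group(1))]})
    return hits


def triage(events, procs):
    """Run every check; a non-empty list is a hit."""
    return {
        "hollowing": find_hollowing(events),
        "shell_injection": find_shell_injection(events),
        "utility_injectors": find_utility_injectors(events),
        "schtasks_persistence": find_schtasks_persistence(procs),
        "self_delete": find_self_delete(procs),
    }


if __name__ == "__main__":
    for name, hits in triage(MEMORY_EVENTS, PROCESSES).items():
        print(f"{name:22s} {'HIT' if hits else '-':4s} {hits}")
```

Two design points worth noting. `find_hollowing` deliberately does not fire on the two SetThreadContext calls against Explorer.EXE (PIDs 1940 and 1968 never wrote to 1216 in the report); those are caught by `find_shell_injection`, which keys on the target rather than on a write-then-context pair. And the image path `C:\Windows\SysWOW64\schtasks.exe` against a command line naming `System32` is WOW64 file-system redirection, which tells you the sample is a 32-bit binary; the checks compare on basename for that reason.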
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp96A3.tmp
- memory/1140-8-0x0000000000000000-mapping.dmp
- memory/1768-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1880-2-0x0000000000000000-mapping.dmp
- memory/1940-4-0x0000000000400000-0x000000000042D000-memory.dmp  (Filesize 180KB)
- memory/1940-5-0x000000000041E350-mapping.dmp
- memory/1968-6-0x0000000000000000-mapping.dmp
- memory/1968-7-0x0000000000B10000-0x0000000000B1A000-memory.dmp  (Filesize 40KB)
- memory/1968-9-0x0000000001F20000-0x0000000002053000-memory.dmp  (Filesize 1.2MB)