Overview

overview

10

Static

static

order.exe

windows7_x64

10

order.exe

windows10_x64

3

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    16-07-2020 07:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order.exe

  • Size

    503KB

  • MD5

    a280142137b1aeb5e45c793e2ab317dc

  • SHA1

    ba95a539e94f0a82f2140522902d770730e76aaa

  • SHA256

    95574ab20f094a30ec1f5d3cd6694e6afd0a5c4809e0151f5bd2b427bbbb33df

  • SHA512

    c52605c490dce8d9e98bfa5a28d68a738e5ff3e817820439e0bb86c5d07a556c5df5df640e5527f0da33e8b0557ae547c2cc9b8d2d0460ceb6baf151764b6f37

Score
10/10
evasionspywaretrojanstealerformbookpersistence

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    • Suspicious use of SendNotifyMessage
    PID:1312
    • C:\Users\Admin\AppData\Local\Temp\order.exe
      "C:\Users\Admin\AppData\Local\Temp\order.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetThreadContext
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1432
      • C:\Users\Admin\AppData\Local\Temp\order.exe
        "{path}"
        3⤵
          PID:1864
        • C:\Users\Admin\AppData\Local\Temp\order.exe
          "{path}"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetThreadContext
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1752
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        2⤵
        • Drops file in Program Files directory
        • Modifies Internet Explorer settings
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetThreadContext
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:468
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\order.exe"
          3⤵
          • Deletes itself
          PID:1220
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1540

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/468-5-0x0000000000140000-0x00000000003C1000-memory.dmp

        Filesize

        2.5MB

        Download

      • memory/468-7-0x0000000003330000-0x00000000034A9000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/468-8-0x00000000775C0000-0x00000000775CC000-memory.dmp

        Filesize

        48KB

        Download

      • memory/468-9-0x0000000075960000-0x0000000075A7D000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/468-10-0x0000000003CC0000-0x0000000003E40000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/1540-12-0x000000013F710000-0x000000013F7A3000-memory.dmp

        Filesize

        588KB

        Download

      • memory/1752-2-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download