Analysis

max time kernel: 116s
max time network: 148s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 00:06

Static task: static1
Behavioral task: behavioral1
Sample: Production order list1.exe
Resource: win7v20201028
0 signatures, 0 seconds
General

Target: Production order list1.exe
Size: 202KB
MD5: bfbcba72ce61ead3bf4bc35002846856
SHA1: 8e99c47e0c5ea0a839ef63e19527dcb9f755d6a0
SHA256: 38f5c4a1a5be8e02b3898f125313cb34f8b686fd8c83f2192252f529c21cd47c
SHA512: 7151c60093019b9ca9cf0d034108027ed291ee44abe98787565ec74168b3dfaa6387614b4ac17671711a27a36c734ba4a428bc3d431692631a89da5dec53bedd
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: Production order list1.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"
  process: Production order list1.exe
  Note: the value lands under Wow6432Node, so the sample ran as a 32-bit process on this x64 guest and the write to HKLM\SOFTWARE\...\Run was redirected by WOW64; the "Program Files (x86)" drop path is consistent with that.

Checks whether UAC is enabled
Processes: Production order list1.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Production order list1.exe
Drops file in Program Files directory (2 IoCs)
Processes: Production order list1.exe
  description: File created
  ioc: C:\Program Files (x86)\WPA Host\wpahost.exe
  process: Production order list1.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\WPA Host\wpahost.exe
  process: Production order list1.exe
Suspicious behavior: EnumeratesProcesses (17 IoCs)
Processes: Production order list1.exe
  pid 776  Production order list1.exe  (17 identical events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: Production order list1.exe
  pid 776  Production order list1.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: Production order list1.exe, AUDIODG.EXE
  Token: SeDebugPrivilege            pid 776  Production order list1.exe
  Token: 33                          pid 656  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  pid 656  AUDIODG.EXE
  Token: 33                          pid 656  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  pid 656  AUDIODG.EXE
  Note: AUDIODG.EXE is the Windows Audio Device Graph Isolation process, and base-priority adjustments on its own token are routine for it; the only privilege adjustment made by the sample itself is SeDebugPrivilege in pid 776, which is worth noting alongside the process enumeration above.
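The signatures above are most useful when read together: the file the sample drops is the same file the Run value points at, and the EnableLUA query shows it checking UAC state before that. The following is an added example, not part of the sandbox report or its tooling, that correlates events of the report's "description / ioc / process" form into findings. The event records are constructed here from the IoCs listed above; the rule names and the `Finding` type are this example's own.

```python
"""Correlate sandbox registry and file events into persistence findings.

Added example; the events, rule names and helper functions are this
example's own, not the sandbox's. Event records are constructed from
the IoCs in the report above.
"""
import re
from dataclasses import dataclass

# Constructed from the report's IoCs. Backslashes inside the REG_SZ value
# are doubled exactly as the sandbox prints them.
EVENTS = [
    {"description": "Set value (str)",
     "ioc": r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe"',
     "process": "Production order list1.exe"},
    {"description": "Key value queried",
     "ioc": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "process": "Production order list1.exe"},
    {"description": "File created",
     "ioc": r"C:\Program Files (x86)\WPA Host\wpahost.exe",
     "process": "Production order list1.exe"},
    {"description": "File opened for modification",
     "ioc": r"C:\Program Files (x86)\WPA Host\wpahost.exe",
     "process": "Production order list1.exe"},
]

# Native-format path of an autostart value under HKLM or HKU, with or
# without the Wow6432Node redirection a 32-bit writer gets on x64.
RUN_KEY_RE = re.compile(
    r"^\\REGISTRY\\(?:MACHINE|USER\\[^\\]+)\\SOFTWARE\\"
    r"(?P<wow>Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<key>RunOnce|Run)\\(?P<name>.+)$",
    re.IGNORECASE,
)
UAC_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    process: str
    detail: str


def unescape_value(raw: str) -> str:
    """Strip the quotes and doubled backslashes the sandbox prints around a REG_SZ."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace("\\\\", "\\")


def split_set_value(ioc: str):
    """Split 'KEY\\Name = value' into (key_path, value); None if not that form."""
    if " = " not in ioc:
        return None
    key_path, value = ioc.split(" = ", 1)
    return key_path, value


def exe_from_command(cmd: str) -> str:
    """Executable part of a Run value: a quoted path, or an unquoted path up to .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?=\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def analyze(events) -> list:
    """Return findings; cross-references Run values against files created in the same run."""
    findings = []
    dropped = {e["ioc"].lower() for e in events if e["description"] == "File created"}
    for e in events:
        desc, ioc, proc = e["description"], e["ioc"], e["process"]
        if desc.startswith("Set value"):
            parts = split_set_value(ioc)
            if not parts:
                continue
            key_path, raw_value = parts
            m = RUN_KEY_RE.match(key_path)
            if not m:
                continue
            exe = exe_from_command(unescape_value(raw_value))
            findings.append(Finding("run_key_persistence", proc,
                                    f"{m.group('key')}\\{m.group('name')} -> {exe}"))
            if m.group("wow"):
                findings.append(Finding("wow64_registry_redirect", proc,
                                        "32-bit writer on x64: value stored under Wow6432Node"))
            if exe.lower() in dropped:
                findings.append(Finding("drops_then_persists", proc,
                                        f"Run value points at a file this run created: {exe}"))
        elif desc == "Key value queried" and UAC_RE.search(ioc):
            findings.append(Finding("uac_status_check", proc, ioc))
    return findings


def rules_hit(events) -> list:
    """Sorted, de-duplicated rule names, for a quick verdict line."""
    return sorted({f.rule for f in analyze(events)})


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.rule:24} {f.process}: {f.detail}")
```

Run stand-alone it prints one line per finding for the report's events; `drops_then_persists` is the one that matters for triage, since a Run value alone is common in legitimate installers while a freshly written binary in Program Files (x86) that registers itself is not.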
Processes

C:\Users\Admin\AppData\Local\Temp\Production order list1.exe
  "C:\Users\Admin\AppData\Local\Temp\Production order list1.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x2ec
  - Suspicious use of AdjustPrivilegeToken