Analysis
max time kernel: 95s
max time network: 151s
platform: windows10_x64
resource: win10v20201028
submitted: 18-01-2021 00:06

Static task: static1
Behavioral task: behavioral1
Sample: Production order list1.exe
Resource: win7v20201028
0 signatures
0 seconds
General
Target: Production order list1.exe
Size: 202KB
MD5: bfbcba72ce61ead3bf4bc35002846856
SHA1: 8e99c47e0c5ea0a839ef63e19527dcb9f755d6a0
SHA256: 38f5c4a1a5be8e02b3898f125313cb34f8b686fd8c83f2192252f529c21cd47c
SHA512: 7151c60093019b9ca9cf0d034108027ed291ee44abe98787565ec74168b3dfaa6387614b4ac17671711a27a36c734ba4a428bc3d431692631a89da5dec53bedd
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Manager = "C:\\Program Files (x86)\\SMTP Manager\\smtpmgr.exe"
  process: Production order list1.exe

Checks whether UAC is enabled
Processes:
  description: Key value queried
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
  process: Production order list1.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  description: File created
  ioc: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
  process: Production order list1.exe

  description: File opened for modification
  ioc: C:\Program Files (x86)\SMTP Manager\smtpmgr.exe
  process: Production order list1.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes:
  pid: 816
  process: Production order list1.exe
  (24 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid: 816
  process: Production order list1.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  pid: 816
  process: Production order list1.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Production order list1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Production order list1.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
memory/816-2-0x0000000002D90000-0x0000000002D91000-memory.dmp
  Filesize: 4KB