Analysis
-
max time kernel
149s -
max time network
162s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
20-05-2022 13:22
Static task
static1
Behavioral task
behavioral1
Sample
Purchase Order (#16062020).exe
Resource
win7-20220414-en
General
-
Target
Purchase Order (#16062020).exe
-
Size
464KB
-
MD5
9fbf3d861158629cfd1c65cf8425c8b6
-
SHA1
b9ac6bdaed6db2a4c62754b897a625f9b6efa188
-
SHA256
7ef7ff0660d406b237fd3253738d60a294c0273ca1436cf9ba87d5b2ea8d62d8
-
SHA512
f8810d51c4673c3dee8209e5e4df0a3d482ef51b15d5d5a2d0bc8a4d264865306803a37b7a741f27595a361763b352bab370d1af26f2d1005ac3cd242ebd8496
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile explorer.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile explorer.exe -
Sets file execution options in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 272 rundll32.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Google Updater 2.0 = "C:\\ProgramData\\Google Updater 2.0\\9y7eio13.exe" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Google Updater 2.0 = "\"C:\\ProgramData\\Google Updater 2.0\\9y7eio13.exe\"" explorer.exe Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce explorer.exe -
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA cmd.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
Processes:
cmd.exeexplorer.exepid process 948 cmd.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 cmd.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString cmd.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe -
Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" explorer.exe -
Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
Processes:
explorer.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main explorer.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
rundll32.exeexplorer.exepid process 272 rundll32.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe 1368 explorer.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
rundll32.execmd.exeexplorer.exepid process 272 rundll32.exe 948 cmd.exe 948 cmd.exe 1368 explorer.exe 1368 explorer.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
Processes:
cmd.exeexplorer.exedescription pid process Token: SeDebugPrivilege 948 cmd.exe Token: SeRestorePrivilege 948 cmd.exe Token: SeBackupPrivilege 948 cmd.exe Token: SeLoadDriverPrivilege 948 cmd.exe Token: SeCreatePagefilePrivilege 948 cmd.exe Token: SeShutdownPrivilege 948 cmd.exe Token: SeTakeOwnershipPrivilege 948 cmd.exe Token: SeChangeNotifyPrivilege 948 cmd.exe Token: SeCreateTokenPrivilege 948 cmd.exe Token: SeMachineAccountPrivilege 948 cmd.exe Token: SeSecurityPrivilege 948 cmd.exe Token: SeAssignPrimaryTokenPrivilege 948 cmd.exe Token: SeCreateGlobalPrivilege 948 cmd.exe Token: 33 948 cmd.exe Token: SeDebugPrivilege 1368 explorer.exe Token: SeRestorePrivilege 1368 explorer.exe Token: SeBackupPrivilege 1368 explorer.exe Token: SeLoadDriverPrivilege 1368 explorer.exe Token: SeCreatePagefilePrivilege 1368 explorer.exe Token: SeShutdownPrivilege 1368 explorer.exe Token: SeTakeOwnershipPrivilege 1368 explorer.exe Token: SeChangeNotifyPrivilege 1368 explorer.exe Token: SeCreateTokenPrivilege 1368 explorer.exe Token: SeMachineAccountPrivilege 1368 explorer.exe Token: SeSecurityPrivilege 1368 explorer.exe Token: SeAssignPrimaryTokenPrivilege 1368 explorer.exe Token: SeCreateGlobalPrivilege 1368 explorer.exe Token: 33 1368 explorer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Purchase Order (#16062020).exerundll32.execmd.exeexplorer.exedescription pid process target process PID 1784 wrote to memory of 272 1784 Purchase Order (#16062020).exe rundll32.exe PID 1784 wrote to memory of 272 1784 Purchase Order (#16062020).exe rundll32.exe PID 1784 wrote to memory of 272 1784 Purchase Order (#16062020).exe rundll32.exe PID 1784 wrote to memory of 272 1784 Purchase Order (#16062020).exe rundll32.exe PID 1784 wrote to memory of 272 1784 Purchase Order (#16062020).exe rundll32.exe PID 1784 wrote to memory of 272 1784 Purchase Order (#16062020).exe rundll32.exe PID 1784 wrote to memory of 272 1784 Purchase Order (#16062020).exe rundll32.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 272 wrote to memory of 948 272 rundll32.exe cmd.exe PID 948 wrote to memory of 1368 948 cmd.exe explorer.exe PID 948 wrote to memory of 1368 948 cmd.exe explorer.exe PID 948 wrote to memory of 1368 948 cmd.exe explorer.exe PID 948 wrote to memory of 1368 948 cmd.exe explorer.exe PID 948 wrote to memory of 1368 948 cmd.exe explorer.exe PID 948 wrote to memory of 1368 948 cmd.exe explorer.exe PID 948 wrote to memory of 1368 948 cmd.exe explorer.exe PID 1368 wrote to memory of 1332 1368 explorer.exe Dwm.exe PID 1368 wrote to memory of 1332 1368 explorer.exe Dwm.exe PID 1368 wrote to memory of 1332 1368 explorer.exe Dwm.exe PID 1368 wrote to memory of 1332 1368 explorer.exe Dwm.exe PID 1368 wrote to memory of 1332 1368 explorer.exe Dwm.exe
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\Purchase Order (#16062020).exe"C:\Users\Admin\AppData\Local\Temp\Purchase Order (#16062020).exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe ProfilePricket,Pretor3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe"4⤵
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
- Modifies firewall policy service
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\ProfilePricket.DLLFilesize
45KB
MD50bf7b531f22a6bbbac9daf40684622dc
SHA120c4e2cf99c54134756fcec23a842b46395dc0e0
SHA256649a79f09a854a305237b9ee571f457d029029fcaef195717f748fb9ab1e24dd
SHA51201ae028362e586e265750eaf84a5290d518dc6d5d6609556d6349dd78359724ef97ae2e07d630f4922f979e9a3c91229274a6d42710c61ec7f82de91853b9081
-
C:\Users\Admin\AppData\Local\Temp\TrialFilesize
346KB
MD509480579084e493aa58bd591e549f9d8
SHA150e86141376b2334e9872e47b499bf2dbf689a66
SHA2560670f2019e0aa3016c4a6759e57fe4c00daece19ac7d7844533450bacff52dd2
SHA512e3e21dc3fb967ca566ee718e3b556d89abe11a5ac1282a98ac7d255759d5a6722a33693922b8fed5b22be80196162085cb33f3e4aa15a9bc23f1dc51e454cf2b
-
\Users\Admin\AppData\Local\Temp\ProfilePricket.dllFilesize
45KB
MD50bf7b531f22a6bbbac9daf40684622dc
SHA120c4e2cf99c54134756fcec23a842b46395dc0e0
SHA256649a79f09a854a305237b9ee571f457d029029fcaef195717f748fb9ab1e24dd
SHA51201ae028362e586e265750eaf84a5290d518dc6d5d6609556d6349dd78359724ef97ae2e07d630f4922f979e9a3c91229274a6d42710c61ec7f82de91853b9081
-
memory/272-63-0x0000000076E90000-0x0000000077039000-memory.dmpFilesize
1.7MB
-
memory/272-55-0x0000000000000000-mapping.dmp
-
memory/272-60-0x0000000074220000-0x0000000074278000-memory.dmpFilesize
352KB
-
memory/272-62-0x0000000075000000-0x0000000075035000-memory.dmpFilesize
212KB
-
memory/948-66-0x0000000000090000-0x0000000000096000-memory.dmpFilesize
24KB
-
memory/948-76-0x00000000002E0000-0x00000000002ED000-memory.dmpFilesize
52KB
-
memory/948-65-0x0000000076E90000-0x0000000077039000-memory.dmpFilesize
1.7MB
-
memory/948-77-0x0000000000530000-0x000000000053C000-memory.dmpFilesize
48KB
-
memory/948-72-0x0000000002430000-0x0000000002496000-memory.dmpFilesize
408KB
-
memory/948-74-0x0000000000400000-0x0000000000435000-memory.dmpFilesize
212KB
-
memory/948-75-0x0000000002430000-0x0000000002496000-memory.dmpFilesize
408KB
-
memory/948-64-0x0000000000000000-mapping.dmp
-
memory/1368-78-0x0000000000000000-mapping.dmp
-
memory/1368-80-0x0000000074121000-0x0000000074123000-memory.dmpFilesize
8KB
-
memory/1368-81-0x0000000077070000-0x00000000771F0000-memory.dmpFilesize
1.5MB
-
memory/1368-82-0x0000000000150000-0x0000000000203000-memory.dmpFilesize
716KB
-
memory/1368-83-0x0000000000940000-0x000000000094C000-memory.dmpFilesize
48KB
-
memory/1376-84-0x00000000026C0000-0x00000000026C6000-memory.dmpFilesize
24KB
-
memory/1784-54-0x00000000755A1000-0x00000000755A3000-memory.dmpFilesize
8KB