Overview

overview

10

Static

static

3

Order.exe

windows7-x64

1

Order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/10/2023, 13:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order.exe

  • Size

    320KB

  • MD5

    f1785da3dad811e0db801c060ddba932

  • SHA1

    4799dadc29cad53b8b63323505909a8bd4664a99

  • SHA256

    6490e5498bf6ca3c0b3cb40d581e019e8c4135fd8bc49580c30160f6b02450c6

  • SHA512

    1ac7127290d62559a127d89c33ae91f85dd42d65adf4638d19597a953bbdc264e4f1d63de991a7bedb6de88df005e35512c1dcf320a2b0cfdcab20a5fa25949d

  • SSDEEP

    6144:SRgc2lOrSZPpLO+zZ67VskJZqLQFkPP5iU5+WOqzqH8JpmWV6/3gEQ7u+qdKQh5K:nY7VskJqQyPxiU5+WOqzqH8Jpy/33Q6g

Score
10/10
persistencespywarestealer

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    premium89.web-hosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    bl e ss ing 2 0 2 3

Signatures

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order.exe
    "C:\Users\Admin\AppData\Local\Temp\Order.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Users\Admin\AppData\Local\Temp\Order.exe
      C:\Users\Admin\AppData\Local\Temp\Order.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4120

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order.exe.log
    Filesize

    1KB

    MD5

    489c7565f9b029ba9fadff774073cc98

    SHA1

    56c05089b33ee7e7dfa9e6a2d098164efd8e1150

    SHA256

    10bf6242da02dad8b2e1208b9dab9a7303cf986320e05e5ef20b99c9b71326d4

    SHA512

    ddea09c011a8d4f85905842c2f34c98add0110a0b6b3b2709718c3614a2c42dec5f4f5d5b9442cfd3c6c23e9a90c8c0b25c14c3dbd42faea9cc8dd232cace1ac

    Download Submit

  • memory/3788-1-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3788-0-0x0000000000EB0000-0x0000000000F06000-memory.dmp

    Filesize

    344KB

    Download

  • memory/3788-2-0x00000000059A0000-0x00000000059B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3788-3-0x0000000005800000-0x0000000005808000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3788-4-0x0000000006B90000-0x0000000006BE2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/3788-5-0x0000000006C10000-0x0000000006C50000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3788-6-0x0000000006CC0000-0x0000000006D0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3788-7-0x0000000007440000-0x00000000079E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3788-13-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4120-12-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4120-9-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4120-14-0x0000000005450000-0x0000000005460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4120-15-0x00000000054D0000-0x0000000005536000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4120-16-0x00000000069D0000-0x0000000006A20000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4120-17-0x0000000006AC0000-0x0000000006B5C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4120-18-0x0000000006C00000-0x0000000006C92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4120-19-0x0000000006B90000-0x0000000006B9A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4120-20-0x00000000747F0000-0x0000000074FA0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4120-21-0x0000000005450000-0x0000000005460000-memory.dmp

    Filesize

    64KB

    Download