5d7c9b9657991323fccb7d26c4c33c9443b470242d76f84b175d46fc2fe1d7ae

General

Target

VM Accord, ORDER.exe
Size

1.1MB
MD5

3c306eae74d332ae0b65bb6c72119e83
SHA1

68caa2090296981984601d41c6a6bf851c695901
SHA256

c73072d530f242b4cc2b4e121f74f5a48304ef3271da33432b15bb43e8cebd73
SHA512

658bb8fda37c94bb39db2d98bfe1ddd7c83499ef274af5b25c7e21606ab207c052d394560678da98c4344ab398c5360c36aa7af78783741af4f00975e8740d4c
SSDEEP

24576:JAHnh+eWsN3skA4RV1Hom2KXMmHaKQynYdTUrUQU3EI5:Qh+ZkldoPK8YaKcpUrPU3b

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 4 IoCs

Processes:

VM Accord, ORDER.exesvchost.execertreq.exe

description	pid	process	target process
PID 1140 set thread context of 496	1140	VM Accord, ORDER.exe	svchost.exe
PID 496 set thread context of 3240	496	svchost.exe	Explorer.EXE
PID 496 set thread context of 1020	496	svchost.exe	certreq.exe
PID 1020 set thread context of 3240	1020	certreq.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

certreq.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	certreq.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

Processes:

svchost.execertreq.exe

pid	process
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
496	svchost.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe
1020	certreq.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

VM Accord, ORDER.exesvchost.exeExplorer.EXEcertreq.exe

pid process

1140 VM Accord, ORDER.exe
496 svchost.exe
3240 Explorer.EXE
3240 Explorer.EXE
1020 certreq.exe
1020 certreq.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

VM Accord, ORDER.exe

pid process

1140 VM Accord, ORDER.exe
1140 VM Accord, ORDER.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

VM Accord, ORDER.exe

pid process

1140 VM Accord, ORDER.exe
1140 VM Accord, ORDER.exe

pid	process
1140	VM Accord, ORDER.exe
496	svchost.exe
3240	Explorer.EXE
3240	Explorer.EXE
1020	certreq.exe
1020	certreq.exe

pid	process
1140	VM Accord, ORDER.exe
1140	VM Accord, ORDER.exe

pid	process
1140	VM Accord, ORDER.exe
1140	VM Accord, ORDER.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

VM Accord, ORDER.exeExplorer.EXE

description	pid	process	target process
PID 1140 wrote to memory of 496	1140	VM Accord, ORDER.exe	svchost.exe
PID 1140 wrote to memory of 496	1140	VM Accord, ORDER.exe	svchost.exe
PID 1140 wrote to memory of 496	1140	VM Accord, ORDER.exe	svchost.exe
PID 1140 wrote to memory of 496	1140	VM Accord, ORDER.exe	svchost.exe
PID 3240 wrote to memory of 1020	3240	Explorer.EXE	certreq.exe
PID 3240 wrote to memory of 1020	3240	Explorer.EXE	certreq.exe
PID 3240 wrote to memory of 1020	3240	Explorer.EXE	certreq.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\VM Accord, ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\VM Accord, ORDER.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\VM Accord, ORDER.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:496

C:\Windows\SysWOW64\certreq.exe
"C:\Windows\SysWOW64\certreq.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut20E1.tmp
Filesize
263KB

MD5
269bdb9c9c3db9b784e97ca01fbf5dd3

SHA1
ab5e0545c82fb2c9167e3819cf8738400a27a320

SHA256
7cc6a2e37aabec8c018093e8dd10a7bafec8b6f96009927b7edac8ef3c0268b4

SHA512
5630c46256923e3bd22f439de3f156e622b3e8ff2a3785d4b50967d4b73ffb7e0eec56535a8b225ff70fb32602b14df4420a73f2ab5a646a82621062a20a16f7

Download Submit
memory/496-22-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/496-13-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/496-14-0x0000000001700000-0x0000000001A4A000-memory.dmp

Filesize
3.3MB

Download
memory/496-15-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/496-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/496-17-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/496-18-0x0000000001540000-0x0000000001561000-memory.dmp

Filesize
132KB

Download
memory/496-23-0x0000000001540000-0x0000000001561000-memory.dmp

Filesize
132KB

Download
memory/1020-21-0x0000000000A10000-0x0000000000A4F000-memory.dmp

Filesize
252KB

Download
memory/1020-20-0x0000000000A10000-0x0000000000A4F000-memory.dmp

Filesize
252KB

Download
memory/1020-24-0x0000000002D90000-0x00000000030DA000-memory.dmp

Filesize
3.3MB

Download
memory/1020-25-0x0000000000A10000-0x0000000000A4F000-memory.dmp

Filesize
252KB

Download
memory/1020-26-0x0000000002BC0000-0x0000000002C60000-memory.dmp

Filesize
640KB

Download
memory/1020-28-0x0000000000A10000-0x0000000000A4F000-memory.dmp

Filesize
252KB

Download
memory/1020-29-0x0000000002BC0000-0x0000000002C60000-memory.dmp

Filesize
640KB

Download
memory/1140-12-0x0000000000C90000-0x0000000000C94000-memory.dmp

Filesize
16KB

Download
memory/3240-19-0x000000000D630000-0x000000000EFE5000-memory.dmp

Filesize
25.7MB

Download
memory/3240-27-0x000000000D630000-0x000000000EFE5000-memory.dmp

Filesize
25.7MB

Download
memory/3240-30-0x0000000008320000-0x0000000008408000-memory.dmp

Filesize
928KB

Download
memory/3240-31-0x0000000008320000-0x0000000008408000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads