Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    25/05/2024, 20:04 UTC

General

  • Target

    Purchase order list.JPG.scr

  • Size

    674KB

  • MD5

    732666aebcfaa043adcf0435c25c2a63

  • SHA1

    7063a25f0d956ac54fdf83b5842f750c18d214e7

  • SHA256

    1a5f70e81feddef080a6913baa2c46e2098cc0dec52c66a0f6632084d7ba983e

  • SHA512

    0d0eb7aaa8c0033e3e6e84316eb3b095b47cfea00c8e8adcc12525f628966e8de39e891bb6f55de8991536912fe746fd6f27892c4aa0fbacc9842295714dce79

  • SSDEEP

    12288:S5ciWsuCCFz+srS6lBeMS8YOUKaENFgI9ttuZC7vWEY:STMFCO5lmOUKaXINuK2

Score
7/10

Malware Config

Signatures

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase order list.JPG.scr
    "C:\Users\Admin\AppData\Local\Temp\Purchase order list.JPG.scr" /S
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Users\Admin\AppData\Local\Temp\Purchase order list.JPG.scr
      "C:\Users\Admin\AppData\Local\Temp\Purchase order list.JPG.scr"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2552
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 764
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2128
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2704
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2408
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 764
          4⤵
          • Loads dropped DLL
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1568
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1228
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 772
            5⤵
            • Loads dropped DLL
            PID:2088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.exe

    Filesize

    674KB

    MD5

    732666aebcfaa043adcf0435c25c2a63

    SHA1

    7063a25f0d956ac54fdf83b5842f750c18d214e7

    SHA256

    1a5f70e81feddef080a6913baa2c46e2098cc0dec52c66a0f6632084d7ba983e

    SHA512

    0d0eb7aaa8c0033e3e6e84316eb3b095b47cfea00c8e8adcc12525f628966e8de39e891bb6f55de8991536912fe746fd6f27892c4aa0fbacc9842295714dce79

  • memory/1624-0-0x0000000074951000-0x0000000074952000-memory.dmp

    Filesize

    4KB

  • memory/1624-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1624-2-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1624-3-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

  • memory/1624-19-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2552-6-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2552-9-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2552-10-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2552-11-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

  • memory/2552-8-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2552-4-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

  • memory/2552-35-0x0000000074950000-0x0000000074EFB000-memory.dmp

    Filesize

    5.7MB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.