4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742

General

Target

ORDER 33.exe
Size

456KB
MD5

093f7881caf5cb7a06058de4f4678590
SHA1

67d9b27fc723315444144cb30cd63e5062e8e496
SHA256

4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742
SHA512

a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ORDER 33.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ORDER 33.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cos\\cos.exe\""	ORDER 33.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1544 schtasks.exe

pid	process
1544	schtasks.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ORDER 33.execmd.exeORDER 33.exeORDER 33.exeORDER 33.exeORDER 33.exeWScript.exe

description	pid	process	target process
PID 1636 wrote to memory of 1852	1636	ORDER 33.exe	cmd.exe
PID 1636 wrote to memory of 1852	1636	ORDER 33.exe	cmd.exe
PID 1636 wrote to memory of 1852	1636	ORDER 33.exe	cmd.exe
PID 1636 wrote to memory of 1852	1636	ORDER 33.exe	cmd.exe
PID 1636 wrote to memory of 1240	1636	ORDER 33.exe	ORDER 33.exe
PID 1636 wrote to memory of 1240	1636	ORDER 33.exe	ORDER 33.exe
PID 1636 wrote to memory of 1240	1636	ORDER 33.exe	ORDER 33.exe
PID 1636 wrote to memory of 1240	1636	ORDER 33.exe	ORDER 33.exe
PID 1852 wrote to memory of 1544	1852	cmd.exe	schtasks.exe
PID 1852 wrote to memory of 1544	1852	cmd.exe	schtasks.exe
PID 1852 wrote to memory of 1544	1852	cmd.exe	schtasks.exe
PID 1852 wrote to memory of 1544	1852	cmd.exe	schtasks.exe
PID 1240 wrote to memory of 1664	1240	ORDER 33.exe	ORDER 33.exe
PID 1240 wrote to memory of 1664	1240	ORDER 33.exe	ORDER 33.exe
PID 1240 wrote to memory of 1664	1240	ORDER 33.exe	ORDER 33.exe
PID 1240 wrote to memory of 1664	1240	ORDER 33.exe	ORDER 33.exe
PID 1664 wrote to memory of 1604	1664	ORDER 33.exe	ORDER 33.exe
PID 1664 wrote to memory of 1604	1664	ORDER 33.exe	ORDER 33.exe
PID 1664 wrote to memory of 1604	1664	ORDER 33.exe	ORDER 33.exe
PID 1664 wrote to memory of 1604	1664	ORDER 33.exe	ORDER 33.exe
PID 1604 wrote to memory of 1652	1604	ORDER 33.exe	ORDER 33.exe
PID 1604 wrote to memory of 1652	1604	ORDER 33.exe	ORDER 33.exe
PID 1604 wrote to memory of 1652	1604	ORDER 33.exe	ORDER 33.exe
PID 1604 wrote to memory of 1652	1604	ORDER 33.exe	ORDER 33.exe
PID 1652 wrote to memory of 872	1652	ORDER 33.exe	WScript.exe
PID 1652 wrote to memory of 872	1652	ORDER 33.exe	WScript.exe
PID 1652 wrote to memory of 872	1652	ORDER 33.exe	WScript.exe
PID 1652 wrote to memory of 872	1652	ORDER 33.exe	WScript.exe
PID 872 wrote to memory of 1456	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1456	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1456	872	WScript.exe	cmd.exe
PID 872 wrote to memory of 1456	872	WScript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
3⤵
- Creates scheduled task(s)
PID:1544

C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
6⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cos\cos.exe"
7⤵
PID:1456

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml
MD5
7c98d787eb831e4838a731268336246b

SHA1
96c2f366786890fa75de5c64d6a0d203b8b59ac7

SHA256
4670aa8df266f964ed37deeb34cc9dcf98e47d05b625df8955eb569e50425d90

SHA512
0128682695ff456b9582baa903bb4aa6f5ffd998193625661ca280890381d2bdcb0a884e732a67eec41328461d386afa2eb9a504b06dac86a02481b95ba4041f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
53b5b01ab6df628a783870090504f195

SHA1
4c175a9e57fba856c3926c6017aadb86316eb62a

SHA256
7f45e4f97baaccd07b2134f61c5e702af72f8a0b39cea6b5b4955daa289ed701

SHA512
fcc1948c81aa59ec6f391d47be7fa9160abb835dd584d14b057fbc057ea3ebf2918d660a859ab4b481260e5abee2aaf7fa5ee749097bff6a6f386e4389e1b3ba

Download Submit
memory/872-9-0x0000000000000000-mapping.dmp

Download
memory/1240-3-0x0000000000000000-mapping.dmp

Download
memory/1456-11-0x0000000000000000-mapping.dmp

Download
memory/1544-4-0x0000000000000000-mapping.dmp

Download
memory/1604-7-0x0000000000000000-mapping.dmp

Download
memory/1652-8-0x0000000000000000-mapping.dmp

Download
memory/1664-6-0x0000000000000000-mapping.dmp

Download
memory/1852-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads