Analysis
- max time kernel: 148s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 14-01-2021 06:59
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER 33.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: ORDER 33.exe
- Resource: win10v20201028
General
- Target: ORDER 33.exe
- Size: 456KB
- MD5: 093f7881caf5cb7a06058de4f4678590
- SHA1: 67d9b27fc723315444144cb30cd63e5062e8e496
- SHA256: 4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742
- SHA512: a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: cos.exe, cos.exe
  pid  | process
  1380 | cos.exe
  1732 | cos.exe
- Adds Run key to start application (2 TTPs, 4 IoCs)
  Processes: ORDER 33.exe, cos.exe
  description     | ioc | process
  Key created     | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | ORDER 33.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cos\\cos.exe\"" | ORDER 33.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | cos.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Remcos = "\"C:\\Users\\Admin\\AppData\\Roaming\\cos\\cos.exe\"" | cos.exe
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Modifies registry class (1 IoCs)
  Processes: ORDER 33.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings | ORDER 33.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: AUDIODG.EXE
  description                         | pid  | process
  Token: 33                           | 1132 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege   | 1132 | AUDIODG.EXE
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: cos.exe
  pid  | process
  1732 | cos.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: ORDER 33.exe, cmd.exe, WScript.exe, cmd.exe, cos.exe, cos.exe
  description                           | pid  | process      | target process
  PID 1316 wrote to memory of 692       | 1316 | ORDER 33.exe | cmd.exe
  PID 1316 wrote to memory of 692       | 1316 | ORDER 33.exe | cmd.exe
  PID 1316 wrote to memory of 692       | 1316 | ORDER 33.exe | cmd.exe
  PID 692 wrote to memory of 3972       | 692  | cmd.exe      | schtasks.exe
  PID 692 wrote to memory of 3972       | 692  | cmd.exe      | schtasks.exe
  PID 692 wrote to memory of 3972       | 692  | cmd.exe      | schtasks.exe
  PID 1316 wrote to memory of 812       | 1316 | ORDER 33.exe | WScript.exe
  PID 1316 wrote to memory of 812       | 1316 | ORDER 33.exe | WScript.exe
  PID 1316 wrote to memory of 812       | 1316 | ORDER 33.exe | WScript.exe
  PID 812 wrote to memory of 3656       | 812  | WScript.exe  | cmd.exe
  PID 812 wrote to memory of 3656       | 812  | WScript.exe  | cmd.exe
  PID 812 wrote to memory of 3656       | 812  | WScript.exe  | cmd.exe
  PID 3656 wrote to memory of 1380      | 3656 | cmd.exe      | cos.exe
  PID 3656 wrote to memory of 1380      | 3656 | cmd.exe      | cos.exe
  PID 3656 wrote to memory of 1380      | 3656 | cmd.exe      | cos.exe
  PID 1380 wrote to memory of 1732      | 1380 | cos.exe      | cos.exe
  PID 1380 wrote to memory of 1732      | 1380 | cos.exe      | cos.exe
  PID 1380 wrote to memory of 1732      | 1380 | cos.exe      | cos.exe
  PID 1732 wrote to memory of 2944      | 1732 | cos.exe      | svchost.exe
  PID 1732 wrote to memory of 2944      | 1732 | cos.exe      | svchost.exe
  PID 1732 wrote to memory of 2944      | 1732 | cos.exe      | svchost.exe
Processes (process tree; the number is the depth in the tree)
1. C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER 33.exe"
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\schtasks.exe
         Command line: schtasks /Create /TN flies /XML "C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml"
         - Creates scheduled task(s)
   2. C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\cos\cos.exe"
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\cos\cos.exe
            Command line: C:\Users\Admin\AppData\Roaming\cos\cos.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\AppData\Roaming\cos\cos.exe
               Command line: "C:\Users\Admin\AppData\Roaming\cos\cos.exe"
               - Executes dropped EXE
               - Adds Run key to start application
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\SysWOW64\svchost.exe
                  Command line: C:\Windows\SysWOW64\svchost.exe
1. C:\Windows\system32\AUDIODG.EXE
   Command line: C:\Windows\system32\AUDIODG.EXE 0x3d8
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\7b42f087c00e411bac6e43aba58552f2.xml
  MD5: b362d71396554606927de2efedfc5241
  SHA1: d3c90e9a7b8ab2ec0b7b9035e075484edd8d03ea
  SHA256: 331bd5a3066a33606e45a9ba66d7f0dc616542192dd6142ef87ff10f1549fcd7
  SHA512: 998b67e295973833cc48e0f74cd39e98aefbc2f2b9395be3085590703be2e79a265d0dec7019546a5349f58cfc6282bd579a6a780267eb5e678fec05c5dc8f05
- C:\Users\Admin\AppData\Local\Temp\install.vbs
  MD5: 53b5b01ab6df628a783870090504f195
  SHA1: 4c175a9e57fba856c3926c6017aadb86316eb62a
  SHA256: 7f45e4f97baaccd07b2134f61c5e702af72f8a0b39cea6b5b4955daa289ed701
  SHA512: fcc1948c81aa59ec6f391d47be7fa9160abb835dd584d14b057fbc057ea3ebf2918d660a859ab4b481260e5abee2aaf7fa5ee749097bff6a6f386e4389e1b3ba
- C:\Users\Admin\AppData\Roaming\cos\cos.exe (same hashes as the submitted sample)
  MD5: 093f7881caf5cb7a06058de4f4678590
  SHA1: 67d9b27fc723315444144cb30cd63e5062e8e496
  SHA256: 4c73230621e55c51c6e4a32e354dca5e8fd3aaaa2df450b73991e6e21257a742
  SHA512: a0d99614a0ca3bcfb0d3677d1bf2a60876c1c3d1ca257d0e610ac3d8fdfc78f2fd514f0c503d4d4868b6f6fd04866e7a2293ccd6df743d3a43928017c9555823
- memory/692-2-0x0000000000000000-mapping.dmp
- memory/812-4-0x0000000000000000-mapping.dmp
- memory/1380-8-0x0000000000000000-mapping.dmp
- memory/1732-11-0x0000000000000000-mapping.dmp
- memory/3656-7-0x0000000000000000-mapping.dmp
- memory/3972-3-0x0000000000000000-mapping.dmp