20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81

General

Target

orders2.exe
Size

456KB
MD5

3d4d8630f3f0080bed661797ad1f21a8
SHA1

7b307d1bf98764405ba713009f2b0d8a91e8976c
SHA256

20cc3f25b59d83cbfd3f6908726114e8b0442907fabfc58da5f1eee4ae2ece81
SHA512

0216345b4d5fdaab6697ee848e8e87e3cb9be39fd68b46856923a55f22bc05ed64762356c98500f5595d562c63c872b10a50dc8d3d4bc03cff5527f1148f0fa0

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

orders2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\	orders2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\costly = "\"C:\\Users\\Admin\\AppData\\Roaming\\costly\\costlyRemi.exe\""	orders2.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1564 schtasks.exe

pid	process
1564	schtasks.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

orders2.execmd.exeorders2.exeorders2.exeorders2.exeWScript.exe

description	pid	process	target process
PID 1828 wrote to memory of 2012	1828	orders2.exe	cmd.exe
PID 1828 wrote to memory of 2012	1828	orders2.exe	cmd.exe
PID 1828 wrote to memory of 2012	1828	orders2.exe	cmd.exe
PID 1828 wrote to memory of 2012	1828	orders2.exe	cmd.exe
PID 1828 wrote to memory of 280	1828	orders2.exe	orders2.exe
PID 1828 wrote to memory of 280	1828	orders2.exe	orders2.exe
PID 1828 wrote to memory of 280	1828	orders2.exe	orders2.exe
PID 1828 wrote to memory of 280	1828	orders2.exe	orders2.exe
PID 2012 wrote to memory of 1564	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1564	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1564	2012	cmd.exe	schtasks.exe
PID 2012 wrote to memory of 1564	2012	cmd.exe	schtasks.exe
PID 280 wrote to memory of 1560	280	orders2.exe	orders2.exe
PID 280 wrote to memory of 1560	280	orders2.exe	orders2.exe
PID 280 wrote to memory of 1560	280	orders2.exe	orders2.exe
PID 280 wrote to memory of 1560	280	orders2.exe	orders2.exe
PID 1560 wrote to memory of 1712	1560	orders2.exe	orders2.exe
PID 1560 wrote to memory of 1712	1560	orders2.exe	orders2.exe
PID 1560 wrote to memory of 1712	1560	orders2.exe	orders2.exe
PID 1560 wrote to memory of 1712	1560	orders2.exe	orders2.exe
PID 1712 wrote to memory of 1652	1712	orders2.exe	WScript.exe
PID 1712 wrote to memory of 1652	1712	orders2.exe	WScript.exe
PID 1712 wrote to memory of 1652	1712	orders2.exe	WScript.exe
PID 1712 wrote to memory of 1652	1712	orders2.exe	WScript.exe
PID 1652 wrote to memory of 1648	1652	WScript.exe	cmd.exe
PID 1652 wrote to memory of 1648	1652	WScript.exe	cmd.exe
PID 1652 wrote to memory of 1648	1652	WScript.exe	cmd.exe
PID 1652 wrote to memory of 1648	1652	WScript.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\orders2.exe
"C:\Users\Admin\AppData\Local\Temp\orders2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /Create /TN remmyflies /XML "C:\Users\Admin\AppData\Local\Temp\b15716d40a204d2893de5f2eeabebb99.xml"
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /TN remmyflies /XML "C:\Users\Admin\AppData\Local\Temp\b15716d40a204d2893de5f2eeabebb99.xml"
3⤵
- Creates scheduled task(s)
PID:1564

C:\Users\Admin\AppData\Local\Temp\orders2.exe
"C:\Users\Admin\AppData\Local\Temp\orders2.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\orders2.exe
"C:\Users\Admin\AppData\Local\Temp\orders2.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\orders2.exe
"C:\Users\Admin\AppData\Local\Temp\orders2.exe"
4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\costly\costlyRemi.exe"
6⤵
PID:1648

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b15716d40a204d2893de5f2eeabebb99.xml
MD5
926fc666e9fc014de47e99eb27ea5254

SHA1
cd47c9c49c5beb19444515bf195cff79a581a97c

SHA256
fd59cb1d5b4f61cdcf4ff97e966a63baa08152dea20b660889b7ebdb96fef67c

SHA512
05359c4440c3904cb1b96c40a1cd777de7c644cdac08c5126d9ac13b821bc98a102eb6555c1e67eac7b85178d815176efc1f60840c75d8b7fa8df43581853870

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs
MD5
b3cad4bc97f520d80eae6ab3703dcb63

SHA1
07055527f5722de8eca3bbd9b3aec7e45bdc31c1

SHA256
4bde2ee90dda6962e7c6547a9f787a616432b42ec779f2f7a8cfcc725b112fbe

SHA512
b35f57a4279fb0737dfc0f6ed4cdf304b0800c494b473c03b4ffedd13985d6c1e108ee5822d6afb4ef65105b76796ba3cc37ef43d1b53cdc4945e6db4b02d18e

Download Submit
memory/280-3-0x0000000000000000-mapping.dmp

Download
memory/1560-6-0x0000000000000000-mapping.dmp

Download
memory/1564-4-0x0000000000000000-mapping.dmp

Download
memory/1648-10-0x0000000000000000-mapping.dmp

Download
memory/1652-8-0x0000000000000000-mapping.dmp

Download
memory/1652-11-0x0000000002840000-0x0000000002844000-memory.dmp

Filesize
16KB

Download
memory/1712-7-0x0000000000000000-mapping.dmp

Download
memory/2012-2-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads