Overview

overview

10

Static

static

order conf...01.exe

windows7_x64

10

order conf...01.exe

windows10_x64

10

Analysis

  • max time kernel
    45s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    order confirmation 6026022001.exe

  • Size

    20KB

  • MD5

    a9ebeb182dacaf7bce486a6057eca4b3

  • SHA1

    a120761190e19ea911ade534cfa5b306d23f1290

  • SHA256

    0466e95386b646ceb150b3e44533c0f20aef85ba49757b9ec1fd1c01a47d31eb

  • SHA512

    6fa85664bc6b43f1fbcd338c94a64355575e6a4c2f5ee699c72c2c1f7ae1b1c5221b8c0c12d6e17e671361d21495e68ab8c5682a09281bf01cee0e6e1338a613

Score
10/10
evasiontrojan

Malware Config

Signatures

  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • UAC bypass 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • Nirsoft 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\order confirmation 6026022001.exe
    "C:\Users\Admin\AppData\Local\Temp\order confirmation 6026022001.exe"
    1⤵
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3132
    • C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\AdvancedRun.exe" /SpecialRun 4101d8 8
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4064
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order confirmation 6026022001.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3788
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\order confirmation 6026022001.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3836
    • C:\Users\Admin\AppData\Local\Temp\d1a3a835-d06f-45f5-9db9-1ef0fd389f9c\AdvancedRun.exe
      "C:\Users\Admin\AppData\Local\Temp\d1a3a835-d06f-45f5-9db9-1ef0fd389f9c\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\order confirmation 6026022001.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3872
      • C:\Users\Admin\AppData\Local\Temp\d1a3a835-d06f-45f5-9db9-1ef0fd389f9c\AdvancedRun.exe
        "C:\Users\Admin\AppData\Local\Temp\d1a3a835-d06f-45f5-9db9-1ef0fd389f9c\AdvancedRun.exe" /SpecialRun 4101d8 3872
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

1
T1088

Defense Evasion

Disabling Security Tools

4
T1089

Modify Registry

5
T1112

Bypass User Account Control

1
T1088

Credential Access

Discovery

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    7fceb2da7bc0c32510d440869d855518

    SHA1

    a42d6061013e56b1c60e6738ab900eca1bd4635d

    SHA256

    37c340b1e142edf2316ea9ad86966608607aab721759805bb440b941b9987460

    SHA512

    e63d7e49a8237b8e6f9879ff3ad12c5a98af646a2515d981e892f558d2cbb0f466b2848be85bde33e0aee211b159149ccf449d6788f815c97b9651932006e74e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\d1a3a835-d06f-45f5-9db9-1ef0fd389f9c\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\d1a3a835-d06f-45f5-9db9-1ef0fd389f9c\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\d1a3a835-d06f-45f5-9db9-1ef0fd389f9c\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\ebff4cca-aa55-42a7-8150-f928c3e93d2d\AdvancedRun.exe
    MD5

    17fc12902f4769af3a9271eb4e2dacce

    SHA1

    9a4a1581cc3971579574f837e110f3bd6d529dab

    SHA256

    29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

    SHA512

    036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

    Download Submit
  • memory/8-10-0x0000000000000000-mapping.dmp
    Download
  • memory/3132-9-0x00000000086A0000-0x00000000086A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3132-2-0x0000000073820000-0x0000000073F0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3132-8-0x0000000008BA0000-0x0000000008BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3132-7-0x0000000005080000-0x0000000005130000-memory.dmp
    Filesize

    704KB

    Download
  • memory/3132-6-0x0000000007600000-0x0000000007601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3132-5-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3132-19-0x0000000008950000-0x0000000008951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3132-3-0x0000000000070000-0x0000000000071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-27-0x0000000007662000-0x0000000007663000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-41-0x0000000007B80000-0x0000000007B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-15-0x0000000000000000-mapping.dmp
    Download
  • memory/3788-72-0x0000000007663000-0x0000000007664000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-26-0x0000000007660000-0x0000000007661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-69-0x0000000009D30000-0x0000000009D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-28-0x0000000007970000-0x0000000007971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-65-0x0000000009790000-0x0000000009791000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-32-0x0000000007AF0000-0x0000000007AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-34-0x00000000084B0000-0x00000000084B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-64-0x000000007F720000-0x000000007F721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3788-18-0x0000000073820000-0x0000000073F0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3788-43-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3820-39-0x0000000000000000-mapping.dmp
    Download
  • memory/3836-16-0x0000000000000000-mapping.dmp
    Download
  • memory/3836-30-0x00000000078F0000-0x00000000078F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-17-0x0000000073820000-0x0000000073F0E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3836-45-0x0000000008280000-0x0000000008281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-50-0x0000000009290000-0x00000000092C3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3836-61-0x000000007FC60000-0x000000007FC61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-24-0x0000000006C10000-0x0000000006C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-22-0x0000000007250000-0x0000000007251000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-68-0x00000000093C0000-0x00000000093C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-20-0x0000000006B50000-0x0000000006B51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-71-0x0000000006C13000-0x0000000006C14000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-25-0x0000000006C12000-0x0000000006C13000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-73-0x0000000009510000-0x0000000009511000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3836-75-0x0000000009500000-0x0000000009501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3872-36-0x0000000000000000-mapping.dmp
    Download
  • memory/4064-13-0x0000000000000000-mapping.dmp
    Download