b178cc14b83a2ccd52bfe7665abf7d50ee14f7169896f0a68ea700f5aa506b25

General

Target

New Purchase Order.exe
Size

1.9MB
MD5

445c5601b974d8f957ab67c055a2223e
SHA1

e6df9f893dfed8264157ba52edfc5d2bbb864132
SHA256

b178cc14b83a2ccd52bfe7665abf7d50ee14f7169896f0a68ea700f5aa506b25
SHA512

54dcfe68b0a5d4fe6904ce0c17cfbb1544bd3586dce82f14d162464a3bdc289f12c64c469767292d0a67b006a965c03767377748e6b0f4b9ea56cd9a3bccb7e0

Score

8^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1340-15-0x0000000000400000-0x00000000007E3000-memory.dmp	upx
behavioral2/memory/1340-17-0x0000000000400000-0x00000000007E3000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 5 IoCs

Processes:

RegSvcs.exe

pid process

1340 RegSvcs.exe
1340 RegSvcs.exe
1340 RegSvcs.exe
1340 RegSvcs.exe
1340 RegSvcs.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

New Purchase Order.exe

description pid process target process

PID 724 set thread context of 1340 724 New Purchase Order.exe RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1308 schtasks.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RegSvcs.exe

description pid process

Token: SeShutdownPrivilege 1340 RegSvcs.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RegSvcs.exe

pid process

1340 RegSvcs.exe
1340 RegSvcs.exe

pid	process
1340	RegSvcs.exe
1340	RegSvcs.exe
1340	RegSvcs.exe
1340	RegSvcs.exe
1340	RegSvcs.exe

description	pid	process	target process
PID 724 set thread context of 1340	724	New Purchase Order.exe	RegSvcs.exe

pid	process
1308	schtasks.exe

description	pid	process
Token: SeShutdownPrivilege	1340	RegSvcs.exe

pid	process
1340	RegSvcs.exe
1340	RegSvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

New Purchase Order.exe

description	pid	process	target process
PID 724 wrote to memory of 1308	724	New Purchase Order.exe	schtasks.exe
PID 724 wrote to memory of 1308	724	New Purchase Order.exe	schtasks.exe
PID 724 wrote to memory of 1308	724	New Purchase Order.exe	schtasks.exe
PID 724 wrote to memory of 1340	724	New Purchase Order.exe	RegSvcs.exe
PID 724 wrote to memory of 1340	724	New Purchase Order.exe	RegSvcs.exe
PID 724 wrote to memory of 1340	724	New Purchase Order.exe	RegSvcs.exe
PID 724 wrote to memory of 1340	724	New Purchase Order.exe	RegSvcs.exe
PID 724 wrote to memory of 1340	724	New Purchase Order.exe	RegSvcs.exe
PID 724 wrote to memory of 1340	724	New Purchase Order.exe	RegSvcs.exe
PID 724 wrote to memory of 1340	724	New Purchase Order.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Purchase Order.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:724

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TUUAQSjgGirn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF0.tmp"
2⤵
- Creates scheduled task(s)
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEF0.tmp
MD5
b07a5039ca2b88568828b11eef1830a0

SHA1
19f044b42d216a3228efc3c1395f8ccfb520da66

SHA256
da1ee83170b8af13f1ea2e42a51c3a186a5449f65bc20ed410cf374cb6a8ae43

SHA512
590d52a61f6dab86ba47c60a6d0a9d137b5abd030c3f2d76cf0ae8e77d3e66f86e5d2f806f104dc09ad38638c3ed160f5a8894d220cfde897ec4ceb394797d87

Download Submit
memory/724-9-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/724-11-0x0000000004F80000-0x0000000004F87000-memory.dmp

Filesize
28KB

Download
memory/724-6-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/724-7-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/724-8-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/724-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/724-10-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/724-5-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/724-12-0x0000000005FD0000-0x000000000616A000-memory.dmp

Filesize
1.6MB

Download
memory/724-3-0x00000000004C0000-0x00000000004C1000-memory.dmp

Filesize
4KB

Download
memory/1308-13-0x0000000000000000-mapping.dmp

Download
memory/1340-15-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/1340-16-0x00000000007E1310-mapping.dmp

Download
memory/1340-17-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads