Analysis

  • max time kernel
    115s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-04-2021 07:03

General

  • Target

    ORDER7946ERA-LBT.exe

  • Size

    664KB

  • MD5

    b36e69f884b74fe568bdb7fdb06362cb

  • SHA1

    e17782339164117645128597cfd22152c80cf229

  • SHA256

    9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389

  • SHA512

    ab22ad98a9a14be9607e7205384cf77e937715fcbd90f2dad240d0992094c6f0e945db0eca96081dc4728b22fe658cfb6936e123ebf1b802e045e433e2ea7792

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour, but nothing else in this run supports that reading (the only dropped file is the task XML, no network traffic was recorded, score 3/10). On its own it is drive enumeration, i.e. environment fingerprinting, and should be weighted as such.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\QRUZjOQK" is registered from an XML definition that the sample first drops to %TEMP% (tmp2F98.tmp, listed under dropped files). With /XML the program, arguments and trigger never appear on the schtasks command line, so the XML itself has to be read to learn what runs and when.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

    All three are attributed to the parent process (PID 1856) only. Twenty-four WriteProcessMemory calls from a process that goes on to spawn five copies of itself, none of which shows any behaviour of its own, is consistent with a loader repeatedly trying to inject a payload into a suspended child (process hollowing / RunPE). The sandbox did not record a successful injection or a second-stage payload, so treat this as an indicator rather than a verdict.
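The scheduled-task signature only says that a task was created; the program it runs lives in the XML passed to /XML. The following is an added example written for this page, not code from the sandbox or from the sample: it pulls the task name and XML path out of the schtasks command line shown in the process tree, parses a Task Scheduler 2.0 XML (the UTF-16-with-BOM form that schtasks writes), and flags the properties a hunter cares about. The XML content is constructed for the example; the real tmp2F98.tmp is not reproduced on this page, so its trigger, action path and Hidden flag are assumptions.

```python
"""Triage check for a task created with 'schtasks /Create /TN <name> /XML <file>'.

Added example for this page (not the sandbox's or the sample's code). The
command line is the one from the process tree; the task XML below is a
CONSTRUCTED stand-in for tmp2F98.tmp, whose real content is not on the page.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 XML (schtasks /XML, Export-ScheduledTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a standard user can write to; a task that runs from one of these
# persists user-writable code rather than a vendor updater.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Command line of PID 304 as shown in the report.
SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QRUZjOQK" '
    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp"'
)

# CONSTRUCTED task definition standing in for tmp2F98.tmp (assumed, not the real file).
# schtasks writes such files as UTF-16 with a BOM, which load_task_xml() handles.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\QRUZjOQK\\QRUZjOQK.exe</Command>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")


def parse_schtasks_create(cmdline: str) -> dict:
    """Return the /TN, /XML, /TR, /SC and /RU values of a schtasks /Create command line."""
    if not re.search(r"/create\b", cmdline, re.I):
        raise ValueError("not a schtasks /Create command line")
    opts = {}
    for m in re.finditer(r'/(TN|XML|TR|SC|RU)\s+(?:"([^"]*)"|(\S+))', cmdline, re.I):
        opts[m.group(1).upper()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def load_task_xml(data: bytes) -> ET.Element:
    """Parse a task XML as written by schtasks (UTF-16 with BOM) or re-saved as UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8")
    # expat refuses a str whose declaration names a multi-byte encoding; the
    # text is already decoded, so the declaration is dropped before parsing.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    return ET.fromstring(text)


def assess_task(cmdline: str, xml_bytes: bytes) -> dict:
    """Combine command-line and XML facts into hunter-readable findings."""
    opts = parse_schtasks_create(cmdline)
    root = load_task_xml(xml_bytes)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=TASK_NS)
    trig = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig is None else [t.tag.split("}")[-1] for t in trig]
    hidden = root.findtext("t:Settings/t:Hidden", default="false",
                           namespaces=TASK_NS).lower() == "true"

    findings = []
    xml_path = opts.get("XML", "")
    if any(d in xml_path.lower() for d in USER_WRITABLE):
        findings.append(f"task registered from XML in a user-writable directory: {xml_path}")
    if any(d in command.lower() for d in USER_WRITABLE):
        findings.append(f"task action runs from a user-writable path: {command}")
    if "LogonTrigger" in triggers:
        findings.append("runs at every logon")
    if hidden:
        findings.append("task is marked Hidden")
    task_name = opts.get("TN", "")
    if task_name and not task_name.lower().startswith("microsoft\\"):
        findings.append(f"task lives in a non-Microsoft task folder: {task_name}")

    return {
        "task_name": task_name,
        "xml_path": xml_path,
        "command": command,
        "arguments": arguments,
        "triggers": triggers,
        "hidden": hidden,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in assess_task(SCHTASKS_CMDLINE, SAMPLE_TASK_XML)["findings"]:
        print("-", line)
```

On a live host the same bytes come from `schtasks /Query /TN "Updates\QRUZjOQK" /XML` or `Export-ScheduledTask -TaskPath "\Updates\" -TaskName "QRUZjOQK"`; feed that output to `assess_task` instead of the constructed sample. The command line is parsed separately from the XML because the two can disagree: a task can be created with an innocuous XML and later changed with `/Change /TR`.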

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1856
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QRUZjOQK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:304
    • C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
      2⤵
      PID:1544
    • C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
      2⤵
      PID:1036
    • C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
      2⤵
      PID:240
    • C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
      2⤵
      PID:1052
    • C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
      2⤵
      PID:756

  Two details of the tree matter for detection. The command line names System32\schtasks.exe but the image that actually ran is SysWOW64\schtasks.exe: this is WoW64 file-system redirection, which happens when a 32-bit process launches a system binary on 64-bit Windows, so a rule keyed on the image path and one keyed on the command line will see different strings for the same event. The five child copies of the sample (PIDs 1544, 1036, 240, 1052, 756) are all direct children of PID 1856 at depth 2, not a chain, and none of them has any logged behaviour of its own.
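Two things in this tree are worth encoding as detections: a parent that writes into process memory and then spawns repeated copies of its own image, and a system binary launched by a Temp-resident parent where WoW64 redirection makes image path and command line disagree. The following is an added example for this page, not the sandbox's or the sample's code; the process records are transcribed from the tree above, with the parent of PID 1856 unknown and recorded as 0.

```python
"""Process-tree heuristics for the tree above.

Added example for this page (not the sandbox's or the sample's code). The
records below are transcribed from the report; parent PIDs follow the tree
depth, and the parent of PID 1856 is not shown, so it is recorded as 0.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
SCHTASKS_CMD = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QRUZjOQK" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp"')


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str              # path of the image that actually ran
    cmdline: str            # command line as logged
    behaviours: tuple = ()  # sandbox signature names attributed to this process


PROCS = [
    Proc(1856, 0, SAMPLE, f'"{SAMPLE}"',
         ("EnumeratesProcesses", "AdjustPrivilegeToken", "WriteProcessMemory")),
    Proc(304, 1856, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_CMD, ("CreatesScheduledTask",)),
    Proc(1544, 1856, SAMPLE, f'"{SAMPLE}"'),
    Proc(1036, 1856, SAMPLE, f'"{SAMPLE}"'),
    Proc(240, 1856, SAMPLE, f'"{SAMPLE}"'),
    Proc(1052, 1856, SAMPLE, f'"{SAMPLE}"'),
    Proc(756, 1856, SAMPLE, f'"{SAMPLE}"'),
]


def exe_from_cmdline(cmdline: str) -> str:
    """First token of a command line, with surrounding quotes removed."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(" ", 1)[0]


def wow64_redirected(p: Proc) -> bool:
    """True when the command line names System32 but the image ran from SysWOW64.

    That is WoW64 file-system redirection: the launching process is 32-bit on
    64-bit Windows, so rules keyed on image path and on command line disagree.
    """
    return ("\\syswow64\\" in p.image.lower()
            and "\\system32\\" in exe_from_cmdline(p.cmdline).lower())


def find_self_respawn(procs, min_clones: int = 2) -> list:
    """Parents that write to process memory and spawn several copies of their own image.

    Clones that carry no behaviour of their own are listed separately: a loader
    that creates a suspended copy of itself, writes a payload into it and then
    fails (or is killed by the sandbox) leaves exactly this trace.
    """
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p)
    hits = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or "WriteProcessMemory" not in parent.behaviours:
            continue
        clones = [k for k in kids if k.image.lower() == parent.image.lower()]
        if len(clones) >= min_clones:
            hits.append({
                "parent": parent.pid,
                "clones": [k.pid for k in clones],
                "silent_clones": [k.pid for k in clones if not k.behaviours],
            })
    return hits


def find_temp_parent_lolbins(procs) -> list:
    """System binaries launched by a process running out of a user temp directory."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent and "\\temp\\" in parent.image.lower() and "\\windows\\" in p.image.lower():
            out.append((parent.pid, p.pid, p.image))
    return out


if __name__ == "__main__":
    print(find_self_respawn(PROCS))
    print(find_temp_parent_lolbins(PROCS))
    print([p.pid for p in PROCS if wow64_redirected(p)])
```

The same three functions work on Sysmon event 1 or EDR process-create records once they are mapped onto `Proc`; the `behaviours` tuple then holds whatever the telemetry attributes to the process (for Sysmon, event 10 with write access on the target, or event 8 for remote threads). The silent-clone count is the useful threshold: one child copy is normal for installers and self-updaters, five with nothing else logged is not.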

Network

No network traffic was recorded during the 20 s network capture window.

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (T1053), 1 signature
  • Persistence: Scheduled Task (T1053), 1 signature
  • Privilege Escalation: Scheduled Task (T1053), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature


Downloads

Dropped files

  • C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp (task definition passed to schtasks /XML)
    MD5     68360eda3c82110d4dd5b0c55a41a9b5
    SHA1    567ce1ed0975972c0b5a1229ae13b6fe6b207703
    SHA256  497f1f7adfa57a12c7f5745e7ec9a728d4a23717a05dc521b637678f26021b29
    SHA512  49bd46b2bcca6d2193cea013e8b7ec33ba1b4ef1827671d0c2c07a4dc66669de213dabe3cbbae667e3460532d5a1e6cf336c7cac271bc82b0bcc90514d596a77

Memory dumps

  • memory/304-10-0x0000000000000000-mapping.dmp
  • memory/1856-2-0x0000000074590000-0x0000000074C7E000-memory.dmp (6MB)
  • memory/1856-3-0x0000000000360000-0x0000000000361000-memory.dmp (4KB)
  • memory/1856-5-0x0000000004DE0000-0x0000000004DE1000-memory.dmp (4KB)
  • memory/1856-6-0x0000000000490000-0x0000000000494000-memory.dmp (16KB)
  • memory/1856-7-0x000000007EF40000-0x000000007EF41000-memory.dmp (4KB)
  • memory/1856-8-0x0000000004870000-0x00000000048E8000-memory.dmp (480KB)
  • memory/1856-9-0x00000000008B0000-0x00000000008E3000-memory.dmp (204KB)

  Apart from the single mapping dump for schtasks (PID 304), every dump was taken from the parent (PID 1856); the child copies contributed nothing. If the on-disk file turns out to be a loader, the two larger regions (480KB at 0x04870000 and 204KB at 0x008B0000) are the first candidates to carve for an unpacked stage, and the hashes above identify only the dropped task XML, not any second-stage payload.