Analysis
- max time kernel: 115s
- max time network: 20s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 08-04-2021 07:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: ORDER7946ERA-LBT.exe
- Resource: win7v20201028

General
- Target: ORDER7946ERA-LBT.exe
- Size: 664KB
- MD5: b36e69f884b74fe568bdb7fdb06362cb
- SHA1: e17782339164117645128597cfd22152c80cf229
- SHA256: 9f578e7bf0375c366223406cd1504c79feb2f2408f88ffbccc22cd1bc3237389
- SHA512: ab22ad98a9a14be9607e7205384cf77e937715fcbd90f2dad240d0992094c6f0e945db0eca96081dc4728b22fe658cfb6936e123ebf1b802e045e433e2ea7792
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  pid | process
  1856 | ORDER7946ERA-LBT.exe
  1856 | ORDER7946ERA-LBT.exe
  1856 | ORDER7946ERA-LBT.exe
  1856 | ORDER7946ERA-LBT.exe
  1856 | ORDER7946ERA-LBT.exe
  1856 | ORDER7946ERA-LBT.exe
  1856 | ORDER7946ERA-LBT.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1856 | ORDER7946ERA-LBT.exe
- Suspicious use of WriteProcessMemory (24 IoCs)
  Processes:
  description | pid | process | target process
  PID 1856 wrote to memory of 304 | 1856 | ORDER7946ERA-LBT.exe | schtasks.exe
  PID 1856 wrote to memory of 304 | 1856 | ORDER7946ERA-LBT.exe | schtasks.exe
  PID 1856 wrote to memory of 304 | 1856 | ORDER7946ERA-LBT.exe | schtasks.exe
  PID 1856 wrote to memory of 304 | 1856 | ORDER7946ERA-LBT.exe | schtasks.exe
  PID 1856 wrote to memory of 1544 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1544 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1544 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1544 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1036 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1036 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1036 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1036 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 240 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 240 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 240 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 240 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1052 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1052 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1052 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 1052 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 756 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 756 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 756 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
  PID 1856 wrote to memory of 756 | 1856 | ORDER7946ERA-LBT.exe | ORDER7946ERA-LBT.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QRUZjOQK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
  - C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
  - C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
  - C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
  - C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER7946ERA-LBT.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2F98.tmp
  MD5: 68360eda3c82110d4dd5b0c55a41a9b5
  SHA1: 567ce1ed0975972c0b5a1229ae13b6fe6b207703
  SHA256: 497f1f7adfa57a12c7f5745e7ec9a728d4a23717a05dc521b637678f26021b29
  SHA512: 49bd46b2bcca6d2193cea013e8b7ec33ba1b4ef1827671d0c2c07a4dc66669de213dabe3cbbae667e3460532d5a1e6cf336c7cac271bc82b0bcc90514d596a77
- memory/304-10-0x0000000000000000-mapping.dmp
- memory/1856-2-0x0000000074590000-0x0000000074C7E000-memory.dmp (Filesize: 6MB)
- memory/1856-3-0x0000000000360000-0x0000000000361000-memory.dmp (Filesize: 4KB)
- memory/1856-5-0x0000000004DE0000-0x0000000004DE1000-memory.dmp (Filesize: 4KB)
- memory/1856-6-0x0000000000490000-0x0000000000494000-memory.dmp (Filesize: 16KB)
- memory/1856-7-0x000000007EF40000-0x000000007EF41000-memory.dmp (Filesize: 4KB)
- memory/1856-8-0x0000000004870000-0x00000000048E8000-memory.dmp (Filesize: 480KB)
- memory/1856-9-0x00000000008B0000-0x00000000008E3000-memory.dmp (Filesize: 204KB)