70ddb3ba767338a506e8753c7a1f51ad0bb9b452a2e62b434154cb9540d70dec

General

Target

NEW order.exe
Size

798KB
MD5

622f89217d5c630c8493f356a3ed5e23
SHA1

c8275a16747ae7c550f1b14e71c91dc06eb1ceef
SHA256

f1be45f58c89c8b3b77fda6341568c4388d95ded7597304a04b98c57ddfc4a6c
SHA512

e0ecf783296afac12ce6ac7567721f5ae9542047f145fd4f40703840781cf34e5b19229f3df9ffc07981e4b085881ca4a41d3c7076abdc31180fdaf5588d335e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1432 schtasks.exe

pid	process
1432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

NEW order.exe

pid	process
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe
1776	NEW order.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEW order.exe

description pid process

Token: SeDebugPrivilege 1776 NEW order.exe

description	pid	process
Token: SeDebugPrivilege	1776	NEW order.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

NEW order.exe

description	pid	process	target process
PID 1776 wrote to memory of 1432	1776	NEW order.exe	schtasks.exe
PID 1776 wrote to memory of 1432	1776	NEW order.exe	schtasks.exe
PID 1776 wrote to memory of 1432	1776	NEW order.exe	schtasks.exe
PID 1776 wrote to memory of 1432	1776	NEW order.exe	schtasks.exe
PID 1776 wrote to memory of 1540	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1540	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1540	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1540	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 608	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 608	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 608	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 608	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1524	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1524	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1524	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1524	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1548	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1548	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1548	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1548	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1004	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1004	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1004	1776	NEW order.exe	NEW order.exe
PID 1776 wrote to memory of 1004	1776	NEW order.exe	NEW order.exe

C:\Users\Admin\AppData\Local\Temp\NEW order.exe
"C:\Users\Admin\AppData\Local\Temp\NEW order.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KBwCphfzgiBQUi" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp"
2⤵
- Creates scheduled task(s)
PID:1432

C:\Users\Admin\AppData\Local\Temp\NEW order.exe
"{path}"
2⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\NEW order.exe
"{path}"
2⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\NEW order.exe
"{path}"
2⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\NEW order.exe
"{path}"
2⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\NEW order.exe
"{path}"
2⤵
PID:1004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3F90.tmp

MD5
ee391be57ccfbf258c493fc061dc58f6

SHA1
7855e2149526d579f2b8f15a4880c3302bf47b8c

SHA256
eec3236d38e77804926a7fa85b7459c958d7bc1be2a6778326068f8c170fbcab

SHA512
6a835f638c1b936efc7a7ee00d3fd4586c326c5c3165bc26a2dc83bb60ebca29434a938c472e875af45ca34961dbc8e534a4f167e5f3c40f6a2e623985a8269e

Download Submit
memory/1432-65-0x0000000000000000-mapping.dmp

Download
memory/1776-59-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1776-61-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/1776-62-0x00000000007B0000-0x00000000007B5000-memory.dmp

Filesize
20KB

Download
memory/1776-63-0x0000000007D50000-0x0000000007DCE000-memory.dmp

Filesize
504KB

Download
memory/1776-64-0x00000000008D0000-0x0000000000908000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads