57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024

General

Target

P-Order.scr.exe
Size

876KB
MD5

6cf82e76161361d385c53652fdba1992
SHA1

642276d01e7d4c7fc2fa8202025173b8abb3c221
SHA256

57d5c01633ef2f845946bf397ef571ba5c0e0afaafce8756d7811d7569f4b024
SHA512

939b26dc20dde77729f9d1ecfb9495b6bcce5a7514a44e87b2bee3dd427b967e568162b2c18e6850bbb92616452739b247e102b74f8c40bda8cad1fcc8277331

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1108 schtasks.exe

pid	process
1108	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

P-Order.scr.exe

pid	process
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe
1072	P-Order.scr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

P-Order.scr.exe

description pid process

Token: SeDebugPrivilege 1072 P-Order.scr.exe

description	pid	process
Token: SeDebugPrivilege	1072	P-Order.scr.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

P-Order.scr.exe

description	pid	process	target process
PID 1072 wrote to memory of 1108	1072	P-Order.scr.exe	schtasks.exe
PID 1072 wrote to memory of 1108	1072	P-Order.scr.exe	schtasks.exe
PID 1072 wrote to memory of 1108	1072	P-Order.scr.exe	schtasks.exe
PID 1072 wrote to memory of 1108	1072	P-Order.scr.exe	schtasks.exe
PID 1072 wrote to memory of 1696	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1696	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1696	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1696	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1500	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1500	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1500	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1500	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1492	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1492	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1492	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1492	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1892	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1892	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1892	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1892	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1740	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1740	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1740	1072	P-Order.scr.exe	P-Order.scr.exe
PID 1072 wrote to memory of 1740	1072	P-Order.scr.exe	P-Order.scr.exe

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xEjeDK" /XML "C:\Users\Admin\AppData\Local\Temp\tmp18AF.tmp"
2⤵
- Creates scheduled task(s)
PID:1108

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"{path}"
2⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"{path}"
2⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"{path}"
2⤵
PID:1492

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"{path}"
2⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\P-Order.scr.exe
"{path}"
2⤵
PID:1740

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp18AF.tmp
MD5
e04beb166e69d649409cacfdb94b2018

SHA1
e49cd00122b1834bcba9497b5d0618925f81de4d

SHA256
b565e01c8d9c846d9df44dc19d2261f81fc8462631919748888df7e992cfe662

SHA512
7c4fa75a825a3b35229ac93233de3b02c88672ea225202b60943424fcab8b9ad0df47648134fd77fe82ab327658ffb5ea2dc1096dcb8f4ee4ba739704d7ebcb2

Download Submit
memory/1072-59-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1072-61-0x0000000007310000-0x0000000007311000-memory.dmp

Filesize
4KB

Download
memory/1072-62-0x0000000000350000-0x0000000000352000-memory.dmp

Filesize
8KB

Download
memory/1072-63-0x000000000A480000-0x000000000A510000-memory.dmp

Filesize
576KB

Download
memory/1072-64-0x0000000000480000-0x00000000004C3000-memory.dmp

Filesize
268KB

Download
memory/1108-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads