f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40

General

Target

Order.exe
Size

853KB
MD5

103362e59d9fd456e9ce47da23e14e4f
SHA1

5f557d79f1085f1e05da881204d341f2c82b20b9
SHA256

f1079cf4bfcc93d98a75ee56bac5fc02f9e8bbb2bf255f7c3d0b25504c539e40
SHA512

b20e271dfebd76f3353374026eb5b9633f75c3fe359d7c2e17af40b8470b91ff059b757148c11f0287e3d833db3523695035c3313230d8e6662456f928eead6e

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1528 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Order.exe

pid process

332 Order.exe
332 Order.exe
332 Order.exe
332 Order.exe
332 Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Order.exe

description pid process

Token: SeDebugPrivilege 332 Order.exe

pid	process
1528	schtasks.exe

pid	process
332	Order.exe
332	Order.exe
332	Order.exe
332	Order.exe
332	Order.exe

description	pid	process
Token: SeDebugPrivilege	332	Order.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Order.exe

description	pid	process	target process
PID 332 wrote to memory of 1528	332	Order.exe	schtasks.exe
PID 332 wrote to memory of 1528	332	Order.exe	schtasks.exe
PID 332 wrote to memory of 1528	332	Order.exe	schtasks.exe
PID 332 wrote to memory of 1528	332	Order.exe	schtasks.exe
PID 332 wrote to memory of 1852	332	Order.exe	Order.exe
PID 332 wrote to memory of 1852	332	Order.exe	Order.exe
PID 332 wrote to memory of 1852	332	Order.exe	Order.exe
PID 332 wrote to memory of 1852	332	Order.exe	Order.exe
PID 332 wrote to memory of 1600	332	Order.exe	Order.exe
PID 332 wrote to memory of 1600	332	Order.exe	Order.exe
PID 332 wrote to memory of 1600	332	Order.exe	Order.exe
PID 332 wrote to memory of 1600	332	Order.exe	Order.exe
PID 332 wrote to memory of 1388	332	Order.exe	Order.exe
PID 332 wrote to memory of 1388	332	Order.exe	Order.exe
PID 332 wrote to memory of 1388	332	Order.exe	Order.exe
PID 332 wrote to memory of 1388	332	Order.exe	Order.exe
PID 332 wrote to memory of 1700	332	Order.exe	Order.exe
PID 332 wrote to memory of 1700	332	Order.exe	Order.exe
PID 332 wrote to memory of 1700	332	Order.exe	Order.exe
PID 332 wrote to memory of 1700	332	Order.exe	Order.exe
PID 332 wrote to memory of 520	332	Order.exe	Order.exe
PID 332 wrote to memory of 520	332	Order.exe	Order.exe
PID 332 wrote to memory of 520	332	Order.exe	Order.exe
PID 332 wrote to memory of 520	332	Order.exe	Order.exe

C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vabtzuyh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A52.tmp"
2⤵
- Creates scheduled task(s)
PID:1528

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
PID:1700

C:\Users\Admin\AppData\Local\Temp\Order.exe
"{path}"
2⤵
PID:520

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp3A52.tmp
MD5
7ea6959c0d608f16409c383bda65bf6f

SHA1
5643c8fa7c7b2d073d68471d1df129ff88baa864

SHA256
756aac73b621b8c1fd4a4a8cd7cbeb4d2af677fa81a4230935e1fd4b8d98c6e7

SHA512
8737eae3ad0c8e4c3016845627b65e0d0305cce393781b7e26f72b81aab096b568e3278fd36318170f7d840dc6c5dbbb7abaf729702c77cfa6c3547fe1b52054

Download Submit
memory/332-59-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/332-61-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/332-62-0x0000000000560000-0x0000000000562000-memory.dmp

Filesize
8KB

Download
memory/332-63-0x0000000004E70000-0x0000000004F27000-memory.dmp

Filesize
732KB

Download
memory/332-64-0x0000000002240000-0x00000000022AB000-memory.dmp

Filesize
428KB

Download
memory/1528-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads