e59b0eb4edd5ddce6a7ae424d02824304f69db0444b8eb520f0cd7a3bbba4a4b

General

Target

ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe
Size

747KB
MD5

e74cf8c11ef1ebe473276c71b52b31ef
SHA1

8af325b046994a64adf4e16329255fb31e7f1821
SHA256

e59b0eb4edd5ddce6a7ae424d02824304f69db0444b8eb520f0cd7a3bbba4a4b
SHA512

4b0ab9e5c663b3a841899d5fd80e6c9d70fdfe50374ea9c60ee511f8d6f86c2314f68cb5439abbc8b9ec48233d026091ca4e14de510ef8e18892ae48b5add75d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

856 PING.EXE
272 PING.EXE
1368 PING.EXE
1080 PING.EXE

pid	process
856	PING.EXE
272	PING.EXE
1368	PING.EXE
1080	PING.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
796	powershell.exe
796	powershell.exe
1052	powershell.exe
1052	powershell.exe
1536	powershell.exe
1536	powershell.exe
360	powershell.exe
360	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe

description	pid	process
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 1888 wrote to memory of 796	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 796	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 796	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 796	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 796 wrote to memory of 856	796	powershell.exe	PING.EXE
PID 796 wrote to memory of 856	796	powershell.exe	PING.EXE
PID 796 wrote to memory of 856	796	powershell.exe	PING.EXE
PID 796 wrote to memory of 856	796	powershell.exe	PING.EXE
PID 1888 wrote to memory of 1052	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 1052	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 1052	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 1052	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1052 wrote to memory of 272	1052	powershell.exe	PING.EXE
PID 1052 wrote to memory of 272	1052	powershell.exe	PING.EXE
PID 1052 wrote to memory of 272	1052	powershell.exe	PING.EXE
PID 1052 wrote to memory of 272	1052	powershell.exe	PING.EXE
PID 1888 wrote to memory of 1536	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 1536	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 1536	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 1536	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1536 wrote to memory of 1368	1536	powershell.exe	PING.EXE
PID 1536 wrote to memory of 1368	1536	powershell.exe	PING.EXE
PID 1536 wrote to memory of 1368	1536	powershell.exe	PING.EXE
PID 1536 wrote to memory of 1368	1536	powershell.exe	PING.EXE
PID 1888 wrote to memory of 360	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 360	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 360	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1888 wrote to memory of 360	1888	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 360 wrote to memory of 1080	360	powershell.exe	PING.EXE
PID 360 wrote to memory of 1080	360	powershell.exe	PING.EXE
PID 360 wrote to memory of 1080	360	powershell.exe	PING.EXE
PID 360 wrote to memory of 1080	360	powershell.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:856

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:1368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:1080

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3a088f5faee6f60c7a23cdef2ef117e7

SHA1
9b4f100974952e5087b7f61625299e03f9d0dac9

SHA256
3ffb9ecc3aa93e5797e2b8c75e117d22dc32786bb9b1dc7571802fccdc341ff4

SHA512
cbf8d345beef0e59356f574573dcaff1fab0196249d241b8bcff115f1531ef06dd1ba4f8ecb42612ebedba2ae0eeed32123f49769ff7253e5b64728f706b76b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3a088f5faee6f60c7a23cdef2ef117e7

SHA1
9b4f100974952e5087b7f61625299e03f9d0dac9

SHA256
3ffb9ecc3aa93e5797e2b8c75e117d22dc32786bb9b1dc7571802fccdc341ff4

SHA512
cbf8d345beef0e59356f574573dcaff1fab0196249d241b8bcff115f1531ef06dd1ba4f8ecb42612ebedba2ae0eeed32123f49769ff7253e5b64728f706b76b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5
3a088f5faee6f60c7a23cdef2ef117e7

SHA1
9b4f100974952e5087b7f61625299e03f9d0dac9

SHA256
3ffb9ecc3aa93e5797e2b8c75e117d22dc32786bb9b1dc7571802fccdc341ff4

SHA512
cbf8d345beef0e59356f574573dcaff1fab0196249d241b8bcff115f1531ef06dd1ba4f8ecb42612ebedba2ae0eeed32123f49769ff7253e5b64728f706b76b1

Download Submit
memory/272-82-0x0000000000000000-mapping.dmp

Download
memory/360-101-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/360-100-0x0000000004892000-0x0000000004893000-memory.dmp

Filesize
4KB

Download
memory/360-99-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/360-97-0x00000000048D0000-0x00000000048D1000-memory.dmp

Filesize
4KB

Download
memory/360-96-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/360-93-0x0000000000000000-mapping.dmp

Download
memory/796-70-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/796-64-0x0000000000000000-mapping.dmp

Download
memory/796-71-0x0000000005240000-0x0000000005241000-memory.dmp

Filesize
4KB

Download
memory/796-68-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/796-67-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/796-66-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/796-65-0x0000000075161000-0x0000000075163000-memory.dmp

Filesize
8KB

Download
memory/796-69-0x0000000000BF2000-0x0000000000BF3000-memory.dmp

Filesize
4KB

Download
memory/856-72-0x0000000000000000-mapping.dmp

Download
memory/1052-78-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/1052-81-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/1052-80-0x0000000004992000-0x0000000004993000-memory.dmp

Filesize
4KB

Download
memory/1052-79-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/1052-73-0x0000000000000000-mapping.dmp

Download
memory/1080-102-0x0000000000000000-mapping.dmp

Download
memory/1368-92-0x0000000000000000-mapping.dmp

Download
memory/1536-90-0x00000000049A2000-0x00000000049A3000-memory.dmp

Filesize
4KB

Download
memory/1536-91-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/1536-89-0x00000000049A0000-0x00000000049A1000-memory.dmp

Filesize
4KB

Download
memory/1536-88-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/1536-87-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/1536-86-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/1536-83-0x0000000000000000-mapping.dmp

Download
memory/1888-63-0x00000000048B5000-0x00000000048C6000-memory.dmp

Filesize
68KB

Download
memory/1888-62-0x00000000048B0000-0x00000000048B1000-memory.dmp

Filesize
4KB

Download
memory/1888-60-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1888-103-0x0000000004680000-0x00000000046DF000-memory.dmp

Filesize
380KB

Download
memory/1888-108-0x0000000007C90000-0x0000000007D0C000-memory.dmp

Filesize
496KB

Download
memory/1888-109-0x00000000048C6000-0x00000000048C7000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads