e59b0eb4edd5ddce6a7ae424d02824304f69db0444b8eb520f0cd7a3bbba4a4b

General

Target

ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe
Size

747KB
MD5

e74cf8c11ef1ebe473276c71b52b31ef
SHA1

8af325b046994a64adf4e16329255fb31e7f1821
SHA256

e59b0eb4edd5ddce6a7ae424d02824304f69db0444b8eb520f0cd7a3bbba4a4b
SHA512

4b0ab9e5c663b3a841899d5fd80e6c9d70fdfe50374ea9c60ee511f8d6f86c2314f68cb5439abbc8b9ec48233d026091ca4e14de510ef8e18892ae48b5add75d

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 4 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXEPING.EXE

pid process

4196 PING.EXE
1128 PING.EXE
2428 PING.EXE
4284 PING.EXE

pid	process
4196	PING.EXE
1128	PING.EXE
2428	PING.EXE
4284	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3744	powershell.exe
3744	powershell.exe
3744	powershell.exe
4264	powershell.exe
4264	powershell.exe
4264	powershell.exe
1376	powershell.exe
1376	powershell.exe
1376	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe

description	pid	process
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeDebugPrivilege	4264	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 4440 wrote to memory of 3744	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 3744	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 3744	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 3744 wrote to memory of 4196	3744	powershell.exe	PING.EXE
PID 3744 wrote to memory of 4196	3744	powershell.exe	PING.EXE
PID 3744 wrote to memory of 4196	3744	powershell.exe	PING.EXE
PID 4440 wrote to memory of 4264	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 4264	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 4264	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4264 wrote to memory of 1128	4264	powershell.exe	PING.EXE
PID 4264 wrote to memory of 1128	4264	powershell.exe	PING.EXE
PID 4264 wrote to memory of 1128	4264	powershell.exe	PING.EXE
PID 4440 wrote to memory of 1376	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 1376	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 1376	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 1376 wrote to memory of 2428	1376	powershell.exe	PING.EXE
PID 1376 wrote to memory of 2428	1376	powershell.exe	PING.EXE
PID 1376 wrote to memory of 2428	1376	powershell.exe	PING.EXE
PID 4440 wrote to memory of 2704	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 2704	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 4440 wrote to memory of 2704	4440	ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe	powershell.exe
PID 2704 wrote to memory of 4284	2704	powershell.exe	PING.EXE
PID 2704 wrote to memory of 4284	2704	powershell.exe	PING.EXE
PID 2704 wrote to memory of 4284	2704	powershell.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:4196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:1128

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:2428

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\PING.EXE
"C:\Windows\system32\PING.EXE" gooogle.com
3⤵
- Runs ping.exe
PID:4284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
e33ed3d4cc9b2e5a08ae25747ef47620

SHA1
e2f4cfdd39bcb2eb1c05648a37a3d8536eaf19b7

SHA256
0e7093450fb6bb5201b4291033daf6099881421ab47b122972e0249ef5b45a4f

SHA512
9e990f7ca202c7ecc7a21dd2433055b71bd62f2e524f4702b674316effeb8fa37e891d40f3e6a960380dd7967033c7a7f235e73a3c434e97495e532309b4f95e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
272645135a546c73c340f0f045066845

SHA1
92c6bc46850c0dbcd27a9c46d0c5c3929c8fbb9f

SHA256
f31dfeb63544e27e82080370af08c9c612f328bafc0e7dddeafa6ba932da38e1

SHA512
df780036d7825ec1658f9013835760d3480bea2b4a82feb6d1566ec50276c728988e7d3d543b07f369b889c47f28fc0b443b895a2e44205128bb8591ff49a1f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
c13ba17a065f16b9afe82342d6e0a3d6

SHA1
a5248740635ac26266f44ee85dccd5715f1e11a8

SHA256
033642b8c0ac7712cffd138a956140f4ea58c64d0084efa4db078cf1d0937ed6

SHA512
2d5a94765bbd6faec191ae70ec2e84073ab150c8ab89965ac8633b28b51b0d90047a77c70e247971bc43bca65f20f61ecbd33f8a0b41fa31014a8e082c5977c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
04e08c7b9558b40be7c26e5d584a7209

SHA1
b968e0cba2683aff1d1150c29c36dd083e9f5d6b

SHA256
6e27826e8d251b0a047496f23c029842df45c36a028fc40fb55ae7c9bd8b6afe

SHA512
44a5780680bdc5d0dcac737036f487adac827ff215349370eb8d05613b45916eb72277a19eda164f16d9b5cabe1f5dc6cd2936f2388da82cb7db88709a0af48d

Download Submit
memory/1128-155-0x0000000000000000-mapping.dmp

Download
memory/1376-177-0x00000000065B4000-0x00000000065B6000-memory.dmp

Filesize
8KB

Download
memory/1376-176-0x00000000065B3000-0x00000000065B4000-memory.dmp

Filesize
4KB

Download
memory/1376-173-0x00000000065B2000-0x00000000065B3000-memory.dmp

Filesize
4KB

Download
memory/1376-172-0x00000000065B0000-0x00000000065B1000-memory.dmp

Filesize
4KB

Download
memory/1376-159-0x0000000000000000-mapping.dmp

Download
memory/2428-174-0x0000000000000000-mapping.dmp

Download
memory/2704-178-0x0000000000000000-mapping.dmp

Download
memory/2704-191-0x0000000006C00000-0x0000000006C01000-memory.dmp

Filesize
4KB

Download
memory/2704-192-0x0000000006C02000-0x0000000006C03000-memory.dmp

Filesize
4KB

Download
memory/2704-201-0x0000000006C03000-0x0000000006C04000-memory.dmp

Filesize
4KB

Download
memory/2704-202-0x0000000006C04000-0x0000000006C06000-memory.dmp

Filesize
8KB

Download
memory/3744-128-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/3744-127-0x0000000007DE0000-0x0000000007DE1000-memory.dmp

Filesize
4KB

Download
memory/3744-121-0x0000000000000000-mapping.dmp

Download
memory/3744-124-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/3744-133-0x00000000089B0000-0x00000000089B1000-memory.dmp

Filesize
4KB

Download
memory/3744-132-0x0000000007EC0000-0x0000000007EC1000-memory.dmp

Filesize
4KB

Download
memory/3744-151-0x0000000004CD3000-0x0000000004CD4000-memory.dmp

Filesize
4KB

Download
memory/3744-152-0x0000000004CD4000-0x0000000004CD6000-memory.dmp

Filesize
8KB

Download
memory/3744-125-0x00000000076E0000-0x00000000076E1000-memory.dmp

Filesize
4KB

Download
memory/3744-126-0x0000000007D40000-0x0000000007D41000-memory.dmp

Filesize
4KB

Download
memory/3744-131-0x0000000004CD2000-0x0000000004CD3000-memory.dmp

Filesize
4KB

Download
memory/3744-134-0x0000000008790000-0x0000000008791000-memory.dmp

Filesize
4KB

Download
memory/3744-129-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/3744-130-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

Filesize
4KB

Download
memory/4196-135-0x0000000000000000-mapping.dmp

Download
memory/4264-158-0x0000000006FA4000-0x0000000006FA6000-memory.dmp

Filesize
8KB

Download
memory/4264-157-0x0000000006FA3000-0x0000000006FA4000-memory.dmp

Filesize
4KB

Download
memory/4264-154-0x0000000006FA2000-0x0000000006FA3000-memory.dmp

Filesize
4KB

Download
memory/4264-153-0x0000000006FA0000-0x0000000006FA1000-memory.dmp

Filesize
4KB

Download
memory/4264-137-0x0000000000000000-mapping.dmp

Download
memory/4284-193-0x0000000000000000-mapping.dmp

Download
memory/4440-114-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/4440-119-0x0000000004BA0000-0x000000000509E000-memory.dmp

Filesize
5.0MB

Download
memory/4440-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4440-120-0x0000000004BA0000-0x000000000509E000-memory.dmp

Filesize
5.0MB

Download
memory/4440-194-0x00000000082B0000-0x000000000830F000-memory.dmp

Filesize
380KB

Download
memory/4440-199-0x0000000008DD0000-0x0000000008E4C000-memory.dmp

Filesize
496KB

Download
memory/4440-117-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/4440-116-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads