Overview

overview

3

Static

static

ORDER_2021...ST.exe

windows7_x64

3

ORDER_2021...ST.exe

windows10_x64

3

Resubmissions

22-07-2021 09:31

210722-mrlq6b1dsn 3

22-07-2021 09:27

210722-5nmvp5y3ax 3

Analysis

  • max time kernel
    123s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe

  • Size

    747KB

  • MD5

    e74cf8c11ef1ebe473276c71b52b31ef

  • SHA1

    8af325b046994a64adf4e16329255fb31e7f1821

  • SHA256

    e59b0eb4edd5ddce6a7ae424d02824304f69db0444b8eb520f0cd7a3bbba4a4b

  • SHA512

    4b0ab9e5c663b3a841899d5fd80e6c9d70fdfe50374ea9c60ee511f8d6f86c2314f68cb5439abbc8b9ec48233d026091ca4e14de510ef8e18892ae48b5add75d

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1032
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:1124
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:1968
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:1664
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:332
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:1484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    9ce4cfd542f76a1f913ae12a4a9655e6

    SHA1

    92eb80035fca695fe4817469a5752b29827b39cb

    SHA256

    4dd8f523425a8abd4b5b6f7910d6492d7e56bfc188dcd737e2457966d445735b

    SHA512

    8b0bd9c72afb4bcee0709210c2eb77571a9e2a6759bc53de7c3d87cd6a2ccb2910f0ec635841c92c848ca7c16f49cf8c15d6ca39da78cac52885e1fe0a06af4e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    9ce4cfd542f76a1f913ae12a4a9655e6

    SHA1

    92eb80035fca695fe4817469a5752b29827b39cb

    SHA256

    4dd8f523425a8abd4b5b6f7910d6492d7e56bfc188dcd737e2457966d445735b

    SHA512

    8b0bd9c72afb4bcee0709210c2eb77571a9e2a6759bc53de7c3d87cd6a2ccb2910f0ec635841c92c848ca7c16f49cf8c15d6ca39da78cac52885e1fe0a06af4e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    MD5

    9ce4cfd542f76a1f913ae12a4a9655e6

    SHA1

    92eb80035fca695fe4817469a5752b29827b39cb

    SHA256

    4dd8f523425a8abd4b5b6f7910d6492d7e56bfc188dcd737e2457966d445735b

    SHA512

    8b0bd9c72afb4bcee0709210c2eb77571a9e2a6759bc53de7c3d87cd6a2ccb2910f0ec635841c92c848ca7c16f49cf8c15d6ca39da78cac52885e1fe0a06af4e

    Download Submit
  • memory/332-93-0x0000000000000000-mapping.dmp
    Download
  • memory/332-100-0x0000000004900000-0x0000000004901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/332-101-0x0000000004902000-0x0000000004903000-memory.dmp
    Filesize

    4KB

    Download
  • memory/332-97-0x0000000004940000-0x0000000004941000-memory.dmp
    Filesize

    4KB

    Download
  • memory/332-98-0x0000000001110000-0x0000000001111000-memory.dmp
    Filesize

    4KB

    Download
  • memory/332-99-0x0000000005300000-0x0000000005301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1020-83-0x0000000000000000-mapping.dmp
    Download
  • memory/1020-87-0x0000000004B10000-0x0000000004B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1020-91-0x0000000004AD2000-0x0000000004AD3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1020-89-0x0000000004A90000-0x0000000004A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1020-88-0x0000000002690000-0x0000000002691000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1020-86-0x0000000000A00000-0x0000000000A01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1020-90-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-67-0x00000000048B0000-0x00000000048B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-66-0x0000000000810000-0x0000000000811000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-68-0x0000000002450000-0x0000000002451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-65-0x0000000076A81000-0x0000000076A83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1032-70-0x0000000004872000-0x0000000004873000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-71-0x0000000004850000-0x0000000004851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1032-69-0x0000000004870000-0x0000000004871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1124-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1484-102-0x0000000000000000-mapping.dmp
    Download
  • memory/1664-92-0x0000000000000000-mapping.dmp
    Download
  • memory/1904-81-0x0000000004822000-0x0000000004823000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1904-80-0x0000000004820000-0x0000000004821000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1904-79-0x0000000005300000-0x0000000005301000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1904-78-0x0000000002680000-0x0000000002681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1904-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1968-82-0x0000000000000000-mapping.dmp
    Download
  • memory/2016-60-0x0000000000E00000-0x0000000000E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2016-63-0x0000000004725000-0x0000000004736000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2016-62-0x0000000004720000-0x0000000004721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2016-103-0x0000000000DA0000-0x0000000000DFF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2016-108-0x0000000005DA0000-0x0000000005E1C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/2016-109-0x0000000004736000-0x0000000004737000-memory.dmp
    Filesize

    4KB

    Download