Overview

overview

3

Static

static

ORDER_2021...ST.exe

windows7_x64

3

ORDER_2021...ST.exe

windows10_x64

3

Resubmissions

22-07-2021 09:31

210722-mrlq6b1dsn 3

22-07-2021 09:27

210722-5nmvp5y3ax 3

Analysis

  • max time kernel
    272s
  • max time network
    274s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-07-2021 09:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe

  • Size

    747KB

  • MD5

    e74cf8c11ef1ebe473276c71b52b31ef

  • SHA1

    8af325b046994a64adf4e16329255fb31e7f1821

  • SHA256

    e59b0eb4edd5ddce6a7ae424d02824304f69db0444b8eb520f0cd7a3bbba4a4b

  • SHA512

    4b0ab9e5c663b3a841899d5fd80e6c9d70fdfe50374ea9c60ee511f8d6f86c2314f68cb5439abbc8b9ec48233d026091ca4e14de510ef8e18892ae48b5add75d

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER_2021KL-119_Arve_Nr_2021001637_COTTON_TRADERS_LTD_PO_AUGUST.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3908
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3920
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:2400
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:1916
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3700
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:2108
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ping gooogle.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2072
      • C:\Windows\SysWOW64\PING.EXE
        "C:\Windows\system32\PING.EXE" gooogle.com
        3⤵
        • Runs ping.exe
        PID:4028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    0f5cbdca905beb13bebdcf43fb0716bd

    SHA1

    9e136131389fde83297267faf6c651d420671b3f

    SHA256

    a99135d86804f5cf8aaeb5943c1929bd1458652a3318ab8c01aee22bb4991060

    SHA512

    a41d2939473cffcb6beb8b58b499441d16da8bcc22972d53b8b699b82a7dc7be0db39bcd2486edd136294eb3f1c97ddd27b2a9ff45b831579cba6896d1f776b0

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    21694d79a4d52eb804ec2a0d8bb89f33

    SHA1

    b19bff691add4c56510a8ce6ad3fa95280f82fce

    SHA256

    a697721d224aff81059201ff9b3ce75f87b4575e1322979655cdf206497b7329

    SHA512

    f4b8d44d1d620eb678a0dc5fb7c2aa1a64e8672e253e84d1a19eaada44d124568da743738f75872f7bf37938cbdb71ca52a27aa43ffe714f9bfe591e63568b56

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    c578aa0500ac350f09a8ee65ba28780b

    SHA1

    3720ee76bbbbd2e7bd73aece149486766f7d7989

    SHA256

    a198bbf206d541735da7d3ae9fd0d197601c97784f99e1fb25460294c0b3ed61

    SHA512

    c5ee5579f48872dba2610e71554902b54d2ea09e034baa2496123676cfec2666522272b639de801be9d480e8c677ba361440718a9ba07b776ea723534b6801a3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    3ed13c338614b01efd945078fb2b5cb2

    SHA1

    b1348571362849210cc5011cf5ee42ce65523233

    SHA256

    a028ff8c65e8e644f032c4921b12e21a42c0552c1be44f97d6977185bfc6d203

    SHA512

    6d9e61b660ab571bd0b730d80710276b3481d99f167cc29e6979a5b32c62bc27d8d52c5f0c8240b71a1d48d0d5f0ede89b60a31ccdec7fbc07f48e418db850a8

    Download Submit
  • memory/1916-155-0x0000000000000000-mapping.dmp
    Download
  • memory/2052-158-0x0000000001104000-0x0000000001106000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2052-157-0x0000000001103000-0x0000000001104000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2052-150-0x0000000001102000-0x0000000001103000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2052-149-0x0000000001100000-0x0000000001101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2052-136-0x0000000000000000-mapping.dmp
    Download
  • memory/2072-201-0x00000000012A3000-0x00000000012A4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2072-188-0x00000000012A0000-0x00000000012A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2072-189-0x00000000012A2000-0x00000000012A3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2072-178-0x0000000000000000-mapping.dmp
    Download
  • memory/2072-202-0x00000000012A4000-0x00000000012A6000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2108-174-0x0000000000000000-mapping.dmp
    Download
  • memory/2400-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3700-176-0x0000000004B63000-0x0000000004B64000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-177-0x0000000004B64000-0x0000000004B66000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3700-168-0x0000000004B60000-0x0000000004B61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-169-0x0000000004B62000-0x0000000004B63000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3700-159-0x0000000000000000-mapping.dmp
    Download
  • memory/3908-194-0x0000000006520000-0x000000000657F000-memory.dmp
    Filesize

    380KB

    Download
  • memory/3908-199-0x0000000008B90000-0x0000000008C0C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/3908-114-0x0000000000180000-0x0000000000181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3908-120-0x00000000049B0000-0x0000000004EAE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3908-119-0x00000000049B0000-0x0000000004EAE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3908-118-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3908-117-0x0000000004A70000-0x0000000004A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3908-116-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-128-0x0000000007630000-0x0000000007631000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-130-0x0000000007FB0000-0x0000000007FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-148-0x0000000004C04000-0x0000000004C06000-memory.dmp
    Filesize

    8KB

    Download
  • memory/3920-134-0x0000000008760000-0x0000000008761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-133-0x00000000088F0000-0x00000000088F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-132-0x0000000007F90000-0x0000000007F91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-131-0x0000000008020000-0x0000000008021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-147-0x0000000004C03000-0x0000000004C04000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-129-0x0000000007D60000-0x0000000007D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-127-0x0000000004C02000-0x0000000004C03000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-121-0x0000000000000000-mapping.dmp
    Download
  • memory/3920-126-0x0000000004C00000-0x0000000004C01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-125-0x00000000076C0000-0x00000000076C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3920-124-0x0000000004C10000-0x0000000004C11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4028-193-0x0000000000000000-mapping.dmp
    Download