b8baaf727f8da89fe81122fd5c93c3d34b7f3f78ae90403309d7d335e0bb3792

General

Target

New Order4687334.exe
Size

792KB
MD5

abc0d5990e243c73bcb0ef52f113c9c8
SHA1

a62d9e6614ab925a6ec5ec1d8c8abeb44cf51ef0
SHA256

b8baaf727f8da89fe81122fd5c93c3d34b7f3f78ae90403309d7d335e0bb3792
SHA512

c33cdb17d07af0b51b4dfdf1a4626ec94ad87d24aef2e4ac8cc17eecdfdfe246224a28e448d321feb4ea70d83a349f822ed46abad7ec1913566b83a2c9bc4fa5

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1672 1932 WerFault.exe New Order4687334.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2004 schtasks.exe

pid	pid_target	process	target process
1672	1932	WerFault.exe	New Order4687334.exe

pid	process
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

New Order4687334.exeWerFault.exepowershell.exe

pid	process
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1932	New Order4687334.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1672	WerFault.exe
1952	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New Order4687334.exeWerFault.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1932 New Order4687334.exe
Token: SeDebugPrivilege 1672 WerFault.exe
Token: SeDebugPrivilege 1952 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1932	New Order4687334.exe
Token: SeDebugPrivilege	1672	WerFault.exe
Token: SeDebugPrivilege	1952	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

New Order4687334.exe

description	pid	process	target process
PID 1932 wrote to memory of 1952	1932	New Order4687334.exe	powershell.exe
PID 1932 wrote to memory of 1952	1932	New Order4687334.exe	powershell.exe
PID 1932 wrote to memory of 1952	1932	New Order4687334.exe	powershell.exe
PID 1932 wrote to memory of 1952	1932	New Order4687334.exe	powershell.exe
PID 1932 wrote to memory of 2004	1932	New Order4687334.exe	schtasks.exe
PID 1932 wrote to memory of 2004	1932	New Order4687334.exe	schtasks.exe
PID 1932 wrote to memory of 2004	1932	New Order4687334.exe	schtasks.exe
PID 1932 wrote to memory of 2004	1932	New Order4687334.exe	schtasks.exe
PID 1932 wrote to memory of 1672	1932	New Order4687334.exe	WerFault.exe
PID 1932 wrote to memory of 1672	1932	New Order4687334.exe	WerFault.exe
PID 1932 wrote to memory of 1672	1932	New Order4687334.exe	WerFault.exe
PID 1932 wrote to memory of 1672	1932	New Order4687334.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New Order4687334.exe
"C:\Users\Admin\AppData\Local\Temp\New Order4687334.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lGBqbwYsd.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lGBqbwYsd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5D8B.tmp"
2⤵
- Creates scheduled task(s)
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 1004
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1672

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5D8B.tmp
MD5
4ca49e42e8ae1a967639d7e4133a8f92

SHA1
ccc1c557407801eb2ca3f8e83c2759a5384fabdd

SHA256
29e1f61fe4dfb82681ed44fbf5b002ffd47c6531d621a21298a3f708474e8ad4

SHA512
73b8e02fcaa82e3a94be521953ce42e5c3c2d3a0791d28de96c57afd68889bdf2eff56febfb11496cd46153c9ffb3a8ccd44d131b7e3d579bbba658a3760ae0c

Download Submit
memory/1672-65-0x0000000000000000-mapping.dmp

Download
memory/1672-67-0x0000000000270000-0x00000000002D0000-memory.dmp

Filesize
384KB

Download
memory/1932-57-0x0000000075901000-0x0000000075903000-memory.dmp

Filesize
8KB

Download
memory/1932-58-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

Filesize
4KB

Download
memory/1932-59-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/1932-60-0x00000000050B0000-0x0000000005148000-memory.dmp

Filesize
608KB

Download
memory/1932-55-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/1952-66-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1952-68-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/1952-61-0x0000000000000000-mapping.dmp

Download
memory/1952-69-0x0000000002430000-0x000000000307A000-memory.dmp

Filesize
12.3MB

Download
memory/2004-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads