0949306906e66bde29ccf24ecb82d85fb49a3ee3c502e632b1f114b164e7cc94

General

Target

PURCHASE ORDER.exe
Size

758KB
MD5

0c2b2237be9d61afea6f62cd4edff9e4
SHA1

18a3b3b9ebd80d8cb12ec18b749a9e843e0c3ea8
SHA256

c7be8b5b17f15893c49c1748052bee41cbbb574b2aa6ede4923e01ccdaded68d
SHA512

765bc8139fbc6f8c8b90eea9a9f3b9981051f4227ae2f8de40518cb4df9899e0755773f1a6f425dbfdfa6b203f88d02b6101d7cd58e9e316a64fa5636b4ac461

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1736 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

PURCHASE ORDER.exe

pid process

1628 PURCHASE ORDER.exe
1628 PURCHASE ORDER.exe
1628 PURCHASE ORDER.exe
1628 PURCHASE ORDER.exe
1628 PURCHASE ORDER.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

PURCHASE ORDER.exe

description pid process

Token: SeDebugPrivilege 1628 PURCHASE ORDER.exe

pid	process
1736	schtasks.exe

pid	process
1628	PURCHASE ORDER.exe
1628	PURCHASE ORDER.exe
1628	PURCHASE ORDER.exe
1628	PURCHASE ORDER.exe
1628	PURCHASE ORDER.exe

description	pid	process
Token: SeDebugPrivilege	1628	PURCHASE ORDER.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

PURCHASE ORDER.exe

description	pid	process	target process
PID 1628 wrote to memory of 1736	1628	PURCHASE ORDER.exe	schtasks.exe
PID 1628 wrote to memory of 1736	1628	PURCHASE ORDER.exe	schtasks.exe
PID 1628 wrote to memory of 1736	1628	PURCHASE ORDER.exe	schtasks.exe
PID 1628 wrote to memory of 1736	1628	PURCHASE ORDER.exe	schtasks.exe
PID 1628 wrote to memory of 1360	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1360	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1360	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1360	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1068	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1068	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1068	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1068	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1144	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1144	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1144	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1144	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1496	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1496	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1496	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 1496	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 792	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 792	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 792	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe
PID 1628 wrote to memory of 792	1628	PURCHASE ORDER.exe	PURCHASE ORDER.exe

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tbnuJUjuNEXt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8EB9.tmp"
2⤵
- Creates scheduled task(s)
PID:1736

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
2⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
2⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
2⤵
PID:1144

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
2⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
2⤵
PID:792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8EB9.tmp

Filesize
1KB

MD5
e33398f5924b8e14d4a5b50d719b4bbd

SHA1
314199ed75c8c3a5d4555e56a91ed89395b3f6d9

SHA256
cc39e77a32652f275a63f85e15b8bd3137fcfb9b2ded24020ec10173549d798a

SHA512
b33629566aa8e9e0ffd95010a1cc0c60bbec1680ec142c2687098df9c4aa4b0192183597403002414aeb394e8a4922135fad849265f222292d7f9e66058e0a74

Download Submit
memory/1628-54-0x00000000003F0000-0x00000000004B4000-memory.dmp

Filesize
784KB

Download
memory/1628-55-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1628-56-0x0000000000500000-0x0000000000512000-memory.dmp

Filesize
72KB

Download
memory/1628-57-0x0000000005150000-0x00000000051C4000-memory.dmp

Filesize
464KB

Download
memory/1628-58-0x00000000051C0000-0x000000000521A000-memory.dmp

Filesize
360KB

Download
memory/1736-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads