Behavioral Report

max time kernel43s
max time network46s
platformwindows7_x64
resourcewin7-20220414-en
submitted21-05-2022 01:39

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

New purchase Order.exe

Filesize

477KB

Completed

21-05-2022 01:42

Task

behavioral1

Score

3^/10

MD5

dd481272bd8f9e8ca40868e4a90db854

SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e

SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

SHA256

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Discovery

Persistence

Enumerates physical storage devices

Description

Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

TTPs

System Information Discovery
Creates scheduled task(s)
schtasks.exe

Description

Schtasks is often used by malware for persistence or to perform post-infection execution.

Tags

persistence

TTPs

Scheduled Task

Reported IOCs

pid process

1708 schtasks.exe

pid	process
1708	schtasks.exe

Suspicious behavior: EnumeratesProcesses

New purchase Order.exe

Reported IOCs

pid	process
1556	New purchase Order.exe
1556	New purchase Order.exe
1556	New purchase Order.exe
1556	New purchase Order.exe
1556	New purchase Order.exe

Suspicious use of AdjustPrivilegeToken
New purchase Order.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1556 New purchase Order.exe

description	pid	process
Token: SeDebugPrivilege	1556	New purchase Order.exe

Suspicious use of WriteProcessMemory

New purchase Order.exe

Reported IOCs

description	pid	process	target process
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe

"C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"

Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:1556

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6DE1.tmp"

Creates scheduled task(s)

PID:1708

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe

"{path}"

PID:1464

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe

"{path}"

PID:844

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe

"{path}"

PID:2028

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe

"{path}"

PID:2020

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe

"{path}"

PID:1744

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

System Information Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Scheduled Task

Privilege Escalation

00:00 00:00

C:\Users\Admin\AppData\Local\Temp\tmp6DE1.tmp
MD5
231f63059ec3c0ee73572994bde4bfed

SHA1
d14200c81c501834b7c21345cee8097d08e07bda

SHA256
fe3b361ce3bdf2b2deb9e3592190b1ac6ff487ad9966fb111189b6fd8fc53353

SHA512
9eabd4d37e6b0f7e21c0bb9a934ab85e9324a2d19243ed759bc0e9443c6431f9a76c47eb6ba65b9192abe9e8e50714741854b9fc312f7ad2a89db3e8d722fc2e

Download Submit
memory/1556-55-0x0000000075541000-0x0000000075543000-memory.dmp

Download
memory/1556-56-0x0000000000420000-0x000000000042A000-memory.dmp

Download
memory/1556-57-0x0000000005AA0000-0x0000000005B22000-memory.dmp

Download
memory/1556-58-0x00000000020F0000-0x0000000002122000-memory.dmp

Download
memory/1556-54-0x0000000000390000-0x000000000040E000-memory.dmp

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download

Filter: none

Description

TTPs

Description

Tags

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title