8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

General

Target

New purchase Order.exe
Size

477KB
MD5

dd481272bd8f9e8ca40868e4a90db854
SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e
SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267
SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1708 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

New purchase Order.exe

pid process

1556 New purchase Order.exe
1556 New purchase Order.exe
1556 New purchase Order.exe
1556 New purchase Order.exe
1556 New purchase Order.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New purchase Order.exe

description pid process

Token: SeDebugPrivilege 1556 New purchase Order.exe

pid	process
1708	schtasks.exe

pid	process
1556	New purchase Order.exe
1556	New purchase Order.exe
1556	New purchase Order.exe
1556	New purchase Order.exe
1556	New purchase Order.exe

description	pid	process
Token: SeDebugPrivilege	1556	New purchase Order.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

New purchase Order.exe

description	pid	process	target process
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1708	1556	New purchase Order.exe	schtasks.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1464	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 844	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2028	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 2020	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe
PID 1556 wrote to memory of 1744	1556	New purchase Order.exe	New purchase Order.exe

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6DE1.tmp"
2⤵
- Creates scheduled task(s)
PID:1708

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
2⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
2⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
2⤵
PID:2028

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
2⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
"{path}"
2⤵
PID:1744

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6DE1.tmp
Filesize
1KB

MD5
231f63059ec3c0ee73572994bde4bfed

SHA1
d14200c81c501834b7c21345cee8097d08e07bda

SHA256
fe3b361ce3bdf2b2deb9e3592190b1ac6ff487ad9966fb111189b6fd8fc53353

SHA512
9eabd4d37e6b0f7e21c0bb9a934ab85e9324a2d19243ed759bc0e9443c6431f9a76c47eb6ba65b9192abe9e8e50714741854b9fc312f7ad2a89db3e8d722fc2e

Download Submit
memory/1556-54-0x0000000000390000-0x000000000040E000-memory.dmp

Filesize
504KB

Download
memory/1556-55-0x0000000075541000-0x0000000075543000-memory.dmp

Filesize
8KB

Download
memory/1556-56-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/1556-57-0x0000000005AA0000-0x0000000005B22000-memory.dmp

Filesize
520KB

Download
memory/1556-58-0x00000000020F0000-0x0000000002122000-memory.dmp

Filesize
200KB

Download
memory/1708-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads