General
Target

New purchase Order.exe

Filesize

477KB

Completed

21-05-2022 01:42

Task

behavioral1

Score

3/10
MD5

dd481272bd8f9e8ca40868e4a90db854

SHA1

8871b4d7173d89b539aa1b3e91139cb4c0ce744e

SHA256

8edf8a8b1972c8dd05a960b7a79a7a87c8977b69b700ab9db28bab9207b8b267

SHA512

168ed59d8f6edd7b37b44441480e59fdef67beb35487974aec59aa36852407c75d5537532f6cd0104327516fd2e0359fadb6fe56a8def782864413df341761a8

Malware Config
Signatures 5

  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Creates scheduled task(s)
    schtasks.exe

    Description

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    TTPs

    Scheduled Task

    Reported IOCs

    pid   process
    1708  schtasks.exe
  • Suspicious behavior: EnumeratesProcesses
    New purchase Order.exe

    Reported IOCs

    pid   process
    1556  New purchase Order.exe
    1556  New purchase Order.exe
    1556  New purchase Order.exe
    1556  New purchase Order.exe
    1556  New purchase Order.exe
  • Suspicious use of AdjustPrivilegeToken
    New purchase Order.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1556  New purchase Order.exe
  • Suspicious use of WriteProcessMemory
    New purchase Order.exe

    Reported IOCs

    description                       pid   process                 target process
    PID 1556 wrote to memory of 1708  1556  New purchase Order.exe  schtasks.exe
    PID 1556 wrote to memory of 1708  1556  New purchase Order.exe  schtasks.exe
    PID 1556 wrote to memory of 1708  1556  New purchase Order.exe  schtasks.exe
    PID 1556 wrote to memory of 1708  1556  New purchase Order.exe  schtasks.exe
    PID 1556 wrote to memory of 1464  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 1464  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 1464  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 1464  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 844   1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 844   1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 844   1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 844   1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2028  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2028  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2028  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2028  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2020  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2020  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2020  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 2020  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 1744  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 1744  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 1744  1556  New purchase Order.exe  New purchase Order.exe
    PID 1556 wrote to memory of 1744  1556  New purchase Order.exe  New purchase Order.exe
Processes 7
  • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NADfrJFSUbwNu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6DE1.tmp"
      Creates scheduled task(s)
      PID:1708
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "{path}"
      PID:1464
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "{path}"
      PID:844
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "{path}"
      PID:2028
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "{path}"
      PID:2020
    • C:\Users\Admin\AppData\Local\Temp\New purchase Order.exe
      "{path}"
      PID:1744
Network

MITRE ATT&CK Matrix

Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Downloads
  • C:\Users\Admin\AppData\Local\Temp\tmp6DE1.tmp

    MD5

    231f63059ec3c0ee73572994bde4bfed

    SHA1

    d14200c81c501834b7c21345cee8097d08e07bda

    SHA256

    fe3b361ce3bdf2b2deb9e3592190b1ac6ff487ad9966fb111189b6fd8fc53353

    SHA512

    9eabd4d37e6b0f7e21c0bb9a934ab85e9324a2d19243ed759bc0e9443c6431f9a76c47eb6ba65b9192abe9e8e50714741854b9fc312f7ad2a89db3e8d722fc2e

  • memory/1556-55-0x0000000075541000-0x0000000075543000-memory.dmp
  • memory/1556-56-0x0000000000420000-0x000000000042A000-memory.dmp
  • memory/1556-57-0x0000000005AA0000-0x0000000005B22000-memory.dmp
  • memory/1556-58-0x00000000020F0000-0x0000000002122000-memory.dmp
  • memory/1556-54-0x0000000000390000-0x000000000040E000-memory.dmp
  • memory/1708-59-0x0000000000000000-mapping.dmp