29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708

General

Target

ORDER INQUIRY.exe
Size

279KB
MD5

6bd95e18dbd55ab2bb32d2bdef0c88e6
SHA1

5fb95f1577c4d4c810a2a663db4a87704031126e
SHA256

27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662
SHA512

483301dd5b6198feab4dbaf0b17039a7b99e423a0c2eeaff609a1973d9b66cb3f22c1afab28769fb9a4530a2e3bb5b19ab3b2a62233807630db3ec6ffcb4fb32

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ORDER INQUIRY.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	ORDER INQUIRY.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4760 schtasks.exe

pid	process
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

ORDER INQUIRY.exe

pid	process
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe
2300	ORDER INQUIRY.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ORDER INQUIRY.exe

description pid process

Token: SeDebugPrivilege 2300 ORDER INQUIRY.exe

description	pid	process
Token: SeDebugPrivilege	2300	ORDER INQUIRY.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

ORDER INQUIRY.exe

description	pid	process	target process
PID 2300 wrote to memory of 4760	2300	ORDER INQUIRY.exe	schtasks.exe
PID 2300 wrote to memory of 4760	2300	ORDER INQUIRY.exe	schtasks.exe
PID 2300 wrote to memory of 4760	2300	ORDER INQUIRY.exe	schtasks.exe
PID 2300 wrote to memory of 4624	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4624	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4624	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4144	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4144	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4144	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4928	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4928	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 4928	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 5048	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 5048	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 5048	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 5104	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 5104	2300	ORDER INQUIRY.exe	vbc.exe
PID 2300 wrote to memory of 5104	2300	ORDER INQUIRY.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\ORDER INQUIRY.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER INQUIRY.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rsYfak" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE091.tmp"
2⤵
- Creates scheduled task(s)
PID:4760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:4928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:5048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"{path}"
2⤵
PID:5104

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpE091.tmp
Filesize
1KB

MD5
b4542b9f78a8f2b71b59924531e71cd8

SHA1
5d45683716b85effda889eada92524ee9cb2b54a

SHA256
820d47d31dce9e0f05efa0ebf7c9876925e90b8f613f8cddd5fefbe5bcbd41e7

SHA512
4a0979efa342240b9e5d3a6e721c32be3a23e6f003a0167085ea586c51c0abbdf4a8e4b36a0e0a72293536b30c60446432fa3ec5b201a90e58f872774f5d28b4

Download Submit
memory/2300-130-0x0000000000620000-0x000000000066C000-memory.dmp

Filesize
304KB

Download
memory/2300-131-0x00000000056B0000-0x0000000005C54000-memory.dmp

Filesize
5.6MB

Download
memory/2300-132-0x00000000052E0000-0x0000000005372000-memory.dmp

Filesize
584KB

Download
memory/2300-133-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/2300-134-0x00000000089D0000-0x0000000008A6C000-memory.dmp

Filesize
624KB

Download
memory/4144-138-0x0000000000000000-mapping.dmp

Download
memory/4624-137-0x0000000000000000-mapping.dmp

Download
memory/4760-135-0x0000000000000000-mapping.dmp

Download
memory/4928-139-0x0000000000000000-mapping.dmp

Download
memory/5048-140-0x0000000000000000-mapping.dmp

Download
memory/5104-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads