234f6413a29fd682d75e754921a6c5fd19d470cc24835f34636d28f06a0fa956

General

Target

Order-Item list.exe
Size

596KB
MD5

e50062929312e517c158965db1858662
SHA1

37a0bf7c126c5bd4ab90bb183c38248983cd3d66
SHA256

af905972a17e26abbcdb1b00d7ce10499707d2a3c42f5a9584a4823adf1a1c0e
SHA512

84afc4560779f303e3a4e00dc64aa24bda50eed1ec6711d69917a3a5cf79963fd44829ef9ab6ad260b902052836f28d19c488439f52c2456a88a8c0e4cab0ad0

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

992 schtasks.exe

pid	process
992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

Order-Item list.exe

pid	process
1900	Order-Item list.exe
1900	Order-Item list.exe
1900	Order-Item list.exe
1900	Order-Item list.exe
1900	Order-Item list.exe
1900	Order-Item list.exe
1900	Order-Item list.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Order-Item list.exe

description pid process

Token: SeDebugPrivilege 1900 Order-Item list.exe

description	pid	process
Token: SeDebugPrivilege	1900	Order-Item list.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Order-Item list.exe

description	pid	process	target process
PID 1900 wrote to memory of 992	1900	Order-Item list.exe	schtasks.exe
PID 1900 wrote to memory of 992	1900	Order-Item list.exe	schtasks.exe
PID 1900 wrote to memory of 992	1900	Order-Item list.exe	schtasks.exe
PID 1900 wrote to memory of 992	1900	Order-Item list.exe	schtasks.exe
PID 1900 wrote to memory of 888	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 888	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 888	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 888	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1768	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1768	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1768	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1768	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 268	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 268	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 268	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 268	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1192	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1192	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1192	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 1192	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 568	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 568	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 568	1900	Order-Item list.exe	Order-Item list.exe
PID 1900 wrote to memory of 568	1900	Order-Item list.exe	Order-Item list.exe

C:\Users\Admin\AppData\Local\Temp\Order-Item list.exe
"C:\Users\Admin\AppData\Local\Temp\Order-Item list.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\&startupname&" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB5D.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:992
- C:\Users\Admin\AppData\Local\Temp\Order-Item list.exe
  "{path}"
  2⤵
  PID:888
- C:\Users\Admin\AppData\Local\Temp\Order-Item list.exe
  "{path}"
  2⤵
  PID:1768
- C:\Users\Admin\AppData\Local\Temp\Order-Item list.exe
  "{path}"
  2⤵
  PID:568
- C:\Users\Admin\AppData\Local\Temp\Order-Item list.exe
  "{path}"
  2⤵
  PID:1192
- C:\Users\Admin\AppData\Local\Temp\Order-Item list.exe
  "{path}"
  2⤵
  PID:268

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAB5D.tmp

Filesize
1KB

MD5
d2aa72e1e0a9b7dcb81af5082540153a

SHA1
69f84c985fea812daa2fcfd1941a7d60facb4a7e

SHA256
c7a368be198491672c06e17b5626878b39a06de3bb28c0f028cc3aff46e43d3d

SHA512
541bbb3c838c14bfc2c91d1394a99a72f76ad8c3534da1215336ffdc3d63922d456af573ced60d5dff7f9e70fc1f7c8f3cd8ad997374356ecb784695ea312692

Download Submit
memory/992-58-0x0000000000000000-mapping.dmp

Download
memory/1900-54-0x00000000001F0000-0x000000000028C000-memory.dmp

Filesize
624KB

Download
memory/1900-55-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1900-56-0x0000000004310000-0x0000000004380000-memory.dmp

Filesize
448KB

Download
memory/1900-57-0x0000000000690000-0x00000000006E6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads