Analysis
- max time kernel: 90s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 21-05-2022 12:38
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: FIRST PURCHASE ORDER.exe
  Resource: win7-20220414-en
- Behavioral task: behavioral2
  Sample: FIRST PURCHASE ORDER.exe
  Resource: win10v2004-20220414-en
General
- Target: FIRST PURCHASE ORDER.exe
- Size: 714KB
- MD5: dbbac19cfd01ab4e759500a13168a30b
- SHA1: 71917c8765aaa6e2869cc1b949bfddf3580457c5
- SHA256: fe41fe0b302887f61f20473015f386ab57ddb4cc278b3e1639c07337012a58f4
- SHA512: caa08b928acff84a762f64c8c18c332db8f546d003085415560bdc265c3c90953d3e54da5e2031d188beca49e8c891966f8f8de66c8202928045acfd7d80d4ee
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | FIRST PURCHASE ORDER.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid | process):
    3216 | FIRST PURCHASE ORDER.exe (10 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3216 | FIRST PURCHASE ORDER.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes (description | pid | process | target process):
    PID 3216 wrote to memory of 3148 | 3216 | FIRST PURCHASE ORDER.exe | schtasks.exe (3 entries)
    PID 3216 wrote to memory of 316 | 3216 | FIRST PURCHASE ORDER.exe | RegSvcs.exe (3 entries)
    PID 3216 wrote to memory of 176 | 3216 | FIRST PURCHASE ORDER.exe | RegSvcs.exe (3 entries)
    PID 3216 wrote to memory of 204 | 3216 | FIRST PURCHASE ORDER.exe | RegSvcs.exe (3 entries)
    PID 3216 wrote to memory of 212 | 3216 | FIRST PURCHASE ORDER.exe | RegSvcs.exe (3 entries)
    PID 3216 wrote to memory of 4020 | 3216 | FIRST PURCHASE ORDER.exe | RegSvcs.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\FIRST PURCHASE ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FIRST PURCHASE ORDER.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EOFicAFbFaB" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCDA0.tmp"
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "{path}"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpCDA0.tmp
  Filesize: 1KB
  MD5: 4de0bd61d977a1861de83a9cbd234d24
  SHA1: 7dac22ec3c496b0c7556ac21123034bef0aa998b
  SHA256: 504f8664c8262c9dd9775422792fc743c88acce1c26d1f8a7d9cba87aeac24f5
  SHA512: fa6ecaf0f0e6c055ac8ae6f12e2e653c54894de1c07336c191251f47bc774b837db865fa3778feb21a032817fc4dae452bff67bc781dcb25c60220025e620f45
- memory/176-137-0x0000000000000000-mapping.dmp
- memory/204-138-0x0000000000000000-mapping.dmp
- memory/212-139-0x0000000000000000-mapping.dmp
- memory/316-136-0x0000000000000000-mapping.dmp
- memory/3148-134-0x0000000000000000-mapping.dmp
- memory/3216-130-0x0000000000230000-0x00000000002E8000-memory.dmp
  Filesize: 736KB
- memory/3216-131-0x0000000005290000-0x0000000005834000-memory.dmp
  Filesize: 5.6MB
- memory/3216-132-0x0000000004CE0000-0x0000000004D72000-memory.dmp
  Filesize: 584KB
- memory/3216-133-0x0000000004E20000-0x0000000004EBC000-memory.dmp
  Filesize: 624KB
- memory/4020-140-0x0000000000000000-mapping.dmp