0b47a3df832568b06ef48ec7a8930bee0561840f2f8c218b661177880913cef6

Analysis

max time kernel
189s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
21-05-2022 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

new order.exe
Size

304KB
MD5

7c3af2b1640815d44ef42a11ffb3eb28
SHA1

059a0423d8f45c9ec833791071b6ab84dfa21ba9
SHA256

087836474ec9c75d0ebf6c9d36c805d0bf70bf2cc63985fb68d87797b1e923fa
SHA512

6c97323f45c50ff07d160eb16f0a9d558b73960413d5bd1377092711910d7f76a1e0ad8b3153044e1671e6a250e7d73d83fe3124752810be734cead7bc592b26

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

new order.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype = "\"C:\\Users\\Admin\\AppData\\Local\\Skype.exe\""	new order.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

new order.exe

pid	process
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe
1388	new order.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

new order.exe

description pid process

Token: SeDebugPrivilege 1388 new order.exe

description	pid	process
Token: SeDebugPrivilege	1388	new order.exe

C:\Users\Admin\AppData\Local\Temp\new order.exe
"C:\Users\Admin\AppData\Local\Temp\new order.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-130-0x0000000000A90000-0x0000000000AE2000-memory.dmp

Filesize
328KB

Download
memory/1388-131-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/1388-132-0x0000000005520000-0x00000000055B2000-memory.dmp

Filesize
584KB

Download
memory/1388-133-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/1388-134-0x0000000005800000-0x000000000589C000-memory.dmp

Filesize
624KB

Download
memory/1388-135-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download