e1951d7c32816561ef8f00f5612a088479e1edb3a8cdbc7b7a48d8b60de5c541

Analysis

max time kernel
48s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16-09-2022 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rem order.scr.exe
Size

1.2MB
MD5

03b3d450a89959d30f4bfee50b157ad0
SHA1

0f47f3a40e0f2ababb272e54bf49fab8f0990009
SHA256

e1951d7c32816561ef8f00f5612a088479e1edb3a8cdbc7b7a48d8b60de5c541
SHA512

a5e3d89cb9c621dbb1bf89db362f064a32242a362bfd9b564f1e5d000f4b8ae6f82e1f82ddb7a44b70e6217fe760be2b67f940207b4ee9d3610f022080133d60
SSDEEP

24576:YlubgKHsv8FE3UkFDYukPLx1S1cayY6Hnt+I0w4hp:Y4sKMUq3Uk50l1IxyrtAwe

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

rem order.scr.exe

pid process

1760 rem order.scr.exe
1760 rem order.scr.exe
1760 rem order.scr.exe
1760 rem order.scr.exe
1760 rem order.scr.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rem order.scr.exe

description pid process

Token: SeDebugPrivilege 1760 rem order.scr.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rem order.scr.exe

pid process

1760 rem order.scr.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

rem order.scr.exe

pid process

1760 rem order.scr.exe

pid	process
1760	rem order.scr.exe
1760	rem order.scr.exe
1760	rem order.scr.exe
1760	rem order.scr.exe
1760	rem order.scr.exe

description	pid	process
Token: SeDebugPrivilege	1760	rem order.scr.exe

pid	process
1760	rem order.scr.exe

pid	process
1760	rem order.scr.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

rem order.scr.exe

description	pid	process	target process
PID 1760 wrote to memory of 1148	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1148	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1148	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1148	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1148	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1148	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1148	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 856	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 856	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 856	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 856	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 856	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 856	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 856	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 676	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 676	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 676	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 676	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 676	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 676	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 676	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1108	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1108	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1108	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1108	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1108	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1108	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 1108	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 516	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 516	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 516	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 516	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 516	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 516	1760	rem order.scr.exe	rem order.scr.exe
PID 1760 wrote to memory of 516	1760	rem order.scr.exe	rem order.scr.exe

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
2⤵
PID:1148

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
2⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
2⤵
PID:676

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
2⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe
"C:\Users\Admin\AppData\Local\Temp\rem order.scr.exe"
2⤵
PID:516

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-54-0x0000000000170000-0x00000000002AE000-memory.dmp

Filesize
1.2MB

Download
memory/1760-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1760-56-0x00000000003D0000-0x00000000003E6000-memory.dmp

Filesize
88KB

Download
memory/1760-57-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/1760-58-0x00000000080B0000-0x0000000008180000-memory.dmp

Filesize
832KB

Download
memory/1760-59-0x0000000007F10000-0x0000000007F8C000-memory.dmp

Filesize
496KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads