9dca638219e066e03580c78ee2911a9a15945f9585861451703ff0b0ac73eb40

General

Target

order confirmation.exe
Size

1.2MB
MD5

ce8f7848c768c7db0cb93126e3a53c15
SHA1

672e04fd85105dc26fd6ba8b798f79dc1eb7ff04
SHA256

9dca638219e066e03580c78ee2911a9a15945f9585861451703ff0b0ac73eb40
SHA512

c1d0e096b5327537f753facda3fdc26a9a0b45e4b1cca3356d2d7f4131e0c6ebb04b11c1961a415548617f6ef37a20557ede092f69350440b158947db8cb6c91
SSDEEP

12288:Dxa2iNp68hzeFqPFCwflmsGNv+l4Y2+jvbL1YzYPqfIGYVpyADqjJ5nX:A1pwgmBNzQjvb+SNWjrX

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1576 schtasks.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

order confirmation.exe

pid process

1972 order confirmation.exe
1972 order confirmation.exe
1972 order confirmation.exe
1972 order confirmation.exe
1972 order confirmation.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

order confirmation.exe

description pid process

Token: SeDebugPrivilege 1972 order confirmation.exe

pid	process
1576	schtasks.exe

pid	process
1972	order confirmation.exe
1972	order confirmation.exe
1972	order confirmation.exe
1972	order confirmation.exe
1972	order confirmation.exe

description	pid	process
Token: SeDebugPrivilege	1972	order confirmation.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

order confirmation.exe

description	pid	process	target process
PID 1972 wrote to memory of 1576	1972	order confirmation.exe	schtasks.exe
PID 1972 wrote to memory of 1576	1972	order confirmation.exe	schtasks.exe
PID 1972 wrote to memory of 1576	1972	order confirmation.exe	schtasks.exe
PID 1972 wrote to memory of 1576	1972	order confirmation.exe	schtasks.exe
PID 1972 wrote to memory of 856	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 856	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 856	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 856	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 948	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 948	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 948	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 948	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1772	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1772	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1772	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1772	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 944	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 944	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 944	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 944	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1420	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1420	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1420	1972	order confirmation.exe	order confirmation.exe
PID 1972 wrote to memory of 1420	1972	order confirmation.exe	order confirmation.exe

C:\Users\Admin\AppData\Local\Temp\order confirmation.exe
"C:\Users\Admin\AppData\Local\Temp\order confirmation.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dOfndS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp67D8.tmp"
2⤵
- Creates scheduled task(s)
PID:1576

C:\Users\Admin\AppData\Local\Temp\order confirmation.exe
"{path}"
2⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\order confirmation.exe
"{path}"
2⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\order confirmation.exe
"{path}"
2⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\order confirmation.exe
"{path}"
2⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\order confirmation.exe
"{path}"
2⤵
PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp67D8.tmp

Filesize
1KB

MD5
38ef2d3a82c1d82ebad2be502e4986d6

SHA1
6b4225313c681aef67d22f11a0290d72064258e8

SHA256
3db146951b7db8025d77d9aa3035029ba12577c503579a44364ddbfb3288e47a

SHA512
ddc11530d036cf03ce1e23f7ffe8fcf8c1bfbae641a1dce7277aacaa3d6bda5091d6f807a5a2dc1657b34ed10f85d6c6ece01c7849cd675a4e24d3f099a478e2

Download Submit
memory/1576-59-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x00000000003F0000-0x000000000051C000-memory.dmp

Filesize
1.2MB

Download
memory/1972-55-0x0000000075501000-0x0000000075503000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x00000000008A0000-0x00000000008C0000-memory.dmp

Filesize
128KB

Download
memory/1972-57-0x0000000005340000-0x00000000053F2000-memory.dmp

Filesize
712KB

Download
memory/1972-58-0x0000000004BF0000-0x0000000004C5C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads