Overview

overview

7

Static

static

1

PO 2781987...er.exe

windows7-x64

7

PO 2781987...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    150s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    18/04/2023, 02:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO 278198726- New Order.exe

  • Size

    690KB

  • MD5

    17809ada8c8f037b1fe8a428904cc6b6

  • SHA1

    7f0fb69877f1190050a4a0193ac6b5a6cdec2b57

  • SHA256

    007a3cbf2cfa788261a8475ccea642bf097870996cf002bc6720d7edc63d25e6

  • SHA512

    8782f028edc9827947fb12c55466cc26c7bd0447526cc1a7c1b99f71a1102ab3fd7eb4d9472ee6f12632ce2940ddeef0c94691a26423dbdea23eddeba1b3ab4f

  • SSDEEP

    12288:MQ7PCFKYTzAGTrNXTOHqPW3f0CEtcxf6q3dox3pj7AC5OScPPGFMWDPpt:d7EKcrNyz3I2i8CkP4McPpt

Score
7/10

Malware Config

Signatures

  • Drops startup file 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO 278198726- New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 278198726- New Order.exe"
    1⤵
    • Drops startup file
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 40 > nul && copy "C:\Users\Admin\AppData\Local\Temp\PO 278198726- New Order.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\653hytddfggyhiky.exe" && ping 127.0.0.1 -n 40 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\653hytddfggyhiky.exe"
      2⤵
      • Drops startup file
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • Runs ping.exe
        PID:1424
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 40
        3⤵
        • Runs ping.exe
        PID:864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1308-54-0x0000000000250000-0x0000000000302000-memory.dmp

    Filesize

    712KB

    Download

  • memory/1308-55-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1308-56-0x0000000004440000-0x000000000448A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/1308-57-0x0000000000560000-0x0000000000578000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1308-59-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1308-58-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1308-61-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1308-62-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1308-63-0x0000000004D30000-0x0000000004D70000-memory.dmp

    Filesize

    256KB

    Download