90e6b30c2f8303d7416e222d43fe7e777619b7e5cb0f9bc0d08cfb36fee4a899

Analysis

max time kernel
122s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2023, 15:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Order Specifications.exe
Size

701.2MB
MD5

355622a4df7433ae0735e850300a0096
SHA1

9a0358f5a5ca9ccec766ea615aeb3cbfba7a9c87
SHA256

41c0c66cee089ae7046fab50bd410283fea43a9cb7dbb5d031775a2cac5b1912
SHA512

7fa98d0f9903af3f4b3e89fbf7e2aa7526041a3e7e6e7a0c2fef6a18d0c61777f41a5130f550db76075ca8ac6dac3ca893b8a639b9bd030bc4c3eed7c3bb127f
SSDEEP

24576:i0biRoSErVxIE520lwStPHO1guspefmICr+qd1NF0bsKBI+Hu42:iy4oRrjIw20lnt0spesr+Wr0b5/Q

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4408 set thread context of 4336	4408	Order Specifications.exe	90

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
4408	Order Specifications.exe
4408	Order Specifications.exe
4408	Order Specifications.exe
4408	Order Specifications.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3236	taskmgr.exe
Token: SeSystemProfilePrivilege	3236	taskmgr.exe
Token: SeCreateGlobalPrivilege	3236	taskmgr.exe
Token: SeDebugPrivilege	4408	Order Specifications.exe
Token: SeDebugPrivilege	4336	Order Specifications.exe
Token: 33	3236	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3236	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe
3236	taskmgr.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 232	4408	Order Specifications.exe	88
PID 4408 wrote to memory of 232	4408	Order Specifications.exe	88
PID 4408 wrote to memory of 232	4408	Order Specifications.exe	88
PID 4408 wrote to memory of 100	4408	Order Specifications.exe	89
PID 4408 wrote to memory of 100	4408	Order Specifications.exe	89
PID 4408 wrote to memory of 100	4408	Order Specifications.exe	89
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90
PID 4408 wrote to memory of 4336	4408	Order Specifications.exe	90

C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe
"C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe"
  2⤵
  PID:232
- C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe"
  2⤵
  PID:100
- C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe
  "C:\Users\Admin\AppData\Local\Temp\Order Specifications.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3244

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order Specifications.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/3236-149-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-151-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-150-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-147-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-148-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-139-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-140-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-141-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-145-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/3236-146-0x000002C91B1C0000-0x000002C91B1C1000-memory.dmp

Filesize
4KB

Download
memory/4336-165-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-176-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-2472-0x00000000059B0000-0x0000000005A16000-memory.dmp

Filesize
408KB

Download
memory/4336-1886-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4336-208-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-206-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-153-0x0000000000400000-0x00000000004A0000-memory.dmp

Filesize
640KB

Download
memory/4336-204-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-156-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-157-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-159-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-161-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-163-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-202-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-167-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4336-168-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-170-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-172-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-174-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-200-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-178-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-180-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-182-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-184-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-186-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-188-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-190-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-192-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-194-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-196-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4336-198-0x0000000005600000-0x00000000056EC000-memory.dmp

Filesize
944KB

Download
memory/4408-138-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/4408-133-0x00000000005D0000-0x000000000070E000-memory.dmp

Filesize
1.2MB

Download
memory/4408-134-0x00000000056F0000-0x0000000005C94000-memory.dmp

Filesize
5.6MB

Download
memory/4408-152-0x0000000005300000-0x0000000005310000-memory.dmp

Filesize
64KB

Download
memory/4408-135-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/4408-136-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/4408-137-0x0000000005310000-0x00000000053AC000-memory.dmp

Filesize
624KB

Download