d0bcfaba75056d8d1e308e4088122850eea75007f191b5c8d9aac67e8cd0dfe3

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
11-10-2023 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Approved Purchase Order Nr.227.exe
Size

765KB
MD5

563b0fcdde7369186ac38d0b09306aa7
SHA1

df516393eb762506b627b6257b9d83ceb61d80f8
SHA256

d0bcfaba75056d8d1e308e4088122850eea75007f191b5c8d9aac67e8cd0dfe3
SHA512

4baf303d8f2b353a40626ccf80a6b409a2ff162a1e505fcf4ff15a1a7d1a67ca89543f046ff457fdfaa80040242bd4c44172794a31e06a25ab069f859f174a8f
SSDEEP

12288:w7252w6Wl3ZgY3RBxx7a4OQDkAncT9HyWCk7cUxvReS+uhQM:rIDWtZgWRBT7a4O/d1Isbx1h

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2260	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2228	Approved Purchase Order Nr.227.exe
2744	powershell.exe
2764	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	Approved Purchase Order Nr.227.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2744	2228	Approved Purchase Order Nr.227.exe	30
PID 2228 wrote to memory of 2744	2228	Approved Purchase Order Nr.227.exe	30
PID 2228 wrote to memory of 2744	2228	Approved Purchase Order Nr.227.exe	30
PID 2228 wrote to memory of 2744	2228	Approved Purchase Order Nr.227.exe	30
PID 2228 wrote to memory of 2764	2228	Approved Purchase Order Nr.227.exe	32
PID 2228 wrote to memory of 2764	2228	Approved Purchase Order Nr.227.exe	32
PID 2228 wrote to memory of 2764	2228	Approved Purchase Order Nr.227.exe	32
PID 2228 wrote to memory of 2764	2228	Approved Purchase Order Nr.227.exe	32
PID 2228 wrote to memory of 2260	2228	Approved Purchase Order Nr.227.exe	34
PID 2228 wrote to memory of 2260	2228	Approved Purchase Order Nr.227.exe	34
PID 2228 wrote to memory of 2260	2228	Approved Purchase Order Nr.227.exe	34
PID 2228 wrote to memory of 2260	2228	Approved Purchase Order Nr.227.exe	34
PID 2228 wrote to memory of 2532	2228	Approved Purchase Order Nr.227.exe	36
PID 2228 wrote to memory of 2532	2228	Approved Purchase Order Nr.227.exe	36
PID 2228 wrote to memory of 2532	2228	Approved Purchase Order Nr.227.exe	36
PID 2228 wrote to memory of 2532	2228	Approved Purchase Order Nr.227.exe	36
PID 2228 wrote to memory of 2476	2228	Approved Purchase Order Nr.227.exe	37
PID 2228 wrote to memory of 2476	2228	Approved Purchase Order Nr.227.exe	37
PID 2228 wrote to memory of 2476	2228	Approved Purchase Order Nr.227.exe	37
PID 2228 wrote to memory of 2476	2228	Approved Purchase Order Nr.227.exe	37
PID 2228 wrote to memory of 2472	2228	Approved Purchase Order Nr.227.exe	38
PID 2228 wrote to memory of 2472	2228	Approved Purchase Order Nr.227.exe	38
PID 2228 wrote to memory of 2472	2228	Approved Purchase Order Nr.227.exe	38
PID 2228 wrote to memory of 2472	2228	Approved Purchase Order Nr.227.exe	38
PID 2228 wrote to memory of 2492	2228	Approved Purchase Order Nr.227.exe	39
PID 2228 wrote to memory of 2492	2228	Approved Purchase Order Nr.227.exe	39
PID 2228 wrote to memory of 2492	2228	Approved Purchase Order Nr.227.exe	39
PID 2228 wrote to memory of 2492	2228	Approved Purchase Order Nr.227.exe	39
PID 2228 wrote to memory of 1856	2228	Approved Purchase Order Nr.227.exe	40
PID 2228 wrote to memory of 1856	2228	Approved Purchase Order Nr.227.exe	40
PID 2228 wrote to memory of 1856	2228	Approved Purchase Order Nr.227.exe	40
PID 2228 wrote to memory of 1856	2228	Approved Purchase Order Nr.227.exe	40

C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe
"C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\shfpLdzGHySvv.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\shfpLdzGHySvv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4338.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe
  "C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe"
  2⤵
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe
  "C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe"
  2⤵
  PID:2476
- C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe
  "C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe"
  2⤵
  PID:2472
- C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe
  "C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe"
  2⤵
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe
  "C:\Users\Admin\AppData\Local\Temp\Approved Purchase Order Nr.227.exe"
  2⤵
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4338.tmp

Filesize
1KB

MD5
c0bcb5669b81e6aa0052dbb96e456893

SHA1
887e5c9a10c7bc008cf43770780a4f27eb336a23

SHA256
8f60c00e62ce5765199c7f60983985495741b8f4f17eb27d8147046fdcfb7600

SHA512
9fbf71daeb12eaeb496e9f5031e643ddb278d2f8e61e7da4ac1ab0de2eab61d1aebfa97cf39e0587c39ca4ebb60560782f79e3b5bbc2c8da41b4d9dbf0264c98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DVPGWDE8M5BT85GEPTIZ.temp

Filesize
7KB

MD5
854f0c849372f30b4c99b4e355378ac1

SHA1
6f084cc0b328673719508700a5bca5c3e9673608

SHA256
0dbf0c17ec4edaecbba0907d04834f0c7a0e9ca35a3b3d9eb10e0c49f73bb187

SHA512
bed2d6ca3777f7a4355883b071b0c4bb05e91923f272a41f3e253868577d4694935d60077987a34218696702a91417cae69d57313008c4b1b88ddecc689b0302

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
854f0c849372f30b4c99b4e355378ac1

SHA1
6f084cc0b328673719508700a5bca5c3e9673608

SHA256
0dbf0c17ec4edaecbba0907d04834f0c7a0e9ca35a3b3d9eb10e0c49f73bb187

SHA512
bed2d6ca3777f7a4355883b071b0c4bb05e91923f272a41f3e253868577d4694935d60077987a34218696702a91417cae69d57313008c4b1b88ddecc689b0302

Download Submit
memory/2228-0-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-1-0x0000000000390000-0x0000000000454000-memory.dmp

Filesize
784KB

Download
memory/2228-2-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2228-3-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2228-4-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2228-5-0x00000000048B0000-0x00000000048F0000-memory.dmp

Filesize
256KB

Download
memory/2228-6-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2228-7-0x0000000005680000-0x00000000056FC000-memory.dmp

Filesize
496KB

Download
memory/2228-20-0x0000000074830000-0x0000000074F1E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-23-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2744-28-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2744-37-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-31-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/2744-25-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-22-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2744-30-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-27-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/2764-29-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-26-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/2764-24-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-32-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-33-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/2764-34-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/2764-35-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/2764-21-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download
memory/2764-36-0x000000006F6C0000-0x000000006FC6B000-memory.dmp

Filesize
5.7MB

Download