2439c872928da3c00588be03810fde5ca6a79b3ae2d763a0daa1c3cb8b4d8a95

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-04-2024 03:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New_Order.exe
Size

701KB
MD5

34348ca190185b5e1822ead38eae667a
SHA1

45efa3c31b7d38f94698bf925ecfe68fb1f464bb
SHA256

39c5a56b8c3dae08df6ddc4e99f1c0388f90f7ff30be314b902276b8a0e444ad
SHA512

a3425a5ccc274898eeab879216ce67829642a4819036426b7662213a0682a5cfae5b5a1705972a34d53996c8d7b4f486c77fdf128dc092629161058741cc929c
SSDEEP

12288:vNgLeFR6DXlv312Z3+2z1djGFPNMreGCR/4L/YiVfq1Ij0C5wYYnzp8byJFn2kR:KXJ312Z+2zzje2A4RNEDT+OJFt

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2876	New_Order.exe
2556	powershell.exe
2652	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	New_Order.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 2652	2876	New_Order.exe	28
PID 2876 wrote to memory of 2652	2876	New_Order.exe	28
PID 2876 wrote to memory of 2652	2876	New_Order.exe	28
PID 2876 wrote to memory of 2652	2876	New_Order.exe	28
PID 2876 wrote to memory of 2556	2876	New_Order.exe	30
PID 2876 wrote to memory of 2556	2876	New_Order.exe	30
PID 2876 wrote to memory of 2556	2876	New_Order.exe	30
PID 2876 wrote to memory of 2556	2876	New_Order.exe	30
PID 2876 wrote to memory of 2576	2876	New_Order.exe	31
PID 2876 wrote to memory of 2576	2876	New_Order.exe	31
PID 2876 wrote to memory of 2576	2876	New_Order.exe	31
PID 2876 wrote to memory of 2576	2876	New_Order.exe	31
PID 2876 wrote to memory of 2448	2876	New_Order.exe	34
PID 2876 wrote to memory of 2448	2876	New_Order.exe	34
PID 2876 wrote to memory of 2448	2876	New_Order.exe	34
PID 2876 wrote to memory of 2448	2876	New_Order.exe	34
PID 2876 wrote to memory of 2456	2876	New_Order.exe	35
PID 2876 wrote to memory of 2456	2876	New_Order.exe	35
PID 2876 wrote to memory of 2456	2876	New_Order.exe	35
PID 2876 wrote to memory of 2456	2876	New_Order.exe	35
PID 2876 wrote to memory of 2464	2876	New_Order.exe	36
PID 2876 wrote to memory of 2464	2876	New_Order.exe	36
PID 2876 wrote to memory of 2464	2876	New_Order.exe	36
PID 2876 wrote to memory of 2464	2876	New_Order.exe	36
PID 2876 wrote to memory of 2496	2876	New_Order.exe	37
PID 2876 wrote to memory of 2496	2876	New_Order.exe	37
PID 2876 wrote to memory of 2496	2876	New_Order.exe	37
PID 2876 wrote to memory of 2496	2876	New_Order.exe	37
PID 2876 wrote to memory of 2520	2876	New_Order.exe	38
PID 2876 wrote to memory of 2520	2876	New_Order.exe	38
PID 2876 wrote to memory of 2520	2876	New_Order.exe	38
PID 2876 wrote to memory of 2520	2876	New_Order.exe	38

C:\Users\Admin\AppData\Local\Temp\New_Order.exe
"C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CdfzEInhH.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CdfzEInhH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6DC1.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2576
- C:\Users\Admin\AppData\Local\Temp\New_Order.exe
  "C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
  2⤵
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\New_Order.exe
  "C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
  2⤵
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\New_Order.exe
  "C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\New_Order.exe
  "C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
  2⤵
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\New_Order.exe
  "C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
  2⤵
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6DC1.tmp

Filesize
1KB

MD5
0c6ff68bf111f3509ea22102f4f066e7

SHA1
055ee397fbca7ac9ac8a08f609ed806a0c706751

SHA256
153f4ead689dcdd23521ecb81fb0edc29c75c8d9b2b95ccc7510364966953870

SHA512
e6f6f0f8290642d5c5f5596564d65aaebb3ea02d91f81b05ec924c1cfaf96dcc2cd6c613a83ae94d1565f717e75bd7fadd1d5785065ba9140b0965fa27843f8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FSHX51EMRZX6SNAYJOR5.temp

Filesize
7KB

MD5
7eb0b89adb2647c60d001eb02783318e

SHA1
37a57dc80097829cff588481329636ef9f7fd370

SHA256
143ccf3054eb90e6acad162680af2bc484ef64bddd02d8fef9dc7cb688474687

SHA512
2b062dde449fdcdc123790e5a52b33dae8a63e3f9299c9582bef36bbdc79b533e2f9fa72391182b893179bfa53733c48af8c394f07e7c56b0e77743d05f2adf4

Download Submit
memory/2556-25-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2556-29-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-26-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2556-24-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-20-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2556-21-0x0000000001EF0000-0x0000000001F30000-memory.dmp

Filesize
256KB

Download
memory/2652-23-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-28-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-27-0x0000000003140000-0x0000000003180000-memory.dmp

Filesize
256KB

Download
memory/2652-19-0x000000006E340000-0x000000006E8EB000-memory.dmp

Filesize
5.7MB

Download
memory/2652-22-0x0000000003140000-0x0000000003180000-memory.dmp

Filesize
256KB

Download
memory/2876-0-0x00000000003C0000-0x0000000000472000-memory.dmp

Filesize
712KB

Download
memory/2876-18-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-1-0x0000000074820000-0x0000000074F0E000-memory.dmp

Filesize
6.9MB

Download
memory/2876-3-0x0000000000370000-0x0000000000390000-memory.dmp

Filesize
128KB

Download
memory/2876-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/2876-5-0x0000000000480000-0x0000000000504000-memory.dmp

Filesize
528KB

Download
memory/2876-4-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download