f995edeb5bb3d11a9fd0edd1c75fd987caba4d2ce28f79fff9875b7c635667e8

General

Target

New Order No Q240419617.exe
Size

834KB
MD5

f0a478ed8708a6425227f6890e829452
SHA1

223368040aa836f75caa1429ee7c23a37c8549d7
SHA256

b4b17895d93678aa95d2fd85370650513f6c7207ead9c154ddaa0215cabc03f1
SHA512

d6a06f6637bbba5ee8cd74602d46b32ea55b623e8aa000ddadcf610087125129091a57a6d0b3bb6a2337a8be53d2ade1c74d55d4df7abddc3bc09bb3aeceff50
SSDEEP

12288:qyqnHvjNIrpf9rN/mc/CCznedC/weVcseeeiOVTvrVvKmGA1LovNF3qk1vfmvw4V:yPjKr5BNDPDedmVcseF1vZFLo1Nqk1X

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2636 schtasks.exe

pid	process
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

New Order No Q240419617.exepowershell.exepowershell.exe

pid	process
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
1732	New Order No Q240419617.exe
2728	powershell.exe
2620	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New Order No Q240419617.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1732	New Order No Q240419617.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

New Order No Q240419617.exe

description	pid	process	target process
PID 1732 wrote to memory of 2620	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2620	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2620	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2620	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2728	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2728	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2728	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2728	1732	New Order No Q240419617.exe	powershell.exe
PID 1732 wrote to memory of 2636	1732	New Order No Q240419617.exe	schtasks.exe
PID 1732 wrote to memory of 2636	1732	New Order No Q240419617.exe	schtasks.exe
PID 1732 wrote to memory of 2636	1732	New Order No Q240419617.exe	schtasks.exe
PID 1732 wrote to memory of 2636	1732	New Order No Q240419617.exe	schtasks.exe
PID 1732 wrote to memory of 2444	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2444	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2444	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2444	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2448	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2448	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2448	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2448	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2464	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2464	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2464	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2464	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2556	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2556	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2556	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2556	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2800	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2800	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2800	1732	New Order No Q240419617.exe	New Order No Q240419617.exe
PID 1732 wrote to memory of 2800	1732	New Order No Q240419617.exe	New Order No Q240419617.exe

C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe
"C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JIHVnPBTqQm.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIHVnPBTqQm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp32F2.tmp"
  2⤵
  - Creates scheduled task(s)
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe"
  2⤵
  PID:2444
- C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe"
  2⤵
  PID:2448
- C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe"
  2⤵
  PID:2464
- C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe"
  2⤵
  PID:2556
- C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order No Q240419617.exe"
  2⤵
  PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp32F2.tmp

Filesize
1KB

MD5
56f139c86ef572478d34282be5a5bf14

SHA1
7ad736f8e358e274f60cb2afbf312e6191708c4e

SHA256
e10c89fbbe0ddfc6ad84f804c0ac959a03c846c87473341261343922903e373c

SHA512
bb75ef689405183b68ef057a01082aace833b10cb47f647d852b9ffb09e5eee2579bf93e8e6804c92e61ed6439c78662abcdeb023571e575543cbc9a6f90c28c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
03f5f469f83cb7bcdb308500f9e6f5c6

SHA1
c65d5654b8b32815e80b2145a8b4622cda8cba7f

SHA256
a61dd245a8fd185c833189e0c3155f5523d841cf75d13750b1fad44193e26803

SHA512
91d024435091d02e0037c0c32a4351159fba4c86e611ac5f581fcd3ac843ad536f2ee196e829e1d6950b8678a29e68b67bfdb0b0d92f650db7ea7f0448ff54bf

Download Submit
memory/1732-0-0x00000000003E0000-0x00000000004B6000-memory.dmp

Filesize
856KB

Download
memory/1732-1-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-2-0x0000000004C70000-0x0000000004CB0000-memory.dmp

Filesize
256KB

Download
memory/1732-3-0x00000000003C0000-0x00000000003E0000-memory.dmp

Filesize
128KB

Download
memory/1732-4-0x00000000004C0000-0x00000000004D4000-memory.dmp

Filesize
80KB

Download
memory/1732-5-0x00000000051C0000-0x0000000005244000-memory.dmp

Filesize
528KB

Download
memory/1732-18-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads