95ed3c8879e41b50d66ab9266db5e2d254d0e28f9fb60026af9a96867078bfe9

General

Target

ORDER SHEET/ORDER SHEET 2.exe
Size

148KB
MD5

d316580dcafdf8c6f54b83c5e2f3b292
SHA1

503cea589b84ed32013ca9405351f6765c78c6ac
SHA256

0c9b03e927a345e73ce00a71115b9eddf2d77473ca94981bd1a2aaeefcf804c3
SHA512

4e69f1dbc1f133eb0b3f6b1e7d5d344e466356bc6aabb7d84cda47ad646845cde9f0aabf7cf27deb8b32cac1388a7f875b2824eda2c4fe8030fec3b293d25d89
SSDEEP

3072:ICfdFNO841lskf4jpmNpglNMLdSfJnHPt/y894L9tqN0suD:IsF084jfgNmP4HTRksu

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

filename.exe

pid process

2632 filename.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1988 cmd.exe

pid	process
2632	filename.exe

pid	process
1988	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

filename.exe

pid process

2632 filename.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ORDER SHEET 2.exefilename.exe

pid process

2092 ORDER SHEET 2.exe
2092 ORDER SHEET 2.exe
2632 filename.exe
2632 filename.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER SHEET 2.exefilename.exe

description pid process

Token: SeDebugPrivilege 2092 ORDER SHEET 2.exe
Token: SeDebugPrivilege 2632 filename.exe

pid	process
2632	filename.exe

pid	process
2092	ORDER SHEET 2.exe
2092	ORDER SHEET 2.exe
2632	filename.exe
2632	filename.exe

description	pid	process
Token: SeDebugPrivilege	2092	ORDER SHEET 2.exe
Token: SeDebugPrivilege	2632	filename.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ORDER SHEET 2.execmd.exefilename.execmd.exe

description	pid	process	target process
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	cmd.exe
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	cmd.exe
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	cmd.exe
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	cmd.exe
PID 1988 wrote to memory of 2632	1988	cmd.exe	filename.exe
PID 1988 wrote to memory of 2632	1988	cmd.exe	filename.exe
PID 1988 wrote to memory of 2632	1988	cmd.exe	filename.exe
PID 1988 wrote to memory of 2632	1988	cmd.exe	filename.exe
PID 2632 wrote to memory of 2052	2632	filename.exe	cmd.exe
PID 2632 wrote to memory of 2052	2632	filename.exe	cmd.exe
PID 2632 wrote to memory of 2052	2632	filename.exe	cmd.exe
PID 2632 wrote to memory of 2052	2632	filename.exe	cmd.exe
PID 2052 wrote to memory of 2572	2052	cmd.exe	reg.exe
PID 2052 wrote to memory of 2572	2052	cmd.exe	reg.exe
PID 2052 wrote to memory of 2572	2052	cmd.exe	reg.exe
PID 2052 wrote to memory of 2572	2052	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 2.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\SysWOW64\cmd.exe
"cmd"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\SysWOW64\cmd.exe
"cmd"
4⤵
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
5⤵
- Adds Run key to start application
PID:2572

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe
Filesize
148KB

MD5
d316580dcafdf8c6f54b83c5e2f3b292

SHA1
503cea589b84ed32013ca9405351f6765c78c6ac

SHA256
0c9b03e927a345e73ce00a71115b9eddf2d77473ca94981bd1a2aaeefcf804c3

SHA512
4e69f1dbc1f133eb0b3f6b1e7d5d344e466356bc6aabb7d84cda47ad646845cde9f0aabf7cf27deb8b32cac1388a7f875b2824eda2c4fe8030fec3b293d25d89

Download Submit
memory/2092-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2092-1-0x0000000000960000-0x000000000098C000-memory.dmp

Filesize
176KB

Download
memory/2092-2-0x00000000005D0000-0x00000000005FC000-memory.dmp

Filesize
176KB

Download
memory/2092-4-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-9-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-8-0x0000000000370000-0x000000000039C000-memory.dmp

Filesize
176KB

Download
memory/2632-10-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-12-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-13-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2632-14-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-15-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads