95ed3c8879e41b50d66ab9266db5e2d254d0e28f9fb60026af9a96867078bfe9

General

Target

ORDER SHEET/ORDER SHEET 2.exe
Size

148KB
MD5

d316580dcafdf8c6f54b83c5e2f3b292
SHA1

503cea589b84ed32013ca9405351f6765c78c6ac
SHA256

0c9b03e927a345e73ce00a71115b9eddf2d77473ca94981bd1a2aaeefcf804c3
SHA512

4e69f1dbc1f133eb0b3f6b1e7d5d344e466356bc6aabb7d84cda47ad646845cde9f0aabf7cf27deb8b32cac1388a7f875b2824eda2c4fe8030fec3b293d25d89
SSDEEP

3072:ICfdFNO841lskf4jpmNpglNMLdSfJnHPt/y894L9tqN0suD:IsF084jfgNmP4HTRksu

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

filename.exe

pid	Process
2632	filename.exe

Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid	Process
1988	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

filename.exe

pid	Process
2632	filename.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ORDER SHEET 2.exefilename.exe

pid	Process
2092	ORDER SHEET 2.exe
2092	ORDER SHEET 2.exe
2632	filename.exe
2632	filename.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER SHEET 2.exefilename.exe

description	pid	Process
Token: SeDebugPrivilege	2092	ORDER SHEET 2.exe
Token: SeDebugPrivilege	2632	filename.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

ORDER SHEET 2.execmd.exefilename.execmd.exe

description	pid	Process	procid_target
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	28
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	28
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	28
PID 2092 wrote to memory of 1988	2092	ORDER SHEET 2.exe	28
PID 1988 wrote to memory of 2632	1988	cmd.exe	30
PID 1988 wrote to memory of 2632	1988	cmd.exe	30
PID 1988 wrote to memory of 2632	1988	cmd.exe	30
PID 1988 wrote to memory of 2632	1988	cmd.exe	30
PID 2632 wrote to memory of 2052	2632	filename.exe	31
PID 2632 wrote to memory of 2052	2632	filename.exe	31
PID 2632 wrote to memory of 2052	2632	filename.exe	31
PID 2632 wrote to memory of 2052	2632	filename.exe	31
PID 2052 wrote to memory of 2572	2052	cmd.exe	33
PID 2052 wrote to memory of 2572	2052	cmd.exe	33
PID 2052 wrote to memory of 2572	2052	cmd.exe	33
PID 2052 wrote to memory of 2572	2052	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 2.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2632
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe

Filesize
148KB

MD5
d316580dcafdf8c6f54b83c5e2f3b292

SHA1
503cea589b84ed32013ca9405351f6765c78c6ac

SHA256
0c9b03e927a345e73ce00a71115b9eddf2d77473ca94981bd1a2aaeefcf804c3

SHA512
4e69f1dbc1f133eb0b3f6b1e7d5d344e466356bc6aabb7d84cda47ad646845cde9f0aabf7cf27deb8b32cac1388a7f875b2824eda2c4fe8030fec3b293d25d89

Download Submit
memory/2092-0-0x000000007494E000-0x000000007494F000-memory.dmp

Filesize
4KB

Download
memory/2092-1-0x0000000000960000-0x000000000098C000-memory.dmp

Filesize
176KB

Download
memory/2092-2-0x00000000005D0000-0x00000000005FC000-memory.dmp

Filesize
176KB

Download
memory/2092-4-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2092-9-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-8-0x0000000000370000-0x000000000039C000-memory.dmp

Filesize
176KB

Download
memory/2632-10-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-12-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-13-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/2632-14-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download
memory/2632-15-0x0000000074940000-0x000000007502E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads