95ed3c8879e41b50d66ab9266db5e2d254d0e28f9fb60026af9a96867078bfe9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER SHEET/ORDER SHEET 2.exe
Size

148KB
MD5

d316580dcafdf8c6f54b83c5e2f3b292
SHA1

503cea589b84ed32013ca9405351f6765c78c6ac
SHA256

0c9b03e927a345e73ce00a71115b9eddf2d77473ca94981bd1a2aaeefcf804c3
SHA512

4e69f1dbc1f133eb0b3f6b1e7d5d344e466356bc6aabb7d84cda47ad646845cde9f0aabf7cf27deb8b32cac1388a7f875b2824eda2c4fe8030fec3b293d25d89
SSDEEP

3072:ICfdFNO841lskf4jpmNpglNMLdSfJnHPt/y894L9tqN0suD:IsF084jfgNmP4HTRksu

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

filename.exe

pid	Process
2116	filename.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update = "cmd /c type C:\\Users\\Admin\\AppData\\Local\\Temp\\Update.txt \| cmd"	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

filename.exe

pid	Process
2116	filename.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ORDER SHEET 2.exefilename.exe

pid	Process
3804	ORDER SHEET 2.exe
3804	ORDER SHEET 2.exe
2116	filename.exe
2116	filename.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER SHEET 2.exefilename.exe

description	pid	Process
Token: SeDebugPrivilege	3804	ORDER SHEET 2.exe
Token: SeDebugPrivilege	2116	filename.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

ORDER SHEET 2.execmd.exefilename.execmd.exe

description	pid	Process	procid_target
PID 3804 wrote to memory of 2184	3804	ORDER SHEET 2.exe	84
PID 3804 wrote to memory of 2184	3804	ORDER SHEET 2.exe	84
PID 3804 wrote to memory of 2184	3804	ORDER SHEET 2.exe	84
PID 2184 wrote to memory of 2116	2184	cmd.exe	87
PID 2184 wrote to memory of 2116	2184	cmd.exe	87
PID 2184 wrote to memory of 2116	2184	cmd.exe	87
PID 2116 wrote to memory of 4024	2116	filename.exe	88
PID 2116 wrote to memory of 4024	2116	filename.exe	88
PID 2116 wrote to memory of 4024	2116	filename.exe	88
PID 4024 wrote to memory of 2444	4024	cmd.exe	91
PID 4024 wrote to memory of 2444	4024	cmd.exe	91
PID 4024 wrote to memory of 2444	4024	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 2.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER SHEET\ORDER SHEET 2.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4024
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Update" /d "cmd /c type "C:\Users\Admin\AppData\Local\Temp\Update.txt" | cmd"
        5⤵
        Adds Run key to start application
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\filename.exe

Filesize
148KB

MD5
d316580dcafdf8c6f54b83c5e2f3b292

SHA1
503cea589b84ed32013ca9405351f6765c78c6ac

SHA256
0c9b03e927a345e73ce00a71115b9eddf2d77473ca94981bd1a2aaeefcf804c3

SHA512
4e69f1dbc1f133eb0b3f6b1e7d5d344e466356bc6aabb7d84cda47ad646845cde9f0aabf7cf27deb8b32cac1388a7f875b2824eda2c4fe8030fec3b293d25d89

Download Submit
memory/2116-18-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2116-17-0x0000000008A90000-0x0000000008A9A000-memory.dmp

Filesize
40KB

Download
memory/2116-16-0x0000000008990000-0x0000000008A22000-memory.dmp

Filesize
584KB

Download
memory/2116-15-0x0000000003020000-0x000000000302A000-memory.dmp

Filesize
40KB

Download
memory/2116-13-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2116-12-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-3-0x0000000005C60000-0x0000000006204000-memory.dmp

Filesize
5.6MB

Download
memory/3804-11-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-5-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/3804-4-0x00000000055B0000-0x00000000055DC000-memory.dmp

Filesize
176KB

Download
memory/3804-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/3804-2-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/3804-1-0x0000000000C30000-0x0000000000C5C000-memory.dmp

Filesize
176KB

Download