27e9c5e774bf0946e99a7f34d14ded33ca1c236765fbcfda83e234d70d15c652

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Purchase Order.exe
Size

1.1MB
MD5

d5261204d9c158b2bab4272f89f7df17
SHA1

11d82d35d6d5ef250b9cedf4d1f7cd98c0246546
SHA256

27e9c5e774bf0946e99a7f34d14ded33ca1c236765fbcfda83e234d70d15c652
SHA512

2710b22611fca8f90c38c715755a4ec34eec2fd176df45c68c4712d6a5b2803643f09bc05d9d08eb2981f4985355e4d1259eb7a42c8766aabc3f9f1badef4564
SSDEEP

24576:bzls/WgXN832qWivcsegk5vQ2F+wK9ADZyM6RGk:YN832q7vwrQW+wYl

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2640	powershell.exe
2808	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Purchase Order.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2640	powershell.exe
2808	powershell.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe
1548	Purchase Order.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	1548	Purchase Order.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 2640	1548	Purchase Order.exe	31
PID 1548 wrote to memory of 2640	1548	Purchase Order.exe	31
PID 1548 wrote to memory of 2640	1548	Purchase Order.exe	31
PID 1548 wrote to memory of 2640	1548	Purchase Order.exe	31
PID 1548 wrote to memory of 2808	1548	Purchase Order.exe	33
PID 1548 wrote to memory of 2808	1548	Purchase Order.exe	33
PID 1548 wrote to memory of 2808	1548	Purchase Order.exe	33
PID 1548 wrote to memory of 2808	1548	Purchase Order.exe	33
PID 1548 wrote to memory of 2604	1548	Purchase Order.exe	35
PID 1548 wrote to memory of 2604	1548	Purchase Order.exe	35
PID 1548 wrote to memory of 2604	1548	Purchase Order.exe	35
PID 1548 wrote to memory of 2604	1548	Purchase Order.exe	35
PID 1548 wrote to memory of 2580	1548	Purchase Order.exe	37
PID 1548 wrote to memory of 2580	1548	Purchase Order.exe	37
PID 1548 wrote to memory of 2580	1548	Purchase Order.exe	37
PID 1548 wrote to memory of 2580	1548	Purchase Order.exe	37
PID 1548 wrote to memory of 2420	1548	Purchase Order.exe	38
PID 1548 wrote to memory of 2420	1548	Purchase Order.exe	38
PID 1548 wrote to memory of 2420	1548	Purchase Order.exe	38
PID 1548 wrote to memory of 2420	1548	Purchase Order.exe	38
PID 1548 wrote to memory of 2996	1548	Purchase Order.exe	39
PID 1548 wrote to memory of 2996	1548	Purchase Order.exe	39
PID 1548 wrote to memory of 2996	1548	Purchase Order.exe	39
PID 1548 wrote to memory of 2996	1548	Purchase Order.exe	39
PID 1548 wrote to memory of 2288	1548	Purchase Order.exe	40
PID 1548 wrote to memory of 2288	1548	Purchase Order.exe	40
PID 1548 wrote to memory of 2288	1548	Purchase Order.exe	40
PID 1548 wrote to memory of 2288	1548	Purchase Order.exe	40
PID 1548 wrote to memory of 768	1548	Purchase Order.exe	41
PID 1548 wrote to memory of 768	1548	Purchase Order.exe	41
PID 1548 wrote to memory of 768	1548	Purchase Order.exe	41
PID 1548 wrote to memory of 768	1548	Purchase Order.exe	41

C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hYpnBXIk.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hYpnBXIk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp584D.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2604
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  PID:2580
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  PID:2288
- C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order.exe"
  2⤵
  PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp584D.tmp

Filesize
1KB

MD5
5a613e88c218422f1f5338442ba4cbba

SHA1
eedde1d83b83fe7f23ecf8053cabe1b9baf038f3

SHA256
cfce5b794c79893409ad49a163b6a23ca9629eae1224f218ba3e4dd2da9ee294

SHA512
4976ec5154c80e540cf08a94358d9bfc72f65307fa9f4948040fda3ace73e5b1a1071d89dc3d4d3afd3cfda3cef0b84629ccc7965010789f66007cadf922c6dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3WS9Z1COCGZ7QI9UV0BH.temp

Filesize
7KB

MD5
0fb3e924219c95af55d6960ae346bdd3

SHA1
a4ed653990ca19bd9b48fb47755b07ab24f42e6c

SHA256
8b5a6a5a6408f2d9f721202b5f82880439f4c38024a5b823987e51e0a7840d35

SHA512
12392bf9612d43809539eed7b89558039b2150915c4c79362727da1b589a87ac0dfa9f529ebf024676d90c5addf8ed5f4aa22d97e6ff5cfd9ec5d8bf45909ef4

Download Submit
memory/1548-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/1548-1-0x00000000003E0000-0x00000000004FC000-memory.dmp

Filesize
1.1MB

Download
memory/1548-2-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1548-3-0x0000000000790000-0x00000000007AE000-memory.dmp

Filesize
120KB

Download
memory/1548-4-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/1548-5-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download
memory/1548-6-0x0000000005F80000-0x0000000006044000-memory.dmp

Filesize
784KB

Download
memory/1548-19-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Filesize
6.9MB

Download