Overview

overview

10

Static

static

3

New Purche...er.exe

windows7-x64

8

New Purche...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    18-02-2025 03:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Purches Order.exe

  • Size

    613KB

  • MD5

    60158da472c90a2c923bf79be848b8d3

  • SHA1

    8b8de08cfab42c95c60613a91ce71e90b8c51913

  • SHA256

    faa8850d8a28a308c917200981a80bcc481cb089f804f6867a4608a28bf0b2b5

  • SHA512

    dd6a9d12c75eaea593f63e2bccd6ca8add0061d31d22abee4fd5f01ff35af2e94b01f3eb6846023955b812c425fa7ef78e46deca37ed8d1e494589dfe3e5557d

  • SSDEEP

    12288:yxgmiFTt9XakdciLNU/Z0Xa6QqIWMNHKpOtZyLWLP7VSR:G4HtaMLahKa6CXHKcGEP

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GbJwpIWFl.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GbJwpIWFl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8611.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2616
    • C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe"
      2⤵
        PID:684
      • C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe
        "C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe"
        2⤵
          PID:908
        • C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe
          "C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe"
          2⤵
            PID:272
          • C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe
            "C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe"
            2⤵
              PID:2168
            • C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe
              "C:\Users\Admin\AppData\Local\Temp\New Purches Order.exe"
              2⤵
                PID:1660

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp8611.tmp
              Filesize

              1KB

              MD5

              77b411193aa40878ed087fccfe5f2819

              SHA1

              f3164cff6ebb496d72494dc0559f2f29978bfdd2

              SHA256

              f1e0cc403f962e68de32668d39a5a1582ebde43c17e9726db7a29408c8d2c730

              SHA512

              608e6f8872706b76ae3703d51183ae28957d3b68d838ef561ab9125dd44c2025e8870b034a745514ed33ae0b928f31bb932d1d64e9c33250a214167daaf92e2a

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
              Filesize

              7KB

              MD5

              8f64969ead822caefb9f7d360cfd4902

              SHA1

              e8e1046586695070a55d9bb344be52c85e03fc9a

              SHA256

              f068abfe2eda5aa9306551ed497c63f03230d94c4c3738a1023dc284d0f0f5a3

              SHA512

              59cb6b98589268aabb4992403795fd3394b1af5a0ef87ed44f42405923fe20ba934182a65f7bf15017aa1f476cdeed38ce276421a7bdc71637113136f1ccba22

              Download Submit

            • memory/2876-0-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2876-1-0x00000000003D0000-0x000000000046E000-memory.dmp

              Filesize

              632KB

              Download

            • memory/2876-2-0x0000000073D10000-0x00000000743FE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2876-3-0x0000000001DD0000-0x0000000001DEE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/2876-4-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2876-5-0x0000000073D10000-0x00000000743FE000-memory.dmp

              Filesize

              6.9MB

              Download

            • memory/2876-6-0x0000000005040000-0x00000000050AC000-memory.dmp

              Filesize

              432KB

              Download

            • memory/2876-19-0x0000000073D10000-0x00000000743FE000-memory.dmp

              Filesize

              6.9MB

              Download