Analysis
- max time kernel: 36s
- max time network: 25s
- platform: windows7_x64
- resource: win7v200722
- submitted: 21-10-2020 16:05

Static task: static1
Behavioral task: behavioral1
- Sample: 633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: 633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe
- Resource: win10v200722
General
- Target: 633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe
- Size: 1.2MB
- MD5: ad90a317e686b1ab9db651c97ee448b2
- SHA1: 5a2e9db7daa14511f8fb4e5a9e93e9721d68e593
- SHA256: 633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2
- SHA512: 65ebd80b4118d41acc1371ede9a9ee4b37011ed2a03dc7751d3e6d3fc92b9bb6956a442e8c38266bd5c97afdd4d68ebc1657ff2faf35c42e9d28aadf15006353
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 1764  Order:bin
    pid 1584  Order.exe
- Modifies extensions of user files (21 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes (all events by Order.exe):
    File created C:\Users\Admin\Pictures\CompleteRedo.png.easy2lock_read_me
    File renamed C:\Users\Admin\Pictures\CompressNew.raw => C:\Users\Admin\Pictures\CompressNew.raw.easy2lock
    File renamed C:\Users\Admin\Pictures\DenyApprove.png => C:\Users\Admin\Pictures\DenyApprove.png.easy2lock
    File created C:\Users\Admin\Pictures\UninstallConnect.tif.easy2lock_read_me
    File opened for modification C:\Users\Admin\Pictures\UninstallConnect.tif.easy2lock
    File renamed C:\Users\Admin\Pictures\UseRedo.tif => C:\Users\Admin\Pictures\UseRedo.tif.easy2lock
    File renamed C:\Users\Admin\Pictures\CompleteRedo.png => C:\Users\Admin\Pictures\CompleteRedo.png.easy2lock
    File opened for modification C:\Users\Admin\Pictures\CompressNew.raw.easy2lock
    File created C:\Users\Admin\Pictures\SetResize.raw.easy2lock_read_me
    File opened for modification C:\Users\Admin\Pictures\CompleteRedo.png.easy2lock
    File created C:\Users\Admin\Pictures\DenyApprove.png.easy2lock_read_me
    File renamed C:\Users\Admin\Pictures\SetResize.raw => C:\Users\Admin\Pictures\SetResize.raw.easy2lock
    File created C:\Users\Admin\Pictures\CompressNew.raw.easy2lock_read_me
    File opened for modification C:\Users\Admin\Pictures\DenyApprove.png.easy2lock
    File created C:\Users\Admin\Pictures\InstallUnblock.crw.easy2lock_read_me
    File renamed C:\Users\Admin\Pictures\InstallUnblock.crw => C:\Users\Admin\Pictures\InstallUnblock.crw.easy2lock
    File opened for modification C:\Users\Admin\Pictures\InstallUnblock.crw.easy2lock
    File opened for modification C:\Users\Admin\Pictures\SetResize.raw.easy2lock
    File renamed C:\Users\Admin\Pictures\UninstallConnect.tif => C:\Users\Admin\Pictures\UninstallConnect.tif.easy2lock
    File created C:\Users\Admin\Pictures\UseRedo.tif.easy2lock_read_me
    File opened for modification C:\Users\Admin\Pictures\UseRedo.tif.easy2lock
- Possible privilege escalation attempt (2 IoCs)
  Processes:
    pid 1360  takeown.exe
    pid 620   icacls.exe
- Deletes itself (1 IoC)
  Processes:
    pid 1452  cmd.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 844  633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe
    pid 844  633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe
- Modifies file permissions (1 TTP, 2 IoCs)
  Processes:
    pid 1360  takeown.exe
    pid 620   icacls.exe
- Drops file in System32 directory (2 IoCs)
  Processes:
    File opened for modification C:\Windows\SysWOW64\Order.exe  (Order:bin)
    File opened for modification C:\Windows\SysWOW64\Order.exe  (attrib.exe)
- Modifies service (2 TTPs, 5 IoCs)
  Processes (all events by vssvc.exe):
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5}
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer
    Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid 1112  vssadmin.exe
- NTFS ADS (1 IoC)
  Processes:
    File opened for modification C:\Users\Admin\AppData\Roaming\Order:bin  (633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (pid 1872 vssvc.exe):
    Token: SeBackupPrivilege
    Token: SeRestorePrivilege
    Token: SeAuditPrivilege
- Suspicious use of WriteProcessMemory (52 IoCs)
  Processes (each write below was recorded 4 times, 13 x 4 = 52 events):
    PID 844  (633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe) wrote to memory of 1764 (Order:bin)
    PID 1764 (Order:bin) wrote to memory of 1112 (vssadmin.exe)
    PID 1764 (Order:bin) wrote to memory of 1360 (takeown.exe)
    PID 1764 (Order:bin) wrote to memory of 620 (icacls.exe)
    PID 1584 (Order.exe) wrote to memory of 1116 (cmd.exe)
    PID 1116 (cmd.exe) wrote to memory of 932 (choice.exe)
    PID 1764 (Order:bin) wrote to memory of 1176 (cmd.exe)
    PID 844  (633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe) wrote to memory of 1452 (cmd.exe)
    PID 1176 (cmd.exe) wrote to memory of 952 (choice.exe)
    PID 1452 (cmd.exe) wrote to memory of 960 (choice.exe)
    PID 1116 (cmd.exe) wrote to memory of 1400 (attrib.exe)
    PID 1176 (cmd.exe) wrote to memory of 1000 (attrib.exe)
    PID 1452 (cmd.exe) wrote to memory of 1320 (attrib.exe)
- Views/modifies file attributes (1 TTP, 3 IoCs)
  Processes:
    pid 1000  attrib.exe
    pid 1320  attrib.exe
    pid 1400  attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe"
  - Loads dropped DLL
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\Order:bin
    Command line: C:\Users\Admin\AppData\Roaming\Order:bin -r
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe
      Command line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
      - Interacts with shadow copies
    - C:\Windows\SysWOW64\takeown.exe
      Command line: C:\Windows\system32\takeown.exe /F C:\Windows\system32\Order.exe
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\icacls.exe
      Command line: C:\Windows\system32\icacls.exe C:\Windows\system32\Order.exe /reset
      - Possible privilege escalation attempt
      - Modifies file permissions
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Roaming\Order" & del "C:\Users\Admin\AppData\Roaming\Order"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\choice.exe
        Command line: choice /t 10 /d y
      - C:\Windows\SysWOW64\attrib.exe
        Command line: attrib -h "C:\Users\Admin\AppData\Roaming\Order"
        - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Users\Admin\AppData\Local\Temp\633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe" & del "C:\Users\Admin\AppData\Local\Temp\633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe"
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Users\Admin\AppData\Local\Temp\633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2.bin.exe"
      - Views/modifies file attributes
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\Order.exe
  Command line: C:\Windows\SysWOW64\Order.exe -s
  - Executes dropped EXE
  - Modifies extensions of user files
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c choice /t 10 /d y & attrib -h "C:\Windows\SysWOW64\Order.exe" & del "C:\Windows\SysWOW64\Order.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\choice.exe
      Command line: choice /t 10 /d y
    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib -h "C:\Windows\SysWOW64\Order.exe"
      - Drops file in System32 directory
      - Views/modifies file attributes
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\Order:bin
  MD5: ad90a317e686b1ab9db651c97ee448b2
  SHA1: 5a2e9db7daa14511f8fb4e5a9e93e9721d68e593
  SHA256: 633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2
  SHA512: 65ebd80b4118d41acc1371ede9a9ee4b37011ed2a03dc7751d3e6d3fc92b9bb6956a442e8c38266bd5c97afdd4d68ebc1657ff2faf35c42e9d28aadf15006353
- C:\Windows\SysWOW64\Order.exe
  MD5: ad90a317e686b1ab9db651c97ee448b2
  SHA1: 5a2e9db7daa14511f8fb4e5a9e93e9721d68e593
  SHA256: 633e3f41ab072d59eb255348209fd3228a8abc3168601c7f95342ef85efdc6b2
  SHA512: 65ebd80b4118d41acc1371ede9a9ee4b37011ed2a03dc7751d3e6d3fc92b9bb6956a442e8c38266bd5c97afdd4d68ebc1657ff2faf35c42e9d28aadf15006353
- \Users\Admin\AppData\Roaming\Order
  MD5: 62fd1461c7c88d9927caff8fa827daa8
  SHA1: 3d8d3801c533d1e111649dc22371fee59fa7d4c1
  SHA256: 132fda338e786423ca47b94be4e8a6da82615c867415b9e3b2d487565d83995f
  SHA512: 94a09f97b418fca99d05bb7bee1b413ef91a63839354f0e3eb758e3765ddf9cffce7be960eba9dc4e6929332f0047d92a9e123c27e08bb26cdd91587d3d6ee1d