Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 24-04-2021 16:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: OrionRansomware.bin.exe
- Resource: win7v20210410
General
- Target: OrionRansomware.bin.exe
- Size: 2.4MB
- MD5: b5f936358b6559ac3c71fd53c0f09f0e
- SHA1: 2e8f3aa5b5106bfcc1b4438feaf87423e5ea1daa
- SHA256: 4ed043fb22387fa9a6914744df7c28669e587fd2fcc5b3a4d7ceabdae88c82fd
- SHA512: d9235fbc502c22ddd18436aedccf89c830e7cda975b1b581cfb9f5434ca16893388effc533009f20f6a9e71f0ba23cb8217d2f6c0d6fa75008c80fc2dbc321e9
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs]
- Modifies extensions of user files [1 IoCs]
  Ransomware generally changes the extension on encrypted files.
  Processes (description / ioc / process):
  - File renamed: C:\Users\Admin\Pictures\UnprotectConvert.png => C:\Users\Admin\Pictures\UnprotectConvert.png.XXXXX (OrionRansomware.bin.exe)
- Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (OrionRansomware.bin.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (OrionRansomware.bin.exe)
- Identifies Wine through registry keys [2 TTPs, 1 IoCs]
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (description / ioc / process):
  - Key opened: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Wine (OrionRansomware.bin.exe)
- Reads user/profile data of web browsers [2 TTPs]
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates physical storage devices [1 TTPs]
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies registry class [3 IoCs]
  Processes (description / ioc / process):
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache (rundll32.exe)
  - Key created: \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_Classes\Local Settings (rundll32.exe)
- Opens file in notepad (likely ransom note) [2 IoCs]
  Processes (pid / process):
  - 972 NOTEPAD.EXE
  - 864 NOTEPAD.EXE
- Suspicious behavior: GetForegroundWindowSpam [1 IoCs]
  Processes (pid / process):
  - 292 rundll32.exe
- Suspicious use of AdjustPrivilegeToken [6 IoCs]
  Processes (description / pid / process):
  - Token: SeDebugPrivilege, 1104 OrionRansomware.bin.exe
  - Token: SeDebugPrivilege, 1104 OrionRansomware.bin.exe
  - Token: 33, 1500 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, 1500 AUDIODG.EXE
  - Token: 33, 1500 AUDIODG.EXE
  - Token: SeIncBasePriorityPrivilege, 1500 AUDIODG.EXE
- Suspicious use of WriteProcessMemory [6 IoCs]
  Processes (description / pid / process / target process):
  - PID 292 wrote to memory of 972: rundll32.exe -> NOTEPAD.EXE
  - PID 292 wrote to memory of 972: rundll32.exe -> NOTEPAD.EXE
  - PID 292 wrote to memory of 972: rundll32.exe -> NOTEPAD.EXE
  - PID 828 wrote to memory of 864: rundll32.exe -> NOTEPAD.EXE
  - PID 828 wrote to memory of 864: rundll32.exe -> NOTEPAD.EXE
  - PID 828 wrote to memory of 864: rundll32.exe -> NOTEPAD.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\OrionRansomware.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\OrionRansomware.bin.exe"
  - Modifies extensions of user files
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2e4
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Documents\Are.docx.XXXXX
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Are.docx.XXXXX
    - Opens file in notepad (likely ransom note)
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SwitchSplit.avi.XXXXX
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SwitchSplit.avi.XXXXX
    - Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\Desktop\SwitchSplit.avi.XXXXX
  - MD5: 163ca142d726dd8600d92f59857cb935
  - SHA1: 094e7a35ff3e7a0bce4e224bdfdc0962207d0f51
  - SHA256: 043026b84035f91f39fa28575b0cc4a917cc28ae7d4edab8345b0fd3c07b058d
  - SHA512: 484213b395ab6deb794b5aeb77d7cedd88fa97584c009d24e9f588a56a7e767d8882014968e8b55e92f0135301a650b3faa53ea1d09740b0e28f7c49a4a4965a
- C:\Users\Admin\Documents\Are.docx.XXXXX
  - MD5: 7253979b89a1e33bb086820450047ee6
  - SHA1: c0a602e395edd68d3c0ec4924d7a5596719f358e
  - SHA256: 0b39c813f1869464553cddbb5345a0ecd01d1fc36aa348d71a0102639e8ad3de
  - SHA512: 3069ce7b350890c9bca4387e50e6a4770943ac323b27f6948ebfec4d6a33ebdb79ca3c0ef021df53f44cd9fa0b849d5560b25cc6ac0e3b5fe61227af5244a618
- memory/292-64-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp (Filesize: 8KB)
- memory/864-69-0x0000000000000000-mapping.dmp
- memory/972-65-0x0000000000000000-mapping.dmp
- memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp (Filesize: 8KB)
- memory/1104-61-0x00000000010A0000-0x00000000010A1000-memory.dmp (Filesize: 4KB)
- memory/1104-63-0x0000000006EF0000-0x0000000006EF1000-memory.dmp (Filesize: 4KB)