656c3b8670f697458b20b7caf26ff1b0f724d39d7131c0c048a6786c2013b5f2

Analysis

max time kernel
24s
max time network
110s
platform
windows10_x64
resource
win10v20210408
submitted
24-04-2021 16:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OrionRansomware.bin.exe
Size

2.4MB
MD5

b5f936358b6559ac3c71fd53c0f09f0e
SHA1

2e8f3aa5b5106bfcc1b4438feaf87423e5ea1daa
SHA256

4ed043fb22387fa9a6914744df7c28669e587fd2fcc5b3a4d7ceabdae88c82fd
SHA512

d9235fbc502c22ddd18436aedccf89c830e7cda975b1b581cfb9f5434ca16893388effc533009f20f6a9e71f0ba23cb8217d2f6c0d6fa75008c80fc2dbc321e9

Score

9^/10

evasion spyware stealer

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

OrionRansomware.bin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	OrionRansomware.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	OrionRansomware.bin.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

OrionRansomware.bin.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Wine OrionRansomware.bin.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

OrionRansomware.bin.exe

description pid process

Token: SeDebugPrivilege 640 OrionRansomware.bin.exe
Token: SeDebugPrivilege 640 OrionRansomware.bin.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Wine	OrionRansomware.bin.exe

description	pid	process
Token: SeDebugPrivilege	640	OrionRansomware.bin.exe
Token: SeDebugPrivilege	640	OrionRansomware.bin.exe

C:\Users\Admin\AppData\Local\Temp\OrionRansomware.bin.exe
"C:\Users\Admin\AppData\Local\Temp\OrionRansomware.bin.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of AdjustPrivilegeToken
PID:640

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/640-114-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/640-116-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/640-117-0x0000000007440000-0x0000000007441000-memory.dmp

Filesize
4KB

Download
memory/640-118-0x0000000007650000-0x0000000007651000-memory.dmp

Filesize
4KB

Download
memory/640-119-0x0000000007350000-0x000000000784E000-memory.dmp

Filesize
5.0MB

Download