Analysis
max time kernel: 157s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 24-01-2022 04:19
Static task: static1
Behavioral task: behavioral1
  Sample: ORDINE_I.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: ORDINE_I.exe
  Resource: win10-en-20211208
General
Target: ORDINE_I.exe
Size: 456KB
MD5: 2d70d1014e14a4dd6d7946bc671171eb
SHA1: 55a4372861d107d745fa45db3f300b642ac9004f
SHA256: 04ebd3663b3066198bb0b96dcc074e93b281d65effa52f4607479b7ed4cda16b
SHA512: 6082e01bc9539d5b353e85dbb844431b7a166f94386bb11047059dfb627909398cf6dcf843033ddcadc78184c4d5ecc7c988f39bec9c9791d95924efa9687168
Malware Config
Extracted
Family: remcos
Version: 2.5.0 Pro
Botnet: cashoutRTD 2019
C2: cashout2018.ddnss.de:2018

audio_folder: audio
audio_path: %AppData%
audio_record_time: 5
connect_delay: 0
connect_interval: 5
copy_file: dmw.exe
copy_folder: dmw
delete_file: false
hide_file: false
hide_keylog_file: true
install_flag: false
install_path: %AppData%
keylog_crypt: true
keylog_file: logs.dat
keylog_flag: false
keylog_folder: winloga
keylog_path: %AppData%
mouse_option: false
mutex: dmw-ID6F8B
screenshot_crypt: false
screenshot_flag: false
screenshot_folder: Screenshots
screenshot_path: %AppData%
screenshot_time: 10
startup_value: dmw
take_screenshot_option: false
take_screenshot_time: 5
take_screenshot_title:
Signatures

Blocklisted process makes network request (19 IoCs)
Processes: pid 1736 cmd.exe, network flows 3, 4, 6, 7, 9, 10, 12, 13, 15, 16, 18, 20, 21, 23, 24, 26, 27, 29, 30

Loads dropped DLL (2 IoCs)
Processes: pid 952 ORDINE_I.exe (2 entries)

Drops file in Windows directory (1 IoC)
Processes: File opened for modification C:\Windows\win.ini by ORDINE_I.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: pid 952 ORDINE_I.exe

Suspicious behavior: MapViewOfSection (1 IoC)
Processes: pid 952 ORDINE_I.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: pid 1736 cmd.exe

Suspicious use of WriteProcessMemory (45 IoCs)
Processes: 45 identical entries, each "PID 952 wrote to memory of 1736", source process ORDINE_I.exe (pid 952), target process cmd.exe (pid 1736)
Processes

1. C:\Users\Admin\AppData\Local\Temp\ORDINE_I.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ORDINE_I.exe"
   - Loads dropped DLL
   - Drops file in Windows directory
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of 1)
      Command line: "C:\Windows\system32\cmd.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
\Users\Admin\AppData\Local\Temp\abscissas.dll
  MD5: ff3f76bf3b71a26909438b543d2667c4
  SHA1: d185d8a472ce338a11a5aa5b6c83607f2e725152
  SHA256: 4281980a36a06d96c8e3a4ecebbb05698e3c47b3229f5ab102f4e55ebb6a0c5e
  SHA512: 8b252655eda88a1f28a9e3dc94de932b44642698d5b467c3bcf39249ac3f964872171ec5ce7a134868719af16d22064a0631967713cc1be4aed7db3cbd37ea73

\Users\Admin\AppData\Local\Temp\nsd40.tmp\vivo.dll
  MD5: 0d7ad4f45dc6f5aa87f606d0331c6901
  SHA1: 48df0911f0484cbe2a8cdd5362140b63c41ee457
  SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  SHA512: c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
Memory dumps (pid-sequence-range):
  memory/952-54-0x0000000076041000-0x0000000076043000-memory.dmp   Filesize: 8KB
  memory/952-57-0x00000000003F0000-0x00000000003FB000-memory.dmp   Filesize: 44KB
  memory/952-61-0x0000000000300000-0x0000000000304000-memory.dmp   Filesize: 16KB
  memory/952-62-0x00000000003D0000-0x00000000003D1000-memory.dmp   Filesize: 4KB
  memory/952-63-0x0000000077040000-0x00000000771E9000-memory.dmp   Filesize: 1.7MB
  memory/952-64-0x00000000024C0000-0x000000000310A000-memory.dmp   Filesize: 12.3MB
  memory/1736-66-0x0000000000090000-0x0000000000096000-memory.dmp  Filesize: 24KB
  memory/1736-67-0x0000000077040000-0x00000000771E9000-memory.dmp  Filesize: 1.7MB
  memory/1736-72-0x0000000000400000-0x0000000000420000-memory.dmp  Filesize: 128KB