Analysis
-
max time kernel
153s -
max time network
149s -
platform
windows10_x64 -
resource
win10-en-20211208 -
submitted
25-01-2022 16:56
Static task
static1
Behavioral task
behavioral1
Sample
New_Order.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
New_Order.exe
Resource
win10-en-20211208
General
-
Target
New_Order.exe
-
Size
2.6MB
-
MD5
3b585ac87a4c039f3685c66cadc62960
-
SHA1
a7f60a4dd8931e81b736adc744a4e709e8c5ffe7
-
SHA256
60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3
-
SHA512
bf2c4dea4cf1174562b60a6793111aa486e512c4a2e4da1d227ff3852a2c8e7892f1a3bc8ec2eb1315ebaa353f13fa684bade76b4c9c807cf0e86b5ac3903dfd
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
New_Order.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion New_Order.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion New_Order.exe -
Processes:
resource yara_rule behavioral2/memory/2116-117-0x0000000000400000-0x0000000000A4B000-memory.dmp themida -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
AppLaunch.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
Processes:
New_Order.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA New_Order.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
New_Order.exepid process 2116 New_Order.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
New_Order.exedescription pid process target process PID 2116 set thread context of 3628 2116 New_Order.exe AppLaunch.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
New_Order.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 New_Order.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c0000000100000004000000000800000b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f New_Order.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
New_Order.exepid process 2116 New_Order.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
New_Order.exepid process 2116 New_Order.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
New_Order.exedescription pid process target process PID 2116 wrote to memory of 3628 2116 New_Order.exe AppLaunch.exe PID 2116 wrote to memory of 3628 2116 New_Order.exe AppLaunch.exe PID 2116 wrote to memory of 3628 2116 New_Order.exe AppLaunch.exe PID 2116 wrote to memory of 3628 2116 New_Order.exe AppLaunch.exe PID 2116 wrote to memory of 3628 2116 New_Order.exe AppLaunch.exe -
outlook_office_path 1 IoCs
Processes:
AppLaunch.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe -
outlook_win_path 1 IoCs
Processes:
AppLaunch.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 AppLaunch.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New_Order.exe"C:\Users\Admin\AppData\Local\Temp\New_Order.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe2⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2116-117-0x0000000000400000-0x0000000000A4B000-memory.dmpFilesize
6.3MB
-
memory/2116-118-0x0000000000401000-0x000000000046B000-memory.dmpFilesize
424KB
-
memory/2116-119-0x00000000777F0000-0x000000007797E000-memory.dmpFilesize
1.6MB
-
memory/3628-122-0x0000000000CC0000-0x0000000000D26000-memory.dmpFilesize
408KB
-
memory/3628-126-0x0000000009570000-0x000000000962C000-memory.dmpFilesize
752KB
-
memory/3628-129-0x00000000096D0000-0x000000000976C000-memory.dmpFilesize
624KB
-
memory/3628-204-0x0000000009560000-0x0000000009561000-memory.dmpFilesize
4KB