Resubmissions

25-01-2022 16:56

220125-vf2xpsbeb5 9

11-01-2022 16:17

220111-trh4asgcb9 9

Analysis

  • max time kernel
    153s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    25-01-2022 16:56

General

  • Target

    New_Order.exe

  • Size

    2.6MB

  • MD5

    3b585ac87a4c039f3685c66cadc62960

  • SHA1

    a7f60a4dd8931e81b736adc744a4e709e8c5ffe7

  • SHA256

    60fb9597e5843c72d761525f73ca728409579d81901860981ebd84f7d153cfa3

  • SHA512

    bf2c4dea4cf1174562b60a6793111aa486e512c4a2e4da1d227ff3852a2c8e7892f1a3bc8ec2eb1315ebaa353f13fa684bade76b4c9c807cf0e86b5ac3903dfd

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as possible ransomware behaviour, but drive enumeration is also a routine sandbox/VM check (absent or undersized disks); no file-encryption activity is reported for this sample, and its other signatures point to anti-analysis and Outlook profile access rather than encryption.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

    Together with SetThreadContext in the same process (PID 2116) and a child AppLaunch.exe (PID 3628) started with no arguments, this is consistent with the packed sample writing its payload into the .NET launcher and resuming it there; the Outlook-profile signatures fire in that child, so the PID 3628 memory dumps are where to look for the unpacked payload.
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
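
The registry checks behind the signatures above (BIOS strings under HKLM\HARDWARE\DESCRIPTION\System, the VirtualBox ACPI table keys, and the two Outlook profile locations that the outlook_office_path / outlook_win_path signatures refer to) are shown below as a matcher over registry-access events. This is an added example, not code from the report or from the sample: the event log is constructed, the signature names and the probe_live() helper are this example's own, and it assumes only the Python standard library (winreg on Windows).

```python
"""Registry-based VM/sandbox and Outlook-profile checks, as a log matcher.

Added example, not code from the sandbox report or from the sample. It
expresses the checks the report's signatures describe (BIOS strings under
HKLM\\HARDWARE\\DESCRIPTION\\System, VirtualBox ACPI table keys, Outlook
profile keys) as a matcher over registry-access events. The event list
below is constructed to exercise it offline; probe_live() applies the
same BIOS/ACPI checks to the real registry on Windows.
"""
import re
import sys

# Well-known registry locations (real paths, not assumptions).
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System"
BIOS_VALUES = {"systembiosversion", "videobiosversion", "systembiosdate"}
VBOX_ACPI_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__",
    r"HKLM\HARDWARE\ACPI\FADT\VBOX__",
    r"HKLM\HARDWARE\ACPI\RSDT\VBOX__",
}
OUTLOOK_WIN_PATH = (r"HKCU\Software\Microsoft\Windows NT\CurrentVersion"
                    r"\Windows Messaging Subsystem\Profiles")
OUTLOOK_OFFICE_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles", re.I)
VM_VENDOR_RE = re.compile(r"vbox|virtualbox|vmware|qemu|bochs|xen", re.I)


def _norm(key):
    """Case-fold and strip a trailing backslash so paths compare reliably."""
    return key.rstrip("\\").lower()


_VBOX_ACPI = {_norm(k) for k in VBOX_ACPI_KEYS}
_BIOS_KEY = _norm(BIOS_KEY)
_OUTLOOK_WIN = _norm(OUTLOOK_WIN_PATH)


def classify(events):
    """Map registry-access events to names matching the report's signatures.

    An event is a dict with 'op' ("OpenKey" or "QueryValue") and 'key';
    QueryValue events also carry 'value' and the 'data' read (str or
    list of str, since SystemBiosVersion is REG_MULTI_SZ).
    """
    hits = set()
    for ev in events:
        key = _norm(ev["key"])
        if key in _VBOX_ACPI:
            hits.add("identifies_virtualbox_acpi")
        elif (key == _BIOS_KEY and ev.get("op") == "QueryValue"
              and ev.get("value", "").lower() in BIOS_VALUES):
            hits.add("checks_bios_information")
            data = ev.get("data") or []
            if isinstance(data, str):
                data = [data]
            if any(VM_VENDOR_RE.search(s) for s in data):
                hits.add("bios_strings_name_vm_vendor")
        elif key == _OUTLOOK_WIN or key.startswith(_OUTLOOK_WIN + "\\"):
            hits.add("outlook_win_path")
        elif OUTLOOK_OFFICE_RE.match(ev["key"]):
            hits.add("outlook_office_path")
    return hits


# Constructed registry-access log, shaped like what a sandbox would record
# for the behaviour this report lists (not taken from the report).
SAMPLE_EVENTS = [
    {"op": "OpenKey", "key": r"HKLM\HARDWARE\ACPI\DSDT\VBOX__"},
    {"op": "QueryValue", "key": BIOS_KEY, "value": "SystemBiosVersion",
     "data": ["VBOX   - 1"]},
    {"op": "QueryValue", "key": BIOS_KEY, "value": "VideoBiosVersion",
     "data": ["Oracle VM VirtualBox Version 6.1.30"]},
    {"op": "OpenKey",
     "key": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"},
    {"op": "OpenKey", "key": OUTLOOK_WIN_PATH},
    {"op": "OpenKey", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
]


def probe_live():
    """Run the BIOS/ACPI part against the real registry; None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows
    events = []
    for table in ("DSDT", "FADT", "RSDT"):
        path = r"HARDWARE\ACPI\%s\VBOX__" % table
        try:
            winreg.CloseKey(winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path))
            events.append({"op": "OpenKey", "key": "HKLM\\" + path})
        except OSError:
            pass  # key absent: not VirtualBox
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"HARDWARE\DESCRIPTION\System") as k:
        for name in ("SystemBiosVersion", "VideoBiosVersion", "SystemBiosDate"):
            try:
                data, _ = winreg.QueryValueEx(k, name)
            except OSError:
                continue
            events.append({"op": "QueryValue", "key": BIOS_KEY,
                           "value": name, "data": data})
    return classify(events)


if __name__ == "__main__":
    print(sorted(classify(SAMPLE_EVENTS)))
    print(probe_live())
```

Run against the constructed log it reports all five indicators; a clean host only yields checks_bios_information, which is why the report treats a bare BIOS read as weak evidence on its own and pairs it with the ACPI key lookup before calling the sample anti-VM.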

Processes

  • C:\Users\Admin\AppData\Local\Temp\New_Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New_Order.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2116
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • outlook_office_path
      • outlook_win_path
      PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497) 1
  • Install Root Certificate (T1130) 1
  • Modify Registry (T1112) 1

Discovery

  • Query Registry (T1012) 2
  • Virtualization/Sandbox Evasion (T1497) 1
  • System Information Discovery (T1082) 3

Collection

  • Email Collection (T1114) 1

Downloads

  • memory/2116-117-0x0000000000400000-0x0000000000A4B000-memory.dmp
    Filesize

    6.3MB

  • memory/2116-118-0x0000000000401000-0x000000000046B000-memory.dmp
    Filesize

    424KB

  • memory/2116-119-0x00000000777F0000-0x000000007797E000-memory.dmp
    Filesize

    1.6MB

  • memory/3628-122-0x0000000000CC0000-0x0000000000D26000-memory.dmp
    Filesize

    408KB

  • memory/3628-126-0x0000000009570000-0x000000000962C000-memory.dmp
    Filesize

    752KB

  • memory/3628-129-0x00000000096D0000-0x000000000976C000-memory.dmp
    Filesize

    624KB

  • memory/3628-204-0x0000000009560000-0x0000000009561000-memory.dmp
    Filesize

    4KB