Analysis
-
max time kernel
154s -
max time network
146s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
03-02-2022 06:10
Static task
static1
Behavioral task
behavioral1
Sample
ORDER_41.exe
Resource
win7-en-20211208
General
-
Target
ORDER_41.exe
-
Size
247KB
-
MD5
cf7349316d1d05e5aeaad6223b79dad6
-
SHA1
5bdf74611a7b53d0e31667ee1a4703c94d28a727
-
SHA256
05b4da3e3aab112ef15f61ae3b033f5e304e5b2289a787c3be944c17b50a0226
-
SHA512
b8333f33986935ed031532743db7bc7491fd4028aa4b7d99e6024b60f978d1cc4cdc772a9dcd23b8395145ffad33186fe416aefc906fba84fe3ff6a18c0dd147
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
Processes:
ORDER_41.exepid process 1764 ORDER_41.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1112 1764 WerFault.exe ORDER_41.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
WerFault.exepid process 1112 WerFault.exe 1112 WerFault.exe 1112 WerFault.exe 1112 WerFault.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1112 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 1112 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
ORDER_41.exedescription pid process target process PID 1764 wrote to memory of 1112 1764 ORDER_41.exe WerFault.exe PID 1764 wrote to memory of 1112 1764 ORDER_41.exe WerFault.exe PID 1764 wrote to memory of 1112 1764 ORDER_41.exe WerFault.exe PID 1764 wrote to memory of 1112 1764 ORDER_41.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ORDER_41.exe"C:\Users\Admin\AppData\Local\Temp\ORDER_41.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 4842⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\nsw124A.tmp\ltgdog.dllMD5
98189c153d282aa05774000f121b8f6f
SHA1e4c6a1025279983aca1d975b74808cf515116e28
SHA2565fc08ded5f7bca3c521af66f9610268d490bc43f4278420e90cb695b0b19c248
SHA5127a366f711e8719028e8946eb34cd2ad75bb88544992a0d21b2d335d692818875524024b14863e8b5417d1462c0c2a7aaa7643ea04d892e869a87e8331864255b
-
memory/1112-58-0x00000000002F0000-0x000000000031D000-memory.dmpFilesize
180KB
-
memory/1764-55-0x0000000076B81000-0x0000000076B83000-memory.dmpFilesize
8KB