48ce6fe586c630ed2f41ba2f9c926d742bf379d56d9fcf89c852f03b4d46f7e7

Analysis

max time kernel
154s
max time network
146s
platform
windows7_x64
resource
win7-en-20211208
submitted
03-02-2022 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER_41.exe
Size

247KB
MD5

cf7349316d1d05e5aeaad6223b79dad6
SHA1

5bdf74611a7b53d0e31667ee1a4703c94d28a727
SHA256

05b4da3e3aab112ef15f61ae3b033f5e304e5b2289a787c3be944c17b50a0226
SHA512

b8333f33986935ed031532743db7bc7491fd4028aa4b7d99e6024b60f978d1cc4cdc772a9dcd23b8395145ffad33186fe416aefc906fba84fe3ff6a18c0dd147

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

ORDER_41.exe

pid process

1764 ORDER_41.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1112 1764 WerFault.exe ORDER_41.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1112 WerFault.exe
1112 WerFault.exe
1112 WerFault.exe
1112 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1112 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1112 WerFault.exe

pid	process
1764	ORDER_41.exe

pid	pid_target	process	target process
1112	1764	WerFault.exe	ORDER_41.exe

pid	process
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe
1112	WerFault.exe

pid	process
1112	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1112	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ORDER_41.exe

description	pid	process	target process
PID 1764 wrote to memory of 1112	1764	ORDER_41.exe	WerFault.exe
PID 1764 wrote to memory of 1112	1764	ORDER_41.exe	WerFault.exe
PID 1764 wrote to memory of 1112	1764	ORDER_41.exe	WerFault.exe
PID 1764 wrote to memory of 1112	1764	ORDER_41.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ORDER_41.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER_41.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 484
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1112

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsw124A.tmp\ltgdog.dll
MD5
98189c153d282aa05774000f121b8f6f

SHA1
e4c6a1025279983aca1d975b74808cf515116e28

SHA256
5fc08ded5f7bca3c521af66f9610268d490bc43f4278420e90cb695b0b19c248

SHA512
7a366f711e8719028e8946eb34cd2ad75bb88544992a0d21b2d335d692818875524024b14863e8b5417d1462c0c2a7aaa7643ea04d892e869a87e8331864255b

Download Submit
memory/1112-58-0x00000000002F0000-0x000000000031D000-memory.dmp

Filesize
180KB

Download
memory/1764-55-0x0000000076B81000-0x0000000076B83000-memory.dmp

Filesize
8KB

Download