Overview

overview

10

Static

static

Order-411546.exe

windows7_x64

10

Order-411546.exe

windows10-2004_x64

9

Analysis

  • max time kernel
    91s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order-411546.exe

  • Size

    806KB

  • MD5

    22ffcd520fe68ef6d11c131577091fff

  • SHA1

    08ba8ae52078a1ad86ea3b8bde4f619b23d0eb04

  • SHA256

    c8174141c60baa057aa9780fdb5fe1e4af59b9d3a9d5a1d8ab7d929b13d3882b

  • SHA512

    f53c611e64a76cf46be0c8941edf987e0f25db0c4682d15aa60d595fddb4ead053f3fdd3d0cb0996d13f76a6e2ce1dcf2ecd15db6debabe5ef44b0a91478eac7

Score
9/10
evasion

Malware Config

Signatures

  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order-411546.exe
    "C:\Users\Admin\AppData\Local\Temp\Order-411546.exe"
    1⤵
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4628
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CCllnFRcWGdXpZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3524
    • C:\Users\Admin\AppData\Local\Temp\Order-411546.exe
      "{path}"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order-411546.exe' & exit
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4136
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\Order-411546.exe'
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1688

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Order-411546.exe.log
    Filesize

    1KB

    MD5

    c17b9ea2f46c2a49181facc730b8215e

    SHA1

    5956e73ffe08e1b80cdc7ea76b5763726c579383

    SHA256

    a71f3ec0863c33f8dca2020e1237c5b0af7b18ed9cfebba03d57b8fc71b55db5

    SHA512

    8d32ecac4fdd71b992f3f6598b4cf20b2666cdcce295c3aa6156c1ff1a75247f66fa3d9f7cf66d0fdb2c699e2b76c3b6e12e6079b1f5eb7fb6e0f7f793706d56

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp536F.tmp
    Filesize

    1KB

    MD5

    372ee4f7db987696b0bf18a6c1fd1e9c

    SHA1

    77b43c6a3c96cbdd127923477c5ec04ad69b0bcf

    SHA256

    e0b4232606decaf4991bd85b7ac93647b1f14d29eae569c5620799d899b9f7f8

    SHA512

    033f556a13a4c55c22f5379daaf6276ab17781713b8432c059e228db75857c7eb205520755baa298de735cce12ed102913430ca94fd04b09cbb386fbed959bc1

    Download Submit

  • memory/1688-145-0x0000000005AC0000-0x0000000005AE2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1688-149-0x0000000006E70000-0x0000000006E8A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1688-148-0x0000000007FD0000-0x000000000864A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1688-147-0x0000000006990000-0x00000000069AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1688-150-0x00000000079F0000-0x0000000007A86000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1688-146-0x0000000005B60000-0x0000000005BC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1688-143-0x00000000030A0000-0x00000000030D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1688-144-0x0000000005BD0000-0x00000000061F8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1688-151-0x0000000006F10000-0x0000000006F32000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4628-130-0x0000000000570000-0x0000000000640000-memory.dmp

    Filesize

    832KB

    Download

  • memory/4628-135-0x00000000060F0000-0x0000000006156000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4628-134-0x00000000052C0000-0x000000000535C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4628-133-0x0000000004EE0000-0x0000000004EEA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4628-132-0x0000000004F10000-0x0000000004FA2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4628-131-0x0000000005590000-0x0000000005B34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4816-139-0x0000000000400000-0x000000000048E000-memory.dmp

    Filesize

    568KB

    Download