Overview

overview

10

Static

static

APPROVE ORDER .exe

windows7_x64

10

APPROVE ORDER .exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    APPROVE ORDER .exe

  • Size

    400KB

  • MD5

    96b3b7fcba7348f92c8b0a888f0bc619

  • SHA1

    508fd0984218206747e49d544c829e0b29790f9f

  • SHA256

    ee6195ec1370d529ba036d6ce5f7ca391822519455a57817e1576ac8a45b8b8d

  • SHA512

    6eb3362a08a121e1203bbacd215d8320c772ed55cb97a78fa2e133b0fc58cc067738f820e16a83bc7ee33db9e5df71dd5f8577faf07a9842acffa3e90db67503

Score
10/10
m00nd3v_loggercollectioncoreentityinfostealerrezer0spywarestealer

Malware Config

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • M00nd3v_Logger

    M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.

    stealerspywarem00nd3v_logger
  • M00nD3v Logger Payload 6 IoCs

    Detects M00nD3v Logger payload in memory.

    infostealer
  • NirSoft MailPassView 13 IoCs

    Password recovery tool for various email clients

  • Nirsoft 13 IoCs
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\APPROVE ORDER .exe
    "C:\Users\Admin\AppData\Local\Temp\APPROVE ORDER .exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1008
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ohsbzTbXG" /XML "C:\Users\Admin\AppData\Local\Temp\tmp272.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1984
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp2453.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:776
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmpD828.tmp"
        3⤵
        • Accesses Microsoft Outlook accounts
        PID:1892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Scripting

1
T1064

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp272.tmp
    Filesize

    1KB

    MD5

    c8428c6b1c6189e5934f84432897cc15

    SHA1

    faf612d66a6204d62ced8e378e584a75b41abb20

    SHA256

    4bf1af5f7c39c2efd7cf295386d91683dc77429b5cd5fdd2b7bf02ee6fd63a66

    SHA512

    6c094572c95a5fb7a8ba62845a176d0e2eb7c5315311b2c56c4d5b44ca5fbfc99abe8697273eb780f8ac0bb4dc258b6e9700ea3e289a228c2705f80869458873

    Download Submit
  • memory/776-78-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-73-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-75-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-72-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-85-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-77-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-84-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-80-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/776-81-0x000000000041211A-mapping.dmp
    Download
  • memory/1008-57-0x0000000000610000-0x000000000065C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1008-54-0x0000000000810000-0x000000000087A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/1008-56-0x0000000000410000-0x0000000000418000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1008-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1728-60-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1728-70-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1728-68-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1728-66-0x000000000043F8EE-mapping.dmp
    Download
  • memory/1728-65-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1728-64-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1728-63-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1728-61-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1892-95-0x000000000041211A-mapping.dmp
    Download
  • memory/1892-98-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1892-99-0x0000000000400000-0x000000000041C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/1984-58-0x0000000000000000-mapping.dmp
    Download