Overview

overview

10

Static

static

ORDER202.exe

windows7_x64

10

ORDER202.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    90s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER202.exe

  • Size

    941KB

  • MD5

    0a3d357409cb2337a4d533b64b8265cd

  • SHA1

    33cd12b0333af20dcb611b1f42d6a62f8167e90b

  • SHA256

    5f678c283847316bd366cc6a5dcd2b20072271080f493607a03ecd5d26ba65a7

  • SHA512

    8b2f1ad1c8260e2afabf8290d680ee29249fe2edb79d7740b039729f9cc5bbd3231836ac249a206488cb375efe9c3f5979b9b1b7e30e56b19c5692365b67fb64

Score
10/10
massloggercollectioncoreentityevasionrezer0spywarestealer

Malware Config

Signatures

  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 32 IoCs
  • MassLogger log file 1 IoCs

    Detects a log file produced by MassLogger.

  • Modifies visibility of file extensions in Explorer 2 TTPs
    evasion
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Accesses Microsoft Outlook profiles 1 TTPs 15 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORDER202.exe
    "C:\Users\Admin\AppData\Local\Temp\ORDER202.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1492
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hkEmZYRoabC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD4A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1312
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:2024
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:1988

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD4A.tmp
      Filesize

      1KB

      MD5

      9d4c14cf45fc912249672eec091ecdd5

      SHA1

      3567289b2edd8dd4a042706710c2c7bf53a55897

      SHA256

      bf8d2379a38ba747abbaf150bfd8d10285069cd82e13cc8af20df78b5616304b

      SHA512

      20fab2e71483101a431edd47c4abae68d761149b12add0a7cf8046bd5589d9e72ed970e0e54e3c93f01b642125bd6342f19519fbe00d53136a54e71318a6fa59

      Download Submit
    • memory/1312-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1492-54-0x0000000001020000-0x0000000001112000-memory.dmp
      Filesize

      968KB

      Download
    • memory/1492-55-0x0000000000F50000-0x000000000101A000-memory.dmp
      Filesize

      808KB

      Download
    • memory/1492-56-0x0000000074C81000-0x0000000074C83000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1492-57-0x00000000004A0000-0x00000000004A8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/1492-58-0x0000000007890000-0x000000000793E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/1988-83-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-91-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-64-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-65-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-66-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-67-0x00000000004A1E2E-mapping.dmp
      Download
    • memory/1988-69-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-71-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-73-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-75-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-77-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-79-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-81-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-61-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-85-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-87-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-89-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-62-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-93-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-95-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-97-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-99-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-101-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-103-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-105-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-107-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-109-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-111-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-113-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-115-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-117-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-119-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-121-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-123-0x0000000000400000-0x00000000004A6000-memory.dmp
      Filesize

      664KB

      Download
    • memory/1988-571-0x0000000004C30000-0x0000000004C74000-memory.dmp
      Filesize

      272KB

      Download