Analysis
-
max time kernel
150s
-
max time network
156s
-
platform
windows7_x64
-
resource
win7-20220414-en
submitted
21-05-2022 11:59
Static task
static1
Behavioral task
behavioral1
Sample
NEW ORDER.exe
Resource
win7-20220414-en
General
-
Target
NEW ORDER.exe
-
Size
509KB
-
MD5
f0f7a4fd4ae11a32f44c846af92e71e0
-
SHA1
ccba79af34bc38893b7a7a000db0d89377fa547a
-
SHA256
8ff1070136cd6c74a1c79964233004f87434efb65bfc8dc5caf986bd62f12d86
-
SHA512
f87c57ee8dd0231c7c0f7d8c82d35d13b8acc07432f1042f09ab7f35398209244af3bfc96ce8a17c106bcb98cb5a766b5f7c8783c8a48536afbdf98a172f1f86
Malware Config
Extracted
nanocore
1.2.2.0
som2020.zapto.org:1165
185.140.53.6:1165
7222ae52-d704-47b4-8f02-7756162c51c1
-
activate_away_mode
true
-
backup_connection_host
185.140.53.6
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2020-01-22T11:34:05.203302536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1165
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
7222ae52-d704-47b4-8f02-7756162c51c1
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
som2020.zapto.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Subsystem = "C:\\Program Files (x86)\\WPA Subsystem\\wpass.exe" | NEW ORDER.exe
-
Checks whether UAC is enabled
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NEW ORDER.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1048 set thread context of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
-
Drops file in Program Files directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\WPA Subsystem\wpass.exe | NEW ORDER.exe
File opened for modification | C:\Program Files (x86)\WPA Subsystem\wpass.exe | NEW ORDER.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
pid | process
2036 | schtasks.exe
564 | schtasks.exe
612 | schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1048 | NEW ORDER.exe
1048 | NEW ORDER.exe
1048 | NEW ORDER.exe
1712 | NEW ORDER.exe
1712 | NEW ORDER.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | process
1712 | NEW ORDER.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1048 | NEW ORDER.exe
Token: SeDebugPrivilege | 1712 | NEW ORDER.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
PID 1048 wrote to memory of 2036 | 1048 | NEW ORDER.exe | schtasks.exe
PID 1048 wrote to memory of 2036 | 1048 | NEW ORDER.exe | schtasks.exe
PID 1048 wrote to memory of 2036 | 1048 | NEW ORDER.exe | schtasks.exe
PID 1048 wrote to memory of 2036 | 1048 | NEW ORDER.exe | schtasks.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1048 wrote to memory of 1712 | 1048 | NEW ORDER.exe | NEW ORDER.exe
PID 1712 wrote to memory of 564 | 1712 | NEW ORDER.exe | schtasks.exe
PID 1712 wrote to memory of 564 | 1712 | NEW ORDER.exe | schtasks.exe
PID 1712 wrote to memory of 564 | 1712 | NEW ORDER.exe | schtasks.exe
PID 1712 wrote to memory of 564 | 1712 | NEW ORDER.exe | schtasks.exe
PID 1712 wrote to memory of 612 | 1712 | NEW ORDER.exe | schtasks.exe
PID 1712 wrote to memory of 612 | 1712 | NEW ORDER.exe | schtasks.exe
PID 1712 wrote to memory of 612 | 1712 | NEW ORDER.exe | schtasks.exe
PID 1712 wrote to memory of 612 | 1712 | NEW ORDER.exe | schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
Depth: 1
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ntHJzsFhHc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF0D5.tmp"
Depth: 2
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
Command line: "{path}"
Depth: 2
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "WPA Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3D21.tmp"
Depth: 3
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe
Command line: "schtasks.exe" /create /f /tn "WPA Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4923.tmp"
Depth: 3
- Creates scheduled task(s)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp3D21.tmp
Filesize
1KB
MD5
c8468ecc846a5610de272f51c99ad2e3
SHA1
5a6a3cbbf0a8187e1366ad33e6cc36441ae33821
SHA256
bdcceee63db950ad4e533dab35b2e6ca12bb7ad2a94021900875ff91bebfeee3
SHA512
4baf133c1f55cb450ac4b437023fd741225c923792f960441370591c723aea8458925dd00eac468e4329bbefca9af57876a7cbf5d9d80f8cff062fbe7680f80c
-
C:\Users\Admin\AppData\Local\Temp\tmp4923.tmp
Filesize
1KB
MD5
4365cd1ae65923a319ef2683a45891fe
SHA1
85dde233112660e31c53884aedfbad52e4547e09
SHA256
84b6ce4ba26fa6fb57fa70b9ad191f7c42c71e259897955b5d514385bcd91b58
SHA512
d1bd24f504c5c2ecaa3ae98268ccc2e400ea3e16980c6caf394eadf7738225e4d5578fbe62bbe2de3fe0cb56a0d76bb3fc84cef3b9cd2f3d8be6d0becefdc035
-
C:\Users\Admin\AppData\Local\Temp\tmpF0D5.tmp
Filesize
1KB
MD5
aae993b59085c6401b75a8c391bb6846
SHA1
249711a5e0e78f5ceabcadfd83391f8198c91979
SHA256
f812d8b6a8376b303d88eae7cfe3c8598703742db5d77676a5b6052302a872be
SHA512
d9564ab047de3f723a0832f9d81f09cb4916a122b8921b15bd98f8a0110675d367bc71347cbf3c6ac40e998dfcbc3eadb945c4792cd25c628b81c73769a12bd1
-
memory/564-72-0x0000000000000000-mapping.dmp
-
memory/612-74-0x0000000000000000-mapping.dmp
-
memory/1048-54-0x0000000075C51000-0x0000000075C53000-memory.dmp
Filesize
8KB
-
memory/1048-55-0x0000000074F10000-0x00000000754BB000-memory.dmp
Filesize
5.7MB
-
memory/1712-64-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1712-62-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1712-65-0x000000000041E792-mapping.dmp
-
memory/1712-67-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1712-69-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1712-71-0x0000000074F10000-0x00000000754BB000-memory.dmp
Filesize
5.7MB
-
memory/1712-61-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1712-59-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/1712-58-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize
224KB
-
memory/2036-56-0x0000000000000000-mapping.dmp