Analysis
max time kernel: 151s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 21-05-2022 11:59
Static task: static1
Behavioral task: behavioral1
Sample: NEW ORDER.exe
Resource: win7-20220414-en
General
Target: NEW ORDER.exe
Size: 509KB
MD5: f0f7a4fd4ae11a32f44c846af92e71e0
SHA1: ccba79af34bc38893b7a7a000db0d89377fa547a
SHA256: 8ff1070136cd6c74a1c79964233004f87434efb65bfc8dc5caf986bd62f12d86
SHA512: f87c57ee8dd0231c7c0f7d8c82d35d13b8acc07432f1042f09ab7f35398209244af3bfc96ce8a17c106bcb98cb5a766b5f7c8783c8a48536afbdf98a172f1f86
Malware Config
Extracted
Family: nanocore
Version: 1.2.2.0
Connection hosts: som2020.zapto.org:1165, 185.140.53.6:1165
Mutex: 7222ae52-d704-47b4-8f02-7756162c51c1
activate_away_mode: true
backup_connection_host: 185.140.53.6
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2020-01-22T11:34:05.203302536Z
bypass_user_account_control: false
bypass_user_account_control_data: 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
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 1165
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07
mutex: 7222ae52-d704-47b4-8f02-7756162c51c1
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: som2020.zapto.org
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  Process: NEW ORDER.exe | Description: Key value queried | IoC: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  Process: NEW ORDER.exe | Description: Set value (str) | IoC: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsvc.exe"
-
Checks whether UAC is enabled (1 IoC)
Processes:
  Process: NEW ORDER.exe | Description: Key value queried | IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  Description: PID 1504 set thread context of 504 | PID: 1504 | Process: NEW ORDER.exe | Target process: NEW ORDER.exe
-
Drops file in Program Files directory (2 IoCs)
Processes:
  Process: NEW ORDER.exe | Description: File created | IoC: C:\Program Files (x86)\TCP Service\tcpsvc.exe
  Process: NEW ORDER.exe | Description: File opened for modification | IoC: C:\Program Files (x86)\TCP Service\tcpsvc.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  PID: 1620 | Process: schtasks.exe
  PID: 1916 | Process: schtasks.exe
  PID: 3540 | Process: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (7 IoCs)
Processes:
  PID: 1504 | Process: NEW ORDER.exe (4 entries)
  PID: 504 | Process: NEW ORDER.exe (3 entries)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID: 504 | Process: NEW ORDER.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Description: Token: SeDebugPrivilege | PID: 1504 | Process: NEW ORDER.exe
  Description: Token: SeDebugPrivilege | PID: 504 | Process: NEW ORDER.exe
-
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  Description: PID 1504 wrote to memory of 3540 | PID: 1504 | Process: NEW ORDER.exe | Target process: schtasks.exe (3 entries)
  Description: PID 1504 wrote to memory of 504 | PID: 1504 | Process: NEW ORDER.exe | Target process: NEW ORDER.exe (8 entries)
  Description: PID 504 wrote to memory of 1620 | PID: 504 | Process: NEW ORDER.exe | Target process: schtasks.exe (3 entries)
  Description: PID 504 wrote to memory of 1916 | PID: 504 | Process: NEW ORDER.exe | Target process: schtasks.exe (3 entries)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [2] C:\Windows\SysWOW64\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ntHJzsFhHc" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8BAB.tmp"
        - Creates scheduled task(s)
    -
    [2] C:\Users\Admin\AppData\Local\Temp\NEW ORDER.exe
        Command line: "{path}"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        -
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp906D.tmp"
            - Creates scheduled task(s)
        -
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9272.tmp"
            - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\NEW ORDER.exe.log
  Filesize: 496B
  MD5: 7baa6583f69f63f7230df9bf98448356
  SHA1: fe9eb85b57192362da704a3c130377fe83862320
  SHA256: a632504621b4cac1d5ba5465c7ad9b30f3d036e9838682506782124a211bed4f
  SHA512: 0e72541791281c0fdac1f5fc6beea0b9eb8766b2a386aecb92cb8a44e5b59b7114c79194393ddeff957ffe86021a311caed7ce2731b863d97ad441870efbc051
-
C:\Users\Admin\AppData\Local\Temp\tmp8BAB.tmp
  Filesize: 1KB
  MD5: f4fc5a024678772129f7d10b850ef02a
  SHA1: 8765fb74414c23ea1c8d5dc4b01bf818fb3eb6c0
  SHA256: 8bbdfe7aeb789c3f77ddc4809ed130752d09d9c94ee7afda563d746ae471a1bd
  SHA512: b6faccc15452f9154e72ff68b3479703a9a3d51ceaa9322cb61bd5d19617cd735cf4a0516b8d9411f3f7e24ea315f3d6c9a6b8ab2a240d4ef8443709efa1e554
-
C:\Users\Admin\AppData\Local\Temp\tmp906D.tmp
  Filesize: 1KB
  MD5: c8468ecc846a5610de272f51c99ad2e3
  SHA1: 5a6a3cbbf0a8187e1366ad33e6cc36441ae33821
  SHA256: bdcceee63db950ad4e533dab35b2e6ca12bb7ad2a94021900875ff91bebfeee3
  SHA512: 4baf133c1f55cb450ac4b437023fd741225c923792f960441370591c723aea8458925dd00eac468e4329bbefca9af57876a7cbf5d9d80f8cff062fbe7680f80c
-
C:\Users\Admin\AppData\Local\Temp\tmp9272.tmp
  Filesize: 1KB
  MD5: 9db6095f31f8b4ae8173fe11424a8dfe
  SHA1: 4b0655ae95def24a41710ca137649d93bfa49407
  SHA256: 9911b4513e44521c90c020ddcddea1ddc58095055a72ec638b593bf9ee23aa72
  SHA512: 5bee977264545a30a2d53e674f54a4066d4529dc9162d46911b9cac957052cdc1ea7c8d60f9c57d3f33db6cb964b1e6bb2347d0e0e2af0a32ac98938c02ffc1c
-
memory/504-133-0x0000000000000000-mapping.dmp
-
memory/504-134-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
-
memory/504-138-0x0000000075510000-0x0000000075AC1000-memory.dmp
  Filesize: 5.7MB
-
memory/1504-130-0x0000000075510000-0x0000000075AC1000-memory.dmp
  Filesize: 5.7MB
-
memory/1620-136-0x0000000000000000-mapping.dmp
-
memory/1916-139-0x0000000000000000-mapping.dmp
-
memory/3540-131-0x0000000000000000-mapping.dmp