665aedc941ee4a7f199bad9431099c3591368f895c13b8be6f17dc29b2bcb66a

General

Target

NEW_ORDE.exe
Size

521KB
MD5

52133a225e1285915e4c871f802db4e0
SHA1

4a61cccd463daa442568f98263d5a9944cc724b9
SHA256

08e3928e063f4d85e7580cb03a62d69e7c3c0ba1bd04e2867343931e335862bd
SHA512

bdb76a4ec24d16e9c3f6ec3e7f30b698743d0818c2167793441528477aec89d2712962ef66cae3e9b43516f90bd644e386308c2c0971ccf6940d43cf2664c301

Score

10^/10

coreentity evasion rezer0

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
behavioral1/memory/2020-56-0x0000000000650000-0x0000000000658000-memory.dmp	coreentity

Looks for VirtualBox Guest Additions in registry 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/2020-57-0x0000000002230000-0x000000000228A000-memory.dmp	rezer0

Looks for VMWare Tools registry key 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NEW_ORDE.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	NEW_ORDE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	NEW_ORDE.exe

Maps connected drives based on registry 3 TTPs 2 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

NEW_ORDE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	NEW_ORDE.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	NEW_ORDE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1208 schtasks.exe

pid	process
1208	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

NEW_ORDE.exe

pid	process
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe
2020	NEW_ORDE.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

NEW_ORDE.exe

description pid process

Token: SeDebugPrivilege 2020 NEW_ORDE.exe

description	pid	process
Token: SeDebugPrivilege	2020	NEW_ORDE.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

NEW_ORDE.exe

description	pid	process	target process
PID 2020 wrote to memory of 1208	2020	NEW_ORDE.exe	schtasks.exe
PID 2020 wrote to memory of 1208	2020	NEW_ORDE.exe	schtasks.exe
PID 2020 wrote to memory of 1208	2020	NEW_ORDE.exe	schtasks.exe
PID 2020 wrote to memory of 1208	2020	NEW_ORDE.exe	schtasks.exe
PID 2020 wrote to memory of 688	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 688	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 688	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 688	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1456	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1456	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1456	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1456	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1212	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1212	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1212	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1212	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1132	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1132	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1132	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1132	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1136	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1136	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1136	2020	NEW_ORDE.exe	NEW_ORDE.exe
PID 2020 wrote to memory of 1136	2020	NEW_ORDE.exe	NEW_ORDE.exe

C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
"C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe"
1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gTZhcFj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp"
2⤵
- Creates scheduled task(s)
PID:1208

C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
"{path}"
2⤵
PID:688

C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
"{path}"
2⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
"{path}"
2⤵
PID:1212

C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
"{path}"
2⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
"{path}"
2⤵
PID:1136

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

3

T1082

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp
Filesize
1KB

MD5
fad98f03c02510ea1aaeec21d1aed55c

SHA1
e64f550fdc7870ede04d62684ec3c32fb6a4fe4a

SHA256
7ec4af2983e60f835c9c8a95d1b74552cd119368b4b352fb52717674a5ddfe1d

SHA512
773c4bd0378c5d7b6c9e5dc7a0866d2c6f15377c9212f80997b16105964e8f1a2820f22b6cc911f37512acd70e5b7f0afed99209169fc8bf85c204558925cd82

Download Submit
memory/1208-58-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x00000000003E0000-0x0000000000468000-memory.dmp

Filesize
544KB

Download
memory/2020-55-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2020-57-0x0000000002230000-0x000000000228A000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads