Analysis
max time kernel: 16s
max time network: 44s
platform: windows7_x64
resource: win7-20220414-en
submitted: 21-05-2022 12:24

Static task: static1
Behavioral task: behavioral1 (Sample: NEW_ORDE.exe, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: NEW_ORDE.exe, Resource: win10v2004-20220414-en)
General
Target: NEW_ORDE.exe
Size: 521KB
MD5: 52133a225e1285915e4c871f802db4e0
SHA1: 4a61cccd463daa442568f98263d5a9944cc724b9
SHA256: 08e3928e063f4d85e7580cb03a62d69e7c3c0ba1bd04e2867343931e335862bd
SHA512: bdb76a4ec24d16e9c3f6ec3e7f30b698743d0818c2167793441528477aec89d2712962ef66cae3e9b43516f90bd644e386308c2c0971ccf6940d43cf2664c301
Malware Config
Signatures

CoreEntity .NET Packer (1 IoC)
A .NET packer called CoreEntity that embeds the payload as a Bitmap object which is later decrypted.
  resource: behavioral1/memory/2020-56-0x0000000000650000-0x0000000000658000-memory.dmp  yara_rule: coreentity
Looks for VirtualBox Guest Additions in registry (2 TTPs)
ReZer0 packer (1 IoC)
Detects ReZer0, a packer with multiple versions used in various campaigns.
  resource: behavioral1/memory/2020-57-0x0000000002230000-0x000000000228A000-memory.dmp  yara_rule: rezer0
Looks for VMWare Tools registry key (2 TTPs)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments (virtualised hosts typically expose hypervisor vendor strings in these values).
  process       description        ioc
  NEW_ORDE.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  NEW_ORDE.exe  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
  process       description        ioc
  NEW_ORDE.exe  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum
  NEW_ORDE.exe  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The report tags this as likely ransomware behaviour, but the only evidence of it in this run is the Disk\Enum read just above, which the report itself also attributes to sandbox detection, and no file modification IoCs appear in the trace; read it as part of the VM check rather than as encryption activity.
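The registry reads above (BIOS strings, the Disk\Enum device list, and the VirtualBox Guest Additions / VMware Tools lookups) are one sandbox-evasion pattern seen from several angles. The Python below is an added example, not part of the Triage report: it replays the report's own registry IoCs, rebuilt as "operation key process" lines, through a small classifier that maps each key to the signature it would fire and to ATT&CK T1497 (Virtualization/Sandbox Evasion). The two VirtualBox/VMware key paths are the well-known Guest Additions and VMware Tools keys that the report's "Looks for ..." signatures describe without listing an IoC, and the ProductName line is a benign control; both are assumptions, as is the two-signature alert threshold.

```python
"""Classify registry reads from a sandbox trace as VM/sandbox-detection probes.

Added example for this report, not part of the Triage output. EVENTS is
constructed from the report's own "Key opened" / "Key value queried" IoCs;
the two VirtualBox/VMware lines and the ProductName control line are assumed.
"""
import re

# Constructed trace lines in the report's "<operation> <key> <process>" layout.
EVENTS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion NEW_ORDE.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion NEW_ORDE.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum NEW_ORDE.exe",
    r"Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 NEW_ORDE.exe",
    # Assumed: the well-known keys behind the "Looks for VirtualBox/VMware" signatures.
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions NEW_ORDE.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools NEW_ORDE.exe",
    # Assumed benign control: a key any installer might read.
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName NEW_ORDE.exe",
]

# (pattern over the key path, signature name, ATT&CK technique). All four map to
# T1497 Virtualization/Sandbox Evasion.
RULES = [
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "Checks BIOS information in registry", "T1497"),
    (re.compile(r"\\Services\\Disk\\Enum(\\\d+)?$", re.I),
     "Maps connected drives based on registry", "T1497"),
    (re.compile(r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", re.I),
     "Looks for VirtualBox Guest Additions in registry", "T1497"),
    (re.compile(r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", re.I),
     "Looks for VMWare Tools registry key", "T1497"),
]

# Key paths may contain spaces, so the key is everything between the
# operation and the final process-image token.
LINE_RE = re.compile(r"^(Key opened|Key value queried) (\\REGISTRY\\.*?) (\S+)$")


def parse_event(line):
    """Split one trace line into (operation, registry key, process image)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised event line: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def classify(lines):
    """Map every firing signature to the keys that triggered it."""
    hits = {}
    for line in lines:
        _, key, _ = parse_event(line)
        for pattern, name, technique in RULES:
            if pattern.search(key):
                hits.setdefault((name, technique), []).append(key)
    return hits


def evasion_suspected(lines, min_signatures=2):
    """A single BIOS or disk read is common in legitimate installers; several
    distinct VM/sandbox probes from one process are the signal worth alerting on."""
    return len(classify(lines)) >= min_signatures


if __name__ == "__main__":
    for (name, technique), keys in classify(EVENTS).items():
        print(f"[{technique}] {name}")
        for key in keys:
            print(f"    {key}")
    print("sandbox evasion suspected:", evasion_suspected(EVENTS))
```

The threshold matters in practice: installers and hardware-inventory agents read SystemBiosVersion routinely, so a rule on that key alone is noisy, while the combination seen here (BIOS strings plus disk enumeration plus both hypervisor-tool keys from one process with no installer context) is not.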
-
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task is created from an XML definition (see the schtasks.exe command line under Processes), so what the task actually runs is not visible on the command line and has to be taken from the dropped XML file.
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid 2020  NEW_ORDE.exe  (10 events)
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 2020  NEW_ORDE.exe
Enabling SeDebugPrivilege is the usual prelude to opening and writing into other processes, which is what the WriteProcessMemory events below record.
Suspicious use of WriteProcessMemory (24 IoCs)
  source pid 2020 (NEW_ORDE.exe) wrote to:
    target pid 1208  schtasks.exe  4 writes
    target pid 688   NEW_ORDE.exe  4 writes
    target pid 1456  NEW_ORDE.exe  4 writes
    target pid 1212  NEW_ORDE.exe  4 writes
    target pid 1132  NEW_ORDE.exe  4 writes
    target pid 1136  NEW_ORDE.exe  4 writes
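Twenty-four identical-looking events are hard to read; what matters is who was written into. The Python below is an added example, not part of the Triage report: it rebuilds the report's 24 WriteProcessMemory IoCs from their counts (the helper that expands them, the tuple layout and the two-child alert threshold are this example's own), collapses them per target, and singles out targets that are fresh copies of the writer's own image, the RunPE / process-hollowing pattern that .NET packers of the kind flagged above typically use.

```python
"""Summarise WriteProcessMemory events from a sandbox trace and pick out
self-injection. Added example, not part of the Triage report; EVENTS is
rebuilt from the report's 24 IoCs (all from pid 2020) by count rather than
pasted line by line.
"""
import re
from collections import Counter

# Report layout: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")


def expand(src_pid, src_img, targets):
    """Turn (target pid, target image, write count) tuples into trace lines."""
    return [f"PID {src_pid} wrote to memory of {pid} {src_pid} {src_img} {img}"
            for pid, img, n in targets for _ in range(n)]


# Constructed from the report: four writes into schtasks.exe and four into each
# of the five freshly spawned copies of NEW_ORDE.exe.
EVENTS = expand(2020, "NEW_ORDE.exe", [
    (1208, "schtasks.exe", 4),
    (688, "NEW_ORDE.exe", 4), (1456, "NEW_ORDE.exe", 4), (1212, "NEW_ORDE.exe", 4),
    (1132, "NEW_ORDE.exe", 4), (1136, "NEW_ORDE.exe", 4),
])


def summarise(lines):
    """Collapse raw events into {(src pid, dst pid, src image, dst image): writes}."""
    counts = Counter()
    for line in lines:
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised event line: {line!r}")
        src, dst, src_img, dst_img = m.groups()
        counts[(int(src), int(dst), src_img, dst_img)] += 1
    return counts


def self_injection_targets(lines):
    """Children that share the writer's image name, sorted by pid. A process
    writing into a fresh copy of itself is the RunPE / process-hollowing
    pattern .NET packers typically use."""
    return sorted(dst for (src, dst, src_img, dst_img), _ in summarise(lines).items()
                  if src_img.lower() == dst_img.lower() and src != dst)


def hollowing_suspected(lines, min_children=2):
    """One relaunch of itself can be benign (elevation, update); several
    short-lived copies, each written into, is a loader retrying injection."""
    return len(self_injection_targets(lines)) >= min_children


if __name__ == "__main__":
    for (src, dst, src_img, dst_img), n in summarise(EVENTS).items():
        print(f"{src} {src_img} -> {dst} {dst_img}: {n} writes")
    print("self-injection targets:", self_injection_targets(EVENTS))
    print("hollowing suspected:", hollowing_suspected(EVENTS))
```

The write count alone is not the signal: the schtasks.exe child received the same four writes and then ran its command line normally, so a handful of writes into a just-created child is also what ordinary process creation leaves in this trace. What stands out is the target image being another copy of NEW_ORDE.exe, launched with the literal command line "{path}", five times over, with none of those children showing any behaviour of their own in the process tree.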
Processes

C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe  (pid 2020)
  command line: "C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe  (pid 1208)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gTZhcFj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp"
      - Creates scheduled task(s)
      (the image path is SysWOW64 although the command line names System32: WOW64 file-system redirection, so the parent NEW_ORDE.exe is a 32-bit process)

    C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
      command line: "{path}"
    C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
      command line: "{path}"
    C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
      command line: "{path}"
    C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
      command line: "{path}"
    C:\Users\Admin\AppData\Local\Temp\NEW_ORDE.exe
      command line: "{path}"
    (five copies of itself, pids 688, 1456, 1212, 1132 and 1136 according to the WriteProcessMemory events above, each launched with the literal command line "{path}" and none showing any behaviour of its own)
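Two details of the schtasks.exe entry carry most of the information. The task is defined by an XML file (tmp9223.tmp in the user's Temp directory, hashed under Downloads below), so the command line never shows what the task runs and the XML has to be retrieved; and the process image is C:\Windows\SysWOW64\schtasks.exe although the command line names System32, which is WOW64 file-system redirection and tells you the parent is a 32-bit process. The Python below is an added example, not part of the Triage report: it parses that one process entry (image path and command line copied from the tree above) and emits those findings. The tokenizer, the VALUE_SWITCHES set, the indicator rules and the tmpXXXX.tmp observation (the name pattern .NET's Path.GetTempFileName() produces, consistent with the .NET packer flagged above) are this example's own.

```python
"""Pull persistence indicators out of the schtasks.exe entry in the process
tree. Added example, not part of the Triage report; the image path and
command line are the report's, the indicator rules are this example's own.
"""
import re

# Copied from the process tree above (a 32-bit parent asked for System32\schtasks.exe
# and WOW64 file-system redirection served SysWOW64\schtasks.exe instead).
SCHTASKS_ENTRY = {
    "image": r"C:\Windows\SysWOW64\schtasks.exe",
    "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gTZhcFj" '
               r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp"',
}

# Quoted spans become one token; backslashes are literal (shlex's POSIX mode
# would eat them, which is why it is not used here).
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# schtasks /Create switches that take a value (this example's own subset).
VALUE_SWITCHES = {"/tn", "/xml", "/tr", "/sc", "/ru", "/rp", "/mo", "/st", "/sd"}


def split_cmdline(cmdline):
    """Windows-style split: quoted spans are one token, backslashes are literal."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline):
    """Return the executable plus the schtasks switches that carry values."""
    toks = split_cmdline(cmdline)
    args = {"exe": toks[0], "create": False, "flags": []}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "/create":
            args["create"] = True
            i += 1
        elif t in VALUE_SWITCHES and i + 1 < len(toks):
            args[t[1:]] = toks[i + 1]
            i += 2
        else:
            args["flags"].append(toks[i])
            i += 1
    return args


def indicators(entry):
    """Human-readable findings for one schtasks.exe process entry."""
    a = parse_schtasks(entry["cmdline"])
    out = []
    if a["create"] and "xml" in a:
        if re.search(r"\\AppData\\Local\\Temp\\", a["xml"], re.I):
            out.append("task definition loaded from the user's Temp directory: " + a["xml"])
        if re.search(r"\\tmp[0-9a-f]{1,4}\.tmp$", a["xml"], re.I):
            # tmpXXXX.tmp is what .NET's Path.GetTempFileName() hands back.
            out.append("tmpXXXX.tmp name: Path.GetTempFileName() pattern, dropped just before creation")
        out.append("the task's action is inside the XML, not on the command line: retrieve and hash it")
    if a["create"] and "\\" in a.get("tn", ""):
        folder, leaf = a["tn"].split("\\", 1)
        out.append(f"task {leaf!r} placed in sub-folder {folder!r}, not the library root")
    if (entry["image"].lower().startswith("c:\\windows\\syswow64\\")
            and "system32" in a["exe"].lower()):
        out.append("System32 path redirected to SysWOW64: the creating process is 32-bit")
    return a, out


if __name__ == "__main__":
    parsed, findings = indicators(SCHTASKS_ENTRY)
    print("parsed:", parsed)
    for f in findings:
        print(" -", f)
```

On a live host the follow-up is to export the task (schtasks /Query /TN "Updates\gTZhcFj" /XML) or to read the dropped tmp9223.tmp before it is cleaned up, because the Exec action and the trigger live only in that XML.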
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9223.tmp  (the task definition passed to schtasks.exe /XML above)
  Filesize: 1KB
  MD5: fad98f03c02510ea1aaeec21d1aed55c
  SHA1: e64f550fdc7870ede04d62684ec3c32fb6a4fe4a
  SHA256: 7ec4af2983e60f835c9c8a95d1b74552cd119368b4b352fb52717674a5ddfe1d
  SHA512: 773c4bd0378c5d7b6c9e5dc7a0866d2c6f15377c9212f80997b16105964e8f1a2820f22b6cc911f37512acd70e5b7f0afed99209169fc8bf85c204558925cd82

memory/1208-58-0x0000000000000000-mapping.dmp
memory/2020-54-0x00000000003E0000-0x0000000000468000-memory.dmp  Filesize: 544KB
memory/2020-55-0x0000000076451000-0x0000000076453000-memory.dmp  Filesize: 8KB
memory/2020-56-0x0000000000650000-0x0000000000658000-memory.dmp  Filesize: 32KB  (coreentity YARA hit)
memory/2020-57-0x0000000002230000-0x000000000228A000-memory.dmp  Filesize: 360KB  (rezer0 YARA hit)