Overview

overview

10

Static

static

New Order.exe

windows7-x64

10

New Order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    83s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2022 16:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Order.exe

  • Size

    847KB

  • MD5

    c606b79a4bc00248caf9a9c34c27967c

  • SHA1

    e6023105be92a970a854a3a935786dac7eb24bb4

  • SHA256

    4649b0df03857384398c1b95c2e26768ed8a6198499a39d3efdb8d696ede4176

  • SHA512

    3849116a967cbd303e138b3e384e433c53cd2779bde4538975c51bd4d8f8fa4b0414dbce17d41d28a1cb23f537ebad6ab60168a3a16349bb8844a48c8c860a72

Score
10/10
blustealerstormkittycollectionstealer

Malware Config

Signatures

  • BluStealer

    A Modular information stealer written in Visual Basic.

    stealerblustealer
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Order.exe
    "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QWZdOXeSBeFk.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1932
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QWZdOXeSBeFk" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6409.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4480
    • C:\Users\Admin\AppData\Local\Temp\New Order.exe
      "C:\Users\Admin\AppData\Local\Temp\New Order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        3⤵
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4004

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp6409.tmp
    Filesize

    1KB

    MD5

    8b01e1eea7ae3e57104d0c9d484246bf

    SHA1

    7f68942efe5593b3623b89ad9ea8256278d50f32

    SHA256

    0cc83e2b4df90b46c7efe90a87c631e1785ccf6733c0d011750728c2af90aee9

    SHA512

    8505ec7201995a01789adf909598d2803cc47755837b96d885b515bf6074d1ff6e3073778f7a892859d17b5c1a8408146bd5ec40bc7a9cf294b03102bfc64e02

    Download Submit

  • memory/1556-133-0x0000000005680000-0x0000000005C24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1556-134-0x0000000005170000-0x0000000005202000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1556-135-0x0000000005360000-0x000000000536A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1556-136-0x0000000008EC0000-0x0000000008F5C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1556-137-0x0000000008FD0000-0x0000000009036000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1556-132-0x0000000000690000-0x0000000000768000-memory.dmp

    Filesize

    864KB

    Download

  • memory/1696-144-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1696-165-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1696-154-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1696-146-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

    Download

  • memory/1932-156-0x0000000070740000-0x000000007078C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1932-140-0x0000000002E30000-0x0000000002E66000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1932-148-0x00000000057B0000-0x00000000057D2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1932-150-0x0000000005FE0000-0x0000000006046000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1932-151-0x0000000006730000-0x000000000674E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1932-142-0x0000000005840000-0x0000000005E68000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1932-163-0x0000000007D80000-0x0000000007D9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1932-155-0x0000000007900000-0x0000000007932000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1932-164-0x0000000007D60000-0x0000000007D68000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1932-157-0x0000000006CF0000-0x0000000006D0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1932-158-0x0000000008090000-0x000000000870A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1932-159-0x0000000007A40000-0x0000000007A5A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1932-160-0x0000000007AB0000-0x0000000007ABA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1932-161-0x0000000007CC0000-0x0000000007D56000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1932-162-0x0000000007C70000-0x0000000007C7E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4004-153-0x0000000000230000-0x000000000024A000-memory.dmp

    Filesize

    104KB

    Download