Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
10-10-2022 06:12
Static task
static1
Behavioral task
behavioral1
Sample
ORDER.exe
Resource
win7-20220901-en
General
-
Target
ORDER.exe
-
Size
862KB
-
MD5
d4bedaa24b4f2d4001325502a1bcf3bb
-
SHA1
e326c7f7045cc49aa94ddcda0f92fd794f6a182b
-
SHA256
5affdcb7df43eaffa763090a9c0c8159e6ec2f97181214c99bb28e3922f0f4cb
-
SHA512
e916454713007cb920699f3304d42c33d99b0c4c2c8a30472b22a644eb736a329e2d0ad970ae9e90a744004fab365c811da269b5bf091a11b0c8d6af2dc9ae18
-
SSDEEP
12288:xe2iNeAejHgWakKK4boAO135KLnYqr096OE0ls72h8DL2St2qjJ5nXe4x:xe1Gjak9qg5+nYM09s0lkvFHjrXe
Malware Config
Extracted
nanocore
1.2.2.0
dera5nano.ddns.net:1010
107.182.129.248:1010
5a26bcef-e67f-486a-8e48-1748cc7891a2
-
activate_away_mode
true
-
backup_connection_host
107.182.129.248
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-06-06T12:07:01.612898436Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1010
-
default_group
Default
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
5a26bcef-e67f-486a-8e48-1748cc7891a2
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
dera5nano.ddns.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: ORDER.exe
description: Key value queried | ioc: \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | process: ORDER.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: ORDER.exe
description: Set value (str) | ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Monitor = "C:\\Program Files (x86)\\AGP Monitor\\agpmon.exe" | process: ORDER.exe
-
Checks whether UAC is enabled 1 IoCs
Processes: ORDER.exe
description: Key value queried | ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | process: ORDER.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: ORDER.exe
description: PID 1668 set thread context of 3696 | pid: 1668 | process: ORDER.exe | target process: ORDER.exe
-
Drops file in Program Files directory 2 IoCs
Processes: ORDER.exe
description: File created | ioc: C:\Program Files (x86)\AGP Monitor\agpmon.exe | process: ORDER.exe
description: File opened for modification | ioc: C:\Program Files (x86)\AGP Monitor\agpmon.exe | process: ORDER.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe, schtasks.exe, schtasks.exe
pid: 2312 | process: schtasks.exe
pid: 2852 | process: schtasks.exe
pid: 4588 | process: schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: ORDER.exe
pid: 3696 | process: ORDER.exe (6 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: ORDER.exe
pid: 3696 | process: ORDER.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: ORDER.exe
description: Token: SeDebugPrivilege | pid: 3696 | process: ORDER.exe
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes: ORDER.exe, ORDER.exe
description: PID 1668 wrote to memory of 2312 | pid: 1668 | process: ORDER.exe | target process: schtasks.exe (3 entries)
description: PID 1668 wrote to memory of 3696 | pid: 1668 | process: ORDER.exe | target process: ORDER.exe (8 entries)
description: PID 3696 wrote to memory of 2852 | pid: 3696 | process: ORDER.exe | target process: schtasks.exe (3 entries)
description: PID 3696 wrote to memory of 4588 | pid: 3696 | process: ORDER.exe | target process: schtasks.exe (3 entries)
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ORDER.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  -
  (depth 2) C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZTESxFWol" /XML "C:\Users\Admin\AppData\Local\Temp\tmp17FC.tmp"
    - Creates scheduled task(s)
  -
  (depth 2) C:\Users\Admin\AppData\Local\Temp\ORDER.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    (depth 3) C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "AGP Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B48.tmp"
      - Creates scheduled task(s)
    -
    (depth 3) C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "AGP Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1B88.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ORDER.exe.log
Filesize: 1KB
MD5: 84e77a587d94307c0ac1357eb4d3d46f
SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691
-
C:\Users\Admin\AppData\Local\Temp\tmp17FC.tmp
Filesize: 1KB
MD5: 676fff0f2934141949fa844c0f73e3d5
SHA1: 6414bf8624c7e423e9eaa89431fa09159d91c9ef
SHA256: efa08b0ad9a60aa0e9f67778e5fa8e91a5c73f0c907c3514e25efef57fe51090
SHA512: f1378d0b86cb47959f722e109bf188f02aa5038f70dce194d650773a06a8c55d679de267a8f4b5242de6e3cc179e96d941c70ab3ad79251e892487240b3a262d
-
C:\Users\Admin\AppData\Local\Temp\tmp1B48.tmp
Filesize: 1KB
MD5: 43afabe24a830af0444dc1771f5dc45f
SHA1: 48e33244666c4af62976f78be645861c54cbaf2e
SHA256: 0a330374229af71528e246356cfdc21bad94f4a7b4a2fb9b967ccb047fc89fd3
SHA512: aad08996947de90113af8b0893134dd14c7d4b7369db7119eacc927feac79c3fea865a21b1263e95579cdcd5827fed5b50329b2768a7fa7e885ce99db59986a9
-
C:\Users\Admin\AppData\Local\Temp\tmp1B88.tmp
Filesize: 1KB
MD5: 157cd55403665c49c9fd3ca1196c4397
SHA1: 4feed6e606b41bb617274471349582963182756b
SHA256: 49d903f84313feb16bd189c58b6c206f98b05da00ea0da881e2ff0c893b6ba5e
SHA512: bea7e3caa9c37cadd772a6d3ee0d9ed47de6b3e880cd58649be2939cacd00f70d4edc1ad177e432539267bb520094d9cda3f781cdfc69122f3775242321c11b8
-
memory/1668-133-0x00000000059F0000-0x0000000005F94000-memory.dmp
Filesize: 5.6MB
-
memory/1668-135-0x0000000005660000-0x00000000056FC000-memory.dmp
Filesize: 624KB
-
memory/1668-136-0x00000000055D0000-0x00000000055DA000-memory.dmp
Filesize: 40KB
-
memory/1668-134-0x0000000005520000-0x00000000055B2000-memory.dmp
Filesize: 584KB
-
memory/1668-132-0x0000000000AB0000-0x0000000000B8E000-memory.dmp
Filesize: 888KB
-
memory/2312-137-0x0000000000000000-mapping.dmp
-
memory/2852-142-0x0000000000000000-mapping.dmp
-
memory/3696-140-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize: 224KB
-
memory/3696-139-0x0000000000000000-mapping.dmp
-
memory/3696-146-0x0000000006B20000-0x0000000006B86000-memory.dmp
Filesize: 408KB
-
memory/4588-144-0x0000000000000000-mapping.dmp