Analysis
-
max time kernel
146s
-
max time network
150s
-
platform
windows7_x64
-
resource
win7-20220812-en
-
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted
19-12-2022 08:55
Static task
static1
Behavioral task
behavioral1
Sample
Order.exe
Resource
win7-20220812-en
General
-
Target
Order.exe
-
Size
275KB
-
MD5
40c08389f9b3ac964f7a1188f51dfb7b
-
SHA1
05b6fb387f69441d4107227d361d3b8ffef821dd
-
SHA256
426072e14b14fa10a6bf93d53c6bc17ab8d6c0871411dfece93bc765fd7d55ef
-
SHA512
e42e4cee19cfd90c0fee5ca6ee9425cc257524a1c4de02f94a2b01bbb99679c8794c981eec61f743afa0e8afe5bb744299033695f71fede7b6e753f97e17cbf6
-
SSDEEP
6144:Lkwtd2QvDC3Wol85o0Fv7UbxoNdyY5A0UHpMV1s3CvPqPY551P:bAQvGWouCaUbU+pMQSncY5b
Malware Config
Extracted
formbook
scse
SKpYFyVNT2zunKf0uuM=
FlEHUseI7I5XbrO8fR/XBcS9ZA==
FPuxoUOxkLiATugw
VKdxsDSk0jdT5Kw=
FpqHf9iI/1tl97E=
YGI6sIl3UIxfZvlD+JiUuuLR
oBAEO0suBEAD5aK00A==
RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==
VFg9s3W0/Ype8A3cZb+D7g==
hwD+VNd6014nrsaTWm4FBcS9ZA==
zkAdUq1soKYUfZaTqLmL
XVQ9WbRivUIQ477a/hKv+g==
QireF2geizAwmp674AGc5g==
PSTUQxs6j8OATugw
LHJhyy2VbX8NEqf0uuM=
MiY1vg6T3HqATugw
wqkUjaVXnGgBqA==
jUr/eUtSIT01Wegt
PjQidcqKzAbSZICUZb+D7g==
OkAmcv12sUEAIHwFHakzdIo2FPHw
zyDLsw+3I3H6gnaGZb+D7g==
ll0HRs5IJGxCZMJPahHgOt2RqjU=
YqaIEokHuw6V
jGJG11YCObJ+IQIXCW8KU+ZcbA==
jv4ITr8zITdT5Kw=
nXYro3yHe5YV5aK00A==
rJt1IPkxeQDUayhVCJyUuuLR
oFwz1DUU/RdD5aK00A==
FHlVTKEVIRFE5aK00A==
8GhjL2lJOWD+5aK00A==
k3BLouunGsagwhAi6oeUuuLR
p45GiQN5bZMjR9karDwDa442FPHw
Zdd7rVCKu/b3TIVU6t/lP92RqjU=
wyjxGjYHuw6V
nW5RrwV6yTdT5Kw=
itzGDGclWW4SqnLBSWH5Pt2RqjU=
8zwgceJYRWn+DKf0uuM=
EmojFmj027tsHrs=
ExQEPY5UyyS00HPvNNCH8w==
laiGCZRTkbg/XAl/Zb+D7g==
wYQysWBl+DdT5Kw=
MWo3rYV3XoAJ5aK00A==
hnht0SrcDR+XpjV6H6WUuuLR
rxqw6S7qG8A=
aEcfph/RAUAcfZYnXOw=
EXdVkuuzJ8eEjkTROs2D
MDYsc8l6w0wM7ZOiyQ==
Rw3XPwT+8UID5aK00A==
zDPp+Pskft/5iqS+0Q==
Z8h8hYCm/ULHXQ+YY2kJBcS9ZA==
vTDkm31vabx5EfoFMjLsVpBlz+fQfg==
+EcrRpZyp7tFba65dhvXBcS9ZA==
rHVJpwl6dLSATugw
gUoTghFSoTMpiXyQe9N3uOjQ
47Zwn/CkFQCty07ROs2D
NYkP+jcHuw6V
nfvdFnkHuw6V
L4piRRhAmfwGKITjemhRkmQ=
s6Jdx36Q+t5U7LE=
58iYH6dVmzYCnHZ/Zb+D7g==
IQ/WHZJWuVUD5aK00A==
Cf6t72PUxhnicjvBiFxqP0o2FPHw
DQr7l4R4rlEJ5aK00A==
62gezKeQv8mIIBbcZb+D7g==
kmuregister.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid process
576 sschk.exe
1480 sschk.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description ioc process
Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation sschk.exe
-
Loads dropped DLL 4 IoCs
Processes:
pid process
1564 Order.exe
1564 Order.exe
576 sschk.exe
1128 netsh.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description ioc process
Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\mvjsvq = "C:\\Users\\Admin\\AppData\\Roaming\\xlmtj\\wjiewrepiqsc.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\sschk.exe\" C:\\Users\\Admin\\AppData\\Local\\T" sschk.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description pid process target process
PID 576 set thread context of 1480 576 sschk.exe sschk.exe
PID 1480 set thread context of 1376 1480 sschk.exe Explorer.EXE
PID 1128 set thread context of 1376 1128 netsh.exe Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings
Processes:
description ioc process
Key created \Registry\User\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 netsh.exe
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
Processes:
pid process
1480 sschk.exe
1480 sschk.exe
1480 sschk.exe
1480 sschk.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
-
Suspicious behavior: MapViewOfSection 8 IoCs
Processes:
pid process
576 sschk.exe
1480 sschk.exe
1480 sschk.exe
1480 sschk.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
1128 netsh.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1480 sschk.exe
Token: SeDebugPrivilege 1128 netsh.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid process
1376 Explorer.EXE
1376 Explorer.EXE
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid process
1376 Explorer.EXE
1376 Explorer.EXE
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description pid process target process
PID 1564 wrote to memory of 576 1564 Order.exe sschk.exe
PID 1564 wrote to memory of 576 1564 Order.exe sschk.exe
PID 1564 wrote to memory of 576 1564 Order.exe sschk.exe
PID 1564 wrote to memory of 576 1564 Order.exe sschk.exe
PID 576 wrote to memory of 1480 576 sschk.exe sschk.exe
PID 576 wrote to memory of 1480 576 sschk.exe sschk.exe
PID 576 wrote to memory of 1480 576 sschk.exe sschk.exe
PID 576 wrote to memory of 1480 576 sschk.exe sschk.exe
PID 576 wrote to memory of 1480 576 sschk.exe sschk.exe
PID 1376 wrote to memory of 1128 1376 Explorer.EXE netsh.exe
PID 1376 wrote to memory of 1128 1376 Explorer.EXE netsh.exe
PID 1376 wrote to memory of 1128 1376 Explorer.EXE netsh.exe
PID 1376 wrote to memory of 1128 1376 Explorer.EXE netsh.exe
PID 1128 wrote to memory of 1212 1128 netsh.exe Firefox.exe
PID 1128 wrote to memory of 1212 1128 netsh.exe Firefox.exe
PID 1128 wrote to memory of 1212 1128 netsh.exe Firefox.exe
PID 1128 wrote to memory of 1212 1128 netsh.exe Firefox.exe
PID 1128 wrote to memory of 1212 1128 netsh.exe Firefox.exe
Processes
-
C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Order.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\Order.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sschk.exe (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\sschk.exe" C:\Users\Admin\AppData\Local\Temp\uqmpszrescr.mh
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\sschk.exe (depth 4)
Command line: "C:\Users\Admin\AppData\Local\Temp\sschk.exe"
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exe (depth 2)
Command line: "C:\Windows\SysWOW64\netsh.exe"
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\Firefox.exe (depth 3)
Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\sschk.exe
Filesize
128KB
MD5
d5711c7dd676247b08e5d6bcfa3163e4
SHA1
3b6255b87b2067a2022fa3049faf52609e884797
SHA256
e736927372d65401306e5deda3e516c24a1f52641862034847218d3923993ed3
SHA512
eef729152468f88a969f5c752d8ba0b20f3881d3d99696488463e54aa27f6351a55f956bccb7f5555ca2d5da1a8037d23e8c144d5280cee8f4d39b4b72cea4d4
-
C:\Users\Admin\AppData\Local\Temp\tllavf.j
Filesize
184KB
MD5
64e026b55299735b9db1af520d95c567
SHA1
7eee907d5dbd2200ecddcc83082344780a06cebb
SHA256
68a579dd70b4f44a3f974c22473798f9781bc1d2761e53d9c4f98580d6e6763d
SHA512
a5a4eb133ae8548d1c66bec32993df5ee90c650dd653c817b028a00212e3ac1801cd925831273baeb0e72371361bf8dad91dd1379acfe2b3f924b4b4d58cd2a9
-
C:\Users\Admin\AppData\Local\Temp\uqmpszrescr.mh
Filesize
7KB
MD5
792469c8fa02e0eea0ba2bb71fd99ea8
SHA1
dfea8de272b9e88a5a4135cb5e4cc6fc1dd95c47
SHA256
b56c9f242715c82598af57710034a20d51991b265269a4e73826d1c37e3bf66f
SHA512
338d582d394bfbe76fa8c5cb5050892eff81c8869fc4a5d272ebc8f8ce9405bd9f7b930d73d73a2dc5a8652021db1a67e339b71ad6f167a5b60f7a59ac5b58d2
-
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
922KB
MD5
dda1b03a5cd2ca37c96b7daf5e3a8ed7
SHA1
c70e5f58e61980d39608f0795879bf012dbbbca2
SHA256
79f86c1edbbc69652a03a0f5667b3985bcf1e19f16fa3b8c7934e5b97ab8586d
SHA512
bf83648c9b5d6d65b2c8409d262a1b7421d2cb13d6c759ec5f352c2d1c5adff3ee2395250fbdfe3590f25fe96bf6b40c2d82a8e7eecaab03be2e6a398e83981f
-
\Users\Admin\AppData\Local\Temp\sschk.exe
Filesize
128KB
MD5
d5711c7dd676247b08e5d6bcfa3163e4
SHA1
3b6255b87b2067a2022fa3049faf52609e884797
SHA256
e736927372d65401306e5deda3e516c24a1f52641862034847218d3923993ed3
SHA512
eef729152468f88a969f5c752d8ba0b20f3881d3d99696488463e54aa27f6351a55f956bccb7f5555ca2d5da1a8037d23e8c144d5280cee8f4d39b4b72cea4d4
-
memory/576-57-0x0000000000000000-mapping.dmp
-
memory/1128-74-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize
180KB
-
memory/1128-75-0x0000000000B30000-0x0000000000E33000-memory.dmp
Filesize
3.0MB
-
memory/1128-78-0x0000000000080000-0x00000000000AD000-memory.dmp
Filesize
180KB
-
memory/1128-76-0x00000000009A0000-0x0000000000A2F000-memory.dmp
Filesize
572KB
-
memory/1128-73-0x00000000015A0000-0x00000000015BB000-memory.dmp
Filesize
108KB
-
memory/1128-72-0x0000000000000000-mapping.dmp
-
memory/1376-71-0x0000000004A50000-0x0000000004B54000-memory.dmp
Filesize
1.0MB
-
memory/1376-77-0x0000000006C90000-0x0000000006E00000-memory.dmp
Filesize
1.4MB
-
memory/1376-80-0x0000000006C90000-0x0000000006E00000-memory.dmp
Filesize
1.4MB
-
memory/1480-70-0x0000000000070000-0x0000000000080000-memory.dmp
Filesize
64KB
-
memory/1480-69-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize
8KB
-
memory/1480-66-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize
184KB
-
memory/1480-68-0x0000000000810000-0x0000000000B13000-memory.dmp
Filesize
3.0MB
-
memory/1480-67-0x0000000000401000-0x000000000042E000-memory.dmp
Filesize
180KB
-
memory/1480-64-0x00000000004012B0-mapping.dmp
-
memory/1564-54-0x0000000075FB1000-0x0000000075FB3000-memory.dmp
Filesize
8KB