81b7ee55b75f60bbf42484de670154d6a7c182bdfe1181e3a89bb4483dfd6944

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/03/2023, 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rORDERINQUIRY_pdf.exe
Size

249KB
MD5

6682d9d38bbff318f65c39100534f32f
SHA1

6839ee1960631c24f06b927c8f6fb3cbc6a2aa04
SHA256

81b7ee55b75f60bbf42484de670154d6a7c182bdfe1181e3a89bb4483dfd6944
SHA512

437de33ea67954144f855c6b03ca3a2bfd5b7c194d7bb4219518ba1a730fdb8ebd9cba24a86df082ce6f3c98a88cd9904f79c7340f119eaedd20a8074ddbb85f
SSDEEP

6144:/Ya6E8tKKmuHztTgpoMoz6cGpyRlNsjz2peSrheXzaW:/YK8jBJiMpGpyNpeSNeeW

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation	hideggu.exe

Executes dropped EXE 2 IoCs

pid	Process
1764	hideggu.exe
1836	hideggu.exe

Loads dropped DLL 4 IoCs

pid	Process
2040	rORDERINQUIRY_pdf.exe
2040	rORDERINQUIRY_pdf.exe
1764	hideggu.exe
1632	raserver.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 1836	1764	hideggu.exe	29
PID 1836 set thread context of 1244	1836	hideggu.exe	20
PID 1632 set thread context of 1244	1632	raserver.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-3499517378-2376672570-1134980332-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1836	hideggu.exe
1836	hideggu.exe
1836	hideggu.exe
1836	hideggu.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1764	hideggu.exe
1836	hideggu.exe
1836	hideggu.exe
1836	hideggu.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe
1632	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1836	hideggu.exe
Token: SeDebugPrivilege	1632	raserver.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1764	2040	rORDERINQUIRY_pdf.exe	28
PID 2040 wrote to memory of 1764	2040	rORDERINQUIRY_pdf.exe	28
PID 2040 wrote to memory of 1764	2040	rORDERINQUIRY_pdf.exe	28
PID 2040 wrote to memory of 1764	2040	rORDERINQUIRY_pdf.exe	28
PID 1764 wrote to memory of 1836	1764	hideggu.exe	29
PID 1764 wrote to memory of 1836	1764	hideggu.exe	29
PID 1764 wrote to memory of 1836	1764	hideggu.exe	29
PID 1764 wrote to memory of 1836	1764	hideggu.exe	29
PID 1764 wrote to memory of 1836	1764	hideggu.exe	29
PID 1244 wrote to memory of 1632	1244	Explorer.EXE	30
PID 1244 wrote to memory of 1632	1244	Explorer.EXE	30
PID 1244 wrote to memory of 1632	1244	Explorer.EXE	30
PID 1244 wrote to memory of 1632	1244	Explorer.EXE	30
PID 1632 wrote to memory of 1924	1632	raserver.exe	33
PID 1632 wrote to memory of 1924	1632	raserver.exe	33
PID 1632 wrote to memory of 1924	1632	raserver.exe	33
PID 1632 wrote to memory of 1924	1632	raserver.exe	33
PID 1632 wrote to memory of 1924	1632	raserver.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\rORDERINQUIRY_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\rORDERINQUIRY_pdf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\hideggu.exe
    "C:\Users\Admin\AppData\Local\Temp\hideggu.exe" C:\Users\Admin\AppData\Local\Temp\dxzojyuyzr.tc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Users\Admin\AppData\Local\Temp\hideggu.exe
      "C:\Users\Admin\AppData\Local\Temp\hideggu.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1836
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dxzojyuyzr.tc

Filesize
5KB

MD5
b4d217d48719de23cda70c0d6092eac3

SHA1
e8ae7fc69a1f8f13e84a1481d42248337ba9cf0d

SHA256
fa0fdbfe1586bea95a6d6ead2c7ea73d1a3b399e06dc2c7e35b4eb7b5f69dcda

SHA512
ff9deef257676a9aafd7ed3592eaa7107eb4bea568a8f278c3c199a649c8744ee408422f1f43d19ea5cf3a16bac7bded6ed7a43415cd54039e15626e89d9ddf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\exttqpyx.zip

Filesize
474KB

MD5
af10a982a2ef91c9787106eea1a0cc4a

SHA1
00435a36f5e6059287cde2cebb2882669cdba3a5

SHA256
e028068b067e5e60fa5680b0bafa48a31287b6d614ee0b92df51cce23b974099

SHA512
73d0d3034405527798b854dc33fc608c7ccf0af1689e139af4bbb5a5324dc0748bdc2bf632468745920dc7be4eb7f0240d3cf1b5872d3f5c0c897725db78bf9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hideggu.exe

Filesize
7KB

MD5
cb776f77add469dba201d11fc9560ea6

SHA1
2d966017ffed19d4e79f8147d067ddd075fec9a6

SHA256
b7bd0f6e737e281c3f9aebfc16d20911fd5bc7aa8d3febfccfedfda8dcbe0aba

SHA512
26300d0d4bc2c153ea8ac12994d4a18919b970792abe434fa1e244daf1f35e91c3ba4fee0709cc532e4cf2141ceb1b724eaf25d3822d8169050cb1f01f0d03a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hideggu.exe

Filesize
7KB

MD5
cb776f77add469dba201d11fc9560ea6

SHA1
2d966017ffed19d4e79f8147d067ddd075fec9a6

SHA256
b7bd0f6e737e281c3f9aebfc16d20911fd5bc7aa8d3febfccfedfda8dcbe0aba

SHA512
26300d0d4bc2c153ea8ac12994d4a18919b970792abe434fa1e244daf1f35e91c3ba4fee0709cc532e4cf2141ceb1b724eaf25d3822d8169050cb1f01f0d03a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hideggu.exe

Filesize
7KB

MD5
cb776f77add469dba201d11fc9560ea6

SHA1
2d966017ffed19d4e79f8147d067ddd075fec9a6

SHA256
b7bd0f6e737e281c3f9aebfc16d20911fd5bc7aa8d3febfccfedfda8dcbe0aba

SHA512
26300d0d4bc2c153ea8ac12994d4a18919b970792abe434fa1e244daf1f35e91c3ba4fee0709cc532e4cf2141ceb1b724eaf25d3822d8169050cb1f01f0d03a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\hideggu.exe

Filesize
7KB

MD5
cb776f77add469dba201d11fc9560ea6

SHA1
2d966017ffed19d4e79f8147d067ddd075fec9a6

SHA256
b7bd0f6e737e281c3f9aebfc16d20911fd5bc7aa8d3febfccfedfda8dcbe0aba

SHA512
26300d0d4bc2c153ea8ac12994d4a18919b970792abe434fa1e244daf1f35e91c3ba4fee0709cc532e4cf2141ceb1b724eaf25d3822d8169050cb1f01f0d03a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyxddusbnfv.z

Filesize
205KB

MD5
7498d8b5f41dad6ad960e742139029ba

SHA1
edbf0917f1cc95fa22ba9c2f3dfda88cade30b2a

SHA256
67bb593b1751750a58237d79d04fd0a7a796bdf634fb9e094a8a9fe05180d9fd

SHA512
161d16ff7cd4043401f466ce02a9f2c875be3a204f8ca6f44e833d47650e2dee66a285f53526931bc73e4818492532365361fdbb32c5d6d7fc5a712d4929e5e7

Download Submit
\Users\Admin\AppData\Local\Temp\hideggu.exe

Filesize
7KB

MD5
cb776f77add469dba201d11fc9560ea6

SHA1
2d966017ffed19d4e79f8147d067ddd075fec9a6

SHA256
b7bd0f6e737e281c3f9aebfc16d20911fd5bc7aa8d3febfccfedfda8dcbe0aba

SHA512
26300d0d4bc2c153ea8ac12994d4a18919b970792abe434fa1e244daf1f35e91c3ba4fee0709cc532e4cf2141ceb1b724eaf25d3822d8169050cb1f01f0d03a3

Download Submit
\Users\Admin\AppData\Local\Temp\hideggu.exe

Filesize
7KB

MD5
cb776f77add469dba201d11fc9560ea6

SHA1
2d966017ffed19d4e79f8147d067ddd075fec9a6

SHA256
b7bd0f6e737e281c3f9aebfc16d20911fd5bc7aa8d3febfccfedfda8dcbe0aba

SHA512
26300d0d4bc2c153ea8ac12994d4a18919b970792abe434fa1e244daf1f35e91c3ba4fee0709cc532e4cf2141ceb1b724eaf25d3822d8169050cb1f01f0d03a3

Download Submit
\Users\Admin\AppData\Local\Temp\hideggu.exe

Filesize
7KB

MD5
cb776f77add469dba201d11fc9560ea6

SHA1
2d966017ffed19d4e79f8147d067ddd075fec9a6

SHA256
b7bd0f6e737e281c3f9aebfc16d20911fd5bc7aa8d3febfccfedfda8dcbe0aba

SHA512
26300d0d4bc2c153ea8ac12994d4a18919b970792abe434fa1e244daf1f35e91c3ba4fee0709cc532e4cf2141ceb1b724eaf25d3822d8169050cb1f01f0d03a3

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
904KB

MD5
5e5ba61531d74e45b11cadb79e7394a1

SHA1
677224e14aac9dd35f367d5eb1704b36e69356b8

SHA256
99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

SHA512
712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

Download Submit
memory/1244-83-0x0000000003D90000-0x0000000003F90000-memory.dmp

Filesize
2.0MB

Download
memory/1244-73-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1244-88-0x0000000004C80000-0x0000000004D3E000-memory.dmp

Filesize
760KB

Download
memory/1244-86-0x0000000004C80000-0x0000000004D3E000-memory.dmp

Filesize
760KB

Download
memory/1244-77-0x0000000004210000-0x00000000042FA000-memory.dmp

Filesize
936KB

Download
memory/1632-78-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/1632-79-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/1632-80-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1632-81-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1632-82-0x0000000001FD0000-0x00000000022D3000-memory.dmp

Filesize
3.0MB

Download
memory/1632-85-0x0000000000540000-0x00000000005CF000-memory.dmp

Filesize
572KB

Download
memory/1632-130-0x0000000061E00000-0x0000000061ECE000-memory.dmp

Filesize
824KB

Download
memory/1836-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-76-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1836-75-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/1836-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1836-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download