Analysis

  • max time kernel
    122s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/09/2023, 09:53

General

  • Target

    Order List.exe

  • Size

    601KB

  • MD5

    5f9d08905947d0167b602c711e826ae2

  • SHA1

    7e5319d96b816d2d0ab791e958e01286980bacdd

  • SHA256

    5988f060dbe1ec144bf3cbc913c2c50b2a0aef571965d81b5a6070cd543b617b

  • SHA512

    05f12b137e47598b35694f4d996eff2056b37e2850c2dea646a72824f79d28018014a05bb91ca4560f9c5b0c15708cd3dc584175eaac10dc8cdb286204ed3598

  • SSDEEP

    6144:SgORa6xKTuuuqjL7IMLeSpVlyVvQGtGMq9tpvKuUdXaiVW6C5JOumdinMF6dFWVf:Sgm/SpyV13qNy7d8VOumcJWVkNPSB

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order List.exe
    "C:\Users\Admin\AppData\Local\Temp\Order List.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 552
      2⤵
      • Program crash
      PID:1184

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nso38DE.tmp\System.dll

    Filesize

    12KB

    MD5

    6e55a6e7c3fdbd244042eb15cb1ec739

    SHA1

    070ea80e2192abc42f358d47b276990b5fa285a9

    SHA256

    acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

    SHA512

    2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

  • C:\Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

    Filesize

    7KB

    MD5

    ec9c99216ef11cdd85965e78bc797d2c

    SHA1

    1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c

    SHA256

    c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df

    SHA512

    35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

  • \Users\Admin\AppData\Local\Temp\nso38DE.tmp\System.dll

    Filesize

    12KB

    MD5

    6e55a6e7c3fdbd244042eb15cb1ec739

    SHA1

    070ea80e2192abc42f358d47b276990b5fa285a9

    SHA256

    acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506

    SHA512

    2d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35

  • \Users\Admin\AppData\Local\Temp\nso38DE.tmp\nsExec.dll

    Filesize

    7KB

    MD5

    ec9c99216ef11cdd85965e78bc797d2c

    SHA1

    1d5f93fbf4f8aab8164b109e9e1768e7b80ad88c

    SHA256

    c1b7c3ef8b77a5bb335dc9ec9c3546b249014dde43aa2a9ed719b4d5933741df

    SHA512

    35ff522c4efb3875fce0d6dce438f5225e5f27b414e7c16df88031e90b528c057fe10b4bbf755445c0500c3521e0797f562690aa7209f588169164bbfaceaba1

  • memory/2812-38-0x0000000003850000-0x00000000056FF000-memory.dmp

    Filesize

    30.7MB

  • memory/2812-39-0x0000000003850000-0x00000000056FF000-memory.dmp

    Filesize

    30.7MB