5557fd8f7a386a10f8f20cb2059f514e3fbe81cc4d03f3d36a4da7084e008b1b

Analysis

max time kernel
33s
max time network
136s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13-02-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order Confirmation 202311028.exe
Size

615KB
MD5

f044ecbe7061c181c782ad9406113b0b
SHA1

f482fe9341d6e040a563ba0f429c165840bb48a0
SHA256

5d361031b16736fe2a96b8907d2a33d28e40aca2587f74eb4d92482ce4e68118
SHA512

b1762af153a87a9271c2bcaebd5894c336041b8af9b9fa2e1259aeeabfe63221f8d347b72b593d41bf6a1efeb53c856bc322ba0ee8f12faa16bae051d32b9229
SSDEEP

12288:wop/kb5q37+1/GygOiDFG+JudHPqd1tm8e7wsR9UOR3D64ho2:wou4/ygOYFG+qid1Y8e7wQ9phm2

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2964	New Order Confirmation 202311028.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder1\\Gaussfilterbredde.exe"	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2964	New Order Confirmation 202311028.exe
2856	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2964 set thread context of 2856	2964	New Order Confirmation 202311028.exe	29

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\filmslide\windowful.lnk	New Order Confirmation 202311028.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2964	New Order Confirmation 202311028.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2856	2964	New Order Confirmation 202311028.exe	29
PID 2964 wrote to memory of 2856	2964	New Order Confirmation 202311028.exe	29
PID 2964 wrote to memory of 2856	2964	New Order Confirmation 202311028.exe	29
PID 2964 wrote to memory of 2856	2964	New Order Confirmation 202311028.exe	29
PID 2964 wrote to memory of 2856	2964	New Order Confirmation 202311028.exe	29
PID 2964 wrote to memory of 2856	2964	New Order Confirmation 202311028.exe	29

C:\Users\Admin\AppData\Local\Temp\New Order Confirmation 202311028.exe
"C:\Users\Admin\AppData\Local\Temp\New Order Confirmation 202311028.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files (x86)\windows mail\wab.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order Confirmation 202311028.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
144B

MD5
b2e62fc0cce1922c383a524f8d0e5eac

SHA1
36ca5cae90e780ba7ac77e65d2aff4ce9294fc3c

SHA256
a7945eabd0599f859d466c6a8f2577814c7439429a0ba73d460cebaac79a6f46

SHA512
e31eaa48745cc8118ad1126831f6d134e049ce345a49b4de25cd0ebcb2ccf1dc6f3a0138da66233b2f4121dff8b0692cd50a0a7002afcbb053c1984a6f84c82a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1d10e4e1366967277bbdae831ef2143

SHA1
94f3e78e8490b1ebc4effdaa264fc4674b73e190

SHA256
4daec155c9edf727815d346f074af3f5036339edc52e00f0b709cdc828441384

SHA512
8409740bc8b311f0d3efeb60059d5c39e228edc32672ffc5d35a64ed0e39bbb526672013c025291c6b30ea63979b279642b3affe817aa4bf51342d36fcbadaef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9002.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9091.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\nst1161.tmp\System.dll

Filesize
11KB

MD5
3f176d1ee13b0d7d6bd92e1c7a0b9bae

SHA1
fe582246792774c2c9dd15639ffa0aca90d6fd0b

SHA256
fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e

SHA512
0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6

Download Submit
memory/2856-151-0x0000000077B50000-0x0000000077CF9000-memory.dmp

Filesize
1.7MB

Download
memory/2856-135-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-26-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-126-0x0000000077D40000-0x0000000077E16000-memory.dmp

Filesize
856KB

Download
memory/2856-124-0x0000000002020000-0x0000000007AC6000-memory.dmp

Filesize
90.6MB

Download
memory/2856-128-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-127-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-129-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-130-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-131-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-132-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-133-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-134-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-155-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-136-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-137-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-138-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-139-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-140-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-141-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-142-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-143-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-144-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-145-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-146-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-147-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-148-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-149-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-150-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-23-0x0000000077D76000-0x0000000077D77000-memory.dmp

Filesize
4KB

Download
memory/2856-156-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-153-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-160-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-24-0x0000000077D40000-0x0000000077E16000-memory.dmp

Filesize
856KB

Download
memory/2856-152-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-157-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-159-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-154-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-161-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-162-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-163-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-164-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-165-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-166-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-167-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-168-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-169-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-170-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-171-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-172-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-173-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-174-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-175-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-176-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-178-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-179-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-180-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-181-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-182-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-184-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-185-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-186-0x0000000000FB0000-0x0000000002012000-memory.dmp

Filesize
16.4MB

Download
memory/2856-22-0x0000000077B50000-0x0000000077CF9000-memory.dmp

Filesize
1.7MB

Download
memory/2964-19-0x0000000077B50000-0x0000000077CF9000-memory.dmp

Filesize
1.7MB

Download
memory/2964-20-0x0000000077D40000-0x0000000077E16000-memory.dmp

Filesize
856KB

Download
memory/2964-21-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads