b8b0e1b5106516278698d904604494bdb1c7a41d60fb1787c99b8c06d5aa06b1

Analysis

max time kernel
30s
max time network
16s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 08:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

New Order 01.exe
Size

1.2MB
MD5

8b4dd7361f14f8976387a44bb9bc846b
SHA1

9bb7febab49e75e8234718806c94513ce149d79a
SHA256

ae7d55977f010445b83b1eb544c65afe7cbd14e49ce0e47ea9939c7f010f214e
SHA512

ce0c2f0801d750d62ef7b63ecdef3ee960407bd4c4e055b73568ae9ad73ab499f16c096940fafb65acb123489d88289c00e0eba794c82714b8109b74da7dd298
SSDEEP

24576:LAHnh+eWsN3skA4RV1Hom2KXMmHahgURDzjXmHbmb0O5:mh+ZkldoPK8YahzRD0uh

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2700 set thread context of 1520	2700	New Order 01.exe	89

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3100	1520	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Order 01.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2700	New Order 01.exe
2700	New Order 01.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2700	New Order 01.exe
2700	New Order 01.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2700	New Order 01.exe
2700	New Order 01.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 1520	2700	New Order 01.exe	89
PID 2700 wrote to memory of 1520	2700	New Order 01.exe	89
PID 2700 wrote to memory of 1520	2700	New Order 01.exe	89
PID 2700 wrote to memory of 1520	2700	New Order 01.exe	89

C:\Users\Admin\AppData\Local\Temp\New Order 01.exe
"C:\Users\Admin\AppData\Local\Temp\New Order 01.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\New Order 01.exe"
  2⤵
  PID:1520
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 196
    3⤵
    - Program crash
    PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1520 -ip 1520
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\aut7148.tmp

Filesize
282KB

MD5
c25908ee46c66fc5a2488a3c62e8f8b8

SHA1
711d24f396e0dd1f51d5b98cb35c3e89e4040c49

SHA256
983305dfc1e061e188bf239a02c57146f179c0f8f41b359a60dd182a6012719d

SHA512
a77da3994c8469e4f2f5f242da0bc7ba36d02ecf371c7b1d351a38ee09fa4fc4aa6e21d7efa1ca802ac6cee5cb8192d1fb7189d892d408d921f2fe2543e49675

Download Submit
memory/1520-14-0x0000000000420000-0x0000000000467000-memory.dmp

Filesize
284KB

Download
memory/2700-13-0x0000000000F60000-0x0000000000F64000-memory.dmp

Filesize
16KB

Download