c3be16e52a0fd48ac7a64b992dbdc6566c5e6d523466c91cce1109c20d64fc6e

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Order.exe
Size

747KB
MD5

c0bed465b5df10e26d58f8dbba87a7e6
SHA1

49611ce1c8a200ac404c7cae77d81702d64192eb
SHA256

c3be16e52a0fd48ac7a64b992dbdc6566c5e6d523466c91cce1109c20d64fc6e
SHA512

751f3b2a4079dcbb00045effa35cac0c156a554d809800ef6b96b213a24cecb10b77b0ed562a6e62e4b27a4b992d67fc1792de9767e9262be95153a1731a22a5
SSDEEP

12288:dT58++c2/p0FdmxxSK1qwQWkOvdK9k7Yk13QpWm0KFymle/+bO3Y9M4X92C:dT58+86wxx51f0kNKFLUmbOltC

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2312	New Order.exe
2312	New Order.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1968	2312	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Order.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1968	2312	New Order.exe	30
PID 2312 wrote to memory of 1968	2312	New Order.exe	30
PID 2312 wrote to memory of 1968	2312	New Order.exe	30
PID 2312 wrote to memory of 1968	2312	New Order.exe	30

C:\Users\Admin\AppData\Local\Temp\New Order.exe
"C:\Users\Admin\AppData\Local\Temp\New Order.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 532
  2⤵
  - Program crash
  PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nstA269.tmp\System.dll

Filesize
12KB

MD5
d968cb2b98b83c03a9f02dd9b8df97dc

SHA1
d784c9b7a92dce58a5038beb62a48ff509e166a0

SHA256
a4ec98011ef99e595912718c1a1bf1aa67bfc2192575729d42f559d01f67b95c

SHA512
2ee41dc68f329a1519a8073ece7d746c9f3bf45d8ef3b915deb376af37e26074134af5f83c8af0fe0ab227f0d1acca9f37e5ca7ae37c46c3bcc0331fe5e2b97e

Download Submit