Analysis
- max time kernel: 145s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 23:26

Static task
- static1: 1 signatures

Behavioral task
- behavioral1
  - Sample: Order#073.exe
  - Resource: win7-20240508-en
  - 7 signatures, 150 seconds

Behavioral task
- behavioral2
  - Sample: Order#073.exe
  - Resource: win10v2004-20240226-en
  - 9 signatures, 150 seconds
General
- Target: Order#073.exe
- Size: 212KB
- MD5: d6912e3cfb5a944107ab95ffbd9c60b0
- SHA1: 3c2a33f7f9c2eb50ce4cb4d31edbec5a99d14a90
- SHA256: 978097862e5a0a1051cf9edb9f6bb2c6399b48ed50bcfb93fc8930fae993f4b3
- SHA512: 346d7563f20c406ab973ef78ac88c7943e3c6ba88e22dbe99e92d5de4e229e06cbeaa6020c6295f95e9a339dcc066895144d5e3227cfc4589a06d280e923e9a1
- SSDEEP: 1536:aUR1Ted1IXc+nL76qk5GWGweW/+/XXFTy2gPZMp0wxHSPJ3BXlUgtWa3NMA/:fRled1QL76qlWQVlgBM1HSPH1Ya99/
- Score: 6/10
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description / ioc / process):
  - Set value (str) / \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BUNDFLDEDE = "C:\\Users\\Admin\\HALV\\TARMREN.exe" / RegAsm.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 12 IoCs)
  Network flows (flow / ioc):
  - 17 / drive.google.com
  - 18 / drive.google.com
  - 19 / drive.google.com
  - 9 / drive.google.com
  - 10 / drive.google.com
  - 15 / drive.google.com
  - 11 / drive.google.com
  - 13 / drive.google.com
  - 14 / drive.google.com
  - 3 / drive.google.com
  - 6 / drive.google.com
  - 7 / drive.google.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes (pid / process):
  - 1868 / Order#073.exe
  - 2012 / RegAsm.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1868 set thread context of 2012 / 1868 / Order#073.exe / RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid / process):
  - 1868 / Order#073.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 1868 / Order#073.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process), 8 identical entries:
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
  - PID 1868 wrote to memory of 2012 / 1868 / Order#073.exe / RegAsm.exe
Processes (tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\Order#073.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order#073.exe"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order#073.exe"
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (memory dumps)
- memory/1868-2-0x0000000000280000-0x0000000000290000-memory.dmp (Filesize: 64KB)
- memory/1868-3-0x00000000771B1000-0x00000000772B2000-memory.dmp (Filesize: 1.0MB)
- memory/1868-4-0x00000000771B0000-0x0000000077359000-memory.dmp (Filesize: 1.7MB)
- memory/1868-7-0x0000000000280000-0x0000000000290000-memory.dmp (Filesize: 64KB)
- memory/1868-8-0x0000000000280000-0x0000000000290000-memory.dmp (Filesize: 64KB)
- memory/2012-6-0x00000000771B0000-0x0000000077359000-memory.dmp (Filesize: 1.7MB)