Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-06-2024 23:26

General

  • Target

    Order#073.exe

  • Size

    212KB

  • MD5

    d6912e3cfb5a944107ab95ffbd9c60b0

  • SHA1

    3c2a33f7f9c2eb50ce4cb4d31edbec5a99d14a90

  • SHA256

    978097862e5a0a1051cf9edb9f6bb2c6399b48ed50bcfb93fc8930fae993f4b3

  • SHA512

    346d7563f20c406ab973ef78ac88c7943e3c6ba88e22dbe99e92d5de4e229e06cbeaa6020c6295f95e9a339dcc066895144d5e3227cfc4589a06d280e923e9a1

  • SSDEEP

    1536:aUR1Ted1IXc+nL76qk5GWGweW/+/XXFTy2gPZMp0wxHSPJ3BXlUgtWa3NMA/:fRled1QL76qlWQVlgBM1HSPH1Ya99/

Score
6/10

Malware Config

Signatures

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 12 IoCs)
  • Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\Order#073.exe
    "C:\Users\Admin\AppData\Local\Temp\Order#073.exe"
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID: 1868
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Users\Admin\AppData\Local\Temp\Order#073.exe"
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      PID: 2012
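The child RegAsm.exe above runs with the parent's command line ("...\Order#073.exe") while the parent shows SetThreadContext, WriteProcessMemory and MapViewOfSection, which is the pattern of a process hollowed into a legitimate .NET host. The script below is an added example, not part of the sandbox report: it transcribes the two process records from the tree and flags exactly that combination. The INJECTION_APIS set, the "mismatch plus two injection APIs" rule and all function names are this example's own choices.

```python
"""Process-tree triage for the hollowing pattern shown in the report above.

Added example: not part of the original sandbox report. The process records
below are transcribed from the Processes section; the INJECTION_APIS set,
the scoring rule and every function name are this example's own choices.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass, field

# Parent-side behaviours the report lists that together implement injection
# into a suspended child (write payload, remap sections, redirect the thread).
INJECTION_APIS = {
    "Suspicious use of SetThreadContext",
    "Suspicious use of WriteProcessMemory",
    "Suspicious behavior: MapViewOfSection",
}


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    signatures: set[str] = field(default_factory=set)
    parent_pid: int | None = None


# Transcribed from the Processes section of the report.
PROCESSES = [
    Proc(1868,
         r"C:\Users\Admin\AppData\Local\Temp\Order#073.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Order#073.exe"',
         {"Suspicious use of NtSetInformationThreadHideFromDebugger",
          "Suspicious use of SetThreadContext",
          "Suspicious behavior: MapViewOfSection",
          "Suspicious use of SetWindowsHookEx",
          "Suspicious use of WriteProcessMemory"}),
    Proc(2012,
         r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\Order#073.exe"',
         {"Adds Run key to start application",
          "Suspicious use of NtSetInformationThreadHideFromDebugger"},
         parent_pid=1868),
]


def argv0(cmdline: str) -> str:
    """Return the program token of a Windows command line (quotes stripped)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def cmdline_mismatch(p: Proc) -> bool:
    """True when the command line names a different executable than the image.

    A hollowed process keeps the command line its creator passed to
    CreateProcess, so RegAsm.exe whose argv[0] is Order#073.exe is the tell.
    """
    return (ntpath.basename(argv0(p.cmdline)).lower()
            != ntpath.basename(p.image).lower())


def hollowing_findings(procs: list[Proc]) -> list[str]:
    """Flag children with a spoofed command line whose parent used injection APIs."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.parent_pid) if p.parent_pid is not None else None
        if parent is None or not cmdline_mismatch(p):
            continue
        apis = sorted(s.split()[-1] for s in parent.signatures & INJECTION_APIS)
        # Rule of this example: mismatch plus at least two injection APIs in
        # the parent is reported as probable process hollowing.
        if len(apis) >= 2:
            findings.append(
                f"PID {p.pid} ({ntpath.basename(p.image)}) runs with command line "
                f"{p.cmdline}, spawned by PID {parent.pid} which used "
                f"{', '.join(apis)}: probable process hollowing")
    return findings


if __name__ == "__main__":
    for line in hollowing_findings(PROCESSES):
        print(line)
```

On a live host the same check can be run against Sysmon event ID 1 (Image vs. CommandLine) joined with the parent's event ID 10 / 8 records; the command-line comparison is cheap and survives renaming of the dropper because it is the child's own image name that is compared.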

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Boot or Logon Autostart Execution (T1547): 1
  • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Modify Registry (T1112): 1

Command and Control
  • Web Service (T1102): 1

Downloads

  • memory/1868-2-0x0000000000280000-0x0000000000290000-memory.dmp
    Filesize

    64KB

  • memory/1868-3-0x00000000771B1000-0x00000000772B2000-memory.dmp
    Filesize

    1.0MB

  • memory/1868-4-0x00000000771B0000-0x0000000077359000-memory.dmp
    Filesize

    1.7MB

  • memory/1868-7-0x0000000000280000-0x0000000000290000-memory.dmp
    Filesize

    64KB

  • memory/1868-8-0x0000000000280000-0x0000000000290000-memory.dmp
    Filesize

    64KB

  • memory/2012-6-0x00000000771B0000-0x0000000077359000-memory.dmp
    Filesize

    1.7MB
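The dump names above encode the PID, the dump sequence number and the virtual address range, which is enough to decide which dump to open first. The script below is an added example, not part of the report: it transcribes the six entries, checks that each address span agrees with the listed Filesize, and separates the range that appears in both PIDs (the same 0x771B0000-0x77359000 span, assumed here to be a shared image mapping) from the 64KB region at 0x280000 that was dumped three times from the parent alone. The naming pattern and both heuristics are this example's own assumptions.

```python
"""Parse the memory-dump names in the Downloads section into triage facts.

Added example, not part of the original report. The dump list is transcribed
from the report; the naming pattern assumed here is
memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, and the heuristics
(repeated single-PID region, range shared across PIDs) are this example's own.
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)

# (file name, Filesize as listed) transcribed from the report's Downloads section.
DUMPS = [
    ("memory/1868-2-0x0000000000280000-0x0000000000290000-memory.dmp", "64KB"),
    ("memory/1868-3-0x00000000771B1000-0x00000000772B2000-memory.dmp", "1.0MB"),
    ("memory/1868-4-0x00000000771B0000-0x0000000077359000-memory.dmp", "1.7MB"),
    ("memory/1868-7-0x0000000000280000-0x0000000000290000-memory.dmp", "64KB"),
    ("memory/1868-8-0x0000000000280000-0x0000000000290000-memory.dmp", "64KB"),
    ("memory/2012-6-0x00000000771B0000-0x0000000077359000-memory.dmp", "1.7MB"),
]


def parse_dump(name: str) -> dict:
    """Split a dump file name into pid, sequence number, address range and span."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Round the way the report's Filesize column does (whole KB, MB to one decimal)."""
    if n < 1024 * 1024:
        return f"{n / 1024:.0f}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def size_mismatches(dumps) -> list:
    """Names whose address span disagrees with the listed Filesize."""
    return [name for name, listed in dumps
            if human_size(parse_dump(name)["size"]) != listed]


def regions_by_pid(dumps) -> dict:
    """Map (pid, start, end) to the sequence numbers at which it was dumped."""
    seen = defaultdict(list)
    for name, _ in dumps:
        d = parse_dump(name)
        seen[(d["pid"], d["start"], d["end"])].append(d["seq"])
    return dict(seen)


def shared_ranges(dumps) -> dict:
    """Address ranges dumped from more than one PID (assumed shared image mappings)."""
    pids = defaultdict(set)
    for (pid, start, end) in regions_by_pid(dumps):
        pids[(start, end)].add(pid)
    return {rng: sorted(p) for rng, p in pids.items() if len(p) > 1}


def payload_candidates(dumps) -> list:
    """Regions dumped repeatedly from one PID and not shared with any other PID.

    A small private region the sandbox keeps re-dumping as it changes is the
    first place to look for the unpacked stage (heuristic of this example).
    """
    shared = shared_ranges(dumps)
    out = []
    for (pid, start, end), seqs in regions_by_pid(dumps).items():
        if len(seqs) > 1 and (start, end) not in shared:
            out.append((pid, start, end, sorted(seqs)))
    return out


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS))
    for (start, end), pids in shared_ranges(DUMPS).items():
        print(f"shared 0x{start:X}-0x{end:X} in PIDs {pids}")
    for pid, start, end, seqs in payload_candidates(DUMPS):
        print(f"candidate payload: PID {pid} 0x{start:X}-0x{end:X}, dumps {seqs}")
```

Checking the listed Filesize against the address span is a cheap way to catch a mis-transcribed hash or range before it is pasted into a case file; here all six agree, and the only repeated private region is the 64KB one at 0x280000 in PID 1868, whose last dump (sequence 8) is the one to load first.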