Windows Analysis Report ORDINE + DDT A.M.F SpA.exe

Overview

General Information

Sample Name: ORDINE + DDT A.M.F SpA.exe
Analysis ID: 528460
MD5: f5423b7a89876044078cbb68db883af8
SHA1: 24c550c47d26090f298fea030d7fb890c94737a5
SHA256: 68a315123349444d30fed12643a7be20eb003531a4b95d0db800fb765449037d
Tags: exe, guloader

Detection

GuLoader
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Tries to detect virtualization through RDTSC time measurements
C2 URLs / IPs found in malware configuration
Found potential dummy code loops (likely to delay analysis)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
PE / OLE file has an invalid certificate
Contains functionality to call native functions
Program does not show much activity (idle)
Contains functionality for execution timing, often used to detect debuggers
Abnormally high CPU usage

Classification

AV Detection:

Found malware configuration
Source: 00000000.00000002.770096860.0000000002130000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://fabricraft.co.za/Farmant_hhVNwJna195.bin"}
Multi AV Scanner detection for submitted file
Source: ORDINE + DDT A.M.F SpA.exe Virustotal: Detection: 21%

Compliance:

Uses 32bit PE files
Source: ORDINE + DDT A.M.F SpA.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: https://fabricraft.co.za/Farmant_hhVNwJna195.bin

System Summary:

Sample file is different than original file name gathered from version info
Source: ORDINE + DDT A.M.F SpA.exe, 00000000.00000000.243020310.0000000000426000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameHYDROCHELIDON.exe vs ORDINE + DDT A.M.F SpA.exe
Source: ORDINE + DDT A.M.F SpA.exe Binary or memory string: OriginalFilenameHYDROCHELIDON.exe vs ORDINE + DDT A.M.F SpA.exe
PE file contains strange resources
Source: ORDINE + DDT A.M.F SpA.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Detected potential crypto function
PE / OLE file has an invalid certificate
Source: ORDINE + DDT A.M.F SpA.exe Static PE information: invalid certificate
Contains functionality to call native functions
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_021382FF NtAllocateVirtualMemory, 0_2_021382FF
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02138327 NtAllocateVirtualMemory, 0_2_02138327
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_021383C3 NtAllocateVirtualMemory, 0_2_021383C3
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02138494 NtAllocateVirtualMemory, 0_2_02138494
Abnormally high CPU usage
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Process Stats: CPU usage > 98%
Source: ORDINE + DDT A.M.F SpA.exe Virustotal: Detection: 21%
Source: ORDINE + DDT A.M.F SpA.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe File created: C:\Users\user\AppData\Local\Temp\~DF61EBE6BB9760AAB6.TMP
Source: classification engine Classification label: mal76.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.770096860.0000000002130000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_004078D8 push ds; ret 0_2_004078D9
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_00407B43 push es; ret 0_2_00407B68
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_00409392 push esi; retf 0_2_00409398
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_004083A0 pushad ; ret 0_2_004083A1
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02132A15 push edx; ret 0_2_02132A4C
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02132A4D push edx; ret 0_2_02132A4C
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_021342FC push eax; retn 0010h 0_2_02134835
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_021347F8 push eax; retn 0010h 0_2_02134835
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02131BFE push ss; ret 0_2_02131E0B
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02131CCE push ss; ret 0_2_02131E0B
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_0213AD25 push FFFFFFB9h; retf 0_2_0213AD2A
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_0213AD2D push FFFFFFB9h; retf 0_2_0213AD4C
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02135183 push esp; retf 0_2_02135184
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02131D80 push ss; ret 0_2_02131E0B
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_021329F4 push edx; ret 0_2_02132A4C
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe RDTSC instruction interceptor: First address: 000000000213B377 second address: 000000000213B377 instructions:
    0x00000000 rdtsc
    0x00000002 mov eax, 4AE6A9DEh
    0x00000007 xor eax, 580FDEE5h
    0x0000000c xor eax, 94337E6Fh
    0x00000011 add eax, 7925F6ADh
    0x00000016 cpuid
    0x00000018 popad
    0x00000019 call 00007F3774C71088h
    0x0000001e lfence
    0x00000021 mov edx, B2453275h
    0x00000026 xor edx, 67D05173h
    0x0000002c xor edx, 57570862h
    0x00000032 xor edx, FD3C6B70h
    0x00000038 mov edx, dword ptr [edx]
    0x0000003a lfence
    0x0000003d jmp 00007F3774C710B6h
    0x0000003f test al, bl
    0x00000041 test bl, FFFFFFEBh
    0x00000044 test bh, FFFFFFC1h
    0x00000047 cmp dh, 0000000Eh
    0x0000004a ret
    0x0000004b sub edx, esi
    0x0000004d ret
    0x0000004e add edi, edx
    0x00000050 test ah, ah
    0x00000052 dec dword ptr [ebp+000000F8h]
    0x00000058 cmp dword ptr [ebp+000000F8h], 00000000h
    0x0000005f jne 00007F3774C7106Ah
    0x00000061 call 00007F3774C71105h
    0x00000066 call 00007F3774C710A9h
    0x0000006b lfence
    0x0000006e mov edx, B2453275h
    0x00000073 xor edx, 67D05173h
    0x00000079 xor edx, 57570862h
    0x0000007f xor edx, FD3C6B70h
    0x00000085 mov edx, dword ptr [edx]
    0x00000087 lfence
    0x0000008a jmp 00007F3774C710B6h
    0x0000008c test al, bl
    0x0000008e test bl, FFFFFFEBh
    0x00000091 test bh, FFFFFFC1h
    0x00000094 cmp dh, 0000000Eh
    0x00000097 ret
    0x00000098 mov esi, edx
    0x0000009a pushad
    0x0000009b rdtsc
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_0213B36F rdtsc 0_2_0213B36F

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_0213BE73 mov eax, dword ptr fs:[00000030h] 0_2_0213BE73
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_0213BE7D mov eax, dword ptr fs:[00000030h] 0_2_0213BE7D
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_0213A66D mov eax, dword ptr fs:[00000030h] 0_2_0213A66D
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_021357CF mov eax, dword ptr fs:[00000030h] 0_2_021357CF
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02135802 mov eax, dword ptr fs:[00000030h] 0_2_02135802
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02135822 mov eax, dword ptr fs:[00000030h] 0_2_02135822
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_0213ADAD mov eax, dword ptr fs:[00000030h] 0_2_0213ADAD
Source: C:\Users\user\Desktop\ORDINE + DDT A.M.F SpA.exe Code function: 0_2_02137DAD mov eax, dword ptr fs:[00000030h] 0_2_02137DAD
Source: ORDINE + DDT A.M.F SpA.exe, 00000000.00000002.769516970.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: ORDINE + DDT A.M.F SpA.exe, 00000000.00000002.769516970.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progman
Source: ORDINE + DDT A.M.F SpA.exe, 00000000.00000002.769516970.0000000000C70000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: ORDINE + DDT A.M.F SpA.exe, 00000000.00000002.769516970.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: ORDINE + DDT A.M.F SpA.exe, 00000000.00000002.769516970.0000000000C70000.00000002.00020000.sdmp Binary or memory string: Progmanlock
No contacted IP information