Analysis
- max time kernel: 145s
- max time network: 140s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 25-11-2020 17:12
Static task: static1
Behavioral task: behavioral1
- Sample: Orcdpfi_Signed_.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: Orcdpfi_Signed_.exe
- Resource: win10v20201028
General
- Target: Orcdpfi_Signed_.exe
- Size: 2.2MB
- MD5: fe5446b7bad5ccddc411dd35a9607d77
- SHA1: 1c487b3d275a1e931cb3d10bd9a345a09dc35340
- SHA256: 1e91dc39314361fd45321a8adc28435467ad1167ee0cc646f77946b522b9efe3
- SHA512: 803bb99fa256d1e932993f6f671d22bf927e0e6fa3ad412401cb52542775c8370f7d3f4a4a74d1e8f89b7642882e0bd0c0d3392af834421cd835d2f333953e9a
Malware Config
Extracted family: formbook
URL: http://www.joomlas123.info/n7ak/
Domains:
audereventur.com
huro14.com
wwwjinsha155.com
antiquevendor.com
samuraisoulfood.net
traffic4updates.download
hypersarv.com
rapport-happy-wedding.com
rokutechnosupport.online
allworljob.com
hanaleedossmann.com
kauai-marathon.com
bepbosch.com
kangen-international.com
zoneshopemenowz.com
belviderewrestling.com
ipllink.com
sellingforcreators.com
wwwswty6655.com
qtumboa.com
bazarmoney.net
librosdecienciaficcion.com
shopmomsthebomb.com
vanjacob.com
tgyaa.com
theporncollective.net
hydrabadproperties.com
brindesecologicos.com
sayagayrimenkul.net
4btoken.com
shycedu.com
overall789.top
maison-pierre-bayle.com
elitemediamasters.com
sharmasfabrics.com
hoshamp.com
myultimateleadgenerator.com
office4u.info
thaimart1.com
ultimatewindowusa.com
twoblazesartworks.com
airteloffer.com
shoupaizhao.com
741dakotadr.info
books4arab.net
artedelcioccolato.biz
tjqcu.info
teccoop.net
maturebridesdressguide.com
excelcapfunding.com
bitcoinak.com
profileorderflow.com
unbelievabowboutique.com
midlandshomesolutionsltd.com
healthywithhook.com
stirlingpiper.com
manfast.online
arikorin.com
texastrustedinsurance.com
moodandmystery.com
yh77808.com
s-immotanger.com
runzexd.com
meteoannecy.net
Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Formbook Payload (3 IoCs)
- resource: behavioral2/memory/1192-4-0x0000000010410000-0x000000001043D000-memory.dmp | yara_rule: formbook
- resource: behavioral2/memory/1100-6-0x0000000000000000-mapping.dmp | yara_rule: formbook
- resource: behavioral2/memory/832-8-0x0000000000000000-mapping.dmp | yara_rule: formbook
ModiLoader First Stage (1 IoC)
- resource: behavioral2/memory/1192-0-0x0000000003E30000-0x0000000003EA3000-memory.dmp | yara_rule: modiloader_stage1
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Process: cscript.exe
- Key created: \Registry\User\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | process: cscript.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\L4NH56HX_ = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | process: cscript.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive data.
Adds Run key to start application (2 TTPs, 1 IoC)
Process: cscript.exe
- Key created: \Registry\User\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | process: cscript.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: ieinstal.exe, cscript.exe
- PID 1100 (ieinstal.exe) set thread context of PID 2588 (Explorer.EXE)
- PID 832 (cscript.exe) set thread context of PID 2588 (Explorer.EXE)
Modifies Internet Explorer settings
Process: cscript.exe
- Key created: \Registry\User\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | process: cscript.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
- flow 20 | HTTP User-Agent header: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes: ieinstal.exe, cscript.exe
- PID 1100 (ieinstal.exe): 4 hits
- PID 832 (cscript.exe): 40 hits
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes: ieinstal.exe, cscript.exe
- PID 1100 (ieinstal.exe): 3 hits
- PID 832 (cscript.exe): 4 hits
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes: ieinstal.exe, cscript.exe, Explorer.EXE
- Token: SeDebugPrivilege | PID 1100 (ieinstal.exe)
- Token: SeDebugPrivilege | PID 832 (cscript.exe)
- Token: SeShutdownPrivilege | PID 2588 (Explorer.EXE)
- Token: SeCreatePagefilePrivilege | PID 2588 (Explorer.EXE)
- Token: SeShutdownPrivilege | PID 2588 (Explorer.EXE)
- Token: SeCreatePagefilePrivilege | PID 2588 (Explorer.EXE)
Suspicious use of UnmapMainImage (1 IoC)
- PID 2588 (Explorer.EXE)
Suspicious use of WriteProcessMemory (12 IoCs)
Processes: Orcdpfi_Signed_.exe, Explorer.EXE, cscript.exe
- PID 1192 (Orcdpfi_Signed_.exe) wrote to memory of PID 1100 (ieinstal.exe): 6 hits
- PID 2588 (Explorer.EXE) wrote to memory of PID 832 (cscript.exe): 3 hits
- PID 832 (cscript.exe) wrote to memory of PID 840 (Firefox.exe): 3 hits
Processes
- C:\Windows\Explorer.EXE (PID 2588)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Orcdpfi_Signed_.exe (PID 1192)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Orcdpfi_Signed_.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\internet explorer\ieinstal.exe (PID 1100)
      Command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cscript.exe (PID 832)
    Command line: "C:\Windows\SysWOW64\cscript.exe"
    - Adds policy Run key to start application
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 840)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologim.jpeg
  MD5: 4ba545d1bedda2449b18f17f9880cc32
  SHA1: 430d1fa2edd87df6d151af8a62a592b231ffa42a
  SHA256: b61bfa62ff7459b04445d95f2c9f7c9f3faba9850ca0439e93bb77c55a9dc0ba
  SHA512: 12a0e8b7092e75f88027f3e13b42547878af03af6201d03ab4ae7d0866700a5dc25679ea5516d8e2048bc6199697c56a1412b38e2a3377a2d423626fa81a0543
- C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologrf.ini
  MD5: 2f245469795b865bdd1b956c23d7893d
  SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
  SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
  SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f
- C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologri.ini
  MD5: d63a82e5d81e02e399090af26db0b9cb
  SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
  SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
  SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad
- C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologrv.ini
  MD5: bbc41c78bae6c71e63cb544a6a284d94
  SHA1: 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
  SHA256: ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
  SHA512: 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4
- memory/832-13-0x0000000006690000-0x0000000006780000-memory.dmp | Filesize: 960KB
- memory/832-8-0x0000000000000000-mapping.dmp
- memory/832-9-0x00000000012C0000-0x00000000012E7000-memory.dmp | Filesize: 156KB
- memory/832-10-0x00000000012C0000-0x00000000012E7000-memory.dmp | Filesize: 156KB
- memory/832-12-0x0000000005840000-0x00000000059AE000-memory.dmp | Filesize: 1.4MB
- memory/840-15-0x00007FF794960000-0x00007FF7949F3000-memory.dmp | Filesize: 588KB
- memory/840-14-0x0000000000000000-mapping.dmp
- memory/840-16-0x00007FF794960000-0x00007FF7949F3000-memory.dmp | Filesize: 588KB
- memory/840-17-0x00007FF794960000-0x00007FF7949F3000-memory.dmp | Filesize: 588KB
- memory/1100-6-0x0000000000000000-mapping.dmp
- memory/1100-5-0x00000000007D0000-0x00000000007D1000-memory.dmp | Filesize: 4KB
- memory/1192-0-0x0000000003E30000-0x0000000003EA3000-memory.dmp | Filesize: 460KB
- memory/1192-4-0x0000000010410000-0x000000001043D000-memory.dmp | Filesize: 180KB
- memory/1192-2-0x0000000004EB0000-0x0000000004F15000-memory.dmp | Filesize: 404KB