Analysis
Max time kernel: 153s
Max time network: 27s
Platform: windows7_x64
Resource: win7v20201028
Submitted: 08-04-2021 07:04

Static task: static1
Behavioral task: behavioral1
Sample: NEW ORDER - BLL04658464.exe
Resource: win7v20201028

General
Target: NEW ORDER - BLL04658464.exe
Size: 641KB
MD5: c43b615ee95f80f037b142b55decf144
SHA1: 1cb557a6198866592dd0644d0561edafae222f06
SHA256: fea4f85475d53bbb39592cb92dc6588948b1dd218e4ac554749ffe1fc26ffc67
SHA512: 189590db3368a348bf827f9e46970a64b29d95587dbbab7fbc0a000e51e3f5845bfbf8b8bf3a9a8c57273fce15d68ad9c7704daff2b37daae1b9b69aa7dac674
Malware Config
Extracted
Family: formbook
Version: 4.1
C2 URL: http://www.bendhighswimming.com/crdi/
Decoy domains (Formbook configs carry one real C2 path plus a list of decoy domains that are contacted alongside it):
propertyjumpstartwebinar.com
boc-vip.club
polestarnyc.com
travelonlinebiz.com
bukovynaent.com
bestfashoin.com
miniindiastore.com
wehatebillgates.com
holmescountyjusticecourt.com
colectivorenovemosjuntos.com
houstowarehouse.com
aocsw.com
sml-uniform.com
bandanasaint.com
petposhdeluxe.com
ezcscpawq.com
ladiesoption.club
refixu.com
selfwrrrth.com
rovietry.com
enaoc.com
karyolaw.com
diversitymarketingtx.net
browsersentenderbanco.net
samtheshepherd.com
nash-arbitrazh.com
gampang-kerja.tech
ereplacementparrts.com
eventmidasbuy14.com
sia-rikvel.com
top2016.net
686638.com
ton.blue
desktower.net
dbykq020.com
stack30.com
tiendasfotoprix.com
kylesmaier.com
ekmantsang.com
jumlasx.xyz
qingqingyuyin.com
cdnsubs.xyz
maxamoose.com
huelling.com
xn--bjrnnstet-z2a8q.online
betale-posten.com
lalatendu.info
nochipmanicure.net
bichat.website
washington32reds.com
centrodesaludcrecer.com
phihoteldeimedaglioni.com
kilmalliefarms.com
icecreamsocialwp.com
mac-makeup.club
elzooz.com
iqomw.com
bestattorneycle.com
startonsocial.com
purensoessentials.com
therealyolandafay.com
feildwolf.com
nativesupps.com
nbatimeout.com
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1616-11-0x000000000041ED20-mapping.dmp | formbook
behavioral1/memory/1616-10-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/784-20-0x0000000000090000-0x00000000000BE000-memory.dmp | formbook

Deletes itself (1 IoC)
pid | process
1012 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1036 set thread context of 1616 | 1036 | NEW ORDER - BLL04658464.exe | NEW ORDER - BLL04658464.exe
PID 1616 set thread context of 1212 | 1616 | NEW ORDER - BLL04658464.exe | Explorer.EXE
PID 784 set thread context of 1212 | 784 | msiexec.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | process | IoCs
1036 | NEW ORDER - BLL04658464.exe | 4
1616 | NEW ORDER - BLL04658464.exe | 2
784 | msiexec.exe | 6

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | IoCs
1616 | NEW ORDER - BLL04658464.exe | 3
784 | msiexec.exe | 2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1036 | NEW ORDER - BLL04658464.exe
Token: SeDebugPrivilege | 1616 | NEW ORDER - BLL04658464.exe
Token: SeDebugPrivilege | 784 | msiexec.exe

Suspicious use of WriteProcessMemory (22 IoCs, identical entries collapsed with a count)
description | pid | process | target process | IoCs
PID 1036 wrote to memory of 1612 | 1036 | NEW ORDER - BLL04658464.exe | NEW ORDER - BLL04658464.exe | 4
PID 1036 wrote to memory of 1616 | 1036 | NEW ORDER - BLL04658464.exe | NEW ORDER - BLL04658464.exe | 7
PID 1212 wrote to memory of 784 | 1212 | Explorer.EXE | msiexec.exe | 7
PID 784 wrote to memory of 1012 | 784 | msiexec.exe | cmd.exe | 4
Processes
(The numbers in the original tree are nesting depths; PIDs are taken from the signature tables above.)

Depth 1: C:\Windows\Explorer.EXE (PID 1212)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe (PID 1036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe (PID 1612, by elimination: the only other target PID 1036 wrote to)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe"
      (no signatures fired for this copy; it was written to by PID 1036 but never given a thread context)
    Depth 3: C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe (PID 1616)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  Depth 2: C:\Windows\SysWOW64\msiexec.exe (PID 784)
    Command line: "C:\Windows\SysWOW64\msiexec.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\cmd.exe (PID 1012)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe"
      - Deletes itself
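Read together, the SetThreadContext and WriteProcessMemory signatures and the process tree describe one injection chain: the sample (PID 1036) writes into a second copy of itself (PID 1616) and redirects a thread there, that copy redirects a thread in Explorer.EXE (PID 1212), Explorer spawns msiexec.exe (PID 784), which again targets Explorer and finally spawns cmd.exe (PID 1012) to delete the original file. The Python below is an added example, not part of this report or of any sandbox's code: it parses the IoC lines exactly as the report prints them (embedded here from this page, with the 22 WriteProcessMemory entries collapsed to distinct pairs and their counts) and reconstructs that chain. The class and function names are the example's own.

```python
import re
from collections import Counter, defaultdict

# IoC lines copied from this report's "Suspicious use of SetThreadContext" and
# "Suspicious use of WriteProcessMemory" signatures. The WriteProcessMemory list
# is the report's 22 entries collapsed to distinct (source, target) pairs with
# the number of times each pair appears on the page.
SET_THREAD_CONTEXT = [
    "PID 1036 set thread context of 1616 1036 NEW ORDER - BLL04658464.exe NEW ORDER - BLL04658464.exe",
    "PID 1616 set thread context of 1212 1616 NEW ORDER - BLL04658464.exe Explorer.EXE",
    "PID 784 set thread context of 1212 784 msiexec.exe Explorer.EXE",
]
WRITE_PROCESS_MEMORY = [
    ("PID 1036 wrote to memory of 1612 1036 NEW ORDER - BLL04658464.exe NEW ORDER - BLL04658464.exe", 4),
    ("PID 1036 wrote to memory of 1616 1036 NEW ORDER - BLL04658464.exe NEW ORDER - BLL04658464.exe", 7),
    ("PID 1212 wrote to memory of 784 1212 Explorer.EXE msiexec.exe", 7),
    ("PID 784 wrote to memory of 1012 784 msiexec.exe cmd.exe", 4),
]
# Dumps the "Formbook Payload" YARA rule matched, from the same report.
FORMBOOK_YARA_HITS = [
    "behavioral1/memory/1616-11-0x000000000041ED20-mapping.dmp",
    "behavioral1/memory/1616-10-0x0000000000400000-0x000000000042E000-memory.dmp",
    "behavioral1/memory/784-20-0x0000000000090000-0x00000000000BE000-memory.dmp",
]

# "PID <src> <action> <dst> <src> <source image> <target image>". Image names may
# contain spaces, so each name is the shortest run of text ending in ".exe".
IOC_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) (?P<dst>\d+) "
    r"(?P=src) (?P<src_name>.+?\.exe) (?P<dst_name>.+?\.exe)$",
    re.IGNORECASE,
)


class InjectionGraph:
    """Directed graph of cross-process memory writes and thread-context changes."""

    def __init__(self):
        self.names = {}                    # pid -> image name
        self.writes = Counter()            # (src, dst) -> WriteProcessMemory IoC count
        self.context = set()               # (src, dst) pairs with a SetThreadContext IoC
        self.children = defaultdict(list)  # src -> targets, in report order

    def add(self, line, count=1):
        m = IOC_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        src, dst = int(m["src"]), int(m["dst"])
        self.names[src], self.names[dst] = m["src_name"], m["dst_name"]
        if m["action"].lower().startswith("set thread"):
            self.context.add((src, dst))
        else:
            self.writes[(src, dst)] += count
        if dst not in self.children[src]:
            self.children[src].append(dst)

    def hollowed(self):
        """Targets that got both a memory write and a thread-context change from the
        same source: write the payload in, then point a thread at it."""
        return sorted({dst for (src, dst) in self.context if self.writes[(src, dst)] > 0})

    def context_without_writes(self):
        """Thread-context targets with no WriteProcessMemory from that source; the
        code reached them another way (the report's MapViewOfSection IoCs)."""
        return sorted({dst for (src, dst) in self.context if self.writes[(src, dst)] == 0})

    def chain(self, root):
        """Depth-first walk from the initial sample over write and context edges."""
        order, seen, stack = [], set(), [root]
        while stack:
            pid = stack.pop()
            if pid in seen:
                continue
            seen.add(pid)
            order.append(pid)
            stack.extend(reversed(self.children[pid]))
        return [(pid, self.names[pid]) for pid in order]


def pids_with_payload(hits=FORMBOOK_YARA_HITS):
    """PIDs whose dumps matched the Formbook rule (names are 'memory/<pid>-<seq>-...')."""
    return sorted({int(h.rsplit("/", 1)[-1].split("-")[0]) for h in hits})


def dormant_targets(graph, payload_pids):
    """Written-to processes never given a thread context and never carrying the
    payload: ordinary children, or a staged copy that did not run it."""
    ctx_targets = {dst for _, dst in graph.context}
    return sorted({dst for _, dst in graph.writes
                   if dst not in ctx_targets and dst not in payload_pids})


def build_graph():
    g = InjectionGraph()
    for line in SET_THREAD_CONTEXT:
        g.add(line)
    for line, n in WRITE_PROCESS_MEMORY:
        g.add(line, n)
    return g
```

`build_graph().chain(1036)` walks 1036, 1616, 1212, 784, 1012 and then the side branch 1612. `hollowed()` returns `[1616]` (written to, then thread redirected). `context_without_writes()` returns `[1212]`: neither injection into Explorer shows a WriteProcessMemory IoC, which matches the MapViewOfSection signature firing for PIDs 1616 and 784 instead. `dormant_targets(g, pids_with_payload())` returns `[1012, 1612]`: cmd.exe is a plain child, and 1612 is the second sample copy in the tree that received writes but no thread context and no Formbook YARA hit.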
Network
MITRE ATT&CK Matrix
Downloads
file | size
memory/784-16-0x0000000000000000-mapping.dmp | -
memory/784-22-0x0000000000BA0000-0x0000000000C33000-memory.dmp | 588KB
memory/784-19-0x0000000000330000-0x0000000000344000-memory.dmp | 80KB
memory/784-21-0x0000000002220000-0x0000000002523000-memory.dmp | 3.0MB
memory/784-20-0x0000000000090000-0x00000000000BE000-memory.dmp | 184KB
memory/784-17-0x00000000760F1000-0x00000000760F3000-memory.dmp | 8KB
memory/1012-18-0x0000000000000000-mapping.dmp | -
memory/1036-7-0x000000007EF40000-0x000000007EF41000-memory.dmp | 4KB
memory/1036-9-0x0000000000AE0000-0x0000000000B13000-memory.dmp | 204KB
memory/1036-8-0x0000000005C40000-0x0000000005CB8000-memory.dmp | 480KB
memory/1036-2-0x0000000074570000-0x0000000074C5E000-memory.dmp | 6.9MB
memory/1036-6-0x0000000000550000-0x0000000000554000-memory.dmp | 16KB
memory/1036-5-0x00000000049F0000-0x00000000049F1000-memory.dmp | 4KB
memory/1036-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp | 4KB
memory/1212-14-0x0000000006C50000-0x0000000006D6D000-memory.dmp | 1.1MB
memory/1616-10-0x0000000000400000-0x000000000042E000-memory.dmp | 184KB
memory/1616-13-0x0000000000180000-0x0000000000194000-memory.dmp | 80KB
memory/1616-15-0x00000000008F0000-0x0000000000BF3000-memory.dmp | 3.0MB
memory/1616-11-0x000000000041ED20-mapping.dmp | -
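Each dump name encodes the PID, a sequence number and either an address range (memory.dmp) or a single address (mapping.dmp). The Python below is an added example, not the report's or the sandbox's code, with function names of its own: it parses the names exactly as listed above, checks every size label against its address range, finds region sizes that recur across PIDs, and resolves each mapping address to the region dump of the same process that contains it.

```python
import re
from collections import defaultdict

# Dump names and size labels as listed under "Downloads" on this page.
# mapping.dmp entries carry a single address and no size.
DUMPS = [
    ("memory/784-16-0x0000000000000000-mapping.dmp", None),
    ("memory/784-22-0x0000000000BA0000-0x0000000000C33000-memory.dmp", "588KB"),
    ("memory/784-19-0x0000000000330000-0x0000000000344000-memory.dmp", "80KB"),
    ("memory/784-21-0x0000000002220000-0x0000000002523000-memory.dmp", "3.0MB"),
    ("memory/784-20-0x0000000000090000-0x00000000000BE000-memory.dmp", "184KB"),
    ("memory/784-17-0x00000000760F1000-0x00000000760F3000-memory.dmp", "8KB"),
    ("memory/1012-18-0x0000000000000000-mapping.dmp", None),
    ("memory/1036-7-0x000000007EF40000-0x000000007EF41000-memory.dmp", "4KB"),
    ("memory/1036-9-0x0000000000AE0000-0x0000000000B13000-memory.dmp", "204KB"),
    ("memory/1036-8-0x0000000005C40000-0x0000000005CB8000-memory.dmp", "480KB"),
    ("memory/1036-2-0x0000000074570000-0x0000000074C5E000-memory.dmp", "6.9MB"),
    ("memory/1036-6-0x0000000000550000-0x0000000000554000-memory.dmp", "16KB"),
    ("memory/1036-5-0x00000000049F0000-0x00000000049F1000-memory.dmp", "4KB"),
    ("memory/1036-3-0x0000000000FB0000-0x0000000000FB1000-memory.dmp", "4KB"),
    ("memory/1212-14-0x0000000006C50000-0x0000000006D6D000-memory.dmp", "1.1MB"),
    ("memory/1616-10-0x0000000000400000-0x000000000042E000-memory.dmp", "184KB"),
    ("memory/1616-13-0x0000000000180000-0x0000000000194000-memory.dmp", "80KB"),
    ("memory/1616-15-0x00000000008F0000-0x0000000000BF3000-memory.dmp", "3.0MB"),
    ("memory/1616-11-0x000000000041ED20-mapping.dmp", None),
]

HEX = r"[0-9A-Fa-f]+"
REGION_RE = re.compile(rf"^memory/(\d+)-(\d+)-0x({HEX})-0x({HEX})-memory\.dmp$")
MAPPING_RE = re.compile(rf"^memory/(\d+)-(\d+)-0x({HEX})-mapping\.dmp$")


def parse(name):
    """Split a dump name into pid, sequence number and address(es)."""
    m = REGION_RE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        return {"pid": int(pid), "seq": int(seq), "kind": "region",
                "start": int(start, 16), "end": int(end, 16)}
    m = MAPPING_RE.match(name)
    if m:
        pid, seq, addr = m.groups()
        return {"pid": int(pid), "seq": int(seq), "kind": "mapping", "addr": int(addr, 16)}
    raise ValueError(f"unrecognised dump name: {name}")


def label(nbytes):
    """Size label in the report's style: whole KB below 1 MiB, one decimal MB above."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def mislabelled(dumps=DUMPS):
    """Region dumps whose listed size disagrees with their address range."""
    bad = []
    for name, size in dumps:
        d = parse(name)
        if d["kind"] == "region" and label(d["end"] - d["start"]) != size:
            bad.append(name)
    return bad


def shared_region_sizes(dumps=DUMPS):
    """Region sizes present in more than one PID, as size -> sorted PIDs. Code
    injected from one process into another reproduces its allocation sizes."""
    by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse(name)
        if d["kind"] == "region":
            by_size[d["end"] - d["start"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def region_containing(pid, addr, dumps=DUMPS):
    """Name of the dumped region of `pid` that contains `addr`, or None."""
    for name, _ in dumps:
        d = parse(name)
        if d["kind"] == "region" and d["pid"] == pid and d["start"] <= addr < d["end"]:
            return name
    return None


def resolve_mappings(dumps=DUMPS):
    """Map each mapping.dmp to the region dump of the same PID holding its address."""
    out = {}
    for name, _ in dumps:
        d = parse(name)
        if d["kind"] == "mapping":
            out[name] = region_containing(d["pid"], d["addr"], dumps)
    return out
```

`mislabelled()` returns an empty list, so every label above matches its range. `shared_region_sizes()` returns three sizes, 0x14000 (80KB), 0x2E000 (184KB) and 0x303000 (3.0MB), each present in exactly PIDs 784 and 1616: the msiexec.exe process mirrors the layout of the hollowed sample copy, and the two 184KB regions are the ones the Formbook YARA rule matched. `resolve_mappings()` places the 1616-11 mapping address 0x41ED20 inside the 1616-10 region at 0x400000-0x42E000, the usual image base of a 32-bit executable; the two mappings at address 0 resolve to no dumped region.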