Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
08-04-2021 07:40
Static task
static1
Behavioral task
behavioral1
Sample
Order Inquiry.exe
Resource
win7v20201028
General
-
Target
Order Inquiry.exe
-
Size
222KB
-
MD5
6664568334aabc380dda1821fdd379d9
-
SHA1
8b847d59b54068e0cb5316c1e4f6e5db286d98d9
-
SHA256
ee0a32169adde722c5652fb40046d8251fa8a89ce615a637ed5708372af0d163
-
SHA512
cb391712b7c9138cb12bc5f0176ddb7739f25db7e1c4da03b02ba0b68ba0cce00650341230f189fff1f398eab7ac0ac2584d4d171a5f6430c78130dbd6e431fa
Malware Config
Extracted
formbook
4.1
Signatures
-
Formbook Payload 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1944-7-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/2020-12-0x0000000000070000-0x000000000009E000-memory.dmp | formbook
-
Deletes itself 1 IoCs
Processes:
pid | process
1624 | cmd.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
1684 | Order Inquiry.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1684 set thread context of 1944 | 1684 | Order Inquiry.exe | Order Inquiry.exe
PID 1944 set thread context of 1276 | 1944 | Order Inquiry.exe | Explorer.EXE
PID 2020 set thread context of 1276 | 2020 | cscript.exe | Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid | process | occurrences
1944 | Order Inquiry.exe | 2
2020 | cscript.exe | 29
-
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process | occurrences
1684 | Order Inquiry.exe | 1
1944 | Order Inquiry.exe | 3
2020 | cscript.exe | 2
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1944 | Order Inquiry.exe
Token: SeDebugPrivilege | 2020 | cscript.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process | occurrences
1276 | Explorer.EXE | 4
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process | occurrences
1276 | Explorer.EXE | 4
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process | occurrences
PID 1684 wrote to memory of 1944 | 1684 | Order Inquiry.exe | Order Inquiry.exe | 5
PID 1276 wrote to memory of 2020 | 1276 | Explorer.EXE | cscript.exe | 4
PID 2020 wrote to memory of 1624 | 2020 | cscript.exe | cmd.exe | 4
Processes
-
C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cscript.exe (level 2)
    command line: "C:\Windows\SysWOW64\cscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
      - Deletes itself
Downloads
-
\Users\Admin\AppData\Local\Temp\nsh168.tmp\u50p.dll
MD5
8339650c424842bdf21c460c26a92a92
SHA1
d3f9cb60ec1b8ca634bc4d24bb4a9579fdf10b96
SHA256
14ca3ecc145171f8fbd847a696c2a1f1d3c804fcfe6cec1a7f02f9c20285066d
SHA512
7e6b39a87c7cf81228e15bf3e916f785725e77544e6795dd9945cc53f1d5b10a46b0d6b1b8e47f68a0ef8e87bc18e4a314ffcfabe65ddbbe7d67d32cec44afca
-
memory/1276-9-0x0000000006C40000-0x0000000006DDA000-memory.dmp
Filesize
1.6MB
-
memory/1276-16-0x0000000004B60000-0x0000000004C09000-memory.dmp
Filesize
676KB
-
memory/1624-13-0x0000000000000000-mapping.dmp
-
memory/1684-5-0x00000000003D0000-0x00000000003D2000-memory.dmp
Filesize
8KB
-
memory/1684-2-0x00000000756A1000-0x00000000756A3000-memory.dmp
Filesize
8KB
-
memory/1944-6-0x0000000000700000-0x0000000000A03000-memory.dmp
Filesize
3.0MB
-
memory/1944-7-0x0000000000400000-0x000000000042E000-memory.dmp
Filesize
184KB
-
memory/1944-8-0x0000000000580000-0x0000000000594000-memory.dmp
Filesize
80KB
-
memory/1944-4-0x000000000041ED40-mapping.dmp
-
memory/2020-10-0x0000000000000000-mapping.dmp
-
memory/2020-11-0x0000000000860000-0x0000000000882000-memory.dmp
Filesize
136KB
-
memory/2020-12-0x0000000000070000-0x000000000009E000-memory.dmp
Filesize
184KB
-
memory/2020-14-0x0000000002140000-0x0000000002443000-memory.dmp
Filesize
3.0MB
-
memory/2020-15-0x0000000000700000-0x0000000000793000-memory.dmp
Filesize
588KB