Analysis
- max time kernel: 146s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 07:40

Static task: static1
Behavioral task: behavioral1
- Sample: Order Inquiry.exe
- Resource: win7v20201028
General
- Target: Order Inquiry.exe
- Size: 222KB
- MD5: 6664568334aabc380dda1821fdd379d9
- SHA1: 8b847d59b54068e0cb5316c1e4f6e5db286d98d9
- SHA256: ee0a32169adde722c5652fb40046d8251fa8a89ce615a637ed5708372af0d163
- SHA512: cb391712b7c9138cb12bc5f0176ddb7739f25db7e1c4da03b02ba0b68ba0cce00650341230f189fff1f398eab7ac0ac2584d4d171a5f6430c78130dbd6e431fa
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- C2 URL: http://www.c-voyageinc.com/r4ei/
- Domains: Formbook's configuration pairs the live C2 URL with a list of decoy domains that the bot also beacons to. The extractor does not flag which entries are decoys, so hunt or block on the full list, but do not treat every domain below as attacker-controlled infrastructure.
8clintonstreet.com
sherylhotpepperblends.com
eucham.asia
earnestqueen.com
vstexchange.com
theoutofbounds.com
allincursive.com
getgenevieved.com
commonlawpeoplesassembly.net
brideclubstorerastreamento.com
cngelectricaldesign.com
mizmaleather.com
nicolabenge.com
babyboxbuy.com
xaydungquan9.com
hclifechurch.com
cwyxonlp.icu
inocentkidd.com
worldhw.com
soul.exchange
garshbedmi.info
hayratindonesia.com
optimummedical-uk.com
jagocopywriter.com
loandong.com
tnacharters.com
rdj-cpa.com
nklwmb.com
baykusbaskimerkezi.xyz
websiteworlda-z.com
gulumsekoop.xyz
artforthebayarea.com
hkafrfudl.icu
thekhufureign.com
stanfordcodingtutor.com
puoynios.website
saearners.info
epipdfhany.com
cowboycooloutfitters.net
therealrefinery.com
royal-english-academy.com
dante.report
montonvuraeditted.space
webuytampabayhouses.com
phorice.com
juxrams.info
francisboyrd.com
edifice-base.com
shjzly.com
frisdrank.deals
cannajointn.com
dianshi.ink
droneserviceshouston.com
swaymontoya.com
omvvv.com
yourherogarden.net
areenaarora.com
complex-kokukenzyo.com
minyakgelici.com
municipiodeanton.net
opimexico.com
xgame.online
squrl.network
bayleafdenver.info
Signatures

Formbook Payload (2 IoCs)
The YARA rule "formbook" matched the unpacked payload in two process memory regions of identical size (0x2E000 bytes, 184KB), i.e. the same image unpacked once in each injected process:
- behavioral2/memory/3028-6-0x0000000000400000-0x000000000042E000-memory.dmp (Order Inquiry.exe, PID 3028)
- behavioral2/memory/3576-12-0x0000000000E60000-0x0000000000E8E000-memory.dmp (control.exe, PID 3576)

Loads dropped DLL (1 IoC)
- PID 580 Order Inquiry.exe

Suspicious use of SetThreadContext (3 IoCs)
- PID 580 Order Inquiry.exe set thread context of PID 3028 Order Inquiry.exe
- PID 3028 Order Inquiry.exe set thread context of PID 3032 Explorer.EXE
- PID 3576 control.exe set thread context of PID 3032 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox describes this as "likely ransomware behaviour", but it is a generic heuristic: the extracted configuration identifies the sample as Formbook, an information stealer, and nothing else in this report supports a ransomware verdict.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
- PID 3028 Order Inquiry.exe (4 events)
- PID 3576 control.exe (56 events)

Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 580 Order Inquiry.exe (1 event)
- PID 3028 Order Inquiry.exe (3 events)
- PID 3576 control.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- PID 3028 Order Inquiry.exe: Token SeDebugPrivilege
- PID 3576 control.exe: Token SeDebugPrivilege

Suspicious use of WriteProcessMemory (10 IoCs)
- PID 580 Order Inquiry.exe wrote to memory of PID 3028 Order Inquiry.exe (4 events)
- PID 3032 Explorer.EXE wrote to memory of PID 3576 control.exe (3 events)
- PID 3576 control.exe wrote to memory of PID 208 cmd.exe (3 events)
Processes
(PIDs are taken from the signature tables above; the tree itself shows image path, command line and the signatures raised by each process.)

- C:\Windows\Explorer.EXE (PID 3032)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe (PID 580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe (PID 3028)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\control.exe (PID 3576)
    Command line: "C:\Windows\SysWOW64\control.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 208)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry.exe"

Reading the tree together with the signature tables: the dropper (PID 580) starts a second copy of itself (PID 3028), writes into it and redirects its thread with SetThreadContext, so the Formbook payload runs inside a hollowed copy of the original file. That copy then sets a thread context in Explorer.EXE (PID 3032); the injected Explorer launches a 32-bit Windows binary from SysWOW64 (here control.exe, PID 3576) with no arguments and writes into it, and control.exe in turn injects back into Explorer, enumerates processes and takes SeDebugPrivilege. Finally control.exe spawns cmd.exe (PID 208) to delete the original dropper from %TEMP%, so the on-disk sample is gone while the payload keeps running inside control.exe. This is the standard Formbook injection chain; Formbook picks the host binary from a built-in list of Windows executables, so detections should key on the behaviour (Explorer spawning a SysWOW64 binary that immediately injects back into Explorer and runs cmd /c del on an executable in Temp) rather than on the name control.exe.
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Dropped file: \Users\Admin\AppData\Local\Temp\nsf53C4.tmp\u50p.dll
- MD5: 8339650c424842bdf21c460c26a92a92
- SHA1: d3f9cb60ec1b8ca634bc4d24bb4a9579fdf10b96
- SHA256: 14ca3ecc145171f8fbd847a696c2a1f1d3c804fcfe6cec1a7f02f9c20285066d
- SHA512: 7e6b39a87c7cf81228e15bf3e916f785725e77544e6795dd9945cc53f1d5b10a46b0d6b1b8e47f68a0ef8e87bc18e4a314ffcfabe65ddbbe7d67d32cec44afca
A ns????.tmp directory under %TEMP% is the pattern NSIS installers use when extracting plugin DLLs at run time, so this is the DLL behind the "Loads dropped DLL" signature on PID 580. The Formbook payload itself was recovered from process memory, not from this file.

Memory dumps (PID-index-address range; sizes as reported)
- memory/208-14-0x0000000000000000-mapping.dmp (cmd.exe, PID 208)
- memory/580-3-0x0000000002620000-0x0000000002622000-memory.dmp: 8KB
- memory/3028-7-0x0000000000AF0000-0x0000000000E10000-memory.dmp: 3.1MB
- memory/3028-8-0x00000000009E0000-0x00000000009F4000-memory.dmp: 80KB
- memory/3028-6-0x0000000000400000-0x000000000042E000-memory.dmp: 184KB (Formbook YARA match)
- memory/3028-4-0x000000000041ED40-mapping.dmp (0x41ED40 falls inside the 0x400000-0x42E000 region that matched the Formbook rule, consistent with the parent redirecting execution into the unpacked payload)
- memory/3032-9-0x0000000005050000-0x00000000051A8000-memory.dmp: 1.3MB
- memory/3032-16-0x0000000002A00000-0x0000000002AC7000-memory.dmp: 796KB
- memory/3576-10-0x0000000000000000-mapping.dmp
- memory/3576-11-0x0000000000EA0000-0x0000000000EC0000-memory.dmp: 128KB
- memory/3576-13-0x0000000004F60000-0x0000000005280000-memory.dmp: 3.1MB
- memory/3576-12-0x0000000000E60000-0x0000000000E8E000-memory.dmp: 184KB (Formbook YARA match)
- memory/3576-15-0x0000000004DC0000-0x0000000004E53000-memory.dmp: 588KB