Analysis
max time kernel: 151s
max time network: 183s
platform: windows7_x64
resource: win7v20210408
submitted: 08-10-2021 23:29
Static task: static1
Behavioral task: behavioral1
Sample: orden 000873.exe
Resource: win7v20210408

General
Target: orden 000873.exe
Size: 253KB
MD5: abaf85c4c2935c711827ba7af2bfbbb0
SHA1: bf13a8cc2844a4f1912ccc7a1a6f8acb91ccd896
SHA256: f561431a18d41cec483b9763d2529633933a2683eb5075d54650922b84da6279
SHA512: 5b2aec946133e6b1608258a42996fb2269cc465642ada8641385236ac166859c2c12f6fc252b7546b45c56603536e31649435258d22492c58a3ea948c72a6a44
Malware Config
Extracted
Family: formbook
Version: 4.1
C2 path: dn7r (the path component of the C2 URL)
C2 URL: http://www.yourherogarden.net/dn7r/
Domains (64). Formbook carries decoy domains alongside its live C2 in the same config, so treat the list below as a hunt list to verify rather than a block list:
eventphotographerdfw.com
thehalalcoinstaking.com
philipfaziofineart.com
intercoh.com
gaiaseyephotography.com
chatbotforrealestate.com
lovelancemg.com
marlieskasberger.com
elcongoenespanol.info
lepirecredit.com
distribution-concept.com
e99game.com
exit11festival.com
twodollartoothbrushclub.com
cocktailsandlawn.com
performimprove.network
24horas-telefono-11840.com
cosmossify.com
kellenleote.com
perovskite.energy
crosschain.services
xiwanghe.com
mollycayton.com
bonipay.com
uuwyxc.com
viberiokno-online.com
mobceo.com
menzelna.com
tiffaniefoster.com
premiumautowesthartford.com
ownhome.house
bestmartinshop.com
splashstoreofficial.com
guidemining.com
ecshopdemo.com
bestprinting1.com
s-circle2020.com
ncagency.info
easydigitalzone.com
reikiforthecollective.com
theknottteam.com
evolvedpixel.com
japxo.online
ryansqualityrenovations.com
dentimagenquito.net
pantherprints.co.uk
apoporangi.com
thietkemietvuon.net
ifernshop.com
casaruralesgranada.com
camp-3saumons.com
eddsucks.com
blwcd.com
deldlab.com
susanperb.com
autosanitizingsolutions.com
femhouse.com
ironcageclash.com
thekinghealer.com
shaghayeghbovand.com
advertfaces.com
lonriley.com
mased-world.online
mythicspacex.com
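The config above is what a responder turns into a hunt list. The script below is an added example (not part of this report and not the sandbox vendor's code): it takes the C2 URL plus a handful of the 64 listed domains, normalises them, and runs them over proxy log lines. The log layout and the log lines themselves are constructed for the example; only the version, path token, URL and domain names come from the report. Hits on the live C2 host are rated high, hits on any other listed domain medium, because Formbook also beacons to decoys and a medium hit from the same client at the same time corroborates rather than proves infection.

```python
"""Hunt list from the Formbook config above, run over proxy log lines.
Added example; not code from the report or the sandbox vendor."""
import re
from urllib.parse import urlparse

# Copied from the extracted config above: the live C2 URL plus a few of
# the 64 listed domains.  Formbook ships decoy domains next to the live
# C2, so a hit on the list is a lead to verify, not proof of infection.
FORMBOOK_CONFIG = {
    "version": "4.1",
    "c2_path": "dn7r",
    "c2_url": "http://www.yourherogarden.net/dn7r/",
    "domains": [
        "eventphotographerdfw.com",
        "thehalalcoinstaking.com",
        "intercoh.com",
        "mythicspacex.com",
    ],
}

# Proxy log layout assumed for this example (constructed, not from the report):
# <timestamp> <client ip> <method> <url> <status>
SAMPLE_PROXY_LOG = [
    "2021-10-08T23:31:02Z 10.0.0.15 GET http://www.yourherogarden.net/dn7r/?id=1 200",
    "2021-10-08T23:31:05Z 10.0.0.15 POST http://www.intercoh.com/dn7r/ 404",
    "2021-10-08T23:31:09Z 10.0.0.22 GET http://example.org/index.html 200",
    "2021-10-08T23:32:00Z 10.0.0.15 GET http://mythicspacex.com/ 200",
]
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def registrable(host):
    """Lower-case and drop a leading 'www.' so both forms of a domain match.
    Deliberately simple: no public-suffix list."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_hunt_set(cfg):
    """All hosts worth watching: the live C2 host plus the domain list."""
    hosts = {registrable(urlparse(cfg["c2_url"]).hostname)}
    hosts.update(registrable(d) for d in cfg["domains"])
    return hosts


def hunt_proxy_log(lines, cfg):
    """Return one finding per log line whose host is on the hunt list.
    Traffic to the live C2 host is rated high; traffic to any other listed
    domain is rated medium because Formbook also beacons to its decoys."""
    hunt = build_hunt_set(cfg)
    live_c2 = registrable(urlparse(cfg["c2_url"]).hostname)
    findings = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        url = urlparse(m["url"])
        host = registrable(url.hostname)
        if host not in hunt:
            continue
        findings.append({
            "src": m["src"],
            "host": host,
            "path": url.path,
            # Formbook talks to <domain>/<c2_path>/ on the live server
            "uses_c2_path": url.path.startswith(f"/{cfg['c2_path']}/"),
            "severity": "high" if host == live_c2 else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt_proxy_log(SAMPLE_PROXY_LOG, FORMBOOK_CONFIG):
        print(f)
```

Run it as-is and it reports three of the four constructed lines: the C2 host as high, the two decoy hits as medium. To use it on real data, replace SAMPLE_PROXY_LOG with your proxy export and PROXY_LINE with its actual layout, and feed the full 64-domain list into "domains".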
Signatures

Formbook Payload (3 IoCs)
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/1984-62-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/1984-63-0x000000000041F200-mapping.dmp                     formbook
  behavioral1/memory/1672-70-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Deletes itself (1 IoC)
Processes:
  pid   process
  1492  cmd.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  1100  orden 000873.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
  description                          pid   process           target process
  PID 1100 set thread context of 1984  1100  orden 000873.exe  orden 000873.exe
  PID 1984 set thread context of 1212  1984  orden 000873.exe  Explorer.EXE
  PID 1672 set thread context of 1212  1672  NAPSTAT.EXE       Explorer.EXE
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The ransomware remark is the sandbox's generic description of this signature, not a finding about this sample: the extracted config and the payload YARA hits identify it as Formbook, an information stealer.)

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  pid   process           occurrences
  1984  orden 000873.exe  2
  1672  NAPSTAT.EXE       29

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid   process
  1212  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  pid   process           occurrences
  1984  orden 000873.exe  3
  1672  NAPSTAT.EXE       2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   1984  orden 000873.exe
  Token: SeDebugPrivilege   1672  NAPSTAT.EXE

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes:
  pid   process       occurrences
  1212  Explorer.EXE  4

Suspicious use of SendNotifyMessage (4 IoCs)
Processes:
  pid   process       occurrences
  1212  Explorer.EXE  4

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                    pid   process           target process    occurrences
  PID 1100 wrote to memory of 1984  1100  orden 000873.exe  orden 000873.exe  7
  PID 1212 wrote to memory of 1672  1212  Explorer.EXE      NAPSTAT.EXE       4
  PID 1672 wrote to memory of 1492  1672  NAPSTAT.EXE       cmd.exe           4
Processes

[depth 1] C:\Windows\Explorer.EXE (PID 1212)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\orden 000873.exe (PID 1100)
    Command line: "C:\Users\Admin\AppData\Local\Temp\orden 000873.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\orden 000873.exe (PID 1984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\orden 000873.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  [depth 2] C:\Windows\SysWOW64\NAPSTAT.EXE (PID 1672)
    Command line: "C:\Windows\SysWOW64\NAPSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\cmd.exe (PID 1492)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\orden 000873.exe"
      - Deletes itself
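The tree reads as a classic Formbook chain: the dropper (1100) hollows a second copy of itself (1984), that copy hijacks a thread in Explorer.EXE (1212), Explorer is made to launch a SysWOW64 binary (NAPSTAT.EXE, 1672) that is injected in turn, and NAPSTAT.EXE runs cmd.exe /c del against the original file. The script below is an added example (not part of this report and not the sandbox vendor's code) that encodes those three relationships as detection rules and runs them over a process table and a list of cross-process API calls constructed from the report's own PIDs, paths and signature rows.

```python
"""Detection logic for the injection and self-delete chain shown in the
process tree above, run over constructed sandbox-style events.  Added
example; not code from the report or the sandbox vendor."""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\orden 000873.exe"

# Process table reconstructed from the tree: pid -> (ppid, image, command line).
# Constructed for this example; PIDs and paths are the report's.
PROCESSES = {
    1212: (None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    1100: (1212, SAMPLE, f'"{SAMPLE}"'),
    1984: (1100, SAMPLE, f'"{SAMPLE}"'),
    1672: (1212, r"C:\Windows\SysWOW64\NAPSTAT.EXE", r'"C:\Windows\SysWOW64\NAPSTAT.EXE"'),
    1492: (1672, r"C:\Windows\SysWOW64\cmd.exe", f'cmd.exe /c del "{SAMPLE}"'),
}

# One (api, source pid, target pid) per distinct row of the SetThreadContext
# and WriteProcessMemory signatures above; the report repeats some rows.
API_CALLS = [
    ("WriteProcessMemory", 1100, 1984),
    ("SetThreadContext", 1100, 1984),
    ("SetThreadContext", 1984, 1212),
    ("WriteProcessMemory", 1212, 1672),
    ("SetThreadContext", 1672, 1212),
    ("WriteProcessMemory", 1672, 1492),
]

SELF_DELETE = re.compile(r'/c\s+del\s+"([^"]+)"', re.IGNORECASE)


def image_name(path):
    """Base name of a Windows path, lower-cased (ntpath splits on backslashes
    even when this runs on a non-Windows analysis box)."""
    return ntpath.basename(path).lower()


def detect(processes, api_calls):
    """Return (rule, source pid, target pid) tuples for the three behaviours."""
    findings = []
    wrote = {(s, t) for api, s, t in api_calls if api == "WriteProcessMemory"}
    for api, src, dst in api_calls:
        if api != "SetThreadContext":
            continue
        ppid, image, _ = processes[dst]
        # Hollowing: a parent writes into a child that runs the same image
        # and then redirects the child's thread (1100 -> 1984 above).
        if ppid == src and image == processes[src][1] and (src, dst) in wrote:
            findings.append(("process_hollowing", src, dst))
        # Thread hijack into the shell: a non-Explorer process re-pointing a
        # thread inside Explorer.EXE (1984 -> 1212 and 1672 -> 1212 above).
        if image_name(image) == "explorer.exe" and src != dst:
            findings.append(("explorer_thread_hijack", src, dst))
    for pid, (ppid, image, cmdline) in processes.items():
        if image_name(image) != "cmd.exe":
            continue
        m = SELF_DELETE.search(cmdline)
        if not m:
            continue
        target = m.group(1).lower()
        # The deleted file is the image of another process in the tree, and
        # cmd.exe's parent is a SysWOW64 binary that Explorer launched: the
        # Formbook self-delete routed through an injected proxy process.
        victims = [p for p, (_, img, _) in processes.items() if img.lower() == target]
        parent = processes.get(ppid)
        grandparent = processes.get(parent[0]) if parent else None
        if (victims and parent and "\\syswow64\\" in parent[1].lower()
                and grandparent and image_name(grandparent[1]) == "explorer.exe"):
            findings.append(("self_delete_via_proxy", ppid, pid))
    return findings


if __name__ == "__main__":
    for rule, src, dst in detect(PROCESSES, API_CALLS):
        print(f"{rule}: {src} ({image_name(PROCESSES[src][1])}) "
              f"-> {dst} ({image_name(PROCESSES[dst][1])})")
```

On a live endpoint the same relationships come from EDR or Sysmon telemetry rather than API hooks: process creation events give the tree, and a cross-process access event (Sysmon ProcessAccess) stands in for the SetThreadContext and WriteProcessMemory rows, keyed on the access rights requested. The self-delete rule is the cheapest to deploy on its own: cmd.exe deleting a file that is the image of a still-running process is rarely benign.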
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nsy38B.tmp\eufknrtale.dll
MD5: 07632e94e5393111fb508e610749a18d
SHA1: 71aa6c5d8a799b891c554f72dc0c0f11b1ca1a8b
SHA256: f6307ed5f0e3eb12b47dac295cebcdcbe7104823b25b535726cb8b6f0a256c45
SHA512: 9bbe74b6d277cbd1c65f2a0c44bf4d1400a95a3a555b247bf6211f612ee29d38aa999cc9428719f5b3684758904087dbee3fc83362c9cc09c4c99e9e7db7d167
(A DLL dropped into a %TEMP%\ns*.tmp directory is the layout an NSIS installer uses for its plugin directory, consistent with the "Loads dropped DLL" signature on PID 1100: the outer executable is an NSIS package whose plugin DLL stages the Formbook payload.)
Memory dumps
  file                                                                 filesize
  memory/1100-60-0x0000000075AF1000-0x0000000075AF3000-memory.dmp      8KB
  memory/1212-67-0x0000000004FE0000-0x0000000005099000-memory.dmp      740KB
  memory/1212-74-0x0000000006A10000-0x0000000006B02000-memory.dmp      968KB
  memory/1492-72-0x0000000000000000-mapping.dmp                        (mapping only)
  memory/1672-70-0x0000000000080000-0x00000000000AF000-memory.dmp      188KB
  memory/1672-68-0x0000000000000000-mapping.dmp                        (mapping only)
  memory/1672-69-0x0000000000A90000-0x0000000000AD6000-memory.dmp      280KB
  memory/1672-71-0x0000000002070000-0x0000000002373000-memory.dmp      3.0MB
  memory/1672-73-0x0000000000990000-0x0000000000A24000-memory.dmp      592KB
  memory/1984-66-0x0000000000480000-0x0000000000495000-memory.dmp      84KB
  memory/1984-65-0x0000000000700000-0x0000000000A03000-memory.dmp      3.0MB
  memory/1984-63-0x000000000041F200-mapping.dmp                        (mapping only)
  memory/1984-62-0x0000000000400000-0x000000000042F000-memory.dmp      188KB