Analysis
Max time kernel: 150s
Max time network: 156s
Platform: windows10_x64
Resource: win10v20210408
Submitted: 12-10-2021 12:05
Static task: static1
Behavioral task: behavioral1
Sample: orde443123.exe
Resource: win7-en-20210920
General
Target: orde443123.exe
Size: 250KB
MD5: bfb2b5d00165cb4984c29c172e0dad8d
SHA1: e5baa4cfe4b0ec678910e94fc8785fd28605bb6b
SHA256: e6aaec2b958d4b734ff02c7c63b7e24a619eef826efb16b955ebe5306b9953aa
SHA512: d0d20eda540283ead0b873c27f047c7f433c4f85e1a8b890c8c4ef7daeebc91c691c2aad59de1eccca26cc8748ba123f55200a183dd7a1421f98dbd264e96815
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: rv9n
C2: http://www.cjspizza.net/rv9n/
Decoy domains: 64 entries (list not reproduced)
Signatures

Formbook Payload (3 IoCs)
Resource / YARA rule:
- behavioral2/memory/744-116-0x000000000041F120-mapping.dmp: formbook
- behavioral2/memory/744-115-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3032-123-0x0000000000420000-0x000000000044F000-memory.dmp: formbook

Loads dropped DLL (1 IoC)
Processes:
- PID 4648 orde443123.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 4648 orde443123.exe set thread context of PID 744 orde443123.exe
- PID 744 orde443123.exe set thread context of PID 3048 Explorer.EXE
- PID 3032 NETSTAT.EXE set thread context of PID 3048 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
Processes:
- PID 3032 NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
- PID 744 orde443123.exe (4 occurrences)
- PID 3032 NETSTAT.EXE (56 occurrences)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 3048 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 744 orde443123.exe (3 occurrences)
- PID 3032 NETSTAT.EXE (2 occurrences)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 744 orde443123.exe: Token: SeDebugPrivilege
- PID 3032 NETSTAT.EXE: Token: SeDebugPrivilege

Suspicious use of UnmapMainImage (1 IoC)
Processes:
- PID 3048 Explorer.EXE

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
- PID 4648 orde443123.exe wrote to memory of PID 744 orde443123.exe (6 occurrences)
- PID 3048 Explorer.EXE wrote to memory of PID 3032 NETSTAT.EXE (3 occurrences)
- PID 3032 NETSTAT.EXE wrote to memory of PID 4184 cmd.exe (3 occurrences)
Processes

C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\orde443123.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\orde443123.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\orde443123.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\orde443123.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\NETSTAT.EXE
    Command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\orde443123.exe"
Downloads

\Users\Admin\AppData\Local\Temp\nspAC44.tmp\irjzbmbgo.dll
MD5: 3525f0279729cb34e886c8a83b5ce9c8
SHA1: b6edfeff839616e0155026cabed1e48de96a9063
SHA256: 082c9b72407d063bb96c2830bcaf5f285d2d616e8a8d729a52b39ccbd30b8211
SHA512: 2c74fc1a977204adb58a1af19850fa705716ca5c9b1d42f2b0d84dfe14a2e5c6af5f9e158b4cc132c1874de3b67cdd422cfc00e0dad63982718d5d0ce5f31f55

Memory dumps (filesize where reported):
- memory/744-116-0x000000000041F120-mapping.dmp
- memory/744-115-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
- memory/744-119-0x00000000008E0000-0x00000000008F4000-memory.dmp (80KB)
- memory/744-118-0x0000000000980000-0x0000000000CA0000-memory.dmp (3.1MB)
- memory/3032-121-0x0000000000000000-mapping.dmp
- memory/3032-123-0x0000000000420000-0x000000000044F000-memory.dmp (188KB)
- memory/3032-122-0x0000000001210000-0x000000000121B000-memory.dmp (44KB)
- memory/3032-125-0x0000000000B00000-0x0000000000E20000-memory.dmp (3.1MB)
- memory/3032-126-0x0000000000960000-0x00000000009F3000-memory.dmp (588KB)
- memory/3048-120-0x00000000051C0000-0x00000000052E1000-memory.dmp (1.1MB)
- memory/3048-127-0x00000000029B0000-0x0000000002A4D000-memory.dmp (628KB)
- memory/4184-124-0x0000000000000000-mapping.dmp