Analysis
- max time kernel: 150s
- max time network: 144s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 15-10-2021 13:15
Static task: static1
Behavioral task: behavioral1
Sample: uorr23190.exe
Resource: win7-en-20210920
General
- Target: uorr23190.exe
- Size: 249KB
- MD5: 28e013c2654f47916f1a62cf09308cad
- SHA1: fa785ccc69ec30254ee9b81f87dca6764350075e
- SHA256: fa5502396dc7ec0fc5508d901eb8b3e555558cdbaff338a1911db0edd4563b78
- SHA512: 69c2de2dd642e287a956baf250ebe592b00b93295600006232fe69e473dcd2dc350df2b0ecb7f92a3d0a20e35f8951bd8e25e6290bcf629df97e326e738f16ca
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: rv9n
- C2: http://www.cjspizza.net/rv9n/
- Decoy domains:
olivia-grace.show
zhuwww.com
keiretsu.xyz
olidnh.space
searuleansec.com
2fastrepair.com
brooklynmetalroof.com
scodol.com
novaprint.pro
the-loaner.com
nextroundscap.com
zbwlggs.com
internetautodealer.com
xn--tornrealestate-ekb.com
yunjiuhuo.com
skandinaviskakryptobanken.com
coxivarag.rest
ophthalmologylab.com
zzzzgjcdbqnn98.net
doeful.com
beatthebank.fund
deposit-pulsa2021.xyz
uptownsecuritysystems.com
thegroveonglendale.com
destinationth.com
healthcareuninsured.com
longhang.xyz
ypxwwxjqcqhutyp.com
ip-15-235-90.net
rancholachiquita.com
macblog.xyz
skillsbazar.com
beatyup.com
academiapinto.com
myguagua.com
fto8y.com
ohioleads.net
paravocebrasil.com
thecanyonmanor.com
acu-bps.com
comunicaretresessanta.net
schwa-bingcorp.com
discountcouponcodes-jp.space
kufazo.online
metaverge.club
800car.online
brendanbaehr.com
garfieldtoken.net
secretfoldr.com
13itcasino.com
marketingatelier.net
computersslide.com
marcastudios.com
thestreetsoflondon.life
maintaintest.com
cronicasdebia.com
apm-app.com
sepulchral.xyz
lodha-project.com
theartofsoulwork.com
swimminglessonsshop.com
klarnabet.com
control-of-space.net
heliumathletic.com
Signatures
- Formbook Payload (3 IoCs)
  Processes (resource | yara_rule):
  - behavioral2/memory/2268-116-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  - behavioral2/memory/2268-117-0x000000000041F120-mapping.dmp | formbook
  - behavioral2/memory/984-125-0x0000000000A80000-0x0000000000AAF000-memory.dmp | formbook
- Loads dropped DLL (1 IoCs)
  Processes (pid | process):
  - 1556 | uorr23190.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid process | target process):
  - PID 1556 set thread context of 2268 | 1556 uorr23190.exe | uorr23190.exe
  - PID 2268 set thread context of 3008 | 2268 uorr23190.exe | Explorer.EXE
  - PID 984 set thread context of 3008 | 984 wlanext.exe | Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes (pid | process):
  - 2268 | uorr23190.exe (4 events)
  - 984 | wlanext.exe (the remaining 56 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes (pid | process):
  - 3008 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid | process):
  - 2268 | uorr23190.exe (3 events)
  - 984 | wlanext.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid process):
  - Token: SeDebugPrivilege | 2268 uorr23190.exe
  - Token: SeDebugPrivilege | 984 wlanext.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description | pid process | target process):
  - PID 1556 wrote to memory of 2268 | 1556 uorr23190.exe | uorr23190.exe (6 events)
  - PID 3008 wrote to memory of 984 | 3008 Explorer.EXE | wlanext.exe (3 events)
  - PID 984 wrote to memory of 3212 | 984 wlanext.exe | cmd.exe (3 events)
Processes (indentation shows the parent/child tree; depth 1 is the root)
- [1] C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\uorr23190.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\uorr23190.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\uorr23190.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\uorr23190.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\uorr23190.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsdCBBE.tmp\yzwbonbom.dll
  MD5: 8b7c957c4a8ddf81d0ebb46d55054e1e
  SHA1: 6a17d7bf1915a1ccdfa39227a10fa443400af774
  SHA256: 1eaf128b2888192f6659cc7c70aa0db515057449f873f40e0fd3a3cd6a8105b0
  SHA512: a6579a5c8a1f26b786cd29823d0106f0b876df41256b3c21fa5d7a041c3a696b62ae87dcd0fd1336240c82bce37ae7e0ecefbf8dbb6d57c57aeaf3e399f7b2e3
- memory/984-124-0x0000000000FD0000-0x0000000000FE7000-memory.dmp
  Filesize: 92KB
- memory/984-122-0x0000000000000000-mapping.dmp
- memory/984-125-0x0000000000A80000-0x0000000000AAF000-memory.dmp
  Filesize: 188KB
- memory/984-126-0x0000000003330000-0x0000000003650000-memory.dmp
  Filesize: 3.1MB
- memory/984-127-0x0000000002FF0000-0x0000000003083000-memory.dmp
  Filesize: 588KB
- memory/2268-117-0x000000000041F120-mapping.dmp
- memory/2268-120-0x00000000008F0000-0x0000000000904000-memory.dmp
  Filesize: 80KB
- memory/2268-119-0x0000000000940000-0x0000000000C60000-memory.dmp
  Filesize: 3.1MB
- memory/2268-116-0x0000000000400000-0x000000000042F000-memory.dmp
  Filesize: 188KB
- memory/3008-121-0x0000000005AE0000-0x0000000005C49000-memory.dmp
  Filesize: 1.4MB
- memory/3008-128-0x0000000003130000-0x00000000031E2000-memory.dmp
  Filesize: 712KB
- memory/3212-123-0x0000000000000000-mapping.dmp