Analysis
- max time kernel: 148s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 17:28
Static task: static1
Behavioral task: behavioral1
- Sample: order 0091.com.exe
- Resource: win7-en-20210920
General
- Target: order 0091.com.exe
- Size: 427KB
- MD5: c6d40c961c2a1940c29ff433fc9217ee
- SHA1: a55d2f584620864fe9eb49e7647bb86fc2c20050
- SHA256: cf0d36f933310c07f1554db7e6e8a2e79c01ee933717e13f96ae841302306512
- SHA512: 97c9df9f0492303c86a94e0fb25edac5cbd23e30cc4bcddc00ef47f7b70a7642da57f144bfa505a3ef0cad2de7f8d4fe464e58df931aeb54861e57c84f65fff7
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: dn7r
- C2: http://www.yourherogarden.net/dn7r/
Signatures

Formbook Payload (3 IoCs)
Resource / YARA rule:
- behavioral2/memory/3460-116-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3460-117-0x000000000041F200-mapping.dmp: formbook
- behavioral2/memory/2112-125-0x0000000003050000-0x000000000307F000-memory.dmp: formbook

Loads dropped DLL (1 IoC)
Processes:
- PID 712 order 0091.com.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (pid / process / target process):
- PID 712 order 0091.com.exe set thread context of 3460 order 0091.com.exe
- PID 3460 order 0091.com.exe set thread context of 3056 Explorer.EXE
- PID 2112 wlanext.exe set thread context of 3056 Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (60 IoCs)
Processes:
- PID 3460 order 0091.com.exe (4 events)
- PID 2112 wlanext.exe (56 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- PID 3056 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
- PID 3460 order 0091.com.exe (3 events)
- PID 2112 wlanext.exe (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- PID 3460 order 0091.com.exe: Token: SeDebugPrivilege
- PID 2112 wlanext.exe: Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
- PID 3056 Explorer.EXE (2 events)

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
- PID 3056 Explorer.EXE (2 events)

Suspicious use of WriteProcessMemory (12 IoCs)
Processes (pid / process / target process):
- PID 712 order 0091.com.exe wrote to memory of 3460 order 0091.com.exe (6 events)
- PID 3056 Explorer.EXE wrote to memory of 2112 wlanext.exe (3 events)
- PID 2112 wlanext.exe wrote to memory of 1600 cmd.exe (3 events)
Processes

Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\order 0091.com.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\order 0091.com.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\order 0091.com.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\order 0091.com.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\order 0091.com.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- \Users\Admin\AppData\Local\Temp\nsvC546.tmp\brfrqelhtqi.dll
  MD5: 08f8c05553706af957306d9cce346ebb
  SHA1: bc1ccb5f00c582752d4a5103b122fe5299dad8d4
  SHA256: 628e6ecd0231ccdefd6d684a8d0f07ff16f0213ae04e29adb7ff94853cce2cc3
  SHA512: 3dd9ea6672f45734931e194b066fe042a4d79e6cdd8a8999b874b7a4eaacf09d123e77d996be795b0d6e131fd9555e17fd4af445c1ad8c9a9cd3cb5f0ec1e0a1
- memory/1600-123-0x0000000000000000-mapping.dmp
- memory/2112-125-0x0000000003050000-0x000000000307F000-memory.dmp (Filesize: 188KB)
- memory/2112-122-0x0000000000000000-mapping.dmp
- memory/2112-124-0x0000000000950000-0x0000000000967000-memory.dmp (Filesize: 92KB)
- memory/2112-126-0x0000000003590000-0x00000000038B0000-memory.dmp (Filesize: 3.1MB)
- memory/2112-127-0x0000000003270000-0x0000000003304000-memory.dmp (Filesize: 592KB)
- memory/3056-121-0x0000000004D20000-0x0000000004E88000-memory.dmp (Filesize: 1.4MB)
- memory/3056-128-0x0000000005B70000-0x0000000005CB4000-memory.dmp (Filesize: 1.3MB)
- memory/3460-119-0x00000000009F0000-0x0000000000D10000-memory.dmp (Filesize: 3.1MB)
- memory/3460-120-0x00000000009D0000-0x00000000009E5000-memory.dmp (Filesize: 84KB)
- memory/3460-117-0x000000000041F200-mapping.dmp
- memory/3460-116-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)