Analysis
max time kernel: 145s
max time network: 144s
platform: windows7_x64
resource: win7-en-20210920
submitted: 25-10-2021 16:52
Static task: static1
Behavioral task: behavioral1
Sample: otr69022.exe
Resource: win7-en-20210920
General
Target: otr69022.exe
Size: 256KB
MD5: 00e7692bd5da0993f8cd7ed1c4b35d26
SHA1: 6c342d8f0b727586f58007fa8073e5176ee7b652
SHA256: c115f11cec4e606d14bd5df33ea033f0311ca2e9915e5fb7908736b9cfa18729
SHA512: 7ccc7c1e315046af035c2e9bb1f0d101db1d1db234c3d9eacae8e70548cfe76afeab0ba7eade78c06c906715487ca69912ca8d2be143e70508a77f4d643a5a30
Malware Config
Extracted
formbook
4.1
rv9n
http://www.cjspizza.net/rv9n/
Signatures

Formbook Payload 3 IoCs
Processes:
resource  yara_rule
behavioral1/memory/760-56-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/760-57-0x000000000041F120-mapping.dmp  formbook
behavioral1/memory/1260-65-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook

Deletes itself 1 IoCs
Processes:
pid  process
1388  cmd.exe

Loads dropped DLL 1 IoCs
Processes:
pid  process
332  otr69022.exe

Suspicious use of SetThreadContext 3 IoCs
Processes:
description  pid  process  target process
PID 332 set thread context of 760  332  otr69022.exe  otr69022.exe
PID 760 set thread context of 1392  760  otr69022.exe  Explorer.EXE
PID 1260 set thread context of 1392  1260  cmd.exe  Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid  process
760  otr69022.exe  (2 entries)
1260  cmd.exe  (28 entries)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid  process
1392  Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid  process
760  otr69022.exe  (3 entries)
1260  cmd.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  760  otr69022.exe
Token: SeDebugPrivilege  1260  cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid  process
1392  Explorer.EXE  (2 entries)

Suspicious use of SendNotifyMessage 2 IoCs
Processes:
pid  process
1392  Explorer.EXE  (2 entries)

Suspicious use of WriteProcessMemory 15 IoCs
Processes:
description  pid  process  target process
PID 332 wrote to memory of 760  332  otr69022.exe  otr69022.exe  (7 entries)
PID 1392 wrote to memory of 1260  1392  Explorer.EXE  cmd.exe  (4 entries)
PID 1260 wrote to memory of 1388  1260  cmd.exe  cmd.exe  (4 entries)
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\otr69022.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\otr69022.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\otr69022.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\otr69022.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    command line: "C:\Windows\SysWOW64\cmd.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\otr69022.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

\Users\Admin\AppData\Local\Temp\nstDD94.tmp\mbba.dll
MD5: e83191aac369d7512911f1c86fe6b4bf
SHA1: 4214650caa03a2b5bd086f07b24e5d98926e031e
SHA256: 370a60f0c2956e729adb71695cdb5fa413be95f92dbf43631f6747eb6bff5a48
SHA512: 6e3720a7bfa0d172fccccad9d06bf5f61ca229c7ea4f4fa5fb07e7125c5daac3f4d470fba7f8010bad9ea810289f15a982c8ed6e7bd838fc8297012185509a85

memory/332-54-0x0000000075FA1000-0x0000000075FA3000-memory.dmp
Filesize: 8KB

memory/760-56-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize: 188KB

memory/760-57-0x000000000041F120-mapping.dmp

memory/760-60-0x00000000002C0000-0x00000000002D4000-memory.dmp
Filesize: 80KB

memory/760-59-0x0000000000830000-0x0000000000B33000-memory.dmp
Filesize: 3.0MB

memory/1260-64-0x000000004A400000-0x000000004A44C000-memory.dmp
Filesize: 304KB

memory/1260-62-0x0000000000000000-mapping.dmp

memory/1260-65-0x0000000000080000-0x00000000000AF000-memory.dmp
Filesize: 188KB

memory/1260-66-0x0000000002060000-0x0000000002363000-memory.dmp
Filesize: 3.0MB

memory/1260-67-0x0000000001D90000-0x0000000001E23000-memory.dmp
Filesize: 588KB

memory/1388-63-0x0000000000000000-mapping.dmp

memory/1392-61-0x0000000006960000-0x0000000006B00000-memory.dmp
Filesize: 1.6MB

memory/1392-68-0x0000000006BE0000-0x0000000006D46000-memory.dmp
Filesize: 1.4MB