Analysis
- max time kernel: 148s
- max time network: 139s
- platform: windows10_x64
- resource: win10-en-20211104
- submitted: 16-11-2021 12:14
Static task: static1
Behavioral task: behavioral1
Sample: new order.exe
Resource: win7-en-20211014
General
- Target: new order.exe
- Size: 506KB
- MD5: 42d37691292ac45ed40d57c76b335cd5
- SHA1: 9b7e5e7d353cab9c42edb33a060f9d91200192f9
- SHA256: ea03c34322299aafb7f2c7b442ff7f4a661ea952bddb76b83a1c274460eb45a5
- SHA512: 8a3f2b7b8b3f6235637a4c8839998fe3cdb27376c086f1ea9a8d4146b020d7426efeb38e68d415686b63f5ff7a27b8ec6a17fc22ef37e79b21271225114b7c27
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: jy0b
- C2: http://www.filecrev.com/jy0b/
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Resources (yara_rule):
- behavioral2/memory/3972-119-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3972-120-0x000000000041F150-mapping.dmp: formbook
- behavioral2/memory/4088-127-0x0000000000A20000-0x0000000000A4F000-memory.dmp: formbook
Loads dropped DLL 1 IoCs
Processes:
- PID 516 new order.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
- PID 516 (new order.exe) set thread context of 3972 (new order.exe)
- PID 3972 (new order.exe) set thread context of 2716 (Explorer.EXE)
- PID 4088 (cmmon32.exe) set thread context of 2716 (Explorer.EXE)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
- PID 3972 new order.exe (4 entries)
- PID 4088 cmmon32.exe (56 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 2716 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
- PID 3972 new order.exe (3 entries)
- PID 4088 cmmon32.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
- PID 3972 new order.exe: Token: SeDebugPrivilege
- PID 4088 cmmon32.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
- PID 516 (new order.exe) wrote to memory of 3972 (new order.exe) (6 entries)
- PID 2716 (Explorer.EXE) wrote to memory of 4088 (cmmon32.exe) (3 entries)
- PID 4088 (cmmon32.exe) wrote to memory of 4228 (cmd.exe) (3 entries)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\new order.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\new order.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\new order.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\new order.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsgA097.tmp\jagzgkp.dll
  MD5: 1d837eefac21fec00909dbfb5b56a513
  SHA1: 40ff5b73d8d69305cb6c1dc4b57f1cd0c7e7b429
  SHA256: 02311063d33ba8efdde6229dfa0759e6d4ae6daa41bc560ccc5e61a032fe42bf
  SHA512: 7d0997201bfb60fc6a2b61fb16cfe25d784ec723aa84f4b3c339d40fe887f2668a08525bf81acd992f47b67c2416ecf5331b7a63cfa503b39bae805aab39643b
- memory/2716-131-0x0000000005FB0000-0x00000000060BC000-memory.dmp (Filesize: 1.0MB)
- memory/2716-124-0x0000000005D30000-0x0000000005E8B000-memory.dmp (Filesize: 1.4MB)
- memory/3972-119-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/3972-120-0x000000000041F150-mapping.dmp
- memory/3972-123-0x00000000008E0000-0x00000000008F4000-memory.dmp (Filesize: 80KB)
- memory/3972-122-0x0000000000990000-0x0000000000CB0000-memory.dmp (Filesize: 3.1MB)
- memory/4088-125-0x0000000000000000-mapping.dmp
- memory/4088-127-0x0000000000A20000-0x0000000000A4F000-memory.dmp (Filesize: 188KB)
- memory/4088-128-0x00000000049B0000-0x0000000004CD0000-memory.dmp (Filesize: 3.1MB)
- memory/4088-130-0x0000000004720000-0x00000000047B3000-memory.dmp (Filesize: 588KB)
- memory/4088-126-0x0000000000A60000-0x0000000000A6C000-memory.dmp (Filesize: 48KB)
- memory/4228-129-0x0000000000000000-mapping.dmp