Analysis
max time kernel: 150s
max time network: 153s
platform: windows7_x64
resource: win7-en-20211104
submitted: 17-11-2021 11:35
Static task: static1
Behavioral task: behavioral1
Sample: Order Inquiry1.exe
Resource: win7-en-20211104
General
Target: Order Inquiry1.exe
Size: 293KB
MD5: 929d566cc846ea33935f22f0adc594ff
SHA1: 0dfbe5f5805416cf65dba819b70a0f31717f7f18
SHA256: 4f6a9d2f8c26c5106123e3684d72d2624e58226f0c845a265cadf80e67b49842
SHA512: ca0ce216ad180ccefb50339257514ebeb1b3b771331f4ff25288697faa68cc83d50e603932830317bf193f54e06b5ae96e46f3d9fc2b21b391b590bd6bb03e3f
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: dn7r
C2: http://www.yourherogarden.net/dn7r/
Decoy domains:
eventphotographerdfw.com
thehalalcoinstaking.com
philipfaziofineart.com
intercoh.com
gaiaseyephotography.com
chatbotforrealestate.com
lovelancemg.com
marlieskasberger.com
elcongoenespanol.info
lepirecredit.com
distribution-concept.com
e99game.com
exit11festival.com
twodollartoothbrushclub.com
cocktailsandlawn.com
performimprove.network
24horas-telefono-11840.com
cosmossify.com
kellenleote.com
perovskite.energy
crosschain.services
xiwanghe.com
mollycayton.com
bonipay.com
uuwyxc.com
viberiokno-online.com
mobceo.com
menzelna.com
tiffaniefoster.com
premiumautowesthartford.com
ownhome.house
bestmartinshop.com
splashstoreofficial.com
guidemining.com
ecshopdemo.com
bestprinting1.com
s-circle2020.com
ncagency.info
easydigitalzone.com
reikiforthecollective.com
theknottteam.com
evolvedpixel.com
japxo.online
ryansqualityrenovations.com
dentimagenquito.net
pantherprints.co.uk
apoporangi.com
thietkemietvuon.net
ifernshop.com
casaruralesgranada.com
camp-3saumons.com
eddsucks.com
blwcd.com
deldlab.com
susanperb.com
autosanitizingsolutions.com
femhouse.com
ironcageclash.com
thekinghealer.com
shaghayeghbovand.com
advertfaces.com
lonriley.com
mased-world.online
mythicspacex.com
Signatures

Formbook Payload (4 IoCs)
Memory dumps matching yara rule formbook:
behavioral1/memory/768-57-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/memory/768-58-0x000000000041F200-mapping.dmp
behavioral1/memory/768-63-0x0000000000400000-0x000000000042F000-memory.dmp
behavioral1/memory/464-70-0x0000000000080000-0x00000000000AF000-memory.dmp

Deletes itself (1 IoCs)
pid 1188 cmd.exe

Loads dropped DLL (1 IoCs)
pid 1684 Order Inquiry1.exe

Suspicious use of SetThreadContext (4 IoCs)
PID 1684 (Order Inquiry1.exe) set thread context of 768 (Order Inquiry1.exe)
PID 768 (Order Inquiry1.exe) set thread context of 1412 (Explorer.EXE)
PID 768 (Order Inquiry1.exe) set thread context of 1412 (Explorer.EXE)
PID 464 (raserver.exe) set thread context of 1412 (Explorer.EXE)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
pid 768 Order Inquiry1.exe (3 entries)
pid 464 raserver.exe (27 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid 1412 Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid 768 Order Inquiry1.exe (4 entries)
pid 464 raserver.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Token: SeDebugPrivilege, pid 768 Order Inquiry1.exe
Token: SeDebugPrivilege, pid 464 raserver.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid 1412 Explorer.EXE (2 entries)

Suspicious use of SendNotifyMessage (2 IoCs)
pid 1412 Explorer.EXE (2 entries)

Suspicious use of WriteProcessMemory (15 IoCs)
PID 1684 (Order Inquiry1.exe) wrote to memory of 768 (Order Inquiry1.exe), 7 entries
PID 1412 (Explorer.EXE) wrote to memory of 464 (raserver.exe), 4 entries
PID 464 (raserver.exe) wrote to memory of 1188 (cmd.exe), 4 entries
Processes
C:\Windows\Explorer.EXE (level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe (level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe (level 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\raserver.exe (level 2)
    command line: "C:\Windows\SysWOW64\raserver.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nstEAAE.tmp\uezelwxcsbm.dll
  MD5: bfb8387dedc90fc0e6173e46b1dd9654
  SHA1: 79a1f4aee0a3ceb09ecfd38f80d08402584a76fd
  SHA256: 47e05ff045771b182dab82d2dda462e216d309b327db88c28156a3d4c0acfa06
  SHA512: 87783fb1a4b09816b678afab97a8d604b05f768381897f2c3b7d2c2f14a668b07577995b22da94b1a906f04524f37196ca23aaddba8f0813a51b26d8938b345f

memory/464-66-0x0000000000000000-mapping.dmp
memory/464-72-0x0000000001CD0000-0x0000000001D64000-memory.dmp, Filesize: 592KB
memory/464-70-0x0000000000080000-0x00000000000AF000-memory.dmp, Filesize: 188KB
memory/464-69-0x0000000001F60000-0x0000000002263000-memory.dmp, Filesize: 3.0MB
memory/464-68-0x00000000006E0000-0x00000000006FC000-memory.dmp, Filesize: 112KB
memory/768-61-0x0000000000360000-0x0000000000375000-memory.dmp, Filesize: 84KB
memory/768-63-0x0000000000400000-0x000000000042F000-memory.dmp, Filesize: 188KB
memory/768-64-0x00000000003A0000-0x00000000003B5000-memory.dmp, Filesize: 84KB
memory/768-60-0x0000000000890000-0x0000000000B93000-memory.dmp, Filesize: 3.0MB
memory/768-58-0x000000000041F200-mapping.dmp
memory/768-57-0x0000000000400000-0x000000000042F000-memory.dmp, Filesize: 188KB
memory/1188-71-0x0000000000000000-mapping.dmp
memory/1412-65-0x0000000005160000-0x0000000005214000-memory.dmp, Filesize: 720KB
memory/1412-62-0x0000000006D10000-0x0000000006E9C000-memory.dmp, Filesize: 1.5MB
memory/1412-73-0x0000000007CE0000-0x0000000007E48000-memory.dmp, Filesize: 1.4MB
memory/1684-55-0x0000000075C51000-0x0000000075C53000-memory.dmp, Filesize: 8KB