Overview

overview

10

Static

static

1

Order Inquiry1.exe

windows7_x64

10

Order Inquiry1.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    17-11-2021 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Order Inquiry1.exe

  • Size

    293KB

  • MD5

    929d566cc846ea33935f22f0adc594ff

  • SHA1

    0dfbe5f5805416cf65dba819b70a0f31717f7f18

  • SHA256

    4f6a9d2f8c26c5106123e3684d72d2624e58226f0c845a265cadf80e67b49842

  • SHA512

    ca0ce216ad180ccefb50339257514ebeb1b3b771331f4ff25288697faa68cc83d50e603932830317bf193f54e06b5ae96e46f3d9fc2b21b391b590bd6bb03e3f

Score
10/10
formbookdn7rratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

C2

http://www.yourherogarden.net/dn7r/

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe
      "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2476
      • C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe
        "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3828
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3756
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
        3⤵
          PID:3988

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsrC882.tmp\uezelwxcsbm.dll
      MD5

      bfb8387dedc90fc0e6173e46b1dd9654

      SHA1

      79a1f4aee0a3ceb09ecfd38f80d08402584a76fd

      SHA256

      47e05ff045771b182dab82d2dda462e216d309b327db88c28156a3d4c0acfa06

      SHA512

      87783fb1a4b09816b678afab97a8d604b05f768381897f2c3b7d2c2f14a668b07577995b22da94b1a906f04524f37196ca23aaddba8f0813a51b26d8938b345f

      Download Submit
    • memory/3056-128-0x0000000005050000-0x00000000051B5000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3056-121-0x00000000025C0000-0x000000000269D000-memory.dmp
      Filesize

      884KB

      Download
    • memory/3756-124-0x0000000002FA0000-0x0000000002FCF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3756-127-0x0000000003640000-0x00000000036D4000-memory.dmp
      Filesize

      592KB

      Download
    • memory/3756-126-0x00000000037E0000-0x0000000003B00000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3756-122-0x0000000000000000-mapping.dmp
      Download
    • memory/3756-123-0x0000000000C40000-0x0000000000C4B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3828-119-0x0000000000A70000-0x0000000000D90000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3828-120-0x00000000005C0000-0x00000000005D5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/3828-117-0x000000000041F200-mapping.dmp
      Download
    • memory/3828-116-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3988-125-0x0000000000000000-mapping.dmp
      Download