Analysis
- max time kernel: 148s
- max time network: 141s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 17-11-2021 11:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: Order Inquiry1.exe
- Resource: win7-en-20211104
General
- Target: Order Inquiry1.exe
- Size: 293KB
- MD5: 929d566cc846ea33935f22f0adc594ff
- SHA1: 0dfbe5f5805416cf65dba819b70a0f31717f7f18
- SHA256: 4f6a9d2f8c26c5106123e3684d72d2624e58226f0c845a265cadf80e67b49842
- SHA512: ca0ce216ad180ccefb50339257514ebeb1b3b771331f4ff25288697faa68cc83d50e603932830317bf193f54e06b5ae96e46f3d9fc2b21b391b590bd6bb03e3f
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: dn7r
- C2: http://www.yourherogarden.net/dn7r/
Decoy domains (64):
eventphotographerdfw.com
thehalalcoinstaking.com
philipfaziofineart.com
intercoh.com
gaiaseyephotography.com
chatbotforrealestate.com
lovelancemg.com
marlieskasberger.com
elcongoenespanol.info
lepirecredit.com
distribution-concept.com
e99game.com
exit11festival.com
twodollartoothbrushclub.com
cocktailsandlawn.com
performimprove.network
24horas-telefono-11840.com
cosmossify.com
kellenleote.com
perovskite.energy
crosschain.services
xiwanghe.com
mollycayton.com
bonipay.com
uuwyxc.com
viberiokno-online.com
mobceo.com
menzelna.com
tiffaniefoster.com
premiumautowesthartford.com
ownhome.house
bestmartinshop.com
splashstoreofficial.com
guidemining.com
ecshopdemo.com
bestprinting1.com
s-circle2020.com
ncagency.info
easydigitalzone.com
reikiforthecollective.com
theknottteam.com
evolvedpixel.com
japxo.online
ryansqualityrenovations.com
dentimagenquito.net
pantherprints.co.uk
apoporangi.com
thietkemietvuon.net
ifernshop.com
casaruralesgranada.com
camp-3saumons.com
eddsucks.com
blwcd.com
deldlab.com
susanperb.com
autosanitizingsolutions.com
femhouse.com
ironcageclash.com
thekinghealer.com
shaghayeghbovand.com
advertfaces.com
lonriley.com
mased-world.online
mythicspacex.com
Signatures
- Formbook Payload (3 IoCs)
  Processes (resource: yara_rule):
  - behavioral2/memory/3828-116-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
  - behavioral2/memory/3828-117-0x000000000041F200-mapping.dmp: formbook
  - behavioral2/memory/3756-124-0x0000000002FA0000-0x0000000002FCF000-memory.dmp: formbook
- Loads dropped DLL (1 IoC)
  Processes (pid process):
  - 2476 Order Inquiry1.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description; pid process -> target process):
  - PID 2476 set thread context of 3828; 2476 Order Inquiry1.exe -> Order Inquiry1.exe
  - PID 3828 set thread context of 3056; 3828 Order Inquiry1.exe -> Explorer.EXE
  - PID 3756 set thread context of 3056; 3756 ipconfig.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  Processes (pid process):
  - 3756 ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes (pid process, repeated events collapsed):
  - 3828 Order Inquiry1.exe (4 events)
  - 3756 ipconfig.exe (56 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes (pid process):
  - 3056 Explorer.EXE
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid process, repeated events collapsed):
  - 3828 Order Inquiry1.exe (3 events)
  - 3756 ipconfig.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description; pid process):
  - Token: SeDebugPrivilege; 3828 Order Inquiry1.exe
  - Token: SeDebugPrivilege; 3756 ipconfig.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description; pid process -> target process; repeated events collapsed):
  - PID 2476 wrote to memory of 3828; 2476 Order Inquiry1.exe -> Order Inquiry1.exe (6 events)
  - PID 3056 wrote to memory of 3756; 3056 Explorer.EXE -> ipconfig.exe (3 events)
  - PID 3756 wrote to memory of 3988; 3756 ipconfig.exe -> cmd.exe (3 events)
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\ipconfig.exe
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Order Inquiry1.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\nsrC882.tmp\uezelwxcsbm.dll
  MD5: bfb8387dedc90fc0e6173e46b1dd9654
  SHA1: 79a1f4aee0a3ceb09ecfd38f80d08402584a76fd
  SHA256: 47e05ff045771b182dab82d2dda462e216d309b327db88c28156a3d4c0acfa06
  SHA512: 87783fb1a4b09816b678afab97a8d604b05f768381897f2c3b7d2c2f14a668b07577995b22da94b1a906f04524f37196ca23aaddba8f0813a51b26d8938b345f
- memory/3056-128-0x0000000005050000-0x00000000051B5000-memory.dmp (Filesize: 1.4MB)
- memory/3056-121-0x00000000025C0000-0x000000000269D000-memory.dmp (Filesize: 884KB)
- memory/3756-124-0x0000000002FA0000-0x0000000002FCF000-memory.dmp (Filesize: 188KB)
- memory/3756-127-0x0000000003640000-0x00000000036D4000-memory.dmp (Filesize: 592KB)
- memory/3756-126-0x00000000037E0000-0x0000000003B00000-memory.dmp (Filesize: 3.1MB)
- memory/3756-122-0x0000000000000000-mapping.dmp
- memory/3756-123-0x0000000000C40000-0x0000000000C4B000-memory.dmp (Filesize: 44KB)
- memory/3828-119-0x0000000000A70000-0x0000000000D90000-memory.dmp (Filesize: 3.1MB)
- memory/3828-120-0x00000000005C0000-0x00000000005D5000-memory.dmp (Filesize: 84KB)
- memory/3828-117-0x000000000041F200-mapping.dmp
- memory/3828-116-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/3988-125-0x0000000000000000-mapping.dmp