Analysis
max time kernel: 148s
max time network: 136s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 07-12-2022 07:17
Static task: static1
Behavioral task: behavioral1
Sample: ORDER__9.EXE.exe
Resource: win7-20220901-en
General
Target: ORDER__9.EXE.exe
Size: 259KB
MD5: 227e97fd58338811c7c831524ba17f0d
SHA1: 9ddb00c67fa1a5eaa1687fcf478d04d7e37c5514
SHA256: f5cd237bed69b3fd27584548ca0f4ea6244a16174b51ab2b62be2a6c2a7159e7
SHA512: efff3e3bce3a313992354d18e589b44180c091514d19d9ffb0ebca8e30afa694d4b7ccf297e4e804e14dd04356ac34b5e763f0cd0add3f97db808eff0580672e
SSDEEP: 6144:QBn1U6sxaTc7gU2KF+TW+V86v53P2jT+YI:gUPaTRYXm95f2LI
Malware Config
Extracted
formbook
4.1
pr28
Signatures

Formbook payload (3 IoCs)
resource | yara_rule
behavioral1/memory/560-65-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral1/memory/764-71-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook
behavioral1/memory/764-76-0x0000000000080000-0x00000000000AF000-memory.dmp | formbook

Executes dropped EXE (2 IoCs)
pid | Process
840 | yqtmj.exe
560 | yqtmj.exe

Loads dropped DLL (2 IoCs)
pid | Process
1308 | ORDER__9.EXE.exe
840 | yqtmj.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 840 set thread context of 560 | 840 | yqtmj.exe | 29
PID 560 set thread context of 1212 | 560 | yqtmj.exe | 14
PID 764 set thread context of 1212 | 764 | chkdsk.exe | 14

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Enumerates system info in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | chkdsk.exe

Suspicious behavior: EnumeratesProcesses (27 IoCs)
pid | Process
560 | yqtmj.exe (2 hits)
764 | chkdsk.exe (25 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
1212 | Explorer.EXE

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
840 | yqtmj.exe (1 hit)
560 | yqtmj.exe (3 hits)
764 | chkdsk.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 560 | yqtmj.exe
Token: SeDebugPrivilege | 764 | chkdsk.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1212 | Explorer.EXE (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
1212 | Explorer.EXE (2 hits)

Suspicious use of WriteProcessMemory (17 IoCs)
description | pid | Process | procid_target
PID 1308 wrote to memory of 840 | 1308 | ORDER__9.EXE.exe | 27 (4 hits)
PID 840 wrote to memory of 560 | 840 | yqtmj.exe | 29 (5 hits)
PID 1212 wrote to memory of 764 | 1212 | Explorer.EXE | 30 (4 hits)
PID 764 wrote to memory of 1764 | 764 | chkdsk.exe | 31 (4 hits)
Processes

C:\Windows\Explorer.EXE (PID 1212), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\ORDER__9.EXE.exe (PID 1308), command line: "C:\Users\Admin\AppData\Local\Temp\ORDER__9.EXE.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\yqtmj.exe (PID 840), command line: "C:\Users\Admin\AppData\Local\Temp\yqtmj.exe" C:\Users\Admin\AppData\Local\Temp\forzva.whj
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\yqtmj.exe (PID 560), command line: "C:\Users\Admin\AppData\Local\Temp\yqtmj.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\chkdsk.exe (PID 764), command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1764), command line: /c del "C:\Users\Admin\AppData\Local\Temp\yqtmj.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 5KB
MD5: 52d0f6a84019b64b1367f9a85e9b49f9
SHA1: ddb47861c8aad95af9e33fbf1ebe4556b7744e8d
SHA256: cdc649db185a51e5ee61942c135a003340d425bf7fccfe62172907485c5451f4
SHA512: 4effcdc878837e5713b036213a1f20de3c705056b0998b0b9384e2bc577b6d97ec3a67717aaacd65401a0543c116fc254ebc29458d95d251c1dad85aaccd3da3

Filesize: 185KB
MD5: 6dc84948d15eb3e4e0ffa150721cb56d
SHA1: 744375f6063be96c219ac2a77b7a83b950abf7d2
SHA256: 25619bf05012a64e668f6e4193560f05a2fc7544dfdbfd1cb4b8bd7210dd48f2
SHA512: 5fdb1ebcd025b2f6f9778f81988e7a34085d7f333697a7d5f02879c689a9d1c6f88d7fef895d71b68ffbd18db837359e8cc72af0c28d491fad1e88cd26761a33

Filesize: 100KB
MD5: db6e8d7728ac0cb43fd68837b3893cfd
SHA1: e380628a5f49bee69b6d4a7add4a5e3098a53c61
SHA256: d347f23fffc573fb0dd9172e2ad85bb08daf63f471a939ac360c9e67c02a02f6
SHA512: 3633ee0728ac51f409b4c545e68949ac5885bb968a387d836e0c46826b9f788f9c936ad005a4a3b0d51b9964ad2d6508d28ee99b3d717b20c28b7fdf28133221