Analysis
Max time kernel: 148s
Max time network: 135s
Platform: windows7_x64
Resource: win7-20230220-en
Resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
Submitted: 27-03-2023 15:19
Static task: static1
Behavioral task: behavioral1
  Sample: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  Resource: win10v2004-20230220-en
General
Target: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
Size: 776KB
MD5: 39f0289d03e15ee2dc83e561645c4a6d
SHA1: b20ed4c283b9af631ff89720f8242392c4b9543f
SHA256: 63e437a647e0cd76c38f1e73b5f1d5aa54c8e6a7f26cd31bd0fae9b1994751e9
SHA512: 63ecdbc41f9ad0939521e0120e1765320c262b1f47e0b869e47e3bd31fce5d4a10a9d78d6202c0cd6ce1f0d8708492685655e8d33974770c078ff39c3e3c9aad
SSDEEP: 24576:uMwf+m50w/dByz96NHuhR60AkJApfZ5ZM1P3A6YlBE5GwM:uMwf0w/dsEwRTApfrW93AXbENM
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: u34f
Decoy domains:
carpool.bar
badburyparkbakery.co.uk
aigooglebot.com
arihantautogas.com
specmart.online
newschatgpt.net
mmcroberts.com
ativeerrtechnologies.com
pheonix-blog-lomg-1098.com
simplisetup.com
teorikatapublishing.com
stephanyvgrfingle.click
tropicoa.com
isystem.world
tiger-lion.space
mackenziefarms.net
tl8841.buzz
alfabank.credit
lockdaccesactolapqqk.com
directaccesspetroleum.com
seastheday.world
labxinfo.net
schachtuniere.com
rebalcompany.com
fazzhq.com
giups.com
gamma-distribution.com
dengizaim1969.ru
besocialeventsnj.com
iwnu.buzz
discoverthrift.com
lepornogayplus.com
rapiddermscan.com
emdhconstruction.com
mistersim.space
shoplasana.com
osomsites.com
nesttutorial.store
cbizgrowth.site
forandagainst.studio
gimmetimes.com
ladywhistleblow.com
todaysiphone.com
bizbuxs.com
loasterfio.fun
9506x.xyz
uptimegator.com
0755cars.com
knightofcali.com
shopwvkmb.site
maddies-shop.com
matrixhypermarket.com
zulutrade-ai.store
rangerfps.online
telecomds.online
marsspider.com
regensburg-apartment.com
thienhavosong.click
consultavenue.com
nutriversalfitness.com
ircecnter.com
olmctemperance.com
wildberriys.ru
pontoazevedo.com
goingsalary.tech
Signatures

Formbook payload (4 IoCs)
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/568-93-0x0000000000400000-0x0000000001462000-memory.dmp   formbook
  behavioral1/memory/568-101-0x0000000000400000-0x0000000001462000-memory.dmp  formbook
  behavioral1/memory/1736-103-0x0000000000070000-0x000000000009F000-memory.dmp formbook
  behavioral1/memory/1736-105-0x0000000000070000-0x000000000009F000-memory.dmp formbook
Checks QEMU agent file (2 TTPs, 2 IoCs)
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  description             ioc                                   process
  File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  File opened (read-only) C:\Program Files\Qemu-ga\qemu-ga.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe

Loads dropped DLL (1 IoC)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  pid  process
  836  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  pid  process
  568  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  pid  process
  836  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  568  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, wscript.exe
  description                          pid   process                                 target process
  PID 836 set thread context of 568    836   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  PID 568 set thread context of 1256   568   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  Explorer.EXE
  PID 1736 set thread context of 1256  1736  wscript.exe                             Explorer.EXE
Drops file in Program Files directory (1 IoC)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  description                   ioc                                     process
  File opened for modification  C:\Program Files (x86)\Servantry.ini    NEW ORDERS RIPLEY CHILE - WDSCHILE.exe

Drops file in Windows directory (1 IoC)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  description                   ioc                                     process
  File opened for modification  C:\Windows\Akustikerne\Blinker42.Vel33  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, wscript.exe
  pid   process
  568   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  568   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  1736  wscript.exe
  1736  wscript.exe
  1736  wscript.exe

Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, wscript.exe
  pid   process
  836   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  568   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  568   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  568   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  1736  wscript.exe
  1736  wscript.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, Explorer.EXE, wscript.exe
  description                 pid   process
  Token: SeDebugPrivilege     568   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  Token: SeShutdownPrivilege  1256  Explorer.EXE
  Token: SeDebugPrivilege     1736  wscript.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: Explorer.EXE
  pid   process
  1256  Explorer.EXE
  1256  Explorer.EXE

Suspicious use of SendNotifyMessage (2 IoCs)
Processes: Explorer.EXE
  pid   process
  1256  Explorer.EXE
  1256  Explorer.EXE

Suspicious use of WriteProcessMemory (13 IoCs)
Processes: NEW ORDERS RIPLEY CHILE - WDSCHILE.exe, Explorer.EXE, wscript.exe
  description                     pid   process                                 target process
  PID 836 wrote to memory of 568   836   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  PID 836 wrote to memory of 568   836   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  PID 836 wrote to memory of 568   836   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  PID 836 wrote to memory of 568   836   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  PID 836 wrote to memory of 568   836   NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  NEW ORDERS RIPLEY CHILE - WDSCHILE.exe
  PID 1256 wrote to memory of 1736 1256  Explorer.EXE                            wscript.exe
  PID 1256 wrote to memory of 1736 1256  Explorer.EXE                            wscript.exe
  PID 1256 wrote to memory of 1736 1256  Explorer.EXE                            wscript.exe
  PID 1256 wrote to memory of 1736 1256  Explorer.EXE                            wscript.exe
  PID 1736 wrote to memory of 1064 1736  wscript.exe                             cmd.exe
  PID 1736 wrote to memory of 1064 1736  wscript.exe                             cmd.exe
  PID 1736 wrote to memory of 1064 1736  wscript.exe                             cmd.exe
  PID 1736 wrote to memory of 1064 1736  wscript.exe                             cmd.exe
Processes
C:\Windows\Explorer.EXE  (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe"
    - Checks QEMU agent file
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe  (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe"
      - Checks QEMU agent file
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wscript.exe  (depth 2)
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (depth 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDERS RIPLEY CHILE - WDSCHILE.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
\Users\Admin\AppData\Local\Temp\nsdF9C.tmp\System.dll
  Filesize: 12KB
  MD5: 564bb0373067e1785cba7e4c24aab4bf
  SHA1: 7c9416a01d821b10b2eef97b80899d24014d6fc1
  SHA256: 7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5
  SHA512: 22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

memory/568-101-0x0000000000400000-0x0000000001462000-memory.dmp  (Filesize: 16.4MB)
memory/568-70-0x0000000000400000-0x0000000001462000-memory.dmp   (Filesize: 16.4MB)
memory/568-68-0x0000000000400000-0x0000000001462000-memory.dmp   (Filesize: 16.4MB)
memory/568-98-0x0000000001470000-0x0000000005B28000-memory.dmp   (Filesize: 70.7MB)
memory/568-94-0x0000000001470000-0x0000000005B28000-memory.dmp   (Filesize: 70.7MB)
memory/568-95-0x0000000036020000-0x0000000036323000-memory.dmp   (Filesize: 3.0MB)
memory/568-96-0x0000000035EF0000-0x0000000035F04000-memory.dmp   (Filesize: 80KB)
memory/568-93-0x0000000000400000-0x0000000001462000-memory.dmp   (Filesize: 16.4MB)
memory/568-69-0x0000000000400000-0x0000000001462000-memory.dmp   (Filesize: 16.4MB)
memory/1256-109-0x0000000005E50000-0x0000000005FBB000-memory.dmp (Filesize: 1.4MB)
memory/1256-97-0x0000000005E50000-0x0000000005FBB000-memory.dmp  (Filesize: 1.4MB)
memory/1256-107-0x0000000002B10000-0x0000000002B3B000-memory.dmp (Filesize: 172KB)
memory/1736-100-0x0000000000260000-0x0000000000286000-memory.dmp (Filesize: 152KB)
memory/1736-103-0x0000000000070000-0x000000000009F000-memory.dmp (Filesize: 188KB)
memory/1736-104-0x0000000001F20000-0x0000000002223000-memory.dmp (Filesize: 3.0MB)
memory/1736-105-0x0000000000070000-0x000000000009F000-memory.dmp (Filesize: 188KB)
memory/1736-108-0x00000000022D0000-0x0000000002363000-memory.dmp (Filesize: 588KB)
memory/1736-99-0x0000000000260000-0x0000000000286000-memory.dmp  (Filesize: 152KB)