Analysis Overview
SHA256
716cc459f4685123823a8e5fc94768b3526c0900c98a0e51c5ce4b794b6b9f8c
Threat Level: Known bad
The file rOrderRequirements-Invoice.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Deletes itself
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-11 18:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 18:57
Reported
2023-10-12 11:15
Platform
win7-20230831-en
Max time kernel
152s
Max time network
144s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2144 set thread context of 2624 | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe |
| PID 2624 set thread context of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | C:\Windows\Explorer.EXE |
| PID 2620 set thread context of 1268 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe"
C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe"
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | www.bbmusic906.com | udp |
| US | 208.109.203.174:80 | www.bbmusic906.com | tcp |
| US | 8.8.8.8:53 | www.drillingkingtool.com | udp |
| US | 172.67.161.23:80 | www.drillingkingtool.com | tcp |
| US | 8.8.8.8:53 | www.imtmlife.online | udp |
| US | 66.96.162.144:80 | www.imtmlife.online | tcp |
Files
memory/2144-0-0x0000000000D20000-0x0000000000DF0000-memory.dmp
memory/2144-1-0x0000000073FA0000-0x000000007468E000-memory.dmp
memory/2144-2-0x0000000007200000-0x0000000007240000-memory.dmp
memory/2144-3-0x0000000000270000-0x0000000000280000-memory.dmp
memory/2144-4-0x0000000073FA0000-0x000000007468E000-memory.dmp
memory/2144-5-0x0000000007200000-0x0000000007240000-memory.dmp
memory/2144-6-0x00000000002D0000-0x00000000002DC000-memory.dmp
memory/2144-7-0x0000000007170000-0x00000000071DE000-memory.dmp
memory/2624-8-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2624-10-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2624-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2624-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2144-15-0x0000000073FA0000-0x000000007468E000-memory.dmp
memory/2624-16-0x00000000008D0000-0x0000000000BD3000-memory.dmp
memory/2624-18-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1268-20-0x0000000006780000-0x00000000068DB000-memory.dmp
memory/2624-19-0x0000000000180000-0x0000000000194000-memory.dmp
memory/2620-21-0x0000000000B60000-0x0000000000B67000-memory.dmp
memory/2620-22-0x0000000000B60000-0x0000000000B67000-memory.dmp
memory/2620-23-0x00000000000C0000-0x00000000000EF000-memory.dmp
memory/2620-24-0x0000000001F70000-0x0000000002273000-memory.dmp
memory/2620-25-0x00000000000C0000-0x00000000000EF000-memory.dmp
memory/1268-26-0x0000000006780000-0x00000000068DB000-memory.dmp
memory/2620-28-0x0000000002280000-0x0000000002313000-memory.dmp
memory/1268-29-0x0000000002DE0000-0x0000000002EE0000-memory.dmp
memory/1268-30-0x0000000003F30000-0x0000000004027000-memory.dmp
memory/1268-31-0x0000000003F30000-0x0000000004027000-memory.dmp
memory/1268-33-0x0000000003F30000-0x0000000004027000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 18:57
Reported
2023-10-12 11:15
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
157s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2796 set thread context of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe |
| PID 2456 set thread context of 3124 | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | C:\Windows\Explorer.EXE |
| PID 3248 set thread context of 3124 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe"
C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe"
C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe
"C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe"
C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rOrderRequirements-Invoice.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wyldnwestern.com | udp |
| US | 3.33.130.190:80 | www.wyldnwestern.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.105261.com | udp |
| US | 45.59.125.74:80 | www.105261.com | tcp |
| US | 8.8.8.8:53 | 74.125.59.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.vcdaawug.click | udp |
| HK | 43.154.67.170:80 | www.vcdaawug.click | tcp |
| US | 8.8.8.8:53 | 204.201.50.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.vcdaawug.click | udp |
| HK | 43.154.67.170:80 | www.vcdaawug.click | tcp |
| US | 8.8.8.8:53 | www.bmsexpert.com | udp |
| US | 3.18.7.81:80 | www.bmsexpert.com | tcp |
| US | 8.8.8.8:53 | 81.7.18.3.in-addr.arpa | udp |
Files
memory/2796-0-0x0000000075070000-0x0000000075820000-memory.dmp
memory/2796-1-0x0000000000630000-0x0000000000700000-memory.dmp
memory/2796-2-0x0000000007B50000-0x00000000080F4000-memory.dmp
memory/2796-3-0x0000000007640000-0x00000000076D2000-memory.dmp
memory/2796-4-0x0000000007610000-0x0000000007620000-memory.dmp
memory/2796-5-0x00000000075E0000-0x00000000075EA000-memory.dmp
memory/2796-6-0x0000000007870000-0x000000000790C000-memory.dmp
memory/2796-7-0x0000000007810000-0x0000000007820000-memory.dmp
memory/2796-8-0x0000000075070000-0x0000000075820000-memory.dmp
memory/2796-9-0x0000000007610000-0x0000000007620000-memory.dmp
memory/2796-10-0x0000000007A20000-0x0000000007A2C000-memory.dmp
memory/2796-11-0x00000000099C0000-0x0000000009A2E000-memory.dmp
memory/2456-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2796-14-0x0000000075070000-0x0000000075820000-memory.dmp
memory/2456-15-0x0000000001760000-0x0000000001AAA000-memory.dmp
memory/2456-18-0x00000000012B0000-0x00000000012C4000-memory.dmp
memory/2456-17-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3124-19-0x0000000008A30000-0x0000000008B86000-memory.dmp
memory/3124-20-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-21-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-22-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-23-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-25-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-29-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-27-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-26-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-31-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-32-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-34-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-35-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-36-0x00000000029D0000-0x00000000029E0000-memory.dmp
memory/3124-37-0x0000000008A30000-0x0000000008B86000-memory.dmp
memory/3124-39-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-40-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-38-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-42-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-44-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-47-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-46-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-48-0x00000000029D0000-0x00000000029E0000-memory.dmp
memory/3124-49-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-51-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-52-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-50-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-55-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-53-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-56-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3248-57-0x0000000000BA0000-0x0000000000BB9000-memory.dmp
memory/3248-58-0x0000000000BA0000-0x0000000000BB9000-memory.dmp
memory/3248-59-0x0000000000AA0000-0x0000000000ACF000-memory.dmp
memory/3248-60-0x0000000002D60000-0x00000000030AA000-memory.dmp
memory/3248-61-0x0000000000AA0000-0x0000000000ACF000-memory.dmp
memory/3248-63-0x0000000002B70000-0x0000000002C03000-memory.dmp
memory/3124-64-0x0000000008C70000-0x0000000008D8D000-memory.dmp
memory/3124-65-0x0000000008C70000-0x0000000008D8D000-memory.dmp
memory/3124-67-0x0000000008C70000-0x0000000008D8D000-memory.dmp
memory/3124-73-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-72-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-74-0x00000000029D0000-0x00000000029E0000-memory.dmp
memory/3124-75-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-76-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-77-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-78-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-79-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-81-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-83-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-84-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-85-0x0000000007170000-0x0000000007180000-memory.dmp
memory/3124-86-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-87-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-89-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-91-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-93-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-88-0x0000000007170000-0x0000000007180000-memory.dmp
memory/3124-95-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-97-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-98-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-99-0x0000000007170000-0x0000000007180000-memory.dmp
memory/3124-100-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-101-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-102-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-104-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-105-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-103-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-107-0x0000000002990000-0x00000000029A0000-memory.dmp
memory/3124-108-0x0000000002990000-0x00000000029A0000-memory.dmp