Analysis
-
max time kernel
146s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 20:32
Static task
static1
Behavioral task
behavioral1
Sample
ORDREDEVIREMENT.exe
Resource
win7-20240729-en
General
-
Target
ORDREDEVIREMENT.exe
-
Size
712KB
-
MD5
6cfdfa1de0f031646ee75bde799cb877
-
SHA1
6da4c76342858daf1c4e55d537ebfe8b846b87b1
-
SHA256
64a8f5c2209bf86e1aa4489fffa5cf93aee6955b0106909345a313de38ad7885
-
SHA512
77acb0a4e390c687d5e4c70c9c4b2f4c6b3e01cd53faf61e3d3e760f126c843ec3a51321d5110796891d0409c3eddbae6cf8653e31c19a77d3f411914ccce72d
-
SSDEEP
12288:nX5Xt1wWT9YeNqKXO0WTmPUIBdL23sUk/d6nifUmyyDdU/wxSc1GFVeDB:hT9YKXO0fbf16nicsWoxS
Malware Config
Extracted
formbook
4.1
bc01
epatitis-treatment-26155.bond
52cy67sk.bond
nline-degree-6987776.world
ingxingdiandeng-2033.top
mberbreeze.cyou
48xc300mw.autos
obs-for-seniors-39582.bond
tpetersburg-3-tonn.online
egafon-parser.online
172jh.shop
ltraman.pro
bqfhnys.shop
ntercash24-cad.homes
uhtwister.cloud
alk-in-tubs-27353.bond
ucas-saaad.buzz
oko.events
8080713.xyz
refabricated-homes-74404.bond
inaa.boo
nnevateknoloji.xyz
ar-accident-lawyer-389.today
ianju-fvqh092.vip
ealthandwellnessly.digital
qzxx.top
q8189.top
ecurity-service-22477.bond
ractors-42621.bond
astamadre.shop
tonomushotel.xyz
cowatt.fun
olocaustaffirmer.net
delphi.ltd
mmwinni.buzz
8009.top
nline-gaming-ox-fr.xyz
irtyeffingrancher.info
omotech-dz.net
akemoneyonline.bond
ustbookin.online
eals.lat
irmag.online
eddogbrands.website
oifulcares.net
aming-chair-83359.bond
ewferg.top
areless.net
torygame168.online
y-language-menu.net
iring-cleaners-2507.xyz
inancialenlightment.info
ar-accident-lawyer-389.today
sicologosportugueses.online
ajabandot.website
oidakings.net
2ar1.shop
comedia.lol
kjbrosmm.shop
ffpage.shop
nfluencer-marketing-17923.bond
ebshieldsrenew.live
lkjuy.xyz
lussalesapp.website
hildrens-clothing.today
avada-casino-tlj.buzz
Signatures
-
Formbook family
-
Formbook payload 3 IoCs
resource yara_rule behavioral1/memory/2212-13-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2212-18-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/3020-24-0x0000000000080000-0x00000000000AF000-memory.dmp formbook -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2912 powershell.exe -
Deletes itself 1 IoCs
pid Process 2720 cmd.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2312 set thread context of 2212 2312 ORDREDEVIREMENT.exe 32 PID 2212 set thread context of 1204 2212 ORDREDEVIREMENT.exe 21 PID 3020 set thread context of 1204 3020 raserver.exe 21 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ORDREDEVIREMENT.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language raserver.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious behavior: EnumeratesProcesses 29 IoCs
pid Process 2212 ORDREDEVIREMENT.exe 2212 ORDREDEVIREMENT.exe 2912 powershell.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe 3020 raserver.exe -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 2212 ORDREDEVIREMENT.exe 2212 ORDREDEVIREMENT.exe 2212 ORDREDEVIREMENT.exe 3020 raserver.exe 3020 raserver.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2212 ORDREDEVIREMENT.exe Token: SeDebugPrivilege 2912 powershell.exe Token: SeDebugPrivilege 3020 raserver.exe -
Suspicious use of WriteProcessMemory 19 IoCs
description pid Process procid_target PID 2312 wrote to memory of 2912 2312 ORDREDEVIREMENT.exe 30 PID 2312 wrote to memory of 2912 2312 ORDREDEVIREMENT.exe 30 PID 2312 wrote to memory of 2912 2312 ORDREDEVIREMENT.exe 30 PID 2312 wrote to memory of 2912 2312 ORDREDEVIREMENT.exe 30 PID 2312 wrote to memory of 2212 2312 ORDREDEVIREMENT.exe 32 PID 2312 wrote to memory of 2212 2312 ORDREDEVIREMENT.exe 32 PID 2312 wrote to memory of 2212 2312 ORDREDEVIREMENT.exe 32 PID 2312 wrote to memory of 2212 2312 ORDREDEVIREMENT.exe 32 PID 2312 wrote to memory of 2212 2312 ORDREDEVIREMENT.exe 32 PID 2312 wrote to memory of 2212 2312 ORDREDEVIREMENT.exe 32 PID 2312 wrote to memory of 2212 2312 ORDREDEVIREMENT.exe 32 PID 1204 wrote to memory of 3020 1204 Explorer.EXE 33 PID 1204 wrote to memory of 3020 1204 Explorer.EXE 33 PID 1204 wrote to memory of 3020 1204 Explorer.EXE 33 PID 1204 wrote to memory of 3020 1204 Explorer.EXE 33 PID 3020 wrote to memory of 2720 3020 raserver.exe 34 PID 3020 wrote to memory of 2720 3020 raserver.exe 34 PID 3020 wrote to memory of 2720 3020 raserver.exe 34 PID 3020 wrote to memory of 2720 3020 raserver.exe 34
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\ORDREDEVIREMENT.exe"C:\Users\Admin\AppData\Local\Temp\ORDREDEVIREMENT.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ORDREDEVIREMENT.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
-
C:\Users\Admin\AppData\Local\Temp\ORDREDEVIREMENT.exe"C:\Users\Admin\AppData\Local\Temp\ORDREDEVIREMENT.exe"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2212
-
-
-
C:\Windows\SysWOW64\raserver.exe"C:\Windows\SysWOW64\raserver.exe"2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\ORDREDEVIREMENT.exe"3⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2720
-
-