Windows Analysis Report Order Items.exe

Overview

General Information

Sample Name: Order Items.exe
Analysis ID: 458852
MD5: 32448ad048712424b7a5458913ef81ae
SHA1: 7ea927a711ad1222feec156ceed9551bf95b8291
SHA256: 441cfed8f57c89ce355e5ba64417bf5b6dc409ac122936da28be46227cea0b8e
Tags: exe
Infos:

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

barindex
Found malware configuration
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.narrowpathwc.com/n8ba/"], "decoy": ["thefitflect.com", "anytourist.com", "blggz.xyz", "ascope.club", "obyeboss.com", "braun-mathematik.online", "mtsnurulislamsby.com", "jwpropertiestn.com", "animalds.com", "cunerier.com", "sillysocklife.com", "shopliyonamaaghin.net", "theredcymbalsco.com", "lostbikeproject.com", "ryggoqlmga.club", "realestatetriggers.com", "luvlauricephotography.com", "cheesehome.cloud", "5fashionfix.net", "wata-6-rwem.net", "ominvestment.net", "rrinuwsq643do2.xyz", "teamtacozzzz.com", "newjerseyreosales.com", "theresahovo.com", "wowmovies.today", "77k6tgikpbs39.net", "americagoldenwheels.com", "digitaladbasket.com", "gcagame.com", "arielatkins.net", "2020coaches.com", "effthisshit.com", "nycabl.com", "fbvanminh.com", "lovebirdsgifts.com", "anxietyxpill.com", "recaptcha-lnc.com", "aprendelspr.com", "expatinsur.com", "backtothesimplethings.com", "pcf-it.services", "wintonplaceoh.com", "designermotherhood.com", "naamt.com", "lifestylebykendra.com", "thehighstatusemporium.com", "oneninelacrosse.com", "mariasmoworldwide.com", "kitesurf-piraten.net", "atelierbond.com", "mynjelderlaw.com", "moucopia.com", "hauhome.club", "imroundtable.com", "thralink.com", "baoequities.com", "nassy.cloud", "goldenstatelabradoodles.com", "revenueremedyintensive.com", "dfendglobal.com", "pugliaandgastronomy.com", "cypios.net", "trinioware.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe Virustotal: Detection: 39% Perma Link
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: Order Items.exe Virustotal: Detection: 39% Perma Link
Source: Order Items.exe ReversingLabs: Detection: 44%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\mtBGJEC.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Order Items.exe Joe Sandbox ML: detected
Source: Order Items.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.narrowpathwc.com/n8ba/
Source: unknown TCP traffic detected without corresponding DNS query: 20.82.209.183
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown TCP traffic detected without corresponding DNS query: 131.253.33.200
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 40.126.31.141
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: unknown TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown TCP traffic detected without corresponding DNS query: 51.103.5.186
Source: unknown TCP traffic detected without corresponding DNS query: 93.184.220.29
Source: Order Items.exe, 00000000.00000002.251271345.00000000028C1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49676
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49685
Source: unknown Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49694 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49680
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49685 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49680 -> 443

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: Order Items.exe
Detected potential crypto function
Source: C:\Users\user\Desktop\Order Items.exe Code function: 0_2_00007FFF30155076 0_2_00007FFF30155076
Sample file is different than original file name gathered from version info
Source: Order Items.exe, 00000000.00000002.250797027.0000000000A9C000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.258881968.000000001B300000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.250490915.0000000000516000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNonEventAttribu.exe6 vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.251271345.00000000028C1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.258978676.000000001B370000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.251053555.00000000027C0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.259102875.000000001B410000.00000002.00000001.sdmp Binary or memory string: originalfilename vs Order Items.exe
Source: Order Items.exe, 00000000.00000002.259102875.000000001B410000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order Items.exe
Source: Order Items.exe Binary or memory string: OriginalFilenameNonEventAttribu.exe6 vs Order Items.exe
Yara signature match
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Order Items.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: mtBGJEC.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@14/4@0/0
Source: C:\Users\user\Desktop\Order Items.exe File created: C:\Users\user\AppData\Roaming\mtBGJEC.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Mutant created: \Sessions\1\BaseNamedObjects\wzGlwWLiyewwxNUGilgIfTbqP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_01
Source: C:\Users\user\Desktop\Order Items.exe File created: C:\Users\user\AppData\Local\Temp\tmp1086.tmp Jump to behavior
Source: Order Items.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Order Items.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Order Items.exe Virustotal: Detection: 39%
Source: Order Items.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Order Items.exe File read: C:\Users\user\Desktop\Order Items.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Order Items.exe 'C:\Users\user\Desktop\Order Items.exe'
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Order Items.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Order Items.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Data Obfuscation:

barindex
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Order Items.exe Code function: 0_2_0046991C push 72060001h; retf 0_2_00469922
Source: C:\Users\user\Desktop\Order Items.exe Code function: 0_2_00007FFF30157713 push ebx; retf 0_2_00007FFF3015771A
Source: C:\Users\user\Desktop\Order Items.exe Code function: 0_2_00007FFF30157F17 push ebx; ret 0_2_00007FFF30157F1A
Source: initial sample Static PE information: section name: .text entropy: 7.43608385702
Source: initial sample Static PE information: section name: .text entropy: 7.43608385702

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Users\user\Desktop\Order Items.exe File created: C:\Users\user\AppData\Roaming\mtBGJEC.exe Jump to dropped file

Boot Survival:

barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp'
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Order Items.exe PID: 2772, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Order Items.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Order Items.exe TID: 6076 Thread sleep time: -42276s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe TID: 5720 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Order Items.exe Thread delayed: delay time: 42276 Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: vmware
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: Order Items.exe, 00000000.00000002.253582851.0000000002C69000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: C:\Users\user\Desktop\Order Items.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Enables debug privileges
Source: C:\Users\user\Desktop\Order Items.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\mtBGJEC' /XML 'C:\Users\user\AppData\Local\Temp\tmp1086.tmp' Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Order Items.exe Queries volume information: C:\Users\user\Desktop\Order Items.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Order Items.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.254756698.00000000128D1000.00000004.00000001.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 458852 Sample: Order Items.exe Startdate: 03/08/2021 Architecture: WINDOWS Score: 100 28 Found malware configuration 2->28 30 Malicious sample detected (through community Yara rule) 2->30 32 Multi AV Scanner detection for dropped file 2->32 34 9 other signatures 2->34 7 Order Items.exe 7 2->7         started        process3 file4 20 C:\Users\user\AppData\Roaming\mtBGJEC.exe, PE32 7->20 dropped 22 C:\Users\user\...\mtBGJEC.exe:Zone.Identifier, ASCII 7->22 dropped 24 C:\Users\user\AppData\Local\...\tmp1086.tmp, XML 7->24 dropped 26 C:\Users\user\AppData\...\Order Items.exe.log, ASCII 7->26 dropped 10 schtasks.exe 1 7->10         started        12 MSBuild.exe 7->12         started        14 MSBuild.exe 7->14         started        16 3 other processes 7->16 process5 process6 18 conhost.exe 10->18         started       
No contacted IP infos

Contacted URLs

Name Malicious Antivirus Detection Reputation
www.narrowpathwc.com/n8ba/ true
  • Avira URL Cloud: safe
 low