Windows Analysis Report CNEW ORDER17.exe

Overview

General Information

Sample Name: CNEW ORDER17.exe
Analysis ID: 502245
MD5: c54edc9ef9d72fe0fe048e8ac884626b
SHA1: 11dce70f33e490eb9b89726776915a374bb59a59
SHA256: 43fcb442b80665d42271689310ebd569e84f74287063a62e14beba808178e098
Tags: exeformbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.cursoukulelegospel.com/h0c4/"], "decoy": ["looknewly.com", "icha2016.com", "datnenhoalachn.xyz", "fark.ltd", "zjlj.site", "carpinteriacansino.com", "atozmp33.com", "oficialacesso.com", "tuningfrance.com", "rmm-mx96r.net", "outsidestyleshop.com", "eufundas.com", "a91furniture.com", "sfme.net", "englisch.coach", "wallacechen.info", "nyayeo.com", "jintongstore.com", "vanwerknaarwerk.info", "thekimlab.net", "morvirtualassistant.com", "ichatbengal.com", "doctors-technology.com", "mississippisms.com", "koopa.codes", "sproutheads.com", "gardenkitchenspa.com", "hoom.life", "wiselogistic.com", "appadaptor.com", "jumtix.xyz", "academiavirtualjjb.com", "pcmrmf.com", "hlsx069.com", "sunielkapoor.com", "truetaster.com", "rylautosales.com", "cgmobile.net", "www-inloggen-nl.info", "businesswebstrategy.net", "fetch-a-sg-hair-transplant.fyi", "paintingservicespune.com", "cakeeyes.net", "tandebrokers.com", "navigantcapitalpartners.com", "hubska.com", "foillaws.com", "battletraining.com", "bitcoin-recovery.com", "yourbuildvideos.com", "naturalsumaq.com", "prasikapsychotherapy.com", "jphousecleaningservices.com", "fetch-hepatitis-c.zone", "easypay-agent.com", "ronaldcraig.com", "highonloveshop.com", "bayharborislandhouse2.com", "aventuramaker.com", "han-chill.com", "wrapmeupbkk.com", "videomarketing.tips", "ishouldntbthareasonugohard.com", "psychotherapie-wermuth.com"]}
Yara detected FormBook
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: CNEW ORDER17.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Avira: detection malicious, Label: HEUR/AGEN.1142543
Machine Learning detection for sample
Source: CNEW ORDER17.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.CNEW ORDER17.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: CNEW ORDER17.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CNEW ORDER17.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdb source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdbGCTL source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 4x nop then pop edi 15_2_00416C93
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop edi 18_2_02E56C93

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.cursoukulelegospel.com/h0c4/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: CNEW ORDER17.exe, 0000000F.00000002.519538682.0000000000B7A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: CNEW ORDER17.exe
Uses 32bit PE files
Source: CNEW ORDER17.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00401030 15_2_00401030
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041E8F3 15_2_0041E8F3
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041E1F9 15_2_0041E1F9
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041D300 15_2_0041D300
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00402D87 15_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00402D90 15_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00409E40 15_2_00409E40
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00409E3C 15_2_00409E3C
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00402FB0 15_2_00402FB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044E1002 18_2_044E1002
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0443841F 18_2_0443841F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0443B090 18_2_0443B090
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F1D55 18_2_044F1D55
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442F900 18_2_0442F900
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04420D20 18_2_04420D20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04444120 18_2_04444120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04446E30 18_2_04446E30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445EBB0 18_2_0445EBB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5D300 18_2_02E5D300
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5E8F3 18_2_02E5E8F3
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5E1F9 18_2_02E5E1F9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E49E40 18_2_02E49E40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E49E3C 18_2_02E49E3C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E42FB0 18_2_02E42FB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E42D87 18_2_02E42D87
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E42D90 18_2_02E42D90
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041A060 NtClose, 15_2_0041A060
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041A110 NtAllocateVirtualMemory, 15_2_0041A110
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00419F30 NtCreateFile, 15_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00419FE0 NtReadFile, 15_2_00419FE0
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041A05B NtClose, 15_2_0041A05B
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00419F2A NtCreateFile, 15_2_00419F2A
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00419FDA NtReadFile, 15_2_00419FDA
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00419F84 NtCreateFile, 15_2_00419F84
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469840 NtDelayExecution,LdrInitializeThunk, 18_2_04469840
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_04469860
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469540 NtReadFile,LdrInitializeThunk, 18_2_04469540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_04469910
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044695D0 NtClose,LdrInitializeThunk, 18_2_044695D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044699A0 NtCreateSection,LdrInitializeThunk, 18_2_044699A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469650 NtQueryValueKey,LdrInitializeThunk, 18_2_04469650
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469A50 NtCreateFile,LdrInitializeThunk, 18_2_04469A50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_04469660
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044696D0 NtCreateKey,LdrInitializeThunk, 18_2_044696D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044696E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_044696E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469710 NtQueryInformationToken,LdrInitializeThunk, 18_2_04469710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469FE0 NtCreateMutant,LdrInitializeThunk, 18_2_04469FE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469780 NtMapViewOfSection,LdrInitializeThunk, 18_2_04469780
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0446B040 NtSuspendThread, 18_2_0446B040
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469820 NtEnumerateKey, 18_2_04469820
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044698F0 NtReadVirtualMemory, 18_2_044698F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044698A0 NtWriteVirtualMemory, 18_2_044698A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469950 NtQueueApcThread, 18_2_04469950
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469560 NtWriteFile, 18_2_04469560
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469520 NtWaitForSingleObject, 18_2_04469520
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0446AD30 NtSetContextThread, 18_2_0446AD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044699D0 NtCreateProcessEx, 18_2_044699D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044695F0 NtQueryInformationFile, 18_2_044695F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469670 NtQueryInformationProcess, 18_2_04469670
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469A00 NtProtectVirtualMemory, 18_2_04469A00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469610 NtEnumerateValueKey, 18_2_04469610
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469A10 NtQuerySection, 18_2_04469A10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469A20 NtResumeThread, 18_2_04469A20
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469A80 NtOpenDirectoryObject, 18_2_04469A80
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469760 NtOpenProcess, 18_2_04469760
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469770 NtSetInformationFile, 18_2_04469770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0446A770 NtOpenThread, 18_2_0446A770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469B00 NtSetValueKey, 18_2_04469B00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0446A710 NtOpenProcessToken, 18_2_0446A710
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04469730 NtQueryVirtualMemory, 18_2_04469730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044697A0 NtUnmapViewOfSection, 18_2_044697A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0446A3B0 NtGetContextThread, 18_2_0446A3B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5A060 NtClose, 18_2_02E5A060
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5A110 NtAllocateVirtualMemory, 18_2_02E5A110
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E59FE0 NtReadFile, 18_2_02E59FE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E59F30 NtCreateFile, 18_2_02E59F30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5A05B NtClose, 18_2_02E5A05B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E59FDA NtReadFile, 18_2_02E59FDA
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E59F84 NtCreateFile, 18_2_02E59F84
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E59F2A NtCreateFile, 18_2_02E59F2A
Sample file is different than original file name gathered from version info
Source: CNEW ORDER17.exe, 00000000.00000000.296992741.000000000026A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
Source: CNEW ORDER17.exe, 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePlyqntsieflxwczqxdgrrbh.dll" vs CNEW ORDER17.exe
Source: CNEW ORDER17.exe, 0000000F.00000002.520200234.000000000125F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CNEW ORDER17.exe
Source: CNEW ORDER17.exe, 0000000F.00000003.518794069.0000000000BBF000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameraserver.exej% vs CNEW ORDER17.exe
Source: CNEW ORDER17.exe, 0000000F.00000000.421473120.000000000059A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
Source: CNEW ORDER17.exe Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
PE file contains strange resources
Source: CNEW ORDER17.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CNEW ORDER17.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: CNEW ORDER17.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: CNEW ORDER17.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CNEW ORDER17.exe File read: C:\Users\user\Desktop\CNEW ORDER17.exe
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\CNEW ORDER17.exe 'C:\Users\user\Desktop\CNEW ORDER17.exe'
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Process created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\CNEW ORDER17.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CNEW ORDER17.exe.log
Source: C:\Users\user\Desktop\CNEW ORDER17.exe File created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/3@0/0
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
Source: C:\Users\user\Desktop\CNEW ORDER17.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CNEW ORDER17.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CNEW ORDER17.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: CNEW ORDER17.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdb source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdbGCTL source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041D0D2 push eax; ret 15_2_0041D0D8
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041D0DB push eax; ret 15_2_0041D142
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041D085 push eax; ret 15_2_0041D0D8
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0041D13C push eax; ret 15_2_0041D142
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00417C84 pushfd ; ret 15_2_00417C8E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0447D0D1 push ecx; ret 18_2_0447D0E4
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5D0D2 push eax; ret 18_2_02E5D0D8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5D0DB push eax; ret 18_2_02E5D142
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5D085 push eax; ret 18_2_02E5D0D8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E5D13C push eax; ret 18_2_02E5D142
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_02E57C84 pushfd ; ret 18_2_02E57C8E
Binary contains a suspicious time stamp
Source: CNEW ORDER17.exe Static PE information: 0xE32C5996 [Tue Oct 10 16:02:30 2090 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.99906118019

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\CNEW ORDER17.exe File created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEA
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\raserver.exe Process created: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000002E498E4 second address: 0000000002E498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 0000000002E49B5E second address: 0000000002E49B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 Thread sleep count: 1054 > 30
Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 Thread sleep time: -34000s >= -30000s
Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 2244 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00409A90 rdtsc 15_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Window / User API: threadDelayed 1054
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_00409A90 rdtsc 15_2_00409A90
Enables debug privileges
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\raserver.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04440050 mov eax, dword ptr fs:[00000030h] 18_2_04440050
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044BC450 mov eax, dword ptr fs:[00000030h] 18_2_044BC450
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0444746D mov eax, dword ptr fs:[00000030h] 18_2_0444746D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F1074 mov eax, dword ptr fs:[00000030h] 18_2_044F1074
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044E2073 mov eax, dword ptr fs:[00000030h] 18_2_044E2073
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A6C0A mov eax, dword ptr fs:[00000030h] 18_2_044A6C0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F740D mov eax, dword ptr fs:[00000030h] 18_2_044F740D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044E1C06 mov eax, dword ptr fs:[00000030h] 18_2_044E1C06
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F4015 mov eax, dword ptr fs:[00000030h] 18_2_044F4015
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A7016 mov eax, dword ptr fs:[00000030h] 18_2_044A7016
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0443B02A mov eax, dword ptr fs:[00000030h] 18_2_0443B02A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445BC2C mov eax, dword ptr fs:[00000030h] 18_2_0445BC2C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F8CD6 mov eax, dword ptr fs:[00000030h] 18_2_044F8CD6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044BB8D0 mov eax, dword ptr fs:[00000030h] 18_2_044BB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044BB8D0 mov ecx, dword ptr fs:[00000030h] 18_2_044BB8D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044E14FB mov eax, dword ptr fs:[00000030h] 18_2_044E14FB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A6CF0 mov eax, dword ptr fs:[00000030h] 18_2_044A6CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04429080 mov eax, dword ptr fs:[00000030h] 18_2_04429080
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A3884 mov eax, dword ptr fs:[00000030h] 18_2_044A3884
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044690AF mov eax, dword ptr fs:[00000030h] 18_2_044690AF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445F0BF mov ecx, dword ptr fs:[00000030h] 18_2_0445F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445F0BF mov eax, dword ptr fs:[00000030h] 18_2_0445F0BF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0444B944 mov eax, dword ptr fs:[00000030h] 18_2_0444B944
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04463D43 mov eax, dword ptr fs:[00000030h] 18_2_04463D43
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A3540 mov eax, dword ptr fs:[00000030h] 18_2_044A3540
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04447D50 mov eax, dword ptr fs:[00000030h] 18_2_04447D50
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442B171 mov eax, dword ptr fs:[00000030h] 18_2_0442B171
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0444C577 mov eax, dword ptr fs:[00000030h] 18_2_0444C577
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04429100 mov eax, dword ptr fs:[00000030h] 18_2_04429100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04444120 mov eax, dword ptr fs:[00000030h] 18_2_04444120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04444120 mov ecx, dword ptr fs:[00000030h] 18_2_04444120
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442AD30 mov eax, dword ptr fs:[00000030h] 18_2_0442AD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04433D34 mov eax, dword ptr fs:[00000030h] 18_2_04433D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F8D34 mov eax, dword ptr fs:[00000030h] 18_2_044F8D34
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044AA537 mov eax, dword ptr fs:[00000030h] 18_2_044AA537
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04454D3B mov eax, dword ptr fs:[00000030h] 18_2_04454D3B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445513A mov eax, dword ptr fs:[00000030h] 18_2_0445513A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442B1E1 mov eax, dword ptr fs:[00000030h] 18_2_0442B1E1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044D8DF1 mov eax, dword ptr fs:[00000030h] 18_2_044D8DF1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445A185 mov eax, dword ptr fs:[00000030h] 18_2_0445A185
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0444C182 mov eax, dword ptr fs:[00000030h] 18_2_0444C182
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h] 18_2_04422D8A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445FD9B mov eax, dword ptr fs:[00000030h] 18_2_0445FD9B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044535A1 mov eax, dword ptr fs:[00000030h] 18_2_044535A1
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04429240 mov eax, dword ptr fs:[00000030h] 18_2_04429240
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h] 18_2_04437E41
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044DB260 mov eax, dword ptr fs:[00000030h] 18_2_044DB260
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F8A62 mov eax, dword ptr fs:[00000030h] 18_2_044F8A62
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0443766D mov eax, dword ptr fs:[00000030h] 18_2_0443766D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h] 18_2_0444AE73
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0446927A mov eax, dword ptr fs:[00000030h] 18_2_0446927A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h] 18_2_0442C600
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04443A1C mov eax, dword ptr fs:[00000030h] 18_2_04443A1C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442E620 mov eax, dword ptr fs:[00000030h] 18_2_0442E620
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044DFE3F mov eax, dword ptr fs:[00000030h] 18_2_044DFE3F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04468EC7 mov eax, dword ptr fs:[00000030h] 18_2_04468EC7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044536CC mov eax, dword ptr fs:[00000030h] 18_2_044536CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044DFEC0 mov eax, dword ptr fs:[00000030h] 18_2_044DFEC0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F8ED6 mov eax, dword ptr fs:[00000030h] 18_2_044F8ED6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044376E2 mov eax, dword ptr fs:[00000030h] 18_2_044376E2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044516E0 mov ecx, dword ptr fs:[00000030h] 18_2_044516E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044BFE87 mov eax, dword ptr fs:[00000030h] 18_2_044BFE87
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445D294 mov eax, dword ptr fs:[00000030h] 18_2_0445D294
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h] 18_2_044252A5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h] 18_2_044F0EA5
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A46A7 mov eax, dword ptr fs:[00000030h] 18_2_044A46A7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0443AAB0 mov eax, dword ptr fs:[00000030h] 18_2_0443AAB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445FAB0 mov eax, dword ptr fs:[00000030h] 18_2_0445FAB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442DB40 mov eax, dword ptr fs:[00000030h] 18_2_0442DB40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0443EF40 mov eax, dword ptr fs:[00000030h] 18_2_0443EF40
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F8B58 mov eax, dword ptr fs:[00000030h] 18_2_044F8B58
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442F358 mov eax, dword ptr fs:[00000030h] 18_2_0442F358
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0442DB60 mov ecx, dword ptr fs:[00000030h] 18_2_0442DB60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0443FF60 mov eax, dword ptr fs:[00000030h] 18_2_0443FF60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F8F6A mov eax, dword ptr fs:[00000030h] 18_2_044F8F6A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h] 18_2_04453B7A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h] 18_2_04453B7A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F070D mov eax, dword ptr fs:[00000030h] 18_2_044F070D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F070D mov eax, dword ptr fs:[00000030h] 18_2_044F070D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044E131B mov eax, dword ptr fs:[00000030h] 18_2_044E131B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h] 18_2_044BFF10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h] 18_2_044BFF10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h] 18_2_04424F2E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h] 18_2_04424F2E
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445E730 mov eax, dword ptr fs:[00000030h] 18_2_0445E730
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044E138A mov eax, dword ptr fs:[00000030h] 18_2_044E138A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h] 18_2_04431B8F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h] 18_2_04431B8F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044DD380 mov ecx, dword ptr fs:[00000030h] 18_2_044DD380
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_0445B390 mov eax, dword ptr fs:[00000030h] 18_2_0445B390
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h] 18_2_044A7794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h] 18_2_044A7794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h] 18_2_044A7794
Source: C:\Windows\SysWOW64\raserver.exe Code function: 18_2_044F5BA5 mov eax, dword ptr fs:[00000030h] 18_2_044F5BA5
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Code function: 15_2_0040ACD0 LdrLoadDll, 15_2_0040ACD0
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Memory allocated: page read and write | page guard
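The long list of `mov eax, dword ptr fs:[00000030h]` sites above and the DebugPort queries are the report's evidence for PEB-based and debugger checks. The following Python is an added example, not part of this analysis report and not the sample's own code: it reproduces that triage on a raw 32-bit code dump, finds every `mov r32, dword ptr fs:[30h]` site and, when the next instruction is a plain `mov r32/r8, [reg+disp8]` or `movzx r32, byte [reg+disp8]`, names the PEB field being read. That tells anti-debug reads (BeingDebugged at +0x02, NtGlobalFlag at +0x68) apart from PEB->Ldr walks used for API resolution, which produce the same fs:[30h] signature. The `SAMPLE` bytes are hand-assembled for the example; the PEB offsets are the documented 32-bit values.

```python
"""Static triage of fs:[30h] PEB reads in a 32-bit code dump.

Added example for this report (not sandbox output, not the sample's code).
The SAMPLE buffer is hand-assembled; nothing here is taken from the dumps.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB field offsets an unpacker or anti-debug stub reads first.
PEB_FIELDS = {
    0x02: "BeingDebugged",
    0x0C: "Ldr",
    0x10: "ProcessParameters",
    0x18: "ProcessHeap",
    0x68: "NtGlobalFlag",
}


@dataclass
class PebRead:
    offset: int            # offset of the fs:[30h] load in the buffer
    reg: str               # register that receives the PEB pointer
    disp: Optional[int]    # disp8 of the following [reg+disp8] read, if any
    field: Optional[str]   # PEB field name for that displacement, if known


def _fs30_load(buf: bytes, i: int) -> Optional[Tuple[int, int]]:
    """(reg_index, length) if buf[i:] encodes mov r32, dword ptr fs:[30h]."""
    if buf[i] != 0x64:                                   # FS segment prefix
        return None
    if buf[i + 1:i + 6] == b"\xA1\x30\x00\x00\x00":      # short form, eax only
        return 0, 6
    if buf[i + 1] == 0x8B and buf[i + 3:i + 7] == b"\x30\x00\x00\x00":
        modrm = buf[i + 2]
        if modrm & 0xC7 == 0x05:                         # mod=00, rm=101: [disp32]
            return (modrm >> 3) & 7, 7
    return None


def _field_read(buf: bytes, i: int, base: int) -> Optional[int]:
    """disp8 if buf[i:] is mov r32/r8,[base+disp8] or movzx r32, byte [base+disp8]."""
    if i >= len(buf):
        return None
    if buf[i] in (0x8B, 0x8A):
        modrm_i = i + 1
    elif buf[i] == 0x0F and buf[i + 1:i + 2] == b"\xB6":
        modrm_i = i + 2
    else:
        return None
    if modrm_i + 1 >= len(buf):
        return None
    modrm = buf[modrm_i]
    # mod=01 (disp8) and rm must be the PEB register; rm=100 would need a SIB byte
    if (modrm >> 6) != 0b01 or (modrm & 7) != base or base == 4:
        return None
    return buf[modrm_i + 1]


def scan_peb_reads(buf: bytes) -> List[PebRead]:
    hits: List[PebRead] = []
    i = 0
    while i + 6 <= len(buf):
        load = _fs30_load(buf, i)
        if load is None:
            i += 1
            continue
        reg, length = load
        disp = _field_read(buf, i + length, reg)
        field = PEB_FIELDS.get(disp) if disp is not None else None
        hits.append(PebRead(i, REG32[reg], disp, field))
        i += length
    return hits


def field_counts(hits: List[PebRead]) -> Dict[str, int]:
    """How many fs:[30h] sites lead to each PEB field ("unknown" if undecoded)."""
    counts: Dict[str, int] = {}
    for h in hits:
        key = h.field or "unknown"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed 32-bit code fragment (hand-assembled for this example).
SAMPLE = bytes.fromhex(
    "55 8B EC "                 # push ebp; mov ebp, esp
    "64 A1 30 00 00 00 "        # mov eax, dword ptr fs:[30h]
    "0F B6 40 02 "              # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85 C0 "                    # test eax, eax
    "64 8B 0D 30 00 00 00 "     # mov ecx, dword ptr fs:[30h]
    "8B 49 0C "                 # mov ecx, [ecx+0Ch]            ; PEB.Ldr
    "8B 49 0C "                 # mov ecx, [ecx+0Ch]            ; Ldr.InLoadOrderModuleList
    "64 A1 30 00 00 00 "        # mov eax, dword ptr fs:[30h]
    "8B 40 68 "                 # mov eax, [eax+68h]            ; PEB.NtGlobalFlag
    "A9 70 00 00 00 "           # test eax, 70h                 ; heap debug flags
    "64 8B 15 30 00 00 00 "     # mov edx, dword ptr fs:[30h]
    "C3 "                       # ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        print(f"{h.offset:08X} mov {h.reg}, dword ptr fs:[00000030h] -> PEB.{h.field or '?'}")
    print(field_counts(scan_peb_reads(SAMPLE)))
```

Run against an unpacked region such as the `.unpack` artefacts listed later in this report, a site that is followed by a `+0x0C` (Ldr) read is API resolution rather than an anti-debug check, while `+0x02` and `+0x68` reads are the ones worth breaking on. The decoder deliberately covers only the simplest follow-up instruction; a load that is consumed after a register move or arithmetic shows up as "unknown" and needs a real disassembler.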

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: C0000
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Thread register set: target process: 3352
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 3352
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Process created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.448733880.0000000000B68000.00000004.00000020.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndh
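The process-creation evidence in this section (Desktop copy starts the Temp copy, the Temp copy starts a bare C:\Windows\SysWOW64\raserver.exe which is then unmapped and overwritten, and raserver.exe finally runs cmd.exe /c del against the Temp copy) is the part of the chain that ordinary process-creation telemetry can see. The following Python is an added example, not part of this analysis report, showing two detections over records shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine, ProcessId, ParentProcessId): a System32/SysWOW64 binary started with a bare command line by a parent that does not live under C:\Windows, and a cmd.exe /c del whose target is the image path of one of its own ancestors. The event list is constructed to mirror the tree above; the PIDs, the explorer.exe/services.exe parents and the two benign noise events are made up for the example.

```python
"""Process-tree detection for the hollowing-host and self-delete chain above.

Added example, not part of the sandbox report. EVENTS is constructed from the
process tree shown in the report; PIDs and the benign noise are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WINDOWS_DIR = "c:\\windows\\"
# cmd.exe /c del [switches] <path>, path optionally in single or double quotes
DEL_RE = re.compile(r"""/c\s+del\s+(?:/\w+\s+)*['"]?([^'"]+?)['"]?\s*$""", re.IGNORECASE)


def _norm(path: str) -> str:
    """Case-fold and drop surrounding double quotes for path comparison."""
    return path.strip().strip('"').lower()


def looks_like_hollowing_host(ev: ProcEvent) -> bool:
    """Check 1: a hollowing injector starts its host as CreateProcess(path, path, ...)
    in suspended mode, so the command line is just the image path and the parent
    is the injector outside C:\\Windows."""
    img = _norm(ev.image)
    return (img.startswith(SYSTEM_DIRS)
            and _norm(ev.cmdline) == img
            and not _norm(ev.parent_image).startswith(WINDOWS_DIR))


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent, grandparent, ... as far as the event set allows (loop-safe)."""
    chain: List[ProcEvent] = []
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def self_delete_target(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Optional[ProcEvent]:
    """Check 2: the ancestor whose image this cmd.exe deletes, or None."""
    if not _norm(ev.image).endswith("\\cmd.exe"):
        return None
    m = DEL_RE.search(ev.cmdline)
    if m is None:
        return None
    target = _norm(m.group(1))
    for anc in ancestors(ev, by_pid):
        if _norm(anc.image) == target:
            return anc
    return None


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Tuple[str, int, str]] = []
    for ev in events:
        if looks_like_hollowing_host(ev):
            alerts.append(("hollowing_host", ev.pid, f"{ev.parent_image} -> {ev.image}"))
        victim = self_delete_target(ev, by_pid)
        if victim is not None:
            alerts.append(("self_delete", ev.pid, f"deletes image of pid {victim.pid}: {victim.image}"))
    return alerts


# Constructed events modelled on the process tree in this report (PIDs made up).
EVENTS = [
    ProcEvent(1000, 800, r"C:\Users\user\Desktop\CNEW ORDER17.exe", r"C:\Windows\explorer.exe",
              r'"C:\Users\user\Desktop\CNEW ORDER17.exe"'),
    ProcEvent(1100, 1000, r"C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe",
              r"C:\Users\user\Desktop\CNEW ORDER17.exe",
              r"C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe"),
    ProcEvent(1200, 1100, r"C:\Windows\SysWOW64\raserver.exe",
              r"C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe",
              r"C:\Windows\SysWOW64\raserver.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\raserver.exe",
              r"C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'"),
    # benign noise: argument-bearing launches from parents under C:\Windows
    ProcEvent(1400, 800, r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\notes.txt'),
    ProcEvent(1500, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Check 1 is a heuristic: installers run from a user directory also start system binaries, so treat it as a lead to be confirmed. The confirming evidence in this report (Section unmapped, Thread register set, Thread APC queued) is not visible in process-creation events at all; in Sysmon it has to come from process-access telemetry (Event ID 10) on the same PIDs. Check 2 is much more specific, since a System32 binary asking cmd.exe to delete its own parent's image has few benign explanations.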

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Queries volume information: C:\Users\user\Desktop\CNEW ORDER17.exe VolumeInformation
Source: C:\Users\user\Desktop\CNEW ORDER17.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
No contacted IP infos