
Windows Analysis Report CNEW ORDER17.exe

Overview

General Information

Sample Name: CNEW ORDER17.exe
Analysis ID: 502245
MD5: c54edc9ef9d72fe0fe048e8ac884626b
SHA1: 11dce70f33e490eb9b89726776915a374bb59a59
SHA256: 43fcb442b80665d42271689310ebd569e84f74287063a62e14beba808178e098
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • CNEW ORDER17.exe (PID: 4344 cmdline: 'C:\Users\user\Desktop\CNEW ORDER17.exe' MD5: C54EDC9EF9D72FE0FE048E8AC884626B)
    • CNEW ORDER17.exe (PID: 5680 cmdline: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe MD5: C54EDC9EF9D72FE0FE048E8AC884626B)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • raserver.exe (PID: 4632 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
        • cmd.exe (PID: 4476 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cursoukulelegospel.com/h0c4/"], "decoy": ["looknewly.com", "icha2016.com", "datnenhoalachn.xyz", "fark.ltd", "zjlj.site", "carpinteriacansino.com", "atozmp33.com", "oficialacesso.com", "tuningfrance.com", "rmm-mx96r.net", "outsidestyleshop.com", "eufundas.com", "a91furniture.com", "sfme.net", "englisch.coach", "wallacechen.info", "nyayeo.com", "jintongstore.com", "vanwerknaarwerk.info", "thekimlab.net", "morvirtualassistant.com", "ichatbengal.com", "doctors-technology.com", "mississippisms.com", "koopa.codes", "sproutheads.com", "gardenkitchenspa.com", "hoom.life", "wiselogistic.com", "appadaptor.com", "jumtix.xyz", "academiavirtualjjb.com", "pcmrmf.com", "hlsx069.com", "sunielkapoor.com", "truetaster.com", "rylautosales.com", "cgmobile.net", "www-inloggen-nl.info", "businesswebstrategy.net", "fetch-a-sg-hair-transplant.fyi", "paintingservicespune.com", "cakeeyes.net", "tandebrokers.com", "navigantcapitalpartners.com", "hubska.com", "foillaws.com", "battletraining.com", "bitcoin-recovery.com", "yourbuildvideos.com", "naturalsumaq.com", "prasikapsychotherapy.com", "jphousecleaningservices.com", "fetch-hepatitis-c.zone", "easypay-agent.com", "ronaldcraig.com", "highonloveshop.com", "bayharborislandhouse2.com", "aventuramaker.com", "han-chill.com", "wrapmeupbkk.com", "videomarketing.tips", "ishouldntbthareasonugohard.com", "psychotherapie-wermuth.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x84f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x94fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x5419:$sqlite3step: 68 34 1C 7B E1
  • 0x552c:$sqlite3step: 68 34 1C 7B E1
  • 0x5448:$sqlite3text: 68 38 2A 90 C5
  • 0x556d:$sqlite3text: 68 38 2A 90 C5
  • 0x545b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x5583:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
15.2.CNEW ORDER17.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.CNEW ORDER17.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
15.2.CNEW ORDER17.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17619:$sqlite3step: 68 34 1C 7B E1
  • 0x1772c:$sqlite3step: 68 34 1C 7B E1
  • 0x17648:$sqlite3text: 68 38 2A 90 C5
  • 0x1776d:$sqlite3text: 68 38 2A 90 C5
  • 0x1765b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17783:$sqlite3blob: 68 53 D8 7F 8C
15.2.CNEW ORDER17.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
15.2.CNEW ORDER17.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Yara detected FormBook
Source: Yara match, File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: CNEW ORDER17.exe, Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe, Avira: detection malicious, Label: HEUR/AGEN.1142543
Machine Learning detection for sample
Source: CNEW ORDER17.exe, Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe, Joe Sandbox ML: detected
Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: CNEW ORDER17.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: CNEW ORDER17.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP, source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
Source: Binary string: RAServer.pdb, source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb, source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
Source: Binary string: RAServer.pdbGCTL, source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe, Code function: 4x nop then pop edi, 15_2_00416C93
Source: C:\Windows\SysWOW64\raserver.exe, Code function: 4x nop then pop edi, 18_2_02E56C93
Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.cursoukulelegospel.com/h0c4/
Source: CNEW ORDER17.exe, 0000000F.00000002.519538682.0000000000B7A000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: CNEW ORDER17.exe
          Source: CNEW ORDER17.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00401030
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041E8F3
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041E1F9
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D300
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00402D87
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00402D90
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00409E40
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00409E3C
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00402FB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E1002
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0443841F
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0443B090
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F1D55
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442F900
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04420D20
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04444120
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04446E30
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445EBB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D300
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5E8F3
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5E1F9
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E49E40
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E49E3C
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E42FB0
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E42D87
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E42D90
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041A060 NtClose
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041A110 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419F30 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419FE0 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041A05B NtClose
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419F2A NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419FDA NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00419F84 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044695D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044699A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044696D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044696E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469560 NtWriteFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A10 NtQuerySection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A20 NtResumeThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469760 NtOpenProcess
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446A770 NtOpenThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04469730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0446A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5A060 NtClose
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5A110 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59FE0 NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59F30 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5A05B NtClose
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59FDA NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59F84 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E59F2A NtCreateFile
          Source: CNEW ORDER17.exe, 00000000.00000000.296992741.000000000026A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamePlyqntsieflxwczqxdgrrbh.dll" vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000002.520200234.000000000125F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000003.518794069.0000000000BBF000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameraserver.exej% vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe, 0000000F.00000000.421473120.000000000059A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe | Binary or memory string: OriginalFilenameConsoleApp17.exeB vs CNEW ORDER17.exe
          Source: CNEW ORDER17.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 occurrences)
          Source: CNEW ORDER17.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST (3 occurrences)
          Source: CNEW ORDER17.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: CNEW ORDER17.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File read: C:\Users\user\Desktop\CNEW ORDER17.exe
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\CNEW ORDER17.exe 'C:\Users\user\Desktop\CNEW ORDER17.exe'
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CNEW ORDER17.exe.log
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/3@0/0
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_01
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: CNEW ORDER17.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: CNEW ORDER17.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: CNEW ORDER17.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe, 00000012.00000002.571207765.000000000451F000.00000040.00000001.sdmp
          Source: Binary string: RAServer.pdb source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: CNEW ORDER17.exe, 0000000F.00000002.519709359.0000000000FB0000.00000040.00000001.sdmp, raserver.exe
          Source: Binary string: RAServer.pdbGCTL source: CNEW ORDER17.exe, 0000000F.00000002.521099012.0000000003030000.00000040.00020000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D0D2 push eax; ret 15_2_0041D0D8
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D0DB push eax; ret 15_2_0041D142
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D085 push eax; ret 15_2_0041D0D8
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_0041D13C push eax; ret 15_2_0041D142
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00417C84 pushfd; ret 15_2_00417C8E
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0447D0D1 push ecx; ret 18_2_0447D0E4
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D0D2 push eax; ret 18_2_02E5D0D8
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D0DB push eax; ret 18_2_02E5D142
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D085 push eax; ret 18_2_02E5D0D8
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E5D13C push eax; ret 18_2_02E5D142
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_02E57C84 pushfd; ret 18_2_02E57C8E
          Source: CNEW ORDER17.exe | Static PE information: 0xE32C5996 [Tue Oct 10 16:02:30 2090 UTC]
          Source: initial sample | Static PE information: section name: .text entropy: 7.99906118019
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | File created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xEA
          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process information set: NOOPENFILEERRORBOX (22 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000002E498E4 second address: 0000000002E498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000002E49B5E second address: 0000000002E49B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 | Thread sleep count: 1054 > 30
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 | Thread sleep count: 34 > 30
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 4348 | Thread sleep time: -34000s >= -30000s
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe TID: 2244 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\raserver.exe | Last function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Code function: 15_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Window / User API: threadDelayed 1054
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process information queried: ProcessInformation
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
          Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
          Source: explorer.exe, 00000010.00000000.470059747.00000000067C2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
          Source: explorer.exe, 00000010.00000000.455691375.00000000086C9000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Users\user\Desktop\CNEW ORDER17.exe | Process token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04440050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044BC450 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0444746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F1074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E2073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A6C0A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F740D mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E1C06 mov eax, dword ptr fs:[00000030h] (14 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F4015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A7016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0443B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445BC2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044BB8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044BB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044E14FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A6CF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04429080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A3884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044690AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445F0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0444B944 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04463D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044A3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04447D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442B171 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0444C577 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04429100 mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04444120 mov eax, dword ptr fs:[00000030h] (4 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04444120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04433D34 mov eax, dword ptr fs:[00000030h] (13 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044F8D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_044AA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_04454D3B mov eax, dword ptr fs:[00000030h] (3 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0445513A mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 18_2_0442B1E1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442B1E1 mov eax, dword ptr fs:[00000030h]18_2_0442B1E1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044D8DF1 mov eax, dword ptr fs:[00000030h]18_2_044D8DF1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445A185 mov eax, dword ptr fs:[00000030h]18_2_0445A185
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444C182 mov eax, dword ptr fs:[00000030h]18_2_0444C182
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04422D8A mov eax, dword ptr fs:[00000030h]18_2_04422D8A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445FD9B mov eax, dword ptr fs:[00000030h]18_2_0445FD9B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445FD9B mov eax, dword ptr fs:[00000030h]18_2_0445FD9B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044535A1 mov eax, dword ptr fs:[00000030h]18_2_044535A1
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04429240 mov eax, dword ptr fs:[00000030h]18_2_04429240
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04437E41 mov eax, dword ptr fs:[00000030h]18_2_04437E41
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DB260 mov eax, dword ptr fs:[00000030h]18_2_044DB260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DB260 mov eax, dword ptr fs:[00000030h]18_2_044DB260
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8A62 mov eax, dword ptr fs:[00000030h]18_2_044F8A62
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443766D mov eax, dword ptr fs:[00000030h]18_2_0443766D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0444AE73 mov eax, dword ptr fs:[00000030h]18_2_0444AE73
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0446927A mov eax, dword ptr fs:[00000030h]18_2_0446927A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]18_2_0442C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]18_2_0442C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442C600 mov eax, dword ptr fs:[00000030h]18_2_0442C600
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04443A1C mov eax, dword ptr fs:[00000030h]18_2_04443A1C
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442E620 mov eax, dword ptr fs:[00000030h]18_2_0442E620
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DFE3F mov eax, dword ptr fs:[00000030h]18_2_044DFE3F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04468EC7 mov eax, dword ptr fs:[00000030h]18_2_04468EC7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044536CC mov eax, dword ptr fs:[00000030h]18_2_044536CC
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DFEC0 mov eax, dword ptr fs:[00000030h]18_2_044DFEC0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8ED6 mov eax, dword ptr fs:[00000030h]18_2_044F8ED6
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044376E2 mov eax, dword ptr fs:[00000030h]18_2_044376E2
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044516E0 mov ecx, dword ptr fs:[00000030h]18_2_044516E0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFE87 mov eax, dword ptr fs:[00000030h]18_2_044BFE87
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445D294 mov eax, dword ptr fs:[00000030h]18_2_0445D294
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445D294 mov eax, dword ptr fs:[00000030h]18_2_0445D294
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044252A5 mov eax, dword ptr fs:[00000030h]18_2_044252A5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]18_2_044F0EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]18_2_044F0EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F0EA5 mov eax, dword ptr fs:[00000030h]18_2_044F0EA5
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A46A7 mov eax, dword ptr fs:[00000030h]18_2_044A46A7
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443AAB0 mov eax, dword ptr fs:[00000030h]18_2_0443AAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443AAB0 mov eax, dword ptr fs:[00000030h]18_2_0443AAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445FAB0 mov eax, dword ptr fs:[00000030h]18_2_0445FAB0
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442DB40 mov eax, dword ptr fs:[00000030h]18_2_0442DB40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443EF40 mov eax, dword ptr fs:[00000030h]18_2_0443EF40
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8B58 mov eax, dword ptr fs:[00000030h]18_2_044F8B58
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442F358 mov eax, dword ptr fs:[00000030h]18_2_0442F358
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0442DB60 mov ecx, dword ptr fs:[00000030h]18_2_0442DB60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0443FF60 mov eax, dword ptr fs:[00000030h]18_2_0443FF60
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F8F6A mov eax, dword ptr fs:[00000030h]18_2_044F8F6A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h]18_2_04453B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04453B7A mov eax, dword ptr fs:[00000030h]18_2_04453B7A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F070D mov eax, dword ptr fs:[00000030h]18_2_044F070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F070D mov eax, dword ptr fs:[00000030h]18_2_044F070D
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044E131B mov eax, dword ptr fs:[00000030h]18_2_044E131B
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h]18_2_044BFF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044BFF10 mov eax, dword ptr fs:[00000030h]18_2_044BFF10
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h]18_2_04424F2E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04424F2E mov eax, dword ptr fs:[00000030h]18_2_04424F2E
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445E730 mov eax, dword ptr fs:[00000030h]18_2_0445E730
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044E138A mov eax, dword ptr fs:[00000030h]18_2_044E138A
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h]18_2_04431B8F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_04431B8F mov eax, dword ptr fs:[00000030h]18_2_04431B8F
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044DD380 mov ecx, dword ptr fs:[00000030h]18_2_044DD380
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_0445B390 mov eax, dword ptr fs:[00000030h]18_2_0445B390
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]18_2_044A7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]18_2_044A7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044A7794 mov eax, dword ptr fs:[00000030h]18_2_044A7794
          Source: C:\Windows\SysWOW64\raserver.exeCode function: 18_2_044F5BA5 mov eax, dword ptr fs:[00000030h]18_2_044F5BA5
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\raserver.exeProcess queried: DebugPortJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exeCode function: 15_2_0040ACD0 LdrLoadDll,15_2_0040ACD0
          Source: C:\Users\user\Desktop\CNEW ORDER17.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: C0000
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Section loaded: unknown target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe; Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Thread register set: target process: 3352
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\raserver.exe; Thread register set: target process: 3352
Source: C:\Users\user\Desktop\CNEW ORDER17.exe; Process created: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe
Source: C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe; Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: C:\Windows\SysWOW64\raserver.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\CNEW ORDER17.exe'
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Program Manager
Source: explorer.exe, 00000010.00000000.448733880.0000000000B68000.00000004.00000020.sdmp; Binary or memory string: Progman\Pr
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.495329240.00000000011E0000.00000002.00020000.sdmp; Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.455828193.0000000008778000.00000004.00000001.sdmp; Binary or memory string: Shell_TrayWndh
Source: C:\Users\user\Desktop\CNEW ORDER17.exe; Queries volume information: C:\Users\user\Desktop\CNEW ORDER17.exe VolumeInformation
Source: C:\Users\user\Desktop\CNEW ORDER17.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match; File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match; File source: 15.2.CNEW ORDER17.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 15.2.CNEW ORDER17.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000010.00000000.455090898.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.569532126.0000000000350000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.424773076.0000000003719000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000010.00000000.472604115.00000000079B2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.570686773.0000000002B40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.519487969.0000000000B30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.424873904.00000000037B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.518976654.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.570839920.0000000002E40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.519680465.0000000000F70000.00000040.00020000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Shared Modules1 | Path Interception | Process Injection412 | Rootkit1 | Credential API Hooking1 | Security Software Discovery121 | Remote Services | Credential API Hooking1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
| Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading1 | Input Capture1 | Process Discovery2 | Remote Desktop Protocol | Input Capture1 | Exfiltration Over Bluetooth | Application Layer Protocol1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools1 | Security Account Manager | Virtualization/Sandbox Evasion31 | SMB/Windows Admin Shares | Archive Collected Data1 | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Virtualization/Sandbox Evasion31 | NTDS | Application Window Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection412 | LSA Secrets | System Information Discovery112 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information3 | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing3 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |

          Behavior Graph

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files