Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7v20201028
submitted: 13-01-2021 20:13
Static task: static1
Behavioral task: behavioral1
Sample: Inv.exe
Resource: win7v20201028
General
Target: Inv.exe
Size: 326KB
MD5: a3aba7d40da6c8c86e4e8d035803f314
SHA1: 469b36f05939d6ec6457f1b72ba9f6c7a960be06
SHA256: 1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40
SHA512: 2cfa59a865a8292b98fb3e8e6ae79a4613d773be87c927ba4cc8e0f034010c0e5ebd0b85a74ca02ef59d47335908bcc610a597bc9cbfbfaaf364d76f51fff2fc
Malware Config
Extracted: formbook
http://www.nationshiphop.com/hko6/
apartmentsineverettwa.com
forritcu.net
hotroodes.com
skinnerttc.com
royaltrustmyanmar.com
adreslog.com
kaysbridalboutiques.com
multitask-improvements.com
geniiforum.com
smarthomehatinh.asia
banglikeaboss.com
javlover.club
affiliateclubindia.com
mycapecoralhomevalue.com
comparamuebles.online
newrochellenissan.com
nairobi-paris.com
fwk.xyz
downdepot.com
nextgenmemorabilia.com
achonabu.com
stevebana.xyz
jacmkt.com
weownthenight187.com
divshop.pro
wewearceylon.com
skyreadymix.net
jaffacorner.com
bakerlibra.icu
femalecoliving.com
best20banks.com
millcityloam.com
signature-office.com
qlifepharmacy.com
dextermind.net
fittcycleacademy.com
davidoff.sucks
1033393.com
tutorsboulder.com
bonicc.com
goodberryjuice.com
zhaowulu.com
teryaq.media
a-zsolutionsllc.com
bitcoincandy.xyz
cfmfair.com
annefontain.com
princesssexyluxwear.com
prodigybrushes.com
zzhqp.com
hwcailing.com
translatiions.com
azery.site
wy1917.com
ringohouse.info
chartershome.com
thongtinhay.net
2201virginiacondo5.com
laurieryork.net
mujeresnegociantes.com
anchoriaswimwear.com
michaelsala.com
esdeportebici.com
ninjitsoo.com
Signatures
Formbook Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1960-2-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1960-3-0x000000000041ECF0-mapping.dmp | formbook
behavioral1/memory/1844-4-0x0000000000380000-0x00000000003A9000-memory.dmp | formbook
behavioral1/memory/468-5-0x0000000000000000-mapping.dmp | formbook
Deletes itself 1 IoCs
Processes:
pid | process
1704 | cmd.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description | pid | process | target process
PID 1844 set thread context of 1960 | 1844 | Inv.exe | Inv.exe
PID 1960 set thread context of 1236 | 1960 | Inv.exe | Explorer.EXE
PID 468 set thread context of 1236 | 468 | wscript.exe | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
pid | process
1960 | Inv.exe (2 entries)
468 | wscript.exe (28 entries)
Suspicious behavior: MapViewOfSection 6 IoCs
Processes:
pid | process
1844 | Inv.exe (1 entry)
1960 | Inv.exe (3 entries)
468 | wscript.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1960 | Inv.exe
Token: SeDebugPrivilege | 468 | wscript.exe
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
pid | process
1236 | Explorer.EXE (4 entries)
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
pid | process
1236 | Explorer.EXE (4 entries)
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description | pid | process | target process
PID 1844 wrote to memory of 1960 | 1844 | Inv.exe | Inv.exe (5 entries)
PID 1236 wrote to memory of 468 | 1236 | Explorer.EXE | wscript.exe (4 entries)
PID 468 wrote to memory of 1704 | 468 | wscript.exe | cmd.exe (4 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Inv.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Inv.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Inv.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Inv.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wscript.exe
    Command line: "C:\Windows\SysWOW64\wscript.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Inv.exe"
      - Deletes itself
Network
MITRE ATT&CK Matrix
Downloads
memory/468-5-0x0000000000000000-mapping.dmp
memory/468-6-0x0000000000180000-0x00000000001A6000-memory.dmp (Filesize: 152KB)
memory/468-8-0x00000000034B0000-0x000000000363B000-memory.dmp (Filesize: 1.5MB)
memory/1704-7-0x0000000000000000-mapping.dmp
memory/1844-4-0x0000000000380000-0x00000000003A9000-memory.dmp (Filesize: 164KB)
memory/1960-2-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
memory/1960-3-0x000000000041ECF0-mapping.dmp