Analysis
max time kernel: 151s
max time network: 134s
platform: windows7_x64
resource: win7v20201028
submitted: 18-01-2021 09:44
Static task: static1
Behavioral task: behavioral1
Sample: invoice.exe
Resource: win7v20201028
General
Target: invoice.exe
Size: 540KB
MD5: 59f1d68e7d7425a82b9fe1a3ff2dd295
SHA1: 95332a045f2e869e01f1adcffd529b7c4a6980c8
SHA256: adc10139a3870919bf60c4345f1e9d09eec3c590a434e761c55ff3da112e9a68
SHA512: ea81d912c4ce33d5cfc5ebd66bfeae4a3fdfd6260b8507b89738b56d6ead4418f192f59774b8cce3e163cb479752783e36a3a4c9bff3d89e93de0945d6afc8aa
Malware Config
Extracted
Family: formbook
C2 URL: http://www.berkeleyreese.com/tabo/
Domains (a Formbook config pairs the real C2 path with a list of decoy domains the bot also contacts; the extractor does not mark which entries are decoys, so treat the list below as related infrastructure to hunt and block on, not as confirmed C2):
clarkandfarm.com
membersplusisthebest.com
themiraclesboutique.com
jhbsqmzaz.icu
shubharambhvastralay.com
flixnite.com
ewanthompson.net
pompanodogtrainers.com
palmbeachdialysiscenter.com
humpflix.com
siplumbing.info
photographerasheville.com
chapalalistings.com
sandwichfairnh.com
c2b-333.com
alwaysbebright.com
century-ych.com
groundcloudio.com
matodentro.com
sketch59.com
cfgtwemusa.com
msheathermusic.com
iaglcorp.com
pablogalvezbaritono.com
best4software.info
kuma-giant.com
tangledstringsinc.com
sewfrofabrics.com
wrensrevival.com
whatisasap.com
philosobri.com
lacongregacion.com
striiikecricket.store
digi-plates.com
linktraff.com
electfranklabuda.com
nativecocos.com
trumpchangeofaddress.com
canadiangrogg.com
realandycollinsbass.com
reelonesmedia.com
biboobaby.com
restoremyorigin.com
qiatufbrn.icu
train4retail.com
smbmmtcollege.com
preciadoenterprises.com
fosteringunitytoday.com
sgshiyongjun.com
hondamotorcycles-vccp.com
ugl.xyz
aquaticboxing.com
shops2ship.com
starseedsapparel.com
listenlock.com
pattayafoodbox.com
speedyangelslogictics.com
tsrunkai.com
magentos6.com
marketingcows.asia
parksummit6th.com
hard-skill.com
losduquesdewindsurf.com
genebelikov.com
Signatures

Formbook Payload (2 IoCs)
resource | yara_rule
behavioral1/memory/2032-4-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/2040-11-0x00000000000B0000-0x00000000000DE000-memory.dmp | formbook

Deletes itself (1 IoC)
pid | process
1220 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1044 set thread context of 2032 | 1044 | invoice.exe | invoice.exe
PID 2032 set thread context of 1224 | 2032 | invoice.exe | Explorer.EXE
PID 2040 set thread context of 1224 | 2040 | systray.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses (31 IoCs)
pid | process | occurrences
2032 | invoice.exe | 2
2040 | systray.exe | 29

Suspicious behavior: MapViewOfSection (6 IoCs)
pid | process | occurrences
1044 | invoice.exe | 1
2032 | invoice.exe | 3
2040 | systray.exe | 2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2032 | invoice.exe
Token: SeDebugPrivilege | 2040 | systray.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | process | occurrences
1224 | Explorer.EXE | 4

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process | occurrences
1224 | Explorer.EXE | 4

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | process | target process | occurrences
PID 1044 wrote to memory of 2032 | 1044 | invoice.exe | invoice.exe | 5
PID 1224 wrote to memory of 2040 | 1224 | Explorer.EXE | systray.exe | 4
PID 2040 wrote to memory of 1220 | 2040 | systray.exe | cmd.exe | 4
Processes (pids taken from the signature tables above; indentation is the parent/child depth of the tree)

C:\Windows\Explorer.EXE (pid 1224)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\invoice.exe (pid 1044)
    command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\invoice.exe (pid 2032)
      command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe (pid 2040)
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (pid 1220)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      - Deletes itself
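The signature tables and the process tree above describe one chain: the dropper hollows a copy of itself, the hollowed copy injects into Explorer.EXE, Explorer then spawns a system binary (systray.exe) that injects back into Explorer and finally launches cmd.exe to delete the original file. The script below is an added example by the editor, not Triage's code and not part of this report: it replays that chain from a constructed event list (pids, images, parent links and API events transcribed from the tables above) and applies the four rules a detection engineer would write for it. The field layout, the rule names and the "formbook-like" verdict are the editor's own assumptions.

```python
import ntpath
import re

# Constructed input: pids, images, parent links, command line and injection
# events transcribed from this report's process tree and signature tables.
# The layout and the rules below are the editor's own, not the sandbox's.
PROCESSES = {
    1224: r"C:\Windows\Explorer.EXE",
    1044: r"C:\Users\Admin\AppData\Local\Temp\invoice.exe",
    2032: r"C:\Users\Admin\AppData\Local\Temp\invoice.exe",
    2040: r"C:\Windows\SysWOW64\systray.exe",
    1220: r"C:\Windows\SysWOW64\cmd.exe",
}
PARENT = {1044: 1224, 2032: 1044, 2040: 1224, 1220: 2040}
CMDLINE = {1220: r'/c del "C:\Users\Admin\AppData\Local\Temp\invoice.exe"'}
# (api, source pid, target pid): one entry per distinct pair, in report order
EVENTS = [
    ("WriteProcessMemory", 1044, 2032),
    ("SetThreadContext", 1044, 2032),
    ("SetThreadContext", 2032, 1224),
    ("WriteProcessMemory", 1224, 2040),
    ("SetThreadContext", 2040, 1224),
    ("WriteProcessMemory", 2040, 1220),
]
SAMPLE_PID = 1044  # the submitted invoice.exe
SYSTEM_DIRS = (r"c:\windows\syswow64", r"c:\windows\system32")
DEL_RE = re.compile(r'^/c\s+del\s+"?(?P<path>[^"]+?)"?\s*$', re.IGNORECASE)


def image(pid):
    """Lower-cased image file name, e.g. 'explorer.exe' (ntpath handles backslashes on any OS)."""
    return ntpath.basename(PROCESSES[pid]).lower()


def hollowed_children(events=EVENTS):
    """Process hollowing: a parent writes into a child that runs the same image
    and then redirects a thread in it with SetThreadContext."""
    wrote = {(s, t) for api, s, t in events if api == "WriteProcessMemory"}
    return sorted(
        (s, t) for api, s, t in events
        if api == "SetThreadContext" and (s, t) in wrote
        and PARENT.get(t) == s and image(s) == image(t)
    )


def explorer_injectors(events=EVENTS):
    """Every process that set a thread context inside explorer.exe."""
    return sorted({s for api, s, t in events
                   if api == "SetThreadContext" and s != t and image(t) == "explorer.exe"})


def system_binary_stages(events=EVENTS):
    """Second-stage host: a binary from a Windows system directory that
    explorer.exe spawned and that injects back into explorer.exe."""
    stages = []
    for pid in explorer_injectors(events):
        parent = PARENT.get(pid)
        if parent is None or image(parent) != "explorer.exe":
            continue
        if ntpath.dirname(PROCESSES[pid]).lower() in SYSTEM_DIRS:
            stages.append(pid)
    return stages


def self_deletions(sample_pid=SAMPLE_PID, events=EVENTS):
    """cmd.exe launched by a process in the injection chain to delete the
    original sample file ('/c del "<sample path>"')."""
    chain = set(explorer_injectors(events)) | {sample_pid}
    target = PROCESSES[sample_pid].lower()
    hits = []
    for pid, cmd in CMDLINE.items():
        m = DEL_RE.match(cmd)
        if (image(pid) == "cmd.exe" and PARENT.get(pid) in chain
                and m and m.group("path").lower() == target):
            hits.append(pid)
    return sorted(hits)


def injection_chain(events=EVENTS):
    """SetThreadContext hops in report order, as 'pid image -> pid image'."""
    return [f"{s} {image(s)} -> {t} {image(t)}"
            for api, s, t in events if api == "SetThreadContext"]


def formbook_like():
    """All four stages seen together: hollow own child, inject explorer.exe,
    explorer spawns a system binary that re-injects, dropper is deleted."""
    return bool(hollowed_children() and explorer_injectors()
                and system_binary_stages() and self_deletions())


if __name__ == "__main__":
    for hop in injection_chain():
        print(hop)
    print("formbook-like chain:", formbook_like())
```

The rules key on relationships (same image as the parent, target is explorer.exe, parent is explorer.exe, system directory, deletion of the sample path) rather than on the names invoice.exe or systray.exe, because the second-stage host is chosen by the malware at run time and the dropper name changes with every campaign. On real telemetry the same logic applies to Sysmon event IDs 1, 8 and 10 or an EDR's process and cross-process events; only the constructed lists above need replacing.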
Network
MITRE ATT&CK Matrix
Downloads
memory/1044-2-0x00000000760A1000-0x00000000760A3000-memory.dmp (8KB)
memory/1220-9-0x0000000000000000-mapping.dmp
memory/1224-14-0x00000000067A0000-0x0000000006889000-memory.dmp (932KB)
memory/1224-7-0x0000000004940000-0x0000000004ADC000-memory.dmp (1.6MB)
memory/2032-3-0x000000000041ED40-mapping.dmp
memory/2032-5-0x0000000000A90000-0x0000000000D93000-memory.dmp (3.0MB)
memory/2032-6-0x0000000000170000-0x0000000000184000-memory.dmp (80KB)
memory/2032-4-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
memory/2040-8-0x0000000000000000-mapping.dmp
memory/2040-11-0x00000000000B0000-0x00000000000DE000-memory.dmp (184KB)
memory/2040-12-0x0000000001EE0000-0x00000000021E3000-memory.dmp (3.0MB)
memory/2040-13-0x0000000001D70000-0x0000000001E03000-memory.dmp (588KB)
memory/2040-10-0x00000000000A0000-0x00000000000A5000-memory.dmp (20KB)
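The dump names encode the pid, a dump index and the start and end address of the region, so the listed sizes can be recomputed and regions can be compared across processes. The script below is an added example by the editor, not part of the report and not Triage's code: it parses the two name layouts used on this page (a region dump with a start/end range and a mapping dump with a single address), checks the listed sizes against the ranges, and lists region sizes that recur in more than one process. The dump list and the two YARA-matched names are transcribed from this page; the parsing regexes and the rounding rule are the editor's assumptions about how the names and sizes were produced.

```python
import re
from collections import defaultdict

# Constructed input: dump names and listed sizes from this report's Downloads
# section, plus the two dumps the Formbook YARA rule matched (Signatures).
DUMPS = {
    "memory/1044-2-0x00000000760A1000-0x00000000760A3000-memory.dmp": "8KB",
    "memory/1220-9-0x0000000000000000-mapping.dmp": None,
    "memory/1224-14-0x00000000067A0000-0x0000000006889000-memory.dmp": "932KB",
    "memory/1224-7-0x0000000004940000-0x0000000004ADC000-memory.dmp": "1.6MB",
    "memory/2032-3-0x000000000041ED40-mapping.dmp": None,
    "memory/2032-5-0x0000000000A90000-0x0000000000D93000-memory.dmp": "3.0MB",
    "memory/2032-6-0x0000000000170000-0x0000000000184000-memory.dmp": "80KB",
    "memory/2032-4-0x0000000000400000-0x000000000042E000-memory.dmp": "184KB",
    "memory/2040-8-0x0000000000000000-mapping.dmp": None,
    "memory/2040-11-0x00000000000B0000-0x00000000000DE000-memory.dmp": "184KB",
    "memory/2040-12-0x0000000001EE0000-0x00000000021E3000-memory.dmp": "3.0MB",
    "memory/2040-13-0x0000000001D70000-0x0000000001E03000-memory.dmp": "588KB",
    "memory/2040-10-0x00000000000A0000-0x00000000000A5000-memory.dmp": "20KB",
}
YARA_HITS = {
    "memory/2032-4-0x0000000000400000-0x000000000042E000-memory.dmp",
    "memory/2040-11-0x00000000000B0000-0x00000000000DE000-memory.dmp",
}

# Assumed name layouts: memory/<pid>-<idx>-<start>-<end>-memory.dmp and
# memory/<pid>-<idx>-<addr>-mapping.dmp (the only two forms on this page).
REGION_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-(?P<start>0x[0-9A-Fa-f]+)-(?P<end>0x[0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-(?P<addr>0x[0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump(name):
    """Describe one dump name, or return None if it matches neither layout."""
    m = REGION_RE.match(name)
    if m:
        start, end = int(m["start"], 16), int(m["end"], 16)
        return {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": "region",
                "start": start, "end": end, "size": end - start}
    m = MAPPING_RE.match(name)
    if m:
        return {"pid": int(m["pid"]), "idx": int(m["idx"]), "kind": "mapping",
                "addr": int(m["addr"], 16), "size": None}
    return None


def human(size):
    """Assumed rounding of the listed sizes: whole KB below 1 MiB, one decimal MB above."""
    if size < 1 << 20:
        return f"{size // 1024}KB"
    return f"{size / (1 << 20):.1f}MB"


def size_mismatches(dumps=DUMPS):
    """Region dumps whose listed size disagrees with the range in the name."""
    bad = []
    for name, listed in dumps.items():
        info = parse_dump(name)
        if info and info["kind"] == "region" and human(info["size"]) != listed:
            bad.append(name)
    return bad


def shared_sizes(dumps=DUMPS):
    """Region sizes present in more than one process, mapped to (pid, idx).
    Equal size is only a hint that the same unpacked payload was copied;
    hash the dump contents to confirm."""
    by_size = defaultdict(list)
    for name in dumps:
        info = parse_dump(name)
        if info and info["kind"] == "region":
            by_size[info["size"]].append((info["pid"], info["idx"]))
    return {s: sorted(v) for s, v in by_size.items() if len({p for p, _ in v}) > 1}


def yara_hit_sizes(dumps=DUMPS, hits=YARA_HITS):
    """Byte size of each YARA-matched region dump."""
    return {name: parse_dump(name)["size"] for name in sorted(hits) if name in dumps}


if __name__ == "__main__":
    print("listed sizes that do not match the range:", size_mismatches())
    for size, where in sorted(shared_sizes().items()):
        print(f"{human(size):>6} ({size:#x} bytes) in", where)
    print("YARA hits:", yara_hit_sizes())
```

Run against this page the two YARA-matched dumps are both exactly 0x2E000 bytes, and the two 3.0MB regions in pids 2032 and 2040 are the same 0x303000 bytes, which is what one expects when the hollowed child hands the same unpacked payload to the second-stage systray.exe. The base addresses differ: in 2032 the payload sits at 0x400000, the default image base of a 32-bit executable, consistent with hollowing, while in 2040 it sits at 0xB0000, an allocated region rather than the host's image.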