Analysis
- max time kernel: 147s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 18-01-2021 09:44
- Static task: static1
- Behavioral task: behavioral1
- Sample: invoice.exe
- Resource: win7v20201028
General
- Target: invoice.exe
- Size: 540KB
- MD5: 59f1d68e7d7425a82b9fe1a3ff2dd295
- SHA1: 95332a045f2e869e01f1adcffd529b7c4a6980c8
- SHA256: adc10139a3870919bf60c4345f1e9d09eec3c590a434e761c55ff3da112e9a68
- SHA512: ea81d912c4ce33d5cfc5ebd66bfeae4a3fdfd6260b8507b89738b56d6ead4418f192f59774b8cce3e163cb479752783e36a3a4c9bff3d89e93de0945d6afc8aa
Malware Config
Extracted: formbook
http://www.berkeleyreese.com/tabo/
clarkandfarm.com
membersplusisthebest.com
themiraclesboutique.com
jhbsqmzaz.icu
shubharambhvastralay.com
flixnite.com
ewanthompson.net
pompanodogtrainers.com
palmbeachdialysiscenter.com
humpflix.com
siplumbing.info
photographerasheville.com
chapalalistings.com
sandwichfairnh.com
c2b-333.com
alwaysbebright.com
century-ych.com
groundcloudio.com
matodentro.com
sketch59.com
cfgtwemusa.com
msheathermusic.com
iaglcorp.com
pablogalvezbaritono.com
best4software.info
kuma-giant.com
tangledstringsinc.com
sewfrofabrics.com
wrensrevival.com
whatisasap.com
philosobri.com
lacongregacion.com
striiikecricket.store
digi-plates.com
linktraff.com
electfranklabuda.com
nativecocos.com
trumpchangeofaddress.com
canadiangrogg.com
realandycollinsbass.com
reelonesmedia.com
biboobaby.com
restoremyorigin.com
qiatufbrn.icu
train4retail.com
smbmmtcollege.com
preciadoenterprises.com
fosteringunitytoday.com
sgshiyongjun.com
hondamotorcycles-vccp.com
ugl.xyz
aquaticboxing.com
shops2ship.com
starseedsapparel.com
listenlock.com
pattayafoodbox.com
speedyangelslogictics.com
tsrunkai.com
magentos6.com
marketingcows.asia
parksummit6th.com
hard-skill.com
losduquesdewindsurf.com
genebelikov.com
Signatures
- Formbook Payload (2 IoCs)
  Processes:
  resource                                                                   yara_rule
  behavioral2/memory/2684-3-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/3996-10-0x0000000000B20000-0x0000000000B4E000-memory.dmp formbook
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: invoice.exe, invoice.exe, msdt.exe
  description                            pid   process      target process
  PID 3108 set thread context of 2684    3108  invoice.exe  invoice.exe
  PID 2684 set thread context of 2756    2684  invoice.exe  Explorer.EXE
  PID 3996 set thread context of 2756    3996  msdt.exe     Explorer.EXE
- Suspicious behavior: EnumeratesProcesses (60 IoCs)
  Processes: invoice.exe, msdt.exe
  pid   process
  2684  invoice.exe  (4 identical entries)
  3996  msdt.exe     (all remaining entries, identical; 60 IoCs in total)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  Processes: invoice.exe, invoice.exe, msdt.exe
  pid   process
  3108  invoice.exe
  2684  invoice.exe  (3 identical entries)
  3996  msdt.exe     (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (6 IoCs)
  Processes: invoice.exe, Explorer.EXE, msdt.exe
  description                       pid   process
  Token: SeDebugPrivilege           2684  invoice.exe
  Token: SeShutdownPrivilege        2756  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2756  Explorer.EXE
  Token: SeShutdownPrivilege        2756  Explorer.EXE
  Token: SeCreatePagefilePrivilege  2756  Explorer.EXE
  Token: SeDebugPrivilege           3996  msdt.exe
- Suspicious use of UnmapMainImage (1 IoC)
  Processes: Explorer.EXE
  pid   process
  2756  Explorer.EXE
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: invoice.exe, Explorer.EXE, msdt.exe
  description                          pid   process       target process
  PID 3108 wrote to memory of 2684     3108  invoice.exe   invoice.exe   (4 identical entries)
  PID 2756 wrote to memory of 3996     2756  Explorer.EXE  msdt.exe      (3 identical entries)
  PID 3996 wrote to memory of 2708     3996  msdt.exe      cmd.exe       (3 identical entries)
Processes
- C:\Windows\Explorer.EXE (depth 1), command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\invoice.exe (depth 2), command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\invoice.exe (depth 3), command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\msdt.exe (depth 2), command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (depth 3), command line: /c del "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/2684-2-0x000000000041ED40-mapping.dmp
- memory/2684-3-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/2684-5-0x0000000001330000-0x0000000001650000-memory.dmp (Filesize: 3.1MB)
- memory/2684-6-0x00000000010E0000-0x00000000010F4000-memory.dmp (Filesize: 80KB)
- memory/2708-12-0x0000000000000000-mapping.dmp
- memory/2756-7-0x00000000065A0000-0x00000000066FD000-memory.dmp (Filesize: 1.4MB)
- memory/2756-15-0x0000000002BF0000-0x0000000002CCA000-memory.dmp (Filesize: 872KB)
- memory/3996-8-0x0000000000000000-mapping.dmp
- memory/3996-9-0x00000000011F0000-0x0000000001363000-memory.dmp (Filesize: 1.4MB)
- memory/3996-10-0x0000000000B20000-0x0000000000B4E000-memory.dmp (Filesize: 184KB)
- memory/3996-11-0x0000000004FB0000-0x00000000052D0000-memory.dmp (Filesize: 3.1MB)
- memory/3996-14-0x0000000004DB0000-0x0000000004E43000-memory.dmp (Filesize: 588KB)