Analysis
max time kernel: 151s
max time network: 147s
platform: windows7_x64
resource: win7v20201028
submitted: 08-04-2021 07:05
Static task: static1
Behavioral task: behavioral1
Sample: Revised Invoice No CU 7035.exe
Resource: win7v20201028

General
Target: Revised Invoice No CU 7035.exe
Size: 469KB
MD5: a0b32e96914dfe7d50cc7a56d4939c2f
SHA1: 3b3033ac851d71711ea10b263cf2b398833316b7
SHA256: 2e10edfbe7c4a7c9220db55d3c6f921262366908277a5483ff0faf5579e194f4
SHA512: ee8f0b1dfefb45ab7188b4bb60bb175a2a71ad58fa1083059f98d81a54d7ec03a63fb0ab9f1897f2d8c9224468a9230b8acb936ac82d54c743e72eab5480508a

Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.the-techs.info/chue/

Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral1/memory/284-30-0x000000000041ED80-mapping.dmp | formbook
behavioral1/memory/284-29-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral1/memory/1176-38-0x0000000000080000-0x00000000000AE000-memory.dmp | formbook

Nirsoft (13 IoCs)
resource | yara_rule
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | Nirsoft
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | Nirsoft

Executes dropped EXE (4 IoCs)
pid | process
1792 | AdvancedRun.exe
1704 | AdvancedRun.exe
1652 | AdvancedRun.exe
684 | AdvancedRun.exe

Deletes itself (1 IoC)
pid | process
516 | cmd.exe

Loads dropped DLL (8 IoCs)
pid | process
1924 | Revised Invoice No CU 7035.exe
1792 | AdvancedRun.exe
1652 | AdvancedRun.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 1924 set thread context of 284 | 1924 | Revised Invoice No CU 7035.exe | Revised Invoice No CU 7035.exe
PID 284 set thread context of 1276 | 284 | Revised Invoice No CU 7035.exe | Explorer.EXE
PID 1176 set thread context of 1276 | 1176 | systray.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (38 IoCs)
pid | process
1792 | AdvancedRun.exe
1704 | AdvancedRun.exe
1652 | AdvancedRun.exe
684 | AdvancedRun.exe
1924 | Revised Invoice No CU 7035.exe
284 | Revised Invoice No CU 7035.exe
1176 | systray.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
284 | Revised Invoice No CU 7035.exe
1176 | systray.exe

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | process
Token: SeDebugPrivilege | 1792 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1792 | AdvancedRun.exe
Token: SeDebugPrivilege | 1704 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1704 | AdvancedRun.exe
Token: SeDebugPrivilege | 1652 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 1652 | AdvancedRun.exe
Token: SeDebugPrivilege | 684 | AdvancedRun.exe
Token: SeImpersonatePrivilege | 684 | AdvancedRun.exe
Token: SeDebugPrivilege | 1924 | Revised Invoice No CU 7035.exe
Token: SeDebugPrivilege | 284 | Revised Invoice No CU 7035.exe
Token: SeDebugPrivilege | 1176 | systray.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | process
1276 | Explorer.EXE

Suspicious use of SendNotifyMessage (4 IoCs)
pid | process
1276 | Explorer.EXE

Suspicious use of WriteProcessMemory (31 IoCs)
description | pid | process | target process
PID 1924 wrote to memory of 1792 | 1924 | Revised Invoice No CU 7035.exe | AdvancedRun.exe
PID 1792 wrote to memory of 1704 | 1792 | AdvancedRun.exe | AdvancedRun.exe
PID 1924 wrote to memory of 1652 | 1924 | Revised Invoice No CU 7035.exe | AdvancedRun.exe
PID 1652 wrote to memory of 684 | 1652 | AdvancedRun.exe | AdvancedRun.exe
PID 1924 wrote to memory of 284 | 1924 | Revised Invoice No CU 7035.exe | Revised Invoice No CU 7035.exe
PID 1276 wrote to memory of 1176 | 1276 | Explorer.EXE | systray.exe
PID 1176 wrote to memory of 516 | 1176 | systray.exe | cmd.exe

Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1792
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 1652
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\systray.exe
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe"
      - Deletes itself

Downloads
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

memory/284-33-0x0000000000280000-0x0000000000294000-memory.dmp (Filesize 80KB)
memory/284-29-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
memory/284-32-0x00000000008F0000-0x0000000000BF3000-memory.dmp (Filesize 3.0MB)
memory/284-30-0x000000000041ED80-mapping.dmp
memory/516-36-0x0000000000000000-mapping.dmp
memory/684-26-0x0000000000000000-mapping.dmp
memory/1176-38-0x0000000000080000-0x00000000000AE000-memory.dmp (Filesize 184KB)
memory/1176-37-0x00000000007F0000-0x00000000007F5000-memory.dmp (Filesize 20KB)
memory/1176-35-0x0000000000000000-mapping.dmp
memory/1176-39-0x0000000001F20000-0x0000000002223000-memory.dmp (Filesize 3.0MB)
memory/1176-40-0x0000000000720000-0x00000000007B3000-memory.dmp (Filesize 588KB)
memory/1276-34-0x0000000003E60000-0x0000000003F35000-memory.dmp (Filesize 852KB)
memory/1276-41-0x0000000003F40000-0x0000000004006000-memory.dmp (Filesize 792KB)
memory/1652-21-0x0000000000000000-mapping.dmp
memory/1704-16-0x0000000000000000-mapping.dmp
memory/1792-12-0x0000000075AE1000-0x0000000075AE3000-memory.dmp (Filesize 8KB)
memory/1792-10-0x0000000000000000-mapping.dmp
memory/1924-3-0x0000000000EC0000-0x0000000000EC1000-memory.dmp (Filesize 4KB)
memory/1924-5-0x00000000048B0000-0x00000000048B1000-memory.dmp (Filesize 4KB)
memory/1924-2-0x00000000742C0000-0x00000000749AE000-memory.dmp (Filesize 6.9MB)
memory/1924-6-0x0000000000360000-0x0000000000362000-memory.dmp (Filesize 8KB)
memory/1924-7-0x00000000005D0000-0x0000000000624000-memory.dmp (Filesize 336KB)