Analysis
- max time kernel: 151s
- max time network: 125s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 08-04-2021 07:05
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Revised Invoice No CU 7035.exe
  - Resource: win7v20201028
General
- Target: Revised Invoice No CU 7035.exe
- Size: 469KB
- MD5: a0b32e96914dfe7d50cc7a56d4939c2f
- SHA1: 3b3033ac851d71711ea10b263cf2b398833316b7
- SHA256: 2e10edfbe7c4a7c9220db55d3c6f921262366908277a5483ff0faf5579e194f4
- SHA512: ee8f0b1dfefb45ab7188b4bb60bb175a2a71ad58fa1083059f98d81a54d7ec03a63fb0ab9f1897f2d8c9224468a9230b8acb936ac82d54c743e72eab5480508a
Malware Config
- Extracted family: formbook
- Version: 4.1
- C2 URL: http://www.the-techs.info/chue/
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
- behavioral2/memory/3812-19-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
- behavioral2/memory/3812-20-0x000000000041ED80-mapping.dmp | formbook
- behavioral2/memory/736-28-0x0000000000B80000-0x0000000000BAE000-memory.dmp | formbook

Nirsoft (5 IoCs)
resource | yara_rule
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe | Nirsoft (the same dropped file is matched five times)

Executes dropped EXE (4 IoCs)
pid | process
- 3056 | AdvancedRun.exe
- 3356 | AdvancedRun.exe
- 208 | AdvancedRun.exe
- 2360 | AdvancedRun.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
- PID 496 set thread context of 3812 | 496 | Revised Invoice No CU 7035.exe | Revised Invoice No CU 7035.exe
- PID 3812 set thread context of 3048 | 3812 | Revised Invoice No CU 7035.exe | Explorer.EXE
- PID 736 set thread context of 3048 | 736 | msdt.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | process (distinct entries; the report repeats each pair many times, with the bulk of the 64 hits attributed to msdt.exe PID 736)
- 3056 | AdvancedRun.exe
- 3356 | AdvancedRun.exe
- 208 | AdvancedRun.exe
- 2360 | AdvancedRun.exe
- 496 | Revised Invoice No CU 7035.exe
- 3812 | Revised Invoice No CU 7035.exe
- 736 | msdt.exe

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process
- 3812 | Revised Invoice No CU 7035.exe (3 hits)
- 736 | msdt.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (11 IoCs)
description | pid | process
- Token: SeDebugPrivilege | 3056 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 3056 | AdvancedRun.exe
- Token: SeDebugPrivilege | 3356 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 3356 | AdvancedRun.exe
- Token: SeDebugPrivilege | 208 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 208 | AdvancedRun.exe
- Token: SeDebugPrivilege | 2360 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 2360 | AdvancedRun.exe
- Token: SeDebugPrivilege | 496 | Revised Invoice No CU 7035.exe
- Token: SeDebugPrivilege | 3812 | Revised Invoice No CU 7035.exe
- Token: SeDebugPrivilege | 736 | msdt.exe

Suspicious use of UnmapMainImage (1 IoCs)
pid | process
- 3048 | Explorer.EXE

Suspicious use of WriteProcessMemory (27 IoCs)
description | pid | process | target process (distinct rows; each row appears three times in the report, the 496 -> 3812 row six times)
- PID 496 wrote to memory of 3056 | 496 | Revised Invoice No CU 7035.exe | AdvancedRun.exe
- PID 3056 wrote to memory of 3356 | 3056 | AdvancedRun.exe | AdvancedRun.exe
- PID 496 wrote to memory of 208 | 496 | Revised Invoice No CU 7035.exe | AdvancedRun.exe
- PID 208 wrote to memory of 2360 | 208 | AdvancedRun.exe | AdvancedRun.exe
- PID 496 wrote to memory of 4016 | 496 | Revised Invoice No CU 7035.exe | Revised Invoice No CU 7035.exe
- PID 496 wrote to memory of 3812 | 496 | Revised Invoice No CU 7035.exe | Revised Invoice No CU 7035.exe
- PID 3048 wrote to memory of 736 | 3048 | Explorer.EXE | msdt.exe
- PID 736 wrote to memory of 4048 | 736 | msdt.exe | cmd.exe
Processes
(indentation shows parent/child depth in the process tree)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 3056
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 208
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe"

    C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\msdt.exe
    command line: "C:\Windows\SysWOW64\msdt.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\Revised Invoice No CU 7035.exe"
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
- MD5: 17fc12902f4769af3a9271eb4e2dacce
- SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
- SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
- SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a
- memory/208-15-0x0000000000000000-mapping.dmp
- memory/496-6-0x00000000012D0000-0x00000000012D2000-memory.dmp (8KB)
- memory/496-2-0x0000000073360000-0x0000000073A4E000-memory.dmp (6.9MB)
- memory/496-9-0x0000000005F30000-0x0000000005F31000-memory.dmp (4KB)
- memory/496-8-0x0000000005640000-0x0000000005641000-memory.dmp (4KB)
- memory/496-7-0x0000000005520000-0x0000000005574000-memory.dmp (336KB)
- memory/496-5-0x0000000005790000-0x0000000005791000-memory.dmp (4KB)
- memory/496-3-0x0000000000C70000-0x0000000000C71000-memory.dmp (4KB)
- memory/736-25-0x0000000000000000-mapping.dmp
- memory/736-27-0x0000000000E60000-0x0000000000FD3000-memory.dmp (1.4MB)
- memory/736-30-0x0000000004D90000-0x0000000004E23000-memory.dmp (588KB)
- memory/736-29-0x0000000004F30000-0x0000000005250000-memory.dmp (3.1MB)
- memory/736-28-0x0000000000B80000-0x0000000000BAE000-memory.dmp (184KB)
- memory/2360-17-0x0000000000000000-mapping.dmp
- memory/3048-24-0x0000000006AD0000-0x0000000006BD6000-memory.dmp (1.0MB)
- memory/3048-31-0x0000000006BE0000-0x0000000006D38000-memory.dmp (1.3MB)
- memory/3056-10-0x0000000000000000-mapping.dmp
- memory/3356-13-0x0000000000000000-mapping.dmp
- memory/3812-23-0x0000000001030000-0x0000000001044000-memory.dmp (80KB)
- memory/3812-22-0x0000000001070000-0x0000000001390000-memory.dmp (3.1MB)
- memory/3812-20-0x000000000041ED80-mapping.dmp
- memory/3812-19-0x0000000000400000-0x000000000042E000-memory.dmp (184KB)
- memory/4048-26-0x0000000000000000-mapping.dmp