Analysis
  max time kernel: 146s
  max time network: 137s
  platform: windows10_x64
  resource: win10v20210410
  submitted: 20-04-2021 14:38

Tasks
  Static task: static1
  Behavioral task: behavioral1 (sample: Invoice pdf.exe, resource: win7v20210410)
  Note: the memory IoCs and dumps further down are labelled behavioral2 and the platform line above says windows10_x64, so the results in this extract come from a Windows 10 run whose task entry is not listed here.

General
  Target: Invoice pdf.exe
  Size: 661KB
  MD5: 95ad0de0d121d51993dc0e546f82772c
  SHA1: e2830744f6497321e7b4c2a49d8270ea91b923c8
  SHA256: 494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535
  SHA512: 07b83558bd2269cdafd56ca91ddbe396b1d76cc5466fe13f2fff102ce49afedcb446b734922cd4dd6f8f9d2ac80bdcd8f9287ac11415c3c1d3f6dceaef8fe5ae
Malware Config
  Extracted family: formbook
  Version: 4.1
  C2: http://w (the remainder of the extracted URL was rendered as undecodable binary in this report and is not reproduced here; treat the C2 as unknown from this page alone)
Signatures

Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/3436-118-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
  behavioral2/memory/3436-119-0x000000000041EAC0-mapping.dmp                    formbook
  behavioral2/memory/1308-128-0x0000000000E60000-0x0000000000E8E000-memory.dmp  formbook

Suspicious use of SetThreadContext (3 IoCs)
  pid   process          target pid  target process
  3656  Invoice pdf.exe  3436        Invoice pdf.exe
  3436  Invoice pdf.exe  3040        Explorer.EXE
  1308  msiexec.exe      3040        Explorer.EXE

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: that sentence is the sandbox's generic description for this signature. The extracted config identifies the sample as Formbook, an information stealer, and nothing else in this report (no file encryption, no ransom note) supports a ransomware reading; the drive enumeration should be read in that light.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Here the task is "Updates\gXUZJVkFviCTU", imported from the XML file C:\Users\Admin\AppData\Local\Temp\tmpB5D4.tmp (see the process tree and Downloads below).

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid   process          count
  3656  Invoice pdf.exe  4
  3436  Invoice pdf.exe  4
  1308  msiexec.exe      16

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process          count
  3436  Invoice pdf.exe  3
  1308  msiexec.exe      2

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  pid   process          token
  3656  Invoice pdf.exe  SeDebugPrivilege
  3436  Invoice pdf.exe  SeDebugPrivilege
  1308  msiexec.exe      SeDebugPrivilege
  All three stages enable SeDebugPrivilege, which injectors commonly request so that OpenProcess on the target succeeds regardless of who owns it.

Suspicious use of WriteProcessMemory (15 IoCs)
  pid   process          target pid  target process   count
  3656  Invoice pdf.exe  412         schtasks.exe     3
  3656  Invoice pdf.exe  3436        Invoice pdf.exe  6
  3040  Explorer.EXE     1308        msiexec.exe      3
  1308  msiexec.exe      3960        cmd.exe          3
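The SetThreadContext and WriteProcessMemory signatures are printed as one run-on line each on the original page, which hides the injection chain they describe. The Python below is an added example written for this page, not output of the sandbox or code from the Formbook family: it parses those two rows exactly as the page prints them, resolves pids through a lookup table built from the process tree, and labels each source/target pair as hollowing (memory write plus thread-context change into a process running the same image as the writer), thread hijack (thread-context change into a different, already running process) or write-only. The record grammar, the three labels, the lookup table and every function name are this example's own assumptions.

```python
"""Rebuild the injection chain from the report's flattened signature rows.

Added example, not part of the sandbox report. The two row strings are the
"set thread context" and "wrote to memory" rows copied from the page;
PROCESS_NAMES is built from the report's process tree. The record grammar,
the labels and the function names are assumptions made for this example.
"""
import re
from collections import defaultdict

# pid -> image name, taken from the report's process tree (constructed lookup)
PROCESS_NAMES = {
    3040: "Explorer.EXE",
    3656: "Invoice pdf.exe",
    412: "schtasks.exe",
    3436: "Invoice pdf.exe",
    1308: "msiexec.exe",
    3960: "cmd.exe",
}

SET_THREAD_CONTEXT_ROW = (
    "PID 3656 set thread context of 3436 3656 Invoice pdf.exe Invoice pdf.exe "
    "PID 3436 set thread context of 3040 3436 Invoice pdf.exe Explorer.EXE "
    "PID 1308 set thread context of 3040 1308 msiexec.exe Explorer.EXE"
)

WRITE_PROCESS_MEMORY_ROW = (
    "PID 3656 wrote to memory of 412 3656 Invoice pdf.exe schtasks.exe "
    "PID 3656 wrote to memory of 412 3656 Invoice pdf.exe schtasks.exe "
    "PID 3656 wrote to memory of 412 3656 Invoice pdf.exe schtasks.exe "
    "PID 3656 wrote to memory of 3436 3656 Invoice pdf.exe Invoice pdf.exe "
    "PID 3656 wrote to memory of 3436 3656 Invoice pdf.exe Invoice pdf.exe "
    "PID 3656 wrote to memory of 3436 3656 Invoice pdf.exe Invoice pdf.exe "
    "PID 3656 wrote to memory of 3436 3656 Invoice pdf.exe Invoice pdf.exe "
    "PID 3656 wrote to memory of 3436 3656 Invoice pdf.exe Invoice pdf.exe "
    "PID 3656 wrote to memory of 3436 3656 Invoice pdf.exe Invoice pdf.exe "
    "PID 3040 wrote to memory of 1308 3040 Explorer.EXE msiexec.exe "
    "PID 3040 wrote to memory of 1308 3040 Explorer.EXE msiexec.exe "
    "PID 3040 wrote to memory of 1308 3040 Explorer.EXE msiexec.exe "
    "PID 1308 wrote to memory of 3960 1308 msiexec.exe cmd.exe "
    "PID 1308 wrote to memory of 3960 1308 msiexec.exe cmd.exe "
    "PID 1308 wrote to memory of 3960 1308 msiexec.exe cmd.exe"
)

# Each record starts "PID <src> <verb> <dst> <src>"; the image names that follow
# may contain spaces ("Invoice pdf.exe"), so only the pids are parsed and names
# are resolved through PROCESS_NAMES. \1 checks the repeated source pid.
RECORD = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \1\b")


def parse_events(row):
    """Return {(src_pid, dst_pid): occurrences} for one flattened signature row."""
    counts = defaultdict(int)
    for m in RECORD.finditer(row):
        counts[(int(m.group(1)), int(m.group(3)))] += 1
    return dict(counts)


def classify(writes, thread_ctx, names):
    """Label every (src, dst) pair seen in either signature.

    hollowing     : src wrote into dst AND changed its thread context, and dst
                    runs the same image as src (a suspended copy of itself).
    thread-hijack : src changed dst's thread context with no recorded write,
                    into a process running a different image.
    write-only    : memory write with no thread-context change in this report.
    """
    labels = {}
    for src, dst in set(writes) | set(thread_ctx):
        wrote, hijacked = (src, dst) in writes, (src, dst) in thread_ctx
        if wrote and hijacked and names.get(src) == names.get(dst):
            labels[(src, dst)] = "hollowing"
        elif hijacked:
            labels[(src, dst)] = "thread-hijack"
        else:
            labels[(src, dst)] = "write-only"
    return labels


def injection_chain(root, writes, thread_ctx):
    """Depth-first walk over src->dst edges from the root pid, first-seen order."""
    edges = defaultdict(list)
    for src, dst in list(writes) + list(thread_ctx):
        if dst not in edges[src]:
            edges[src].append(dst)
    chain, stack, seen = [], [root], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        chain.append(pid)
        stack.extend(reversed(edges[pid]))
    return chain


if __name__ == "__main__":
    writes = parse_events(WRITE_PROCESS_MEMORY_ROW)
    ctx = parse_events(SET_THREAD_CONTEXT_ROW)
    for (src, dst), label in sorted(classify(writes, ctx, PROCESS_NAMES).items()):
        print(f"{src} {PROCESS_NAMES[src]!r} -> {dst} {PROCESS_NAMES[dst]!r}: {label}")
    print("chain:", injection_chain(3656, writes, ctx))
```

On this report the pair 3656 -> 3436 comes out as hollowing (the sample writes into and redirects a child copy of itself), both 3436 -> 3040 and 1308 -> 3040 as thread hijacks of Explorer.EXE, and the chain walk from 3656 visits 412, 3436, 3040, 1308 and 3960, which is the order of the process tree below. The heuristic deliberately ignores how many times a write was recorded; a single WriteProcessMemory into a same-image child followed by SetThreadContext is already the hollowing pattern.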
Processes (indentation shows the parent/child relationship; the level number is the depth reported by the sandbox)

  [1] C:\Windows\Explorer.EXE
      cmd: C:\Windows\Explorer.EXE
      - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\schtasks.exe
          cmd: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gXUZJVkFviCTU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB5D4.tmp"
          - Creates scheduled task(s)
          (the System32 path in the command line resolves to SysWOW64 because the 32-bit sample is subject to file-system redirection)

      [3] C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    [2] C:\Windows\SysWOW64\msiexec.exe
        cmd: "C:\Windows\SysWOW64\msiexec.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

      [3] C:\Windows\SysWOW64\cmd.exe
          cmd: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"

Read together with the SetThreadContext and WriteProcessMemory rows, the tree shows the sequence recorded in this run: the first Invoice pdf.exe (3656) registers the scheduled task, then writes into and redirects the thread of a second copy of itself (3436); that copy sets the thread context of Explorer.EXE (3040); Explorer then starts an argument-less msiexec.exe (1308) and writes into it; msiexec.exe in turn sets Explorer's thread context and finally runs cmd.exe (3960) to delete the original sample from Temp. The Formbook YARA rule matches memory in both 3436 and 1308, so the payload is present in the hollowed child and in msiexec.exe.
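Three command lines in the tree carry most of the triage value: the schtasks import of an XML file from the user's Temp folder, the msiexec.exe started with no package argument, and the cmd.exe that deletes the sample that was just executed. The Python below is an added example written for this page, not a sandbox or vendor rule: it runs those three checks over (pid, image path, command line) rows copied from the tree above. The rule names, the helper names, the Temp-path pattern and the "first token is the image" convention are assumptions made for this example.

```python
"""Flag persistence and clean-up command lines from the report's process tree.

Added example, not part of the sandbox report. COMMAND_LINES is copied from
the tree above (pid, image path as reported, command line as reported); the
rules, their names and the helper functions are this example's assumptions.
"""
import re

COMMAND_LINES = [
    (3040, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (3656, r"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"'),
    (412, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gXUZJVkFviCTU" '
          r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpB5D4.tmp"'),
    (3436, r"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"'),
    (1308, r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    (3960, r"C:\Windows\SysWOW64\cmd.exe",
           r'/c del "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"'),
]

# Windows command lines: a double-quoted run is one token, otherwise split on whitespace.
TOKEN = re.compile(r'"[^"]*"|\S+')
# Assumed pattern for a per-user Temp directory (case-insensitive).
USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)


def tokens(cmdline):
    """Split a command line into tokens with surrounding quotes removed."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def value_after(args, flag):
    """Return the argument following a /flag (case-insensitive), or None."""
    for i, a in enumerate(args[:-1]):
        if a.lower() == flag:
            return args[i + 1]
    return None


def triage(rows):
    """Run the three checks over (pid, image_path, cmdline) rows; return findings."""
    images = {path.lower() for _, path, _ in rows}
    findings = []
    for pid, path, cmdline in rows:
        name = path.rsplit("\\", 1)[-1].lower()
        toks = tokens(cmdline)
        # The first token is normally the image itself; the cmd.exe row lacks it.
        args = toks[1:] if toks and toks[0].lower().endswith(name) else toks
        lower = [a.lower() for a in args]

        # Rule 1: a scheduled task created from an XML that lives in the user's Temp.
        if name == "schtasks.exe" and "/create" in lower:
            xml = value_after(args, "/xml")
            if xml and USER_TEMP.match(xml):
                findings.append({"pid": pid, "rule": "schtasks-xml-from-user-temp",
                                 "task": value_after(args, "/tn"), "xml": xml})

        # Rule 2: cmd.exe deleting a file that was executed elsewhere in the tree.
        if name == "cmd.exe" and "del" in lower:
            i = lower.index("del")
            target = args[i + 1] if i + 1 < len(args) else ""
            if target.lower() in images:
                findings.append({"pid": pid, "rule": "deletes-executed-image", "target": target})

        # Rule 3: msiexec.exe with no package or switch at all (a bare injection host).
        if name == "msiexec.exe" and not args:
            findings.append({"pid": pid, "rule": "msiexec-without-package"})
    return findings


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        print(f)
```

Run as-is this yields exactly three findings, one per rule, for pids 412, 1308 and 3960; Explorer.EXE and both Invoice pdf.exe rows produce nothing. Rule 2 keys on the set of image paths actually seen in the tree rather than on the sample name, so it also catches self-deletion of a renamed dropper, and rule 1 deliberately does not try to judge the task name, since "Updates\" plus a random string is only suspicious in combination with the Temp-resident XML.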
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\tmpB5D4.tmp (the task XML imported by the schtasks.exe command above)
    MD5:    866d9e36ff8786b19bd8b20acb3d5774
    SHA1:   54f6abc84743f6c19f54fc9b6a30b00e7cad1fa2
    SHA256: 010a1ac25c5f3ba8bfc0d69a5c63678c88a287e9ba55f24a608bd7594b667820
    SHA512: 32f1471ad44daea73444ebf3a220afde33ea11d44866cc28ed564496ec140204b71e2ab554d6f8727152e8dc97336d35a352c3a129552f5615ebfa98263d2382
Memory dumps (grouped by pid; "mapping.dmp" entries carry no size)

  pid 412 (schtasks.exe)
    memory/412-116-0x0000000000000000-mapping.dmp

  pid 1308 (msiexec.exe)
    memory/1308-124-0x0000000000000000-mapping.dmp
    memory/1308-131-0x0000000004E80000-0x0000000004F13000-memory.dmp   588KB
    memory/1308-129-0x0000000005010000-0x0000000005330000-memory.dmp   3.1MB
    memory/1308-128-0x0000000000E60000-0x0000000000E8E000-memory.dmp   184KB  (Formbook YARA match)
    memory/1308-127-0x0000000000FE0000-0x0000000000FF2000-memory.dmp   72KB

  pid 3040 (Explorer.EXE)
    memory/3040-123-0x0000000003280000-0x000000000333B000-memory.dmp   748KB
    memory/3040-132-0x0000000006870000-0x0000000006918000-memory.dmp   672KB

  pid 3436 (Invoice pdf.exe, hollowed child)
    memory/3436-122-0x00000000016D0000-0x00000000016E4000-memory.dmp   80KB
    memory/3436-121-0x0000000001770000-0x0000000001A90000-memory.dmp   3.1MB
    memory/3436-119-0x000000000041EAC0-mapping.dmp                     (Formbook YARA match)
    memory/3436-118-0x0000000000400000-0x000000000042E000-memory.dmp   184KB  (Formbook YARA match)

  pid 3656 (Invoice pdf.exe, initial process)
    memory/3656-114-0x00000000026C0000-0x00000000026C1000-memory.dmp   4KB
    memory/3656-115-0x000000007F0E0000-0x000000007F0E1000-memory.dmp   4KB

  pid 3960 (cmd.exe)
    memory/3960-130-0x0000000000000000-mapping.dmp

The two YARA-matched regions are the same size (0x42E000 - 0x400000 = 0xE8E000 - 0xE60000 = 0x2E000 bytes, 184KB): the unpacked payload sits at the image base 0x400000 in the hollowed child and at 0xE60000 inside msiexec.exe, and the mapping dump at 0x41EAC0 lies inside the first of those regions. For payload extraction the 3436-118 dump is the cleaner starting point, since it is the one at a conventional image base.