Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 20-04-2021 14:38
Static task: static1
Behavioral task: behavioral1
Sample: Invoice pdf.exe
Resource: win7v20210410
General
- Target: Invoice pdf.exe
- Size: 661KB
- MD5: 95ad0de0d121d51993dc0e546f82772c
- SHA1: e2830744f6497321e7b4c2a49d8270ea91b923c8
- SHA256: 494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535
- SHA512: 07b83558bd2269cdafd56ca91ddbe396b1d76cc5466fe13f2fff102ce49afedcb446b734922cd4dd6f8f9d2ac80bdcd8f9287ac11415c3c1d3f6dceaef8fe5ae
Malware Config
Extracted
formbook
4.1
http://w����5 �@q[*��S=���m
Signatures
- Formbook Payload (3 IoCs)
  resource / yara_rule:
  - behavioral1/memory/1520-67-0x000000000041EAC0-mapping.dmp / formbook
  - behavioral1/memory/1520-66-0x0000000000400000-0x000000000042E000-memory.dmp / formbook
  - behavioral1/memory/1556-77-0x0000000000080000-0x00000000000AE000-memory.dmp / formbook
- Deletes itself (1 IoC)
  pid / process:
  - 1576 / cmd.exe
- Suspicious use of SetThreadContext (4 IoCs)
  description (pid process -> target process):
  - PID 1048 set thread context of 1520 (1048 Invoice pdf.exe -> Invoice pdf.exe)
  - PID 1520 set thread context of 1208 (1520 Invoice pdf.exe -> Explorer.EXE)
  - PID 1520 set thread context of 1208 (1520 Invoice pdf.exe -> Explorer.EXE)
  - PID 1556 set thread context of 1208 (1556 cmmon32.exe -> Explorer.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid / process (number of events):
  - 1048 / Invoice pdf.exe (3)
  - 1520 / Invoice pdf.exe (3)
  - 1556 / cmmon32.exe (6)
- Suspicious behavior: MapViewOfSection (6 IoCs)
  pid / process (number of events):
  - 1520 / Invoice pdf.exe (4)
  - 1556 / cmmon32.exe (2)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description (pid process):
  - Token: SeDebugPrivilege (1048 Invoice pdf.exe)
  - Token: SeDebugPrivilege (1520 Invoice pdf.exe)
  - Token: SeDebugPrivilege (1556 cmmon32.exe)
- Suspicious use of WriteProcessMemory (19 IoCs)
  description (pid process -> target process, number of events):
  - PID 1048 wrote to memory of 1016 (1048 Invoice pdf.exe -> schtasks.exe, 4)
  - PID 1048 wrote to memory of 1520 (1048 Invoice pdf.exe -> Invoice pdf.exe, 7)
  - PID 1520 wrote to memory of 1556 (1520 Invoice pdf.exe -> cmmon32.exe, 4)
  - PID 1556 wrote to memory of 1576 (1556 cmmon32.exe -> cmd.exe, 4)
Processes
- C:\Windows\Explorer.EXE (depth 1)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe (depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\schtasks.exe (depth 3)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gXUZJVkFviCTU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB0E.tmp"
      - Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmmon32.exe (depth 4)
        command line: "C:\Windows\SysWOW64\cmmon32.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (depth 5)
          command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
          - Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpAB0E.tmp
  MD5: 913058c6cc7688e86d18c1325942fe21
  SHA1: 24256bd5b231aa9c6d52b7304adaa685d8ada878
  SHA256: 2ee0dbcbf46a558b45959063f8666636d0333df1a1b22dde760fae3ce7757ede
  SHA512: 89952ea1c3fe61c73508802408e3bb6d6dfdf43b59e674513eca213aa5ed7c9819d5dbb98cd3a1b8e8988947614b2e0c8791837e4991b244cdf89825677f4d34
- memory/1016-64-0x0000000000000000-mapping.dmp
- memory/1048-60-0x0000000075721000-0x0000000075723000-memory.dmp (Filesize 8KB)
- memory/1048-62-0x00000000001A1000-0x00000000001A2000-memory.dmp (Filesize 4KB)
- memory/1048-61-0x00000000001A0000-0x00000000001A1000-memory.dmp (Filesize 4KB)
- memory/1048-63-0x000000007EF50000-0x000000007EF51000-memory.dmp (Filesize 4KB)
- memory/1208-71-0x0000000005010000-0x00000000050F2000-memory.dmp (Filesize 904KB)
- memory/1208-80-0x0000000004A10000-0x0000000004AD9000-memory.dmp (Filesize 804KB)
- memory/1208-73-0x0000000006FC0000-0x000000000713A000-memory.dmp (Filesize 1.5MB)
- memory/1520-69-0x0000000000910000-0x0000000000C13000-memory.dmp (Filesize 3.0MB)
- memory/1520-70-0x0000000000310000-0x0000000000324000-memory.dmp (Filesize 80KB)
- memory/1520-67-0x000000000041EAC0-mapping.dmp
- memory/1520-72-0x0000000000350000-0x0000000000364000-memory.dmp (Filesize 80KB)
- memory/1520-66-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize 184KB)
- memory/1556-74-0x0000000000000000-mapping.dmp
- memory/1556-76-0x0000000000FD0000-0x0000000000FDD000-memory.dmp (Filesize 52KB)
- memory/1556-77-0x0000000000080000-0x00000000000AE000-memory.dmp (Filesize 184KB)
- memory/1556-78-0x0000000000A80000-0x0000000000D83000-memory.dmp (Filesize 3.0MB)
- memory/1556-79-0x00000000009B0000-0x0000000000A43000-memory.dmp (Filesize 588KB)
- memory/1576-75-0x0000000000000000-mapping.dmp