Analysis
- max time kernel: 150s
- max time network: 142s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 20-04-2021 14:38
- Static task: static1
- Behavioral task: behavioral1
- Sample: Invoice pdf.exe
- Resource: win7v20210410
General
- Target: Invoice pdf.exe
- Size: 661KB
- MD5: 95ad0de0d121d51993dc0e546f82772c
- SHA1: e2830744f6497321e7b4c2a49d8270ea91b923c8
- SHA256: 494b892495fb6f002fd36477446bfc59f686fe73710d55dc782de8512452e535
- SHA512: 07b83558bd2269cdafd56ca91ddbe396b1d76cc5466fe13f2fff102ce49afedcb446b734922cd4dd6f8f9d2ac80bdcd8f9287ac11415c3c1d3f6dceaef8fe5ae
Malware Config
- Extracted: formbook 4.1
- http://w����5 �@q[*��S=���m
Signatures
- Formbook Payload (3 IoCs)
  Processes (resource / yara_rule):
  - behavioral2/memory/1176-118-0x0000000000400000-0x000000000042E000-memory.dmp: formbook
  - behavioral2/memory/1176-119-0x000000000041EAC0-mapping.dmp: formbook
  - behavioral2/memory/2080-126-0x0000000000960000-0x000000000098E000-memory.dmp: formbook
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description / pid / process -> target process):
  - PID 796 set thread context of 1176: 796 Invoice pdf.exe -> Invoice pdf.exe
  - PID 1176 set thread context of 3024: 1176 Invoice pdf.exe -> Explorer.EXE
  - PID 2080 set thread context of 3024: 2080 wlanext.exe -> Explorer.EXE
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes (pid / process):
  - 796 Invoice pdf.exe (4 IoCs)
  - 1176 Invoice pdf.exe (4 IoCs)
  - 2080 wlanext.exe (14 IoCs)
- Suspicious behavior: MapViewOfSection (5 IoCs)
  Processes (pid / process):
  - 1176 Invoice pdf.exe (3 IoCs)
  - 2080 wlanext.exe (2 IoCs)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege: 796 Invoice pdf.exe
  - Token: SeDebugPrivilege: 1176 Invoice pdf.exe
  - Token: SeDebugPrivilege: 2080 wlanext.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  Processes (description / pid / process -> target process):
  - PID 796 wrote to memory of 1564: 796 Invoice pdf.exe -> schtasks.exe (3 IoCs)
  - PID 796 wrote to memory of 1176: 796 Invoice pdf.exe -> Invoice pdf.exe (6 IoCs)
  - PID 3024 wrote to memory of 2080: 3024 Explorer.EXE -> wlanext.exe (3 IoCs)
  - PID 2080 wrote to memory of 3940: 2080 wlanext.exe -> cmd.exe (3 IoCs)
Processes (process tree, indented by depth)
- C:\Windows\Explorer.EXE (depth 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (depth 3)
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gXUZJVkFviCTU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2CA9.tmp"
          - Creates scheduled task(s)
        - C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe (depth 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\wlanext.exe (depth 2)
      Command line: "C:\Windows\SysWOW64\wlanext.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe (depth 3)
          Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Invoice pdf.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2CA9.tmp
  MD5: 25d997f10b981cee06e6a4c61f340459
  SHA1: 69a80086691ec17c5105b5c975171dab49ca4b40
  SHA256: 8bd26a03d59f2a918c40fc35faf713a2c6294149b1fdb0fa5f6ab06fc8287ee0
  SHA512: cee61f586dada604129d4caf950f301d9f5f39a27f3675165b109f488f8f35cd2121ba24f20e98fa5fe3de4e0332baeb48b1b5a3b188aa00f4c400df10156eec
- memory/796-115-0x000000007F920000-0x000000007F921000-memory.dmp (Filesize: 4KB)
- memory/796-114-0x0000000002C10000-0x0000000002C11000-memory.dmp (Filesize: 4KB)
- memory/1176-121-0x0000000001900000-0x0000000001C20000-memory.dmp (Filesize: 3.1MB)
- memory/1176-118-0x0000000000400000-0x000000000042E000-memory.dmp (Filesize: 184KB)
- memory/1176-119-0x000000000041EAC0-mapping.dmp
- memory/1176-122-0x00000000017C0000-0x00000000017D4000-memory.dmp (Filesize: 80KB)
- memory/1564-116-0x0000000000000000-mapping.dmp
- memory/2080-127-0x0000000003310000-0x0000000003630000-memory.dmp (Filesize: 3.1MB)
- memory/2080-124-0x0000000000000000-mapping.dmp
- memory/2080-125-0x0000000000A10000-0x0000000000A27000-memory.dmp (Filesize: 92KB)
- memory/2080-126-0x0000000000960000-0x000000000098E000-memory.dmp (Filesize: 184KB)
- memory/2080-129-0x0000000003180000-0x0000000003213000-memory.dmp (Filesize: 588KB)
- memory/3024-123-0x0000000004DA0000-0x0000000004F03000-memory.dmp (Filesize: 1.4MB)
- memory/3024-130-0x0000000005E30000-0x0000000005F3F000-memory.dmp (Filesize: 1.1MB)
- memory/3940-128-0x0000000000000000-mapping.dmp