Analysis
max time kernel: 149s
max time network: 129s
platform: windows7_x64
resource: win7v20210410
submitted: 21-04-2021 13:09

Static task: static1
Behavioral task: behavioral1
  Sample: SHIPPING INVOICE DOCUMENTS.exe
  Resource: win7v20210410
General
Target: SHIPPING INVOICE DOCUMENTS.exe
Size: 853KB
MD5: 04baf056bf4494fe6036d5be3a89c8f1
SHA1: a8bc3fa679c03f5889719f083c9f6e03d6b7eba1
SHA256: cf9638dcb0bcb52595ec1c4b79240f69536124fd85c9a07395dc563d19677a68
SHA512: 1f228fe6f66ede703f764bfab3f28fd27610cd2c6a33f9509fa0d87384a101b7ed4fd3c8fe4b365cabd0486454b3bdd82631b49115679216d8686f49c185c747
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.onlytwod.xyz/htl/
Decoy domains:
bankeveyone.com
dumbmask.info
otrazhenie.space
pindd2.com
176whalebeachroad.com
onebook.world
mymuslimlawyer.com
xkhfw.com
bensbbq5931.com
pirateequitypatrick.com
medwebconsult.com
dungeonrunarena.com
friendlyukes.club
17pk.world
srtravails.com
kai-arts.com
fyuvpn.com
floryi.com
festesni.com
assroyalty.club
shalomconstructioncompany.com
jpmorganchasebank-germany.com
peakhomeimprovements1.com
abundentlifemarket.com
zpgzh.com
spasbody.com
qaatsv.com
kcgertfarm.com
kenteauthentic.com
ellendegenerates.com
mccolganimports.com
amrdiabcafe.com
401ne19thstapt51.com
europeaircrew.online
quapropertygroup.com
indetheheeler.com
pacifichealth1.com
q8ah.net
top10p.com
ichineselife.com
telegraphnews24.com
twochickswithapickup.com
jieliangcaifu.com
treeiam.com
solidrockrv.com
emirateshotelug.com
capahomeistanbul.com
shekhawatipgcollege.com
dasili588.com
bestnewcars2022.com
myperxe.com
visityourself.store
reimaginedhomedecor.com
reynoldshome.site
pcsourcebd.com
bakeoclockcakes.com
goodsandvibes.com
linusandco.com
artaria.net
timothykamil.com
tucre.com
urara-sedori.com
formationplusmature.com
aperocart.com
Signatures

Formbook Payload (3 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/556-63-0x000000000041EB10-mapping.dmp                       formbook
  behavioral1/memory/556-62-0x0000000000400000-0x000000000042E000-memory.dmp     formbook
  behavioral1/memory/1388-72-0x0000000000080000-0x00000000000AE000-memory.dmp    formbook

Deletes itself (1 IoC)
  pid    process
  332    cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                           pid    process                          target process
  PID 2004 set thread context of 556    2004   SHIPPING INVOICE DOCUMENTS.exe   SHIPPING INVOICE DOCUMENTS.exe
  PID 556 set thread context of 1256    556    SHIPPING INVOICE DOCUMENTS.exe   Explorer.EXE
  PID 1388 set thread context of 1256   1388   NETSTAT.EXE                      Explorer.EXE

Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  pid    process
  1388   NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid    process                          count
  556    SHIPPING INVOICE DOCUMENTS.exe   2
  1388   NETSTAT.EXE                      22

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid    process                          count
  556    SHIPPING INVOICE DOCUMENTS.exe   3
  1388   NETSTAT.EXE                      2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid    process
  Token: SeDebugPrivilege   556    SHIPPING INVOICE DOCUMENTS.exe
  Token: SeDebugPrivilege   1388   NETSTAT.EXE

Suspicious use of FindShellTrayWindow (4 IoCs)
  pid    process        count
  1256   Explorer.EXE   4

Suspicious use of SendNotifyMessage (4 IoCs)
  pid    process        count
  1256   Explorer.EXE   4

Suspicious use of WriteProcessMemory (15 IoCs)
  description                        pid    process                          target process                   count
  PID 2004 wrote to memory of 556    2004   SHIPPING INVOICE DOCUMENTS.exe   SHIPPING INVOICE DOCUMENTS.exe   7
  PID 1256 wrote to memory of 1388   1256   Explorer.EXE                     NETSTAT.EXE                      4
  PID 1388 wrote to memory of 332    1388   NETSTAT.EXE                      cmd.exe                          4
Processes

C:\Windows\Explorer.EXE  (PID 1256)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe  (PID 2004)
    command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe  (PID 556)
      command line: "{path}"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\NETSTAT.EXE  (PID 1388)
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 332)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe"
      - Deletes itself
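Read together, the SetThreadContext and WriteProcessMemory tables and the process tree describe one chain: the dropper (PID 2004) hollows a second copy of itself (PID 556), that copy injects into Explorer.EXE (PID 1256), the injected code in Explorer launches a SysWOW64 utility (NETSTAT.EXE, PID 1388) which injects back into Explorer and finally spawns cmd.exe (PID 332) to delete the original file. Two caveats for anyone triaging this: the "Gathers network information" hit is keyed on the NETSTAT.EXE image name, and the SetThreadContext from 1388 into Explorer plus the formbook YARA match on 1388's memory show that process is running injected Formbook code rather than doing legitimate netstat work; and the two 184KB regions that matched the formbook rule (556 at 0x400000-0x42E000 and 1388 at 0x80000-0xAE000) are the same size, which is what a relocated copy of the unpacked payload looks like. The script below is an added example, not part of the sandbox report or of any Triage tooling: it re-parses the signature rows above (embedded here as constructed input, in the report's own wording with duplicate rows collapsed) into an injection graph and labels each stage of that chain, so the same logic can be pointed at other reports' rows. The stage names and the small helper functions are this example's own invention.

```python
"""Reconstruct a Formbook-style injection chain from sandbox signature rows.

Added example, not code from the sandbox report. The event lines are
constructed from the report's SetThreadContext / WriteProcessMemory tables.
"""
import re
from collections import defaultdict

# Constructed from the report's process tree: pid -> image name.
PROCESSES = {
    1256: "Explorer.EXE",
    2004: "SHIPPING INVOICE DOCUMENTS.exe",
    556: "SHIPPING INVOICE DOCUMENTS.exe",
    1388: "NETSTAT.EXE",
    332: "cmd.exe",
}

# Signature rows in the report's own wording, one per distinct IoC.
EVENTS = [
    "PID 2004 set thread context of 556 2004 SHIPPING INVOICE DOCUMENTS.exe SHIPPING INVOICE DOCUMENTS.exe",
    "PID 556 set thread context of 1256 556 SHIPPING INVOICE DOCUMENTS.exe Explorer.EXE",
    "PID 1388 set thread context of 1256 1388 NETSTAT.EXE Explorer.EXE",
    "PID 2004 wrote to memory of 556 2004 SHIPPING INVOICE DOCUMENTS.exe SHIPPING INVOICE DOCUMENTS.exe",
    "PID 1256 wrote to memory of 1388 1256 Explorer.EXE NETSTAT.EXE",
    "PID 1388 wrote to memory of 332 1388 NETSTAT.EXE cmd.exe",
]

# Path of the dropped sample and the cmd.exe command line from the process tree.
SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe"
CMDLINES = {332: r'C:\Windows\SysWOW64\cmd.exe /c del "' + SAMPLE_PATH + '"'}

_EVENT = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+)")


def parse_events(lines):
    """Map (src_pid, dst_pid) -> {'ctx', 'write'} from sandbox signature rows."""
    graph = defaultdict(set)
    for line in lines:
        m = _EVENT.search(line)
        if m:
            src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
            graph[(src, dst)].add("ctx" if verb.startswith("set") else "write")
    return dict(graph)


def classify_chain(graph, procs, cmdlines, sample_path):
    """Return (stage, src_pid, dst_pid) tuples for each chain stage found."""
    stages = []

    def img(pid):
        return procs.get(pid, "?").lower()

    # Stage 1: WriteProcessMemory plus SetThreadContext on a child that has
    # the same image name is process hollowing of the sample's own copy.
    for (src, dst), acts in graph.items():
        if acts >= {"ctx", "write"} and img(src) == img(dst):
            stages.append(("self_hollowing", src, dst))
    # Stage 2: any SetThreadContext whose target is the shell.
    for (src, dst), acts in graph.items():
        if "ctx" in acts and img(dst) == "explorer.exe":
            stages.append(("explorer_injection", src, dst))
    # Stage 3: Explorer writes into a new child, and that child then sets
    # thread context on Explorer: the payload has migrated into a system tool.
    for (src, dst), acts in graph.items():
        if ("write" in acts and img(src) == "explorer.exe"
                and "ctx" in graph.get((dst, src), set())):
            stages.append(("explorer_spawned_injector", src, dst))
    # Stage 4: a cmd.exe /c del of the original dropper closes the chain.
    for pid, cmd in cmdlines.items():
        low = cmd.lower()
        if "/c del" in low and sample_path.lower() in low:
            parents = [s for (s, d) in graph if d == pid]
            stages.append(("self_delete", parents[0] if parents else None, pid))
    return stages


if __name__ == "__main__":
    for stage in classify_chain(parse_events(EVENTS), PROCESSES, CMDLINES, SAMPLE_PATH):
        print(stage)
```

Running it prints the five stages in chain order: self-hollowing 2004 into 556, injection into Explorer from both 556 and 1388, Explorer spawning the NETSTAT.EXE injector, and NETSTAT.EXE driving the cmd.exe self-delete. Stage 3 is the one worth keeping in a detection rule: a parent whose own image is explorer.exe writing into a SysWOW64 utility that immediately sets thread context back on its parent is not something legitimate shell activity produces.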
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)

  file                                                              size
  memory/332-70-0x0000000000000000-mapping.dmp
  memory/556-62-0x0000000000400000-0x000000000042E000-memory.dmp    184KB
  memory/556-63-0x000000000041EB10-mapping.dmp
  memory/556-66-0x0000000000860000-0x0000000000B63000-memory.dmp    3.0MB
  memory/556-67-0x0000000000210000-0x0000000000224000-memory.dmp    80KB
  memory/1256-68-0x0000000005080000-0x0000000005139000-memory.dmp   740KB
  memory/1256-75-0x0000000007030000-0x000000000718A000-memory.dmp   1.4MB
  memory/1388-69-0x0000000000000000-mapping.dmp
  memory/1388-71-0x0000000000590000-0x0000000000599000-memory.dmp   36KB
  memory/1388-72-0x0000000000080000-0x00000000000AE000-memory.dmp   184KB
  memory/1388-73-0x0000000002310000-0x0000000002613000-memory.dmp   3.0MB
  memory/1388-74-0x00000000005F0000-0x0000000000683000-memory.dmp   588KB
  memory/2004-64-0x0000000000321000-0x0000000000322000-memory.dmp   4KB
  memory/2004-61-0x0000000000320000-0x0000000000321000-memory.dmp   4KB
  memory/2004-60-0x00000000765F1000-0x00000000765F3000-memory.dmp   8KB