Analysis
max time kernel: 149s
max time network: 134s
platform: windows10_x64
resource: win10v20210408
submitted: 21-04-2021 13:09
Static task: static1
Behavioral task: behavioral1
Sample: SHIPPING INVOICE DOCUMENTS.exe
Resource: win7v20210410
General
Target: SHIPPING INVOICE DOCUMENTS.exe
Size: 853KB
MD5: 04baf056bf4494fe6036d5be3a89c8f1
SHA1: a8bc3fa679c03f5889719f083c9f6e03d6b7eba1
SHA256: cf9638dcb0bcb52595ec1c4b79240f69536124fd85c9a07395dc563d19677a68
SHA512: 1f228fe6f66ede703f764bfab3f28fd27610cd2c6a33f9509fa0d87384a101b7ed4fd3c8fe4b365cabd0486454b3bdd82631b49115679216d8686f49c185c747
Malware Config
Extracted: formbook 4.1
URL: http://www.onlytwod.xyz/htl/
Signatures

Formbook Payload (3 IoCs)
Memory dumps matched by the formbook YARA rule:
  behavioral2/memory/3016-115-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral2/memory/3016-116-0x000000000041EB10-mapping.dmp
  behavioral2/memory/1560-124-0x0000000002D20000-0x0000000002D4E000-memory.dmp

Suspicious use of SetThreadContext (3 IoCs)
  PID 776 (SHIPPING INVOICE DOCUMENTS.exe) set thread context of PID 3016 (SHIPPING INVOICE DOCUMENTS.exe)
  PID 3016 (SHIPPING INVOICE DOCUMENTS.exe) set thread context of PID 3020 (Explorer.EXE)
  PID 1560 (msdt.exe) set thread context of PID 3020 (Explorer.EXE)

Suspicious behavior: EnumeratesProcesses (48 IoCs)
  PID 776  SHIPPING INVOICE DOCUMENTS.exe  (2 events)
  PID 3016 SHIPPING INVOICE DOCUMENTS.exe  (4 events)
  PID 1560 msdt.exe                        (42 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3020 Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  PID 3016 SHIPPING INVOICE DOCUMENTS.exe  (3 events)
  PID 1560 msdt.exe                        (2 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  PID 776  SHIPPING INVOICE DOCUMENTS.exe
  Token: SeDebugPrivilege  PID 3016 SHIPPING INVOICE DOCUMENTS.exe
  Token: SeDebugPrivilege  PID 1560 msdt.exe

Suspicious use of UnmapMainImage (1 IoC)
  PID 3020 Explorer.EXE

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 776 (SHIPPING INVOICE DOCUMENTS.exe) wrote to memory of PID 408 (SHIPPING INVOICE DOCUMENTS.exe)   (3 events)
  PID 776 (SHIPPING INVOICE DOCUMENTS.exe) wrote to memory of PID 3016 (SHIPPING INVOICE DOCUMENTS.exe)  (6 events)
  PID 3020 (Explorer.EXE) wrote to memory of PID 1560 (msdt.exe)                                         (3 events)
  PID 1560 (msdt.exe) wrote to memory of PID 2096 (cmd.exe)                                              (3 events)
Processes

1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of UnmapMainImage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe
         command line: "{path}"
         (no signatures)

      3. C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe
         command line: "{path}"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\msdt.exe
      command line: "C:\Windows\SysWOW64\msdt.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\SHIPPING INVOICE DOCUMENTS.exe"
Downloads
memory/776-114-0x0000000002AB0000-0x0000000002AB1000-memory.dmp   Filesize: 4KB
memory/1560-124-0x0000000002D20000-0x0000000002D4E000-memory.dmp  Filesize: 184KB
memory/1560-121-0x0000000000000000-mapping.dmp
memory/1560-123-0x0000000000B80000-0x0000000000CF3000-memory.dmp  Filesize: 1.4MB
memory/1560-125-0x0000000005000000-0x0000000005320000-memory.dmp  Filesize: 3.1MB
memory/1560-126-0x0000000004E60000-0x0000000004EF3000-memory.dmp  Filesize: 588KB
memory/2096-122-0x0000000000000000-mapping.dmp
memory/3016-116-0x000000000041EB10-mapping.dmp
memory/3016-118-0x0000000001B00000-0x0000000001E20000-memory.dmp  Filesize: 3.1MB
memory/3016-119-0x00000000016B0000-0x00000000016C4000-memory.dmp  Filesize: 80KB
memory/3016-115-0x0000000000400000-0x000000000042E000-memory.dmp  Filesize: 184KB
memory/3020-120-0x00000000024A0000-0x0000000002594000-memory.dmp  Filesize: 976KB
memory/3020-127-0x0000000005910000-0x00000000059BA000-memory.dmp  Filesize: 680KB