Analysis
-
max time kernel
150s -
max time network
163s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
23-07-2021 09:37
Static task
static1
Behavioral task
behavioral1
Sample
invoice.lzh.exe
Resource
win7v20210408
General
-
Target
invoice.lzh.exe
-
Size
530KB
-
MD5
d8135073743eead59a3ecde61bf051ca
-
SHA1
11a89d02e31a429b48295da8cd1c760a7ceae38d
-
SHA256
b506bb786b2b45d252f9886ad94e63cb60b60544dade0680b096f80c84cada7a
-
SHA512
15fe12c916712fab35377a7459da35624b5ed3d218c0bb7beab17a932a1883a333e0679122ce70130278d34dba9fc2d2033c8cec4024646bd73ab8702b28210b
Malware Config
Extracted
formbook
4.1
http://www.knighttechinca.com/dxe/
sardarfarm.com
959tremont.com
privat-livecam.net
ansel-homebakery.com
joysupermarket.com
peninsulamatchmakers.net
northsytyle.com
radioconexaoubermusic.com
relocatingrealtor.com
desyrnan.com
onlinehoortoestel.online
enpointe.online
rvvikings.com
paulpoirier.com
shitarpa.net
kerneis.net
rokitreach.com
essentiallygaia.com
prestiged.net
fuerzaagavera.com
soukid.com
moderndatingcoach.com
mentalfreedom.guru
bullishsoftware.com
sectorulb.com
outletyana.com
fptplaybox.website
artinmemory.com
buyruon.com
ljd.xyz
mondaysmatters.com
spiritsoundart.net
ixiangzu.com
lacompagniadelfardello.com
bnctly.com
sarasvati-yoga.com
0055game.com
lagrangewildliferemoval.com
umlausa.com
chaytel.com
kkkc5.com
union-green.com
philreid4cc.com
theanimehat.com
redlightlegal.com
myaustraliarewards.com
barkinlot.com
mujahidservice.online
nugeneraonline.com
sopplugin.com
makemyroom.design
ferienschweden.com
fps2020dkasphotoop.com
stylezbykay.com
royalpropertiesgurugram.com
birzulova.com
cosmicmtn.com
kissanime.press
poweringprogress.today
omsamedic.com
drunkpoetsociety.com
hostbison.com
asapdecor.com
houseofsisson.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
Processes:
resource yara_rule behavioral2/memory/8-129-0x0000000000400000-0x000000000042E000-memory.dmp formbook behavioral2/memory/8-130-0x000000000041EAF0-mapping.dmp formbook behavioral2/memory/1360-137-0x00000000026E0000-0x000000000270E000-memory.dmp formbook -
Suspicious use of SetThreadContext 3 IoCs
Processes:
invoice.lzh.exeinvoice.lzh.exeNETSTAT.EXEdescription pid process target process PID 2016 set thread context of 8 2016 invoice.lzh.exe invoice.lzh.exe PID 8 set thread context of 3036 8 invoice.lzh.exe Explorer.EXE PID 1360 set thread context of 3036 1360 NETSTAT.EXE Explorer.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
NETSTAT.EXEpid process 1360 NETSTAT.EXE -
Suspicious behavior: EnumeratesProcesses 49 IoCs
Processes:
invoice.lzh.exeinvoice.lzh.exeNETSTAT.EXEpid process 2016 invoice.lzh.exe 8 invoice.lzh.exe 8 invoice.lzh.exe 8 invoice.lzh.exe 8 invoice.lzh.exe 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE 1360 NETSTAT.EXE -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3036 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
invoice.lzh.exeNETSTAT.EXEpid process 8 invoice.lzh.exe 8 invoice.lzh.exe 8 invoice.lzh.exe 1360 NETSTAT.EXE 1360 NETSTAT.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
invoice.lzh.exeinvoice.lzh.exeNETSTAT.EXEdescription pid process Token: SeDebugPrivilege 2016 invoice.lzh.exe Token: SeDebugPrivilege 8 invoice.lzh.exe Token: SeDebugPrivilege 1360 NETSTAT.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3036 Explorer.EXE -
Suspicious use of WriteProcessMemory 15 IoCs
Processes:
invoice.lzh.exeExplorer.EXENETSTAT.EXEdescription pid process target process PID 2016 wrote to memory of 3576 2016 invoice.lzh.exe schtasks.exe PID 2016 wrote to memory of 3576 2016 invoice.lzh.exe schtasks.exe PID 2016 wrote to memory of 3576 2016 invoice.lzh.exe schtasks.exe PID 2016 wrote to memory of 8 2016 invoice.lzh.exe invoice.lzh.exe PID 2016 wrote to memory of 8 2016 invoice.lzh.exe invoice.lzh.exe PID 2016 wrote to memory of 8 2016 invoice.lzh.exe invoice.lzh.exe PID 2016 wrote to memory of 8 2016 invoice.lzh.exe invoice.lzh.exe PID 2016 wrote to memory of 8 2016 invoice.lzh.exe invoice.lzh.exe PID 2016 wrote to memory of 8 2016 invoice.lzh.exe invoice.lzh.exe PID 3036 wrote to memory of 1360 3036 Explorer.EXE NETSTAT.EXE PID 3036 wrote to memory of 1360 3036 Explorer.EXE NETSTAT.EXE PID 3036 wrote to memory of 1360 3036 Explorer.EXE NETSTAT.EXE PID 1360 wrote to memory of 3184 1360 NETSTAT.EXE cmd.exe PID 1360 wrote to memory of 3184 1360 NETSTAT.EXE cmd.exe PID 1360 wrote to memory of 3184 1360 NETSTAT.EXE cmd.exe
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\invoice.lzh.exe"C:\Users\Admin\AppData\Local\Temp\invoice.lzh.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HPjuSZknbJLLSG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE4A9.tmp"3⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\invoice.lzh.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\NETSTAT.EXE"C:\Windows\SysWOW64\NETSTAT.EXE"2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\invoice.lzh.exe"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmpE4A9.tmpMD5
303b5de4931c2a16c9a0aec17f9ccec9
SHA1b4c2744984a4ba746771f12bfaa1b14e3693a76a
SHA256911cb439a3595b40373bc91dfdd91014a7f964e497d6f8d8c138adb1f7e14239
SHA512d7e673664e1688040d697c3d5b7719aa4b70ffbc13efe2c92838f4ad4ec1728b689f72303c74ca2891b3119783414d652a2dabd15189e514676e0a91a795dffa
-
memory/8-131-0x0000000001290000-0x00000000015B0000-memory.dmpFilesize
3.1MB
-
memory/8-132-0x00000000015E0000-0x00000000015F4000-memory.dmpFilesize
80KB
-
memory/8-130-0x000000000041EAF0-mapping.dmp
-
memory/8-129-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/1360-139-0x00000000029E0000-0x0000000002A73000-memory.dmpFilesize
588KB
-
memory/1360-137-0x00000000026E0000-0x000000000270E000-memory.dmpFilesize
184KB
-
memory/1360-136-0x0000000000050000-0x000000000005B000-memory.dmpFilesize
44KB
-
memory/1360-134-0x0000000000000000-mapping.dmp
-
memory/1360-138-0x0000000002B50000-0x0000000002E70000-memory.dmpFilesize
3.1MB
-
memory/2016-120-0x0000000004BD0000-0x0000000004BD1000-memory.dmpFilesize
4KB
-
memory/2016-126-0x00000000051A0000-0x00000000051D9000-memory.dmpFilesize
228KB
-
memory/2016-125-0x0000000005230000-0x00000000052B9000-memory.dmpFilesize
548KB
-
memory/2016-124-0x0000000004C03000-0x0000000004C05000-memory.dmpFilesize
8KB
-
memory/2016-123-0x0000000004CC0000-0x0000000004CC1000-memory.dmpFilesize
4KB
-
memory/2016-122-0x0000000004C10000-0x0000000004C12000-memory.dmpFilesize
8KB
-
memory/2016-121-0x000000000E1A0000-0x000000000E1A1000-memory.dmpFilesize
4KB
-
memory/2016-119-0x0000000004C00000-0x0000000004C01000-memory.dmpFilesize
4KB
-
memory/2016-114-0x0000000000130000-0x0000000000131000-memory.dmpFilesize
4KB
-
memory/2016-118-0x0000000009ED0000-0x0000000009ED1000-memory.dmpFilesize
4KB
-
memory/2016-117-0x000000000A3D0000-0x000000000A3D1000-memory.dmpFilesize
4KB
-
memory/2016-116-0x0000000006E60000-0x0000000006EC6000-memory.dmpFilesize
408KB
-
memory/3036-133-0x00000000058A0000-0x0000000005964000-memory.dmpFilesize
784KB
-
memory/3036-140-0x0000000005A30000-0x0000000005BA2000-memory.dmpFilesize
1.4MB
-
memory/3184-135-0x0000000000000000-mapping.dmp
-
memory/3576-127-0x0000000000000000-mapping.dmp