Analysis

Max time kernel: 153s
Max time network: 155s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 21-05-2022 11:03

Static task: static1
Behavioral task: behavioral1
Sample: Invo458_Signed_.exe
Resource: win7-20220414-en
General

Target: Invo458_Signed_.exe
Size: 1.1MB
MD5: 386a65d6fb3e5a13d690c20474e6c342
SHA1: 3084a0d410b1b1ee0bc5a5308a8f65124b574e56
SHA256: 4a5f33710715ce37a266d1848db4599be8ede6fe3f1070aa49b3bcca352f3f46
SHA512: e571e72487787b174c862a26ce03a3736b9f56361e091684f991821924eee2a3941664164f2714ba078cc78e178d69491610d076147f940415ca6027b8f6cea9
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: n8x
C2 domains:
xn--bwwn53bbqc.net
theschooloftheinvisual.net
highseqanalysis.info
fengkuanghanyu.com
myexecutivejourney.com
rfwtje.info
amilcarspencerdemelo.com
cryptodreaming.info
astoundingvogueboutique.com
ytjulin.com
croxventure.com
panstarv.com
fatimahinayet.com
mattyboysparrow.com
dtfftfut.com
y0uhdporno.com
91av5.com
coralchau.com
f98fhr567a.info
aengion.com
motitepi.com
istpars.com
nowatakravmaga.com
tyson-vodka.com
property-hero.com
box-roi.com
weiweigl.com
xn--7or10a28bm2i532bhf2bsxh.com
itscatlove.com
stripealotco.com
direct-contact-media.com
natsigtech.net
ancbotanicals.com
fitfeature.net
andersonrealtycollc.com
yuho.ltd
tuteurs.net
ethicallyglam.com
zhailajiang.com
future-flight.com
lpfjks.com
shelleyfarm.com
allnva.com
7tkse.com
nungcat.net
solarpowerforhomeowners.com
streamwirelessco.com
julian-scheel-coaching.com
safeico.net
ukrainian-translators.com
idwebappsw21.com
skyviewterraceaw.com
penelope.film
ianimoji.com
storage-files-archive.win
gonefromthenest.com
tennesseebasket.com
np939.com
fittsecure.com
icmdhealth.com
horoscope-chinois.info
texasgatekeepers.com
luxsbags.com
entretrainers.com
artiyonq.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Formbook Payload 2 IoCs
Processes:
Resource | YARA rule
behavioral2/memory/3256-130-0x0000000005250000-0x0000000005390000-memory.dmp | formbook
behavioral2/memory/3264-136-0x0000000000A70000-0x0000000000A9D000-memory.dmp | formbook

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Description | IoC | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Xwxl = "C:\\Users\\Admin\\AppData\\Local\\Xwxl.url" | Invo458_Signed_.exe

Suspicious use of SetThreadContext 2 IoCs
Processes:
Description | PID | Process | Target process
PID 3256 set thread context of 3060 | 3256 | Invo458_Signed_.exe | Explorer.EXE
PID 3264 set thread context of 3060 | 3264 | wlanext.exe | Explorer.EXE

Modifies Internet Explorer settings
Processes:
Description | IoC | Process
Key created | \Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | wlanext.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
Description | Flow | IoC
HTTP User-Agent header | 29 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
PID | Process | Occurrences
3256 | Invo458_Signed_.exe | 4
3264 | wlanext.exe | 38

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
PID | Process
3060 | Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
PID | Process | Occurrences
3256 | Invo458_Signed_.exe | 3
3264 | wlanext.exe | 4

Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
Description | PID | Process | Occurrences
Token: SeDebugPrivilege | 3256 | Invo458_Signed_.exe | 1
Token: SeDebugPrivilege | 3264 | wlanext.exe | 1
Token: SeShutdownPrivilege | 3060 | Explorer.EXE | 4
Token: SeCreatePagefilePrivilege | 3060 | Explorer.EXE | 4

Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Description | PID | Process | Target process | Occurrences
PID 3060 wrote to memory of 3264 | 3060 | Explorer.EXE | wlanext.exe | 3
PID 3264 wrote to memory of 2580 | 3264 | wlanext.exe | cmd.exe | 3
PID 3264 wrote to memory of 232 | 3264 | wlanext.exe | Firefox.exe | 3
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Invo458_Signed_.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invo458_Signed_.exe"
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\wlanext.exe
    Command line: "C:\Windows\SysWOW64\wlanext.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

    C:\Program Files\Mozilla Firefox\Firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Downloads

C:\Users\Admin\AppData\Local\Temp\DB1
Filesize: 40KB
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

C:\Users\Admin\AppData\Roaming\83M6P6QB\83Mlogim.jpeg
Filesize: 75KB
MD5: 59ee31f967e36a274c4960966bc7c60e
SHA1: a00748bb21ce0e3d397157386a397d1766da6807
SHA256: 100a0c9842695548eafeedce2ce9537d3d558962fc5f66bbca6ad5349a6cda49
SHA512: 0caf99dd273905154e8291e96d63f0eec1114a2b954bf0cc15ccdb73835221335b804c806ad658372f4b4f8c1a3a745305acbb58f22e507858854ea417fb919c

C:\Users\Admin\AppData\Roaming\83M6P6QB\83Mlogrf.ini
Filesize: 40B
MD5: 2f245469795b865bdd1b956c23d7893d
SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

C:\Users\Admin\AppData\Roaming\83M6P6QB\83Mlogrg.ini
Filesize: 38B
MD5: 4aadf49fed30e4c9b3fe4a3dd6445ebe
SHA1: 1e332822167c6f351b99615eada2c30a538ff037
SHA256: 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512: eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

C:\Users\Admin\AppData\Roaming\83M6P6QB\83Mlogri.ini
Filesize: 40B
MD5: d63a82e5d81e02e399090af26db0b9cb
SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\83M6P6QB\83Mlogrv.ini
Filesize: 872B
MD5: bbc41c78bae6c71e63cb544a6a284d94
SHA1: 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256: ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512: 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

memory/2580-138-0x0000000000000000-mapping.dmp

memory/3060-141-0x0000000008070000-0x0000000008153000-memory.dmp
Filesize: 908KB

memory/3060-133-0x0000000002E50000-0x0000000002F3E000-memory.dmp
Filesize: 952KB

memory/3256-130-0x0000000005250000-0x0000000005390000-memory.dmp
Filesize: 1.2MB

memory/3256-132-0x00000000054F0000-0x0000000005504000-memory.dmp
Filesize: 80KB

memory/3256-131-0x00000000056F0000-0x0000000005A3A000-memory.dmp
Filesize: 3.3MB

memory/3264-137-0x0000000001330000-0x000000000167A000-memory.dmp
Filesize: 3.3MB

memory/3264-136-0x0000000000A70000-0x0000000000A9D000-memory.dmp
Filesize: 180KB

memory/3264-140-0x0000000001720000-0x00000000017B3000-memory.dmp
Filesize: 588KB

memory/3264-135-0x0000000000A50000-0x0000000000A67000-memory.dmp
Filesize: 92KB

memory/3264-134-0x0000000000000000-mapping.dmp