Analysis
max time kernel: 149s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2022 06:01
Static task: static1
Behavioral task: behavioral1
Sample: INVOICEKOMB20220001-03-10-22.pdf.exe
Resource: win7-20220812-en

General
Target: INVOICEKOMB20220001-03-10-22.pdf.exe
Size: 1.2MB
MD5: cbe324036a077d5b84d4c22788ff0027
SHA1: 5526abc6eb697c083d3071bd5b6cf8fb67f617af
SHA256: 67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901
SHA512: dd81a4fb9c160d96c9443e0e310c203f79573a71c54d404a0ada191d2d6224f440c899482df8d06a1ea871a98ae3e9c3e40d606b127be33478ed1d8afb955896
SSDEEP: 24576:0AOcZ2i7W4sb3Vm6XYbh1GIoQHXehUcztVqEubl83o9Zkbg5:iv5EKhQOKWfqEUU2ZkM
Malware Config
Extracted
formbook
4.1
mh76
Signatures

Formbook payload (5 IoCs)
resource                                                                    yara_rule
behavioral1/memory/980-70-0x000000000041F1A0-mapping.dmp                    formbook
behavioral1/memory/980-69-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/980-72-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/560-78-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook
behavioral1/memory/560-83-0x0000000000090000-0x00000000000BF000-memory.dmp  formbook

Executes dropped EXE (1 IoC)
pid   process
1788  kvkpltj.exe

Loads dropped DLL (1 IoC)
pid   process
1564  WScript.exe

Suspicious use of SetThreadContext (3 IoCs)
description                         pid   process      target process
PID 1788 set thread context of 980  1788  kvkpltj.exe  RegSvcs.exe
PID 980 set thread context of 1284  980   RegSvcs.exe  Explorer.EXE
PID 560 set thread context of 1284  560   wuapp.exe    Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (25 IoCs)
pid   process      occurrences
980   RegSvcs.exe  2
560   wuapp.exe    23

Suspicious behavior: MapViewOfSection (5 IoCs)
pid   process      occurrences
980   RegSvcs.exe  3
560   wuapp.exe    2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   process
Token: SeDebugPrivilege   980   RegSvcs.exe
Token: SeDebugPrivilege   560   wuapp.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid   process       occurrences
1284  Explorer.EXE  2

Suspicious use of SendNotifyMessage (2 IoCs)
pid   process       occurrences
1284  Explorer.EXE  2

Suspicious use of WriteProcessMemory (39 IoCs)
description                        pid   process                               target process  occurrences
PID 1948 wrote to memory of 1564   1948  INVOICEKOMB20220001-03-10-22.pdf.exe  WScript.exe     4
PID 1564 wrote to memory of 1788   1564  WScript.exe                           kvkpltj.exe     7
PID 1788 wrote to memory of 956    1788  kvkpltj.exe                           RegSvcs.exe     7
PID 1788 wrote to memory of 980    1788  kvkpltj.exe                           RegSvcs.exe     10
PID 1284 wrote to memory of 560    1284  Explorer.EXE                          wuapp.exe       7
PID 560 wrote to memory of 1832    560   wuapp.exe                             cmd.exe         4
Processes

C:\Windows\Explorer.EXE  (PID 1284)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe  (PID 1948)
    command line: "C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WScript.exe  (PID 1564)
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe  (PID 1788)
        command line: "C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe" rncmatmqvf.src
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 956)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 980)
          command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\wuapp.exe  (PID 560)
    command line: "C:\Windows\SysWOW64\wuapp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe  (PID 1832)
      command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
Filesize: 999KB
MD5: 1dbba7abb9198c4247cbfb258fe5233d
SHA1: cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be
SHA256: 6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88
SHA512: 503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98
C:\Users\Admin\AppData\Roaming\4_41\muqal.hko
Filesize: 371KB
MD5: 01089645fc52b19921f23b83030e8d3d
SHA1: a5218ba5f4f551b100bb8344eba21a05f2e59ca1
SHA256: ab19240660f7105fd6b10c78a0e680bd62c7a7e27044fe768222050c3a46239d
SHA512: 8639a003f916c68a841d23fff3d26a0fecd43fb74b61a816e0aef236a9c9348d6a9625a4e0c19db8f9f8b3d342ac981535479152194a11c13144c5260851eee1

C:\Users\Admin\AppData\Roaming\4_41\rncmatmqvf.src
Filesize: 199.4MB
MD5: b08d93f474f93437234952ee10d683a1
SHA1: 495c4b4e35397d05fcc5794a4212d88813122f47
SHA256: b2f3178a3244c0a3212a36af3bfb4064e0b83271a1f5c95ac9213a2ae527ef74
SHA512: 75740ee71896b50d33388b5a0da0aa3b374266f60c3542f71d6ca7d9fcf6ab8610d555a7c07ce7e5f6419575d2310b6a02d8aa9b1db3a4799242a4a94c19c6a2

C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe
Filesize: 29KB
MD5: 227aa95434fd067fb526d1d5fe99bd13
SHA1: 64b5f54a1166e976b855df86eec3326b57f0bbfd
SHA256: 4d6709916c6c310172df66122d6c3373cded99c46b6beae078bf0b7f36072d40
SHA512: 20b1db0192958fdd8d451faf23159771fe5db4abfdb6fbdad1c3a9fd1277879c4ffec3c84037fe2b987c8c0b89a2b57b2914aaa99097f896a129b7938ed9228f

C:\Users\Admin\AppData\Roaming\4_41\vdawpc.xml
Filesize: 48KB
MD5: 6578e73332fcb06109246e684f411292
SHA1: eeb7a9df0ee6bbc82b20886574fc5af0f4130ef0
SHA256: c8ceba6692fec5da092951ebb7aad343178a8213cd9f730ba12ffb5f0f9aeb33
SHA512: 33418dd335730759fd1b6b861453eb7a9673ab7abafa2908d8c441f9ed6ac7a2f92a85aeb42f6146aee672fea53598899f625c8f87e3407b42d13f5a147bc6e8

\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
Filesize: 999KB
MD5: 1dbba7abb9198c4247cbfb258fe5233d
SHA1: cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be
SHA256: 6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88
SHA512: 503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98
Memory dumps
memory/560-76-0x0000000000000000-mapping.dmp
memory/560-77-0x00000000011F0000-0x00000000011FB000-memory.dmp   Filesize: 44KB
memory/560-83-0x0000000000090000-0x00000000000BF000-memory.dmp   Filesize: 188KB
memory/560-81-0x0000000000990000-0x0000000000A24000-memory.dmp   Filesize: 592KB
memory/560-80-0x0000000000BE0000-0x0000000000EE3000-memory.dmp   Filesize: 3.0MB
memory/560-78-0x0000000000090000-0x00000000000BF000-memory.dmp   Filesize: 188KB
memory/980-67-0x0000000000400000-0x000000000042F000-memory.dmp   Filesize: 188KB
memory/980-69-0x0000000000400000-0x000000000042F000-memory.dmp   Filesize: 188KB
memory/980-73-0x0000000000910000-0x0000000000C13000-memory.dmp   Filesize: 3.0MB
memory/980-74-0x0000000000190000-0x00000000001A5000-memory.dmp   Filesize: 84KB
memory/980-72-0x0000000000400000-0x000000000042F000-memory.dmp   Filesize: 188KB
memory/980-70-0x000000000041F1A0-mapping.dmp
memory/980-66-0x0000000000400000-0x000000000042F000-memory.dmp   Filesize: 188KB
memory/1284-75-0x00000000041C0000-0x0000000004289000-memory.dmp  Filesize: 804KB
memory/1284-82-0x0000000006B70000-0x0000000006CBB000-memory.dmp  Filesize: 1.3MB
memory/1284-84-0x0000000006B70000-0x0000000006CBB000-memory.dmp  Filesize: 1.3MB
memory/1564-55-0x0000000000000000-mapping.dmp
memory/1788-60-0x0000000000000000-mapping.dmp
memory/1832-79-0x0000000000000000-mapping.dmp
memory/1948-54-0x0000000076031000-0x0000000076033000-memory.dmp  Filesize: 8KB