Analysis
- max time kernel: 190s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 06:01
Static task: static1
Behavioral task: behavioral1
- Sample: INVOICEKOMB20220001-03-10-22.pdf.exe
- Resource: win7-20220812-en
General
- Target: INVOICEKOMB20220001-03-10-22.pdf.exe
- Size: 1.2MB
- MD5: cbe324036a077d5b84d4c22788ff0027
- SHA1: 5526abc6eb697c083d3071bd5b6cf8fb67f617af
- SHA256: 67e6fd61e128d5649045a4fc55fc6c287722b5c92e65eef35ce0838d6210d901
- SHA512: dd81a4fb9c160d96c9443e0e310c203f79573a71c54d404a0ada191d2d6224f440c899482df8d06a1ea871a98ae3e9c3e40d606b127be33478ed1d8afb955896
- SSDEEP: 24576:0AOcZ2i7W4sb3Vm6XYbh1GIoQHXehUcztVqEubl83o9Zkbg5:iv5EKhQOKWfqEUU2ZkM
Malware Config
- Extracted: formbook 4.1 mh76
Signatures
-
Formbook payload 5 IoCs
Processes (resource: yara_rule):
- behavioral2/memory/3696-140-0x0000000000000000-mapping.dmp: formbook
- behavioral2/memory/3696-141-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3696-143-0x0000000000400000-0x000000000042F000-memory.dmp: formbook
- behavioral2/memory/3468-149-0x0000000000930000-0x000000000095F000-memory.dmp: formbook
- behavioral2/memory/3468-153-0x0000000000930000-0x000000000095F000-memory.dmp: formbook
Executes dropped EXE 1 IoCs
Processes (pid, process):
- PID 5096 kvkpltj.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (INVOICEKOMB20220001-03-10-22.pdf.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (WScript.exe)
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
- PID 5096 set thread context of 3696: kvkpltj.exe -> RegSvcs.exe
- PID 3696 set thread context of 3060: RegSvcs.exe -> Explorer.EXE
- PID 3468 set thread context of 3060: help.exe -> Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 2 IoCs
Processes (description, ioc, process):
- Key created: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings (INVOICEKOMB20220001-03-10-22.pdf.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (WScript.exe)
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes (pid, process; repeated entries collapsed):
- PID 3696 RegSvcs.exe (4 entries)
- PID 3468 help.exe (30 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
- PID 3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process; repeated entries collapsed):
- PID 3696 RegSvcs.exe (3 entries)
- PID 3468 help.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, PID 3696 RegSvcs.exe
- Token: SeShutdownPrivilege, PID 3060 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 3060 Explorer.EXE
- Token: SeShutdownPrivilege, PID 3060 Explorer.EXE
- Token: SeCreatePagefilePrivilege, PID 3060 Explorer.EXE
- Token: SeDebugPrivilege, PID 3468 help.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes (description, pid, process, target process; repeated entries collapsed):
- PID 1332 wrote to memory of 3100: INVOICEKOMB20220001-03-10-22.pdf.exe -> WScript.exe (3 entries)
- PID 3100 wrote to memory of 5096: WScript.exe -> kvkpltj.exe (3 entries)
- PID 5096 wrote to memory of 1348: kvkpltj.exe -> RegSvcs.exe (3 entries)
- PID 5096 wrote to memory of 3696: kvkpltj.exe -> RegSvcs.exe (6 entries)
- PID 3060 wrote to memory of 3468: Explorer.EXE -> help.exe (3 entries)
- PID 3468 wrote to memory of 3652: help.exe -> cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3060
  C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICEKOMB20220001-03-10-22.pdf.exe"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1332
    C:\Windows\SysWOW64\WScript.exe (level 3)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious use of WriteProcessMemory
      PID: 3100
      C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe (level 4)
        Command line: "C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe" rncmatmqvf.src
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 5096
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 5)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          PID: 1348
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (level 5)
          Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          PID: 3696
  C:\Windows\SysWOW64\help.exe (level 2)
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3468
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 3652
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\4_41\kvkpltj.exe
  Filesize: 999KB
  MD5: 1dbba7abb9198c4247cbfb258fe5233d
  SHA1: cd5a35e75ec61b6d7c3bbeb7b882d0d2d79b05be
  SHA256: 6a18e69d28b177619e672f93fd97bdbfd13160faecd63f942728dc18254afb88
  SHA512: 503cb461c0f60c62bada9b1aefa787ed97480192d8f91455e08ac8781919c1b61751a091ce647d9c92995e925429f0ae616f4d7c2187717397f7a1e6fd811e98
- C:\Users\Admin\AppData\Roaming\4_41\muqal.hko
  Filesize: 371KB
  MD5: 01089645fc52b19921f23b83030e8d3d
  SHA1: a5218ba5f4f551b100bb8344eba21a05f2e59ca1
  SHA256: ab19240660f7105fd6b10c78a0e680bd62c7a7e27044fe768222050c3a46239d
  SHA512: 8639a003f916c68a841d23fff3d26a0fecd43fb74b61a816e0aef236a9c9348d6a9625a4e0c19db8f9f8b3d342ac981535479152194a11c13144c5260851eee1
- C:\Users\Admin\AppData\Roaming\4_41\rncmatmqvf.src
  Filesize: 199.4MB
  MD5: b08d93f474f93437234952ee10d683a1
  SHA1: 495c4b4e35397d05fcc5794a4212d88813122f47
  SHA256: b2f3178a3244c0a3212a36af3bfb4064e0b83271a1f5c95ac9213a2ae527ef74
  SHA512: 75740ee71896b50d33388b5a0da0aa3b374266f60c3542f71d6ca7d9fcf6ab8610d555a7c07ce7e5f6419575d2310b6a02d8aa9b1db3a4799242a4a94c19c6a2
- C:\Users\Admin\AppData\Roaming\4_41\vcfvn.vbe
  Filesize: 29KB
  MD5: 227aa95434fd067fb526d1d5fe99bd13
  SHA1: 64b5f54a1166e976b855df86eec3326b57f0bbfd
  SHA256: 4d6709916c6c310172df66122d6c3373cded99c46b6beae078bf0b7f36072d40
  SHA512: 20b1db0192958fdd8d451faf23159771fe5db4abfdb6fbdad1c3a9fd1277879c4ffec3c84037fe2b987c8c0b89a2b57b2914aaa99097f896a129b7938ed9228f
- C:\Users\Admin\AppData\Roaming\4_41\vdawpc.xml
  Filesize: 48KB
  MD5: 6578e73332fcb06109246e684f411292
  SHA1: eeb7a9df0ee6bbc82b20886574fc5af0f4130ef0
  SHA256: c8ceba6692fec5da092951ebb7aad343178a8213cd9f730ba12ffb5f0f9aeb33
  SHA512: 33418dd335730759fd1b6b861453eb7a9673ab7abafa2908d8c441f9ed6ac7a2f92a85aeb42f6146aee672fea53598899f625c8f87e3407b42d13f5a147bc6e8
- memory/3060-146-0x0000000002BE0000-0x0000000002D3D000-memory.dmp (Filesize: 1.4MB)
- memory/3060-155-0x00000000082D0000-0x0000000008404000-memory.dmp (Filesize: 1.2MB)
- memory/3060-154-0x00000000082D0000-0x0000000008404000-memory.dmp (Filesize: 1.2MB)
- memory/3100-132-0x0000000000000000-mapping.dmp
- memory/3468-149-0x0000000000930000-0x000000000095F000-memory.dmp (Filesize: 188KB)
- memory/3468-147-0x0000000000000000-mapping.dmp
- memory/3468-148-0x00000000004E0000-0x00000000004E7000-memory.dmp (Filesize: 28KB)
- memory/3468-151-0x0000000001470000-0x00000000017BA000-memory.dmp (Filesize: 3.3MB)
- memory/3468-152-0x0000000001100000-0x0000000001194000-memory.dmp (Filesize: 592KB)
- memory/3468-153-0x0000000000930000-0x000000000095F000-memory.dmp (Filesize: 188KB)
- memory/3652-150-0x0000000000000000-mapping.dmp
- memory/3696-144-0x0000000001650000-0x000000000199A000-memory.dmp (Filesize: 3.3MB)
- memory/3696-145-0x00000000015F0000-0x0000000001605000-memory.dmp (Filesize: 84KB)
- memory/3696-143-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/3696-141-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/3696-140-0x0000000000000000-mapping.dmp
- memory/5096-135-0x0000000000000000-mapping.dmp