Resubmissions

18/10/2022, 08:40

221018-kk8wpsfdcr 10

18/10/2022, 08:36

221018-khmkpafdbq 10

Analysis

  • max time kernel
    1200s
  • max time network
    1200s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/10/2022, 08:40

General

  • Target

    Invoice.exe

  • Size

    1.1MB

  • MD5

    fb009fdbd8542d823c4cc9fb02ecc6dc

  • SHA1

    76837f628081a7e7f620de9d44c92ead052efe46

  • SHA256

    527d523ec8da849e44e381f4cd8feaa74af309972ef59d505193cf56f8223fb1

  • SHA512

    637e8a164ca98b0d5187030ce6eebdd2297efbe8ac4dcf2aaa27f003fae23778c8f3547b4bea4504ec7660de00cbe818f96bcddc56dd7c281af1b9bf97707e4c

  • SSDEEP

    24576:QxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxNussxvfCBBVa:5vfovu8yBthQoJFdj

Malware Config

Extracted

Family

formbook

Campaign

xoqd

Decoy

H5Xrxamh0f+N/tax

kD7yxmoTHSewkFqlnqV14wuw

RLsWzULVoCMc+A==

SOzPYHAMr8HKhU4b3XZSPb+gnUc=

Li195vujSFxYOpMGx2n2

kH4rLttwbW703GwH2z4=

uWRYsosnwsGcigoCt4ePgDDQZzr3d9ST

OrIL0WgG9VNBHvP2lkE1vnt0oE0=

NG2ALNd/l8Mw4WwH2z4=

VgnfELdrcdvMsD0uz3t3gBWUyas7gw==

DxNwymeJ/lPRqndL+WzAVUy4

mYxRaXV1X6WuqB4Op2d5MgrgIg==

8Um50qpVPodey2OVew==

irKA6NyNP0oxy2OVew==

KVo8zsszovt9JkmEbxfAVUy4

ZrSnCLtRSTV9Ujx9LigBEFq+

ty/Fn16LA2isSw5fYg==

MLFtv3Tmp+zu0Rr3nEhJLnt0oE0=

qTDnPBatWH9CF5jPvmhnVr+gnUc=

SXhRqlXv6M8V8d0hJ/93b/g=

Signatures

  • Formbook

    Formbook is a data-stealing malware family (information stealer).

  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Program Files directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4940
      • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2392
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:816
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
        PID:4012
    • C:\Program Files (x86)\Jynj4ane0\gjohsxap02tq4y8.exe
      "C:\Program Files (x86)\Jynj4ane0\gjohsxap02tq4y8.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Program Files (x86)\Jynj4ane0\gjohsxap02tq4y8.exe
        "C:\Program Files (x86)\Jynj4ane0\gjohsxap02tq4y8.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1692

Network

MITRE ATT&CK Enterprise v6

Downloads

    • C:\Program Files (x86)\Jynj4ane0\gjohsxap02tq4y8.exe

      Filesize

      1.1MB

      MD5

      f308eb7c798f843c7a3d37d28f9af637

      SHA1

      38506955b3972ba3b76c85e8a06e060fdb8fd035

      SHA256

      7f570c49739babdc7e61bf275cc98414d278144b0af6a275f39004f6bd18f149

      SHA512

      7d75ec67fae66b6ea086b813a17ac8a7236967108150a3139a146262652615b3656984e2a1c832b97b39ad4d28e4c389342c396ad0cc1cf8416a90209b62e1f7

    • memory/816-150-0x0000000000EA0000-0x0000000000ECB000-memory.dmp

      Filesize

      172KB

    • memory/816-149-0x0000000003090000-0x000000000311F000-memory.dmp

      Filesize

      572KB

    • memory/816-148-0x0000000002D40000-0x000000000308A000-memory.dmp

      Filesize

      3.3MB

    • memory/816-147-0x0000000000EA0000-0x0000000000ECB000-memory.dmp

      Filesize

      172KB

    • memory/816-146-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

      Filesize

      72KB

    • memory/1692-160-0x0000000001810000-0x0000000001B5A000-memory.dmp

      Filesize

      3.3MB

    • memory/2392-139-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

    • memory/2392-143-0x0000000001760000-0x0000000001770000-memory.dmp

      Filesize

      64KB

    • memory/2392-142-0x0000000001850000-0x0000000001B9A000-memory.dmp

      Filesize

      3.3MB

    • memory/2392-141-0x0000000000400000-0x000000000042B000-memory.dmp

      Filesize

      172KB

    • memory/3048-151-0x0000000007EF0000-0x0000000008007000-memory.dmp

      Filesize

      1.1MB

    • memory/3048-144-0x00000000031D0000-0x0000000003328000-memory.dmp

      Filesize

      1.3MB

    • memory/3048-152-0x0000000007EF0000-0x0000000008007000-memory.dmp

      Filesize

      1.1MB

    • memory/3932-156-0x0000000000A40000-0x0000000000B58000-memory.dmp

      Filesize

      1.1MB

    • memory/4940-132-0x0000000000840000-0x0000000000958000-memory.dmp

      Filesize

      1.1MB

    • memory/4940-137-0x000000000BEB0000-0x000000000BF16000-memory.dmp

      Filesize

      408KB

    • memory/4940-136-0x000000000BE10000-0x000000000BEAC000-memory.dmp

      Filesize

      624KB

    • memory/4940-135-0x00000000052F0000-0x00000000052FA000-memory.dmp

      Filesize

      40KB

    • memory/4940-134-0x0000000005310000-0x00000000053A2000-memory.dmp

      Filesize

      584KB

    • memory/4940-133-0x00000000058C0000-0x0000000005E64000-memory.dmp

      Filesize

      5.6MB