Analysis
max time kernel: 147s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-10-2022 17:27
Static task: static1
Behavioral task: behavioral1
Sample: INVOICE.exe
Resource: win7-20220812-en
General
Target: INVOICE.exe
Size: 900KB
MD5: 94fbca3f42d439bed773a04e82b29827
SHA1: e804a967276c25df1b48e8b5f35109a2559cc55d
SHA256: 3903f75f7f0106aa34486f7c546b98a1eba03b1a0d901ccd09fb90294de857a4
SHA512: 21d8802c3bca47ba6d8fcbc20a1bd6a6502d32a5dad4fc1fa6e4b79266734046efa9e4ed807b99129ecf3427b9a4b2ec644e29a2f18d249081074aa99a7a2fd1
SSDEEP: 12288:jXNIMvqVefEu5JunXd0qe06DgKWlkmaWpJOBqm3xraOVbp1G+B/NP:7NICSapUKVmaM/AbLn
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: p94a
Domains:
wishgrove.com
parqueveiculos.com
spiderwebs.online
chulkanadham.com
cdtuan.net
zxazm.com
payment6528832.xyz
fengtaiol.com
bffsmovie.com
aliceseagerfitness.com
garisluruskonsulindo.website
analytical-gutter.net
ahcq8.com
fenyoga.com
ecleptic.cat
conjurecrafts.com
aquaway.date
apenpokkenschoonmaakbedrijf.com
zgramr.top
boweknives.site
wf825.com
tonysdiary.com
alttxt.space
digz.us
mailim.xyz
chromebarbangkok.com
toyookahana.com
jornalaquadra.net
cloudpackages.online
xfew.top
atherenergy.uk
allentownfilmcrew.com
gym323.com
ballbyball.online
youyiw.com
mehdifarzi.com
dinobro.com
bonanzapratamaabadi.com
trailer.vegas
retro241.space
ecole-universite.com
magentodesigndublin.com
ilovechutney.info
451338.com
vintagewriting.site
008420.com
sussexfoodie.co.uk
matrix-101.com
carolina3dproperties.com
clairecorrie.co.uk
asafosa.xyz
yashpestcontrol.com
keilewn.online
nirmalmirchandani.com
familyibis.sbs
anthropologybythewire.com
invidgekets.xyz
1stconstiution.com
byxre.com
andresraiter.com
1stpartynft.com
25thdayoffer.xyz
nicehaus.space
mhjys.com
muuritutkimus.info
Signatures

Formbook payload 5 IoCs
resource | yara_rule
behavioral2/memory/1596-139-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1596-144-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1596-148-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2132-151-0x00000000001A0000-0x00000000001CF000-memory.dmp | formbook
behavioral2/memory/2132-155-0x00000000001A0000-0x00000000001CF000-memory.dmp | formbook

Suspicious use of SetThreadContext 4 IoCs
Processes: INVOICE.exe, INVOICE.exe, netsh.exe
description | pid | process | target process
PID 1036 set thread context of 1596 | 1036 | INVOICE.exe | INVOICE.exe
PID 1596 set thread context of 2592 | 1596 | INVOICE.exe | Explorer.EXE
PID 1596 set thread context of 2592 | 1596 | INVOICE.exe | Explorer.EXE
PID 2132 set thread context of 2592 | 2132 | netsh.exe | Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes: INVOICE.exe, netsh.exe
pid | process
1596 | INVOICE.exe (6 entries)
2132 | netsh.exe (remaining entries, repeated)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: Explorer.EXE
pid | process
2592 | Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs
Processes: INVOICE.exe, netsh.exe
pid | process
1596 | INVOICE.exe (4 entries)
2132 | netsh.exe (2 entries)

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: INVOICE.exe, netsh.exe
description | pid | process
Token: SeDebugPrivilege | 1596 | INVOICE.exe
Token: SeDebugPrivilege | 2132 | netsh.exe

Suspicious use of WriteProcessMemory 12 IoCs
Processes: INVOICE.exe, Explorer.EXE, netsh.exe
description | pid | process | target process
PID 1036 wrote to memory of 1596 | 1036 | INVOICE.exe | INVOICE.exe (6 entries)
PID 2592 wrote to memory of 2132 | 2592 | Explorer.EXE | netsh.exe (3 entries)
PID 2132 wrote to memory of 4724 | 2132 | netsh.exe | cmd.exe (3 entries)
Processes

C:\Windows\Explorer.EXE (depth 1)
Command line: C:\Windows\Explorer.EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\INVOICE.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\INVOICE.exe (depth 3)
        Command line: "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\netsh.exe (depth 2)
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (depth 3)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\INVOICE.exe"
Network
MITRE ATT&CK Matrix
Downloads
- memory/1036-132-0x0000000000C10000-0x0000000000CF8000-memory.dmp (Filesize 928KB)
- memory/1036-133-0x0000000005AE0000-0x0000000006084000-memory.dmp (Filesize 5.6MB)
- memory/1036-134-0x00000000055D0000-0x0000000005662000-memory.dmp (Filesize 584KB)
- memory/1036-135-0x0000000005570000-0x000000000557A000-memory.dmp (Filesize 40KB)
- memory/1036-136-0x000000000B8C0000-0x000000000B95C000-memory.dmp (Filesize 624KB)
- memory/1036-137-0x000000000B960000-0x000000000B9C6000-memory.dmp (Filesize 408KB)
- memory/1596-145-0x0000000002FB0000-0x0000000002FC4000-memory.dmp (Filesize 80KB)
- memory/1596-148-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1596-141-0x0000000001240000-0x000000000158A000-memory.dmp (Filesize 3.3MB)
- memory/1596-139-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1596-142-0x00000000016F0000-0x0000000001704000-memory.dmp (Filesize 80KB)
- memory/1596-144-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize 188KB)
- memory/1596-138-0x0000000000000000-mapping.dmp
- memory/2132-147-0x0000000000000000-mapping.dmp
- memory/2132-150-0x0000000000BB0000-0x0000000000BCE000-memory.dmp (Filesize 120KB)
- memory/2132-152-0x0000000000F30000-0x000000000127A000-memory.dmp (Filesize 3.3MB)
- memory/2132-151-0x00000000001A0000-0x00000000001CF000-memory.dmp (Filesize 188KB)
- memory/2132-153-0x0000000000CD0000-0x0000000000D63000-memory.dmp (Filesize 588KB)
- memory/2132-155-0x00000000001A0000-0x00000000001CF000-memory.dmp (Filesize 188KB)
- memory/2592-146-0x00000000026A0000-0x0000000002752000-memory.dmp (Filesize 712KB)
- memory/2592-143-0x0000000007EB0000-0x0000000007FE1000-memory.dmp (Filesize 1.2MB)
- memory/2592-154-0x000000000AB30000-0x000000000ACBC000-memory.dmp (Filesize 1.5MB)
- memory/2592-156-0x000000000AB30000-0x000000000ACBC000-memory.dmp (Filesize 1.5MB)
- memory/4724-149-0x0000000000000000-mapping.dmp