Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 09-12-2022 14:16
- Static task: static1
- Behavioral task: behavioral1
  - Sample: Invoice.exe
  - Resource: win7-20220901-en
General
- Target: Invoice.exe
- Size: 993KB
- MD5: 6f4d64fcfbc82b91eb1f5e9fcffd15d3
- SHA1: 1ebe973942db3da29de1dc292b8a0c8601f1e7a0
- SHA256: b747df969c4c80638e92b68759a8ced53c3d14bf705ad0fece792a566c9f3de9
- SHA512: 073b24ff9c67c8005419678674f2aa79b72a38566a5496023def857379a7a2b8e4468d3f2803da81900eb3c8d80809e6d9a20fea2ef9c7a94f726f27cabc038c
- SSDEEP: 24576:LIfkZ8IvMSd+WmvcGi+Dgr1hJsOSt3RpLJjpF:LNhvgOGNDO7Hyp
Malware Config
Extracted
formbook
wu27
cailiotweet.store
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: Invoice.exe
    description       | ioc                                                                                                | process
    Key value queried | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation | Invoice.exe
- Loads dropped DLL (1 IoC)
  Processes: help.exe
    pid  | process
    1540 | help.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes: Invoice.exe, Invoice.exe, help.exe
    description                         | pid  | process     | target process
    PID 1284 set thread context of 1720 | 1284 | Invoice.exe | Invoice.exe
    PID 1720 set thread context of 1200 | 1720 | Invoice.exe | Explorer.EXE
    PID 1540 set thread context of 1200 | 1540 | help.exe    | Explorer.EXE
- Modifies Internet Explorer settings
  Processes: help.exe
    description | ioc                                                                                                                     | process
    Key created | \Registry\User\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | help.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes: Invoice.exe, Invoice.exe, help.exe
    pid  | process     | entries
    1284 | Invoice.exe | 1
    1720 | Invoice.exe | 4
    1540 | help.exe    | 13
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: Explorer.EXE
    pid  | process
    1200 | Explorer.EXE
- Suspicious behavior: MapViewOfSection (7 IoCs)
  Processes: Invoice.exe, help.exe
    pid  | process     | entries
    1720 | Invoice.exe | 3
    1540 | help.exe    | 4
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: Invoice.exe, Invoice.exe, help.exe
    description              | pid  | process
    Token: SeDebugPrivilege  | 1284 | Invoice.exe
    Token: SeDebugPrivilege  | 1720 | Invoice.exe
    Token: SeDebugPrivilege  | 1540 | help.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Explorer.EXE
    pid  | process      | entries
    1200 | Explorer.EXE | 2
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Explorer.EXE
    pid  | process      | entries
    1200 | Explorer.EXE | 2
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes: Invoice.exe, Explorer.EXE, help.exe
    description                     | pid  | process      | target process | entries
    PID 1284 wrote to memory of 268  | 1284 | Invoice.exe  | Invoice.exe    | 4
    PID 1284 wrote to memory of 1720 | 1284 | Invoice.exe  | Invoice.exe    | 7
    PID 1200 wrote to memory of 1540 | 1200 | Explorer.EXE | help.exe       | 4
    PID 1540 wrote to memory of 1092 | 1540 | help.exe     | Firefox.exe    | 5
Processes
- C:\Windows\Explorer.EXE (PID 1200)
  Command line: C:\Windows\Explorer.EXE
  Signatures:
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Local\Temp\Invoice.exe (PID 1284)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\Invoice.exe (PID 268)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
    - C:\Users\Admin\AppData\Local\Temp\Invoice.exe (PID 1720)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      Signatures:
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\autochk.exe (PID 1712)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - C:\Windows\SysWOW64\autochk.exe (PID 2020)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - C:\Windows\SysWOW64\autochk.exe (PID 1372)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - C:\Windows\SysWOW64\autochk.exe (PID 584)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - C:\Windows\SysWOW64\autochk.exe (PID 1564)
    Command line: "C:\Windows\SysWOW64\autochk.exe"
  - C:\Windows\SysWOW64\autofmt.exe (PID 1384)
    Command line: "C:\Windows\SysWOW64\autofmt.exe"
  - C:\Windows\SysWOW64\help.exe (PID 1540)
    Command line: "C:\Windows\SysWOW64\help.exe"
    Signatures:
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 1092)
      Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- \Users\Admin\AppData\Local\Temp\sqlite3.dll
  - Filesize: 807KB
  - MD5: 16a1612789dc9063ebea1cb55433b45b
  - SHA1: 438fde2939bbb9b5b437f64f21c316c17ce4a7f6
  - SHA256: 6deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b
  - SHA512: d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3
- memory/1200-71-0x0000000007B00000-0x0000000007C09000-memory.dmp (Filesize: 1.0MB)
- memory/1200-77-0x000000000A530000-0x000000000A691000-memory.dmp (Filesize: 1.4MB)
- memory/1200-80-0x000000000A530000-0x000000000A691000-memory.dmp (Filesize: 1.4MB)
- memory/1284-58-0x0000000007DE0000-0x0000000007E9C000-memory.dmp (Filesize: 752KB)
- memory/1284-59-0x0000000005E50000-0x0000000005ED4000-memory.dmp (Filesize: 528KB)
- memory/1284-54-0x0000000001370000-0x000000000146E000-memory.dmp (Filesize: 1016KB)
- memory/1284-57-0x00000000008F0000-0x00000000008FE000-memory.dmp (Filesize: 56KB)
- memory/1284-56-0x0000000000730000-0x000000000074A000-memory.dmp (Filesize: 104KB)
- memory/1284-55-0x00000000762E1000-0x00000000762E3000-memory.dmp (Filesize: 8KB)
- memory/1540-72-0x0000000000000000-mapping.dmp
- memory/1540-78-0x00000000000D0000-0x00000000000FD000-memory.dmp (Filesize: 180KB)
- memory/1540-76-0x00000000006C0000-0x000000000074F000-memory.dmp (Filesize: 572KB)
- memory/1540-75-0x0000000000850000-0x0000000000B53000-memory.dmp (Filesize: 3.0MB)
- memory/1540-74-0x00000000000D0000-0x00000000000FD000-memory.dmp (Filesize: 180KB)
- memory/1540-73-0x0000000000110000-0x0000000000116000-memory.dmp (Filesize: 24KB)
- memory/1720-60-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1720-70-0x0000000000150000-0x0000000000160000-memory.dmp (Filesize: 64KB)
- memory/1720-69-0x0000000000930000-0x0000000000C33000-memory.dmp (Filesize: 3.0MB)
- memory/1720-68-0x0000000000401000-0x000000000042F000-memory.dmp (Filesize: 184KB)
- memory/1720-67-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1720-66-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1720-63-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
- memory/1720-64-0x00000000004012B0-mapping.dmp
- memory/1720-61-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)