Overview

overview

10

Static

static

Invoice.exe

windows7-x64

10

Invoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    09-12-2022 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice.exe

  • Size

    993KB

  • MD5

    6f4d64fcfbc82b91eb1f5e9fcffd15d3

  • SHA1

    1ebe973942db3da29de1dc292b8a0c8601f1e7a0

  • SHA256

    b747df969c4c80638e92b68759a8ced53c3d14bf705ad0fece792a566c9f3de9

  • SHA512

    073b24ff9c67c8005419678674f2aa79b72a38566a5496023def857379a7a2b8e4468d3f2803da81900eb3c8d80809e6d9a20fea2ef9c7a94f726f27cabc038c

  • SSDEEP

    24576:LIfkZ8IvMSd+WmvcGi+Dgr1hJsOSt3RpLJjpF:LNhvgOGNDO7Hyp

Score
10/10
formbookwu27ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

wu27

Decoy

69/AbbgufRx7loCQ5G4WYQ==

uydiDFvHsFxlIrdq

NBlmCe8ii+DEa2ye5G4WYQ==

LicGnHCl/UZ2UMg=

e2lQ8e1lsXvAeX+U5G4WYQ==

2bF/M54rOGusdYqc5G4WYQ==

mQLidD9i82JIsrqysw==

ZdlDYrcsl/L9eH+U5G4WYQ==

80ucyjCJdqXkcNI=

/eg6aKbVvNkwOcxzZyAx3cCTN5E=

lflaF0MvE+fHXoWmrg==

qRfykIXbxMkND1kwe3I=

s6iSNSVOMwnpvFDxdFLlOfqBMw==

imkLObSlIdc=

oBUBm36yNaZ99JYxenA=

ngFE7+IP8Te6N75o

O6Htl8Oyjb0Msrqysw==

f4JgCEnC0LEC9w==

9+dNeq/hVxaAhxzT1pbgzZ2mb3Nf

980jQpYF3y1wMomLfWU=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
      "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
        "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
        3⤵
          PID:268
        • C:\Users\Admin\AppData\Local\Temp\Invoice.exe
          "C:\Users\Admin\AppData\Local\Temp\Invoice.exe"
          3⤵
          • Checks computer location settings
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1720
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:1712
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:2020
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:1372
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:584
              • C:\Windows\SysWOW64\autochk.exe
                "C:\Windows\SysWOW64\autochk.exe"
                2⤵
                  PID:1564
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:1384
                  • C:\Windows\SysWOW64\help.exe
                    "C:\Windows\SysWOW64\help.exe"
                    2⤵
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Modifies Internet Explorer settings
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1540
                    • C:\Program Files\Mozilla Firefox\Firefox.exe
                      "C:\Program Files\Mozilla Firefox\Firefox.exe"
                      3⤵
                        PID:1092

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • \Users\Admin\AppData\Local\Temp\sqlite3.dll
                    Filesize

                    807KB

                    MD5

                    16a1612789dc9063ebea1cb55433b45b

                    SHA1

                    438fde2939bbb9b5b437f64f21c316c17ce4a7f6

                    SHA256

                    6deaec2f96c8a1c20698a93ddd468d5447b55ac426dc381eef5d91b19953bb7b

                    SHA512

                    d727ce8cd793c09a8688accb7a2eb5d8f84cc198b8e9d51c21e2dfb11d850f3ac64a58d07ff7fe9d1a2fdb613567e4790866c08a423176216ff310bf24a5a7e3

                    Download Submit
                  • memory/1200-71-0x0000000007B00000-0x0000000007C09000-memory.dmp
                    Filesize

                    1.0MB

                    Download
                  • memory/1200-77-0x000000000A530000-0x000000000A691000-memory.dmp
                    Filesize

                    1.4MB

                    Download
                  • memory/1200-80-0x000000000A530000-0x000000000A691000-memory.dmp
                    Filesize

                    1.4MB

                    Download
                  • memory/1284-58-0x0000000007DE0000-0x0000000007E9C000-memory.dmp
                    Filesize

                    752KB

                    Download
                  • memory/1284-59-0x0000000005E50000-0x0000000005ED4000-memory.dmp
                    Filesize

                    528KB

                    Download
                  • memory/1284-54-0x0000000001370000-0x000000000146E000-memory.dmp
                    Filesize

                    1016KB

                    Download
                  • memory/1284-57-0x00000000008F0000-0x00000000008FE000-memory.dmp
                    Filesize

                    56KB

                    Download
                  • memory/1284-56-0x0000000000730000-0x000000000074A000-memory.dmp
                    Filesize

                    104KB

                    Download
                  • memory/1284-55-0x00000000762E1000-0x00000000762E3000-memory.dmp
                    Filesize

                    8KB

                    Download
                  • memory/1540-72-0x0000000000000000-mapping.dmp
                    Download
                  • memory/1540-78-0x00000000000D0000-0x00000000000FD000-memory.dmp
                    Filesize

                    180KB

                    Download
                  • memory/1540-76-0x00000000006C0000-0x000000000074F000-memory.dmp
                    Filesize

                    572KB

                    Download
                  • memory/1540-75-0x0000000000850000-0x0000000000B53000-memory.dmp
                    Filesize

                    3.0MB

                    Download
                  • memory/1540-74-0x00000000000D0000-0x00000000000FD000-memory.dmp
                    Filesize

                    180KB

                    Download
                  • memory/1540-73-0x0000000000110000-0x0000000000116000-memory.dmp
                    Filesize

                    24KB

                    Download
                  • memory/1720-60-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1720-70-0x0000000000150000-0x0000000000160000-memory.dmp
                    Filesize

                    64KB

                    Download
                  • memory/1720-69-0x0000000000930000-0x0000000000C33000-memory.dmp
                    Filesize

                    3.0MB

                    Download
                  • memory/1720-68-0x0000000000401000-0x000000000042F000-memory.dmp
                    Filesize

                    184KB

                    Download
                  • memory/1720-67-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1720-66-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1720-63-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download
                  • memory/1720-64-0x00000000004012B0-mapping.dmp
                    Download
                  • memory/1720-61-0x0000000000400000-0x000000000042F000-memory.dmp
                    Filesize

                    188KB

                    Download