Analysis
  max time kernel:  150s
  max time network: 139s
  platform:         windows7_x64
  resource:         win7-20230712-en
  resource tags:    arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
  submitted:        16-08-2023 12:27

Static task:     static1
Behavioral task: behavioral1
  Sample:   invoice.exe
  Resource: win7-20230712-en
General
  Target: invoice.exe
  Size:   926KB
  MD5:    f93b86ab785cc1422188c476d3483ad5
  SHA1:   cb8e9cedad42afbf0a32cdc58643450fd149e6ad
  SHA256: 6217071ee755bb3de9914c5ee71161ed5666acd77c7cb6bd972d465707bf0613
  SHA512: b7161e145dcf2ab24816866980f8afb42f0535e75a66c870c86f043140580203d94bd754ee35a52f2dc6722d282fdf48aa6f87b85ec7d97c8a6b80efc3258c63
  SSDEEP: 12288:D1PDogOtA1MUII0a6PCKv3rBtOpxP2eZrW2uvMrxJ8mJAsjFmR00lqTjgidAA:STUIIN6PCKCpxDrFyOxJ8aAwAgTjjA
Malware Config
  Extracted: formbook
  Version:   4.1
  Campaign:  e14e
Signatures

Formbook payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/2968-67-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2968-71-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2844-76-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook
  behavioral1/memory/2844-78-0x0000000000080000-0x00000000000AF000-memory.dmp  formbook

Deletes itself (1 IoC)
  pid   Process
  2708  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process      procid_target
  PID 2680 set thread context of 2968  2680  invoice.exe  30
  PID 2968 set thread context of 1188  2968  invoice.exe  22
  PID 2844 set thread context of 1188  2844  systray.exe  22

Suspicious behavior: EnumeratesProcesses (23 IoCs)
  pid   Process      entries
  2968  invoice.exe  2
  2844  systray.exe  21

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid   Process
  1188  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   Process      entries
  2968  invoice.exe  3
  2844  systray.exe  2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2968  invoice.exe
  Token: SeDebugPrivilege  2844  systray.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  description                         pid   Process       procid_target  entries
  PID 2680 wrote to memory of 2968    2680  invoice.exe   30             7
  PID 1188 wrote to memory of 2844    1188  Explorer.EXE  31             4
  PID 2844 wrote to memory of 2708    2844  systray.exe   32             4
Processes

C:\Windows\Explorer.EXE  (PID 1188)
  command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\invoice.exe  (PID 2680)
    command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\invoice.exe  (PID 2968)
      command line: "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\systray.exe  (PID 2844)
    command line: "C:\Windows\SysWOW64\systray.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 2708)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\invoice.exe"
      - Deletes itself