Analysis
-
max time kernel
150s -
max time network
167s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system -
submitted
11/10/2023, 14:50
Static task
static1
Behavioral task
behavioral1
Sample
Invoice#23615B001.exe
Resource
win7-20230831-en
General
-
Target
Invoice#23615B001.exe
-
Size
642KB
-
MD5
2673a176c9729737316a6e6d660f0f79
-
SHA1
f3466f9e8e6d1c9e9d22e6fe9e2ee601d9c22788
-
SHA256
02971b038e3224fb89a5aa824cd4388ab3108e86571312d127e32b6a59b1b3ec
-
SHA512
9e6d7703c8993e27b86bc5d4549e224db18176034e6d4331ab483dc187c77c543084cef2468a368a1dd48b0d678dc8f509ababb185b97d7756c426948442e958
-
SSDEEP
12288:KayccWwjCUqEupAtlUpQSkHBkiyrhKwAKNdI0U+VRslA7jbA:0CdEupkl4RmkvyeI0TR17j
Malware Config
Extracted
formbook
4.1
sn26
resenha10.bet
gulshan-rajput.com
xbus.tech
z813my.cfd
wlxzjlny.cfd
auntengotiempo.com
canada-reservation.com
thegiftcompany.shop
esthersilveirapropiedades.com
1wapws.top
ymjblnvo.cfd
termokimik.net
kushiro-artist-school.com
bmmboo.com
caceresconstructionservices.com
kentuckywalkabout.com
bringyourcart.com
miamiwinetour.com
bobcatsocial.site
thirdmind.network
4tbbwa.com
rhinosecurellc.net
rdparadise.com
radpm.xyz
thewhiteorchidspa.com
clhynfco.cfd
ngohcvja.cfd
woodennickelcandles.com
gg18rb.cfd
qcdrxwr.cfd
974dp.com
lagardere-vivendi-corp.net
chestnutmaretraining.com
seosjekk.online
ahevrlh.xyz
uedam.xyz
natrada.love
yoywvfw.top
unifiedtradingjapan.com
chinakaldi.com
agenciacolmeiadigital.com
wdlzzfkc.cfd
097850.com
xingcansy.com
uahrbqtj.cfd
charliehaywood.com
witheres.shop
sqiyvdrx.cfd
biopfizer.com
tiktokviewer.com
prftwgmw.cfd
sfsdnwpf.cfd
linkboladewahub.xyz
orvados.com
goodshepherdopcesva.com
christianlovewv.com
cdicontrols.com
hawskio26.click
ownlegalhelp.com
tiydmdzp.cfd
ppirr.biz
stonyatrick.com
itsamazingbarley.com
msjbaddf.cfd
zachmahl.com
Signatures
-
Formbook payload 5 IoCs
resource yara_rule behavioral1/memory/2752-12-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2752-16-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2752-20-0x0000000000400000-0x000000000042F000-memory.dmp formbook behavioral1/memory/2536-27-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook behavioral1/memory/2536-29-0x00000000000C0000-0x00000000000EF000-memory.dmp formbook -
Deletes itself 1 IoCs
pid Process 2668 cmd.exe -
Suspicious use of SetThreadContext 4 IoCs
description pid Process procid_target PID 2260 set thread context of 2752 2260 Invoice#23615B001.exe 30 PID 2752 set thread context of 1208 2752 Invoice#23615B001.exe 10 PID 2752 set thread context of 1208 2752 Invoice#23615B001.exe 10 PID 2536 set thread context of 1208 2536 cmd.exe 10 -
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 2752 Invoice#23615B001.exe 2752 Invoice#23615B001.exe 2752 Invoice#23615B001.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe 2536 cmd.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1208 Explorer.EXE -
Suspicious behavior: MapViewOfSection 6 IoCs
pid Process 2752 Invoice#23615B001.exe 2752 Invoice#23615B001.exe 2752 Invoice#23615B001.exe 2752 Invoice#23615B001.exe 2536 cmd.exe 2536 cmd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2752 Invoice#23615B001.exe Token: SeDebugPrivilege 2536 cmd.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2260 wrote to memory of 2752 2260 Invoice#23615B001.exe 30 PID 2260 wrote to memory of 2752 2260 Invoice#23615B001.exe 30 PID 2260 wrote to memory of 2752 2260 Invoice#23615B001.exe 30 PID 2260 wrote to memory of 2752 2260 Invoice#23615B001.exe 30 PID 2260 wrote to memory of 2752 2260 Invoice#23615B001.exe 30 PID 2260 wrote to memory of 2752 2260 Invoice#23615B001.exe 30 PID 2260 wrote to memory of 2752 2260 Invoice#23615B001.exe 30 PID 2752 wrote to memory of 2536 2752 Invoice#23615B001.exe 31 PID 2752 wrote to memory of 2536 2752 Invoice#23615B001.exe 31 PID 2752 wrote to memory of 2536 2752 Invoice#23615B001.exe 31 PID 2752 wrote to memory of 2536 2752 Invoice#23615B001.exe 31 PID 2536 wrote to memory of 2668 2536 cmd.exe 32 PID 2536 wrote to memory of 2668 2536 cmd.exe 32 PID 2536 wrote to memory of 2668 2536 cmd.exe 32 PID 2536 wrote to memory of 2668 2536 cmd.exe 32
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\Invoice#23615B001.exe"C:\Users\Admin\AppData\Local\Temp\Invoice#23615B001.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Users\Admin\AppData\Local\Temp\Invoice#23615B001.exe"{path}"3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\SysWOW64\cmd.exe"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\AppData\Local\Temp\Invoice#23615B001.exe"5⤵
- Deletes itself
PID:2668
-
-
-
-