Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-03-2024 19:02
Static task: static1
Behavioral task: behavioral1
Sample
General Specification -INVACO PVT.exe
Resource: win7-20240221-en

General
- Target: General Specification -INVACO PVT.exe
- Size: 1.0MB
- MD5: 0ed3e74eedb79951944237b0a560fb11
- SHA1: 0e88c313525bcb312baf633aef56caf70fcee969
- SHA256: 41885886b8b5d925c8efc8ba5ccb8a3f40eb5b218cbd124fac0a81e467ce0d90
- SHA512: 609800df42d85306c75f44a9ead946e50feb45989028c40ef204be109a87656d77c722f4c73a62216c041b183cb8c900e0473c555bb3479326ea92d0173325b6
- SSDEEP: 24576:hAHnh+eWsN3skA4RV1Hom2KXMmHatcyzAaubWi5:4h+ZkldoPK8Yatcr1
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: kh11
- Decoy domains (a Formbook config carries its real C2 among a list of decoys; the report does not say which entry is live, so treat the whole list as indicators rather than picking one):
theluckypaddle.net
assurelinkenterprises.com
gazpachogroup.com
worxservicesllc.com
bestecankurban.com
cotebrief.com
899173.com
navist.io
metaverseharem.com
genpower-plus.com
drhandgrip.com
jessicachristina.com
eidura.com
cat2000andhope1izfanfiction.com
nywaiverlatam.com
cdlb9twt.shop
j2mjewerly.com
itsmisshodges.com
timeis.shop
santefe4g.com
ongame.cloud
guard-dd.online
rutgersorthopedics.com
rkbengg.com
dentalemergencybakersfield.com
jansirani.com
gadilglobal.com
unitygiftingco.store
enxk-32.com
northcuttmediacompany.com
hyyhldz.site
stripperscontest.com
lexcomtech.com
issndiploma.com
shopynuts.site
shpoifypos.app
gamer24.top
dibujosparapintar.net
healthinsuranceudeserve.com
pampadev.tech
whefgf.club
riversandcapital.com
foroupskirt.com
wocan92.top
onehourbookclub.com
brochuresenligne.site
suv-deals-85472.bond
coalswap.com
tresxop.xyz
juniortrevisol.com
it-jobs-87776.bond
black-loan3.shop
chicprems.xyz
pmheiouassessment.shop
186489.support
88mahadewa.vip
vn90129.me
cattaillake.com
jmknoh1r.shop
attitudedancefitness.com
eventcrrate.com
autonomoangola.com
jollshopp.com
thesimplestudio.io
gltip2le.shop
Signatures

Formbook payload (4 IoCs)
resource                                                                       yara_rule
behavioral2/memory/4540-11-0x0000000000370000-0x000000000039F000-memory.dmp    formbook
behavioral2/memory/4540-15-0x0000000000370000-0x000000000039F000-memory.dmp    formbook
behavioral2/memory/2092-21-0x00000000003C0000-0x00000000003EF000-memory.dmp    formbook
behavioral2/memory/2092-23-0x00000000003C0000-0x00000000003EF000-memory.dmp    formbook

Blocklisted process makes network request (1 IoC)
flow  pid   process
92    2092  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
description                           pid   process                                target process
PID 5000 set thread context of 4540   5000  General Specification -INVACO PVT.exe  svchost.exe
PID 4540 set thread context of 3380   4540  svchost.exe                            Explorer.EXE
PID 2092 set thread context of 3380   2092  cmd.exe                                Explorer.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   process       hits
4540  svchost.exe   6
2092  cmd.exe       58

Suspicious behavior: MapViewOfSection (7 IoCs)
pid   process                                hits
5000  General Specification -INVACO PVT.exe  2
4540  svchost.exe                            3
2092  cmd.exe                                2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description               pid   process
Token: SeDebugPrivilege   4540  svchost.exe
Token: SeDebugPrivilege   2092  cmd.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid   process                                hits
5000  General Specification -INVACO PVT.exe  3

Suspicious use of SendNotifyMessage (3 IoCs)
pid   process                                hits
5000  General Specification -INVACO PVT.exe  3

Suspicious use of UnmapMainImage (1 IoC)
pid   process
3380  Explorer.EXE

Suspicious use of WriteProcessMemory (10 IoCs)
description                        pid   process                                target process  hits
PID 5000 wrote to memory of 4540   5000  General Specification -INVACO PVT.exe  svchost.exe     4
PID 3380 wrote to memory of 2092   3380  Explorer.EXE                           cmd.exe         3
PID 2092 wrote to memory of 2496   2092  cmd.exe                                cmd.exe         3
Processes
(tree depth shown by indentation; each entry gives the image path, then the command line the process was started with, then the signatures that hit on it)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\svchost.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\SysWOW64\cmd.exe"
      - Blocklisted process makes network request
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          command line: /c del "C:\Windows\SysWOW64\svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
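The signature rows and the process tree together describe one injection path: the sample (5000) writes into and sets the thread context of an svchost.exe (4540) that carries the sample's own command line, that svchost.exe sets the thread context of Explorer.EXE (3380), Explorer writes into a cmd.exe (2092) which in turn sets Explorer's thread context, makes the network request and spawns the `/c del` cleanup. The script below is an added example for this page, not code from the Triage report or from Formbook: it transcribes those rows as constructed data and applies a generic triage rule (a SetThreadContext edge whose source also wrote to the target or mapped a section, plus an image path that disagrees with the command line) to pull the chain out of the report. The pid 2496 for the `/c del` cmd.exe is assumed from the 2092 -> 2496 WriteProcessMemory row; the report's process tree does not print it.

```python
"""Correlate the report's injection signatures into a chain.

Added example for this page, not part of the Triage report or of Formbook.
All rows below are transcribed from the report's SetThreadContext,
WriteProcessMemory and MapViewOfSection signatures and from its process tree.
The correlation rule (a source that sets a target's thread context AND has
either written to it or mapped a section) is a generic process-hollowing /
thread-hijack triage heuristic, not something the report itself asserts.
"""
import ntpath

# (source pid, source image, target pid, target image)
SET_THREAD_CONTEXT = [
    (5000, "General Specification -INVACO PVT.exe", 4540, "svchost.exe"),
    (4540, "svchost.exe", 3380, "Explorer.EXE"),
    (2092, "cmd.exe", 3380, "Explorer.EXE"),
]
WRITE_PROCESS_MEMORY = [
    (5000, "General Specification -INVACO PVT.exe", 4540, "svchost.exe"),
    (3380, "Explorer.EXE", 2092, "cmd.exe"),
    (2092, "cmd.exe", 2496, "cmd.exe"),
]
# pids that hit the MapViewOfSection signature; the report gives no target pid
# for these, so it is a weaker signal than a WriteProcessMemory row
MAP_VIEW_OF_SECTION = {5000, 4540, 2092}

# pid -> (image path, command line) from the process tree. The /c del cmd.exe
# has no pid on the page; 2496 is ASSUMED from the 2092 -> 2496 WriteProcessMemory row.
PROCESS_TREE = {
    3380: (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    5000: (r"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"'),
    4540: (r"C:\Windows\SysWOW64\svchost.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"'),
    2092: (r"C:\Windows\SysWOW64\cmd.exe", r'"C:\Windows\SysWOW64\cmd.exe"'),
    2496: (r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\svchost.exe"'),
}


def injection_chain(start_pid):
    """Follow SetThreadContext edges from start_pid; stops at a pid with no outgoing edge."""
    nxt = {src: dst for src, _, dst, _ in SET_THREAD_CONTEXT}
    chain, pid = [start_pid], start_pid
    while pid in nxt and nxt[pid] not in chain:
        pid = nxt[pid]
        chain.append(pid)
    return chain


def hollowing_candidates():
    """(src, src image, dst, dst image, evidence) for every SetThreadContext edge whose
    source also wrote into the target or mapped a section while it ran."""
    wrote = {(src, dst) for src, _, dst, _ in WRITE_PROCESS_MEMORY}
    found = []
    for src, simg, dst, dimg in SET_THREAD_CONTEXT:
        evidence = []
        if (src, dst) in wrote:
            evidence.append("WriteProcessMemory")
        if src in MAP_VIEW_OF_SECTION:
            evidence.append("MapViewOfSection")
        if evidence:
            found.append((src, simg, dst, dimg, tuple(evidence)))
    return found


def parent_child_writes():
    """WriteProcessMemory rows with no SetThreadContext on the same pair: the source
    wrote into the target without hijacking one of its threads (the report says no
    more than that about how the target was reached)."""
    hijacked = {(src, dst) for src, _, dst, _ in SET_THREAD_CONTEXT}
    return [(src, dst) for src, _, dst, _ in WRITE_PROCESS_MEMORY if (src, dst) not in hijacked]


def _argv0(cmdline):
    """First token of a Windows command line, honouring a leading quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def image_cmdline_mismatches(tree=PROCESS_TREE):
    """Processes whose command line names a different executable than the image that
    was actually loaded: the tell of a legitimate binary started and then replaced."""
    hits = []
    for pid, (image, cmdline) in sorted(tree.items()):
        argv0 = _argv0(cmdline)
        if not argv0.lower().endswith(".exe"):
            continue  # argv[0] absent (e.g. '/c del ...'): nothing to compare against
        if ntpath.basename(argv0).lower() != ntpath.basename(image).lower():
            hits.append((pid, ntpath.basename(image), ntpath.basename(argv0)))
    return hits


if __name__ == "__main__":
    print("SetThreadContext chain from the sample:",
          " -> ".join(map(str, injection_chain(5000))))
    for src, simg, dst, dimg, ev in hollowing_candidates():
        print(f"{src} {simg} -> {dst} {dimg}: {', '.join(ev)}")
    print("writes without thread hijack:", parent_child_writes())
    print("image/command-line mismatches:", image_cmdline_mismatches())
```

The one mismatch the script reports is svchost.exe (4540) running under the sample's command line, which is the same process the formbook YARA rule later matches in memory. In a live environment the same two checks (SetThreadContext paired with a write or section map to the target, and argv[0] not matching the loaded image) are what a Sysmon or EDR rule for this family would key on; the `/c del` child shows why the argv[0] check must tolerate command lines that omit the executable.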
Downloads
dump                                                              size
memory/2092-18-0x0000000000D00000-0x0000000000D5A000-memory.dmp   360KB
memory/2092-25-0x0000000000E30000-0x0000000000EC3000-memory.dmp   588KB
memory/2092-23-0x00000000003C0000-0x00000000003EF000-memory.dmp   188KB
memory/2092-22-0x0000000001260000-0x00000000015AA000-memory.dmp   3.3MB
memory/2092-21-0x00000000003C0000-0x00000000003EF000-memory.dmp   188KB
memory/2092-20-0x0000000000D00000-0x0000000000D5A000-memory.dmp   360KB
memory/3380-26-0x0000000009520000-0x0000000009685000-memory.dmp   1.4MB
memory/3380-17-0x0000000009520000-0x0000000009685000-memory.dmp   1.4MB
memory/3380-28-0x0000000009090000-0x00000000091FA000-memory.dmp   1.4MB
memory/3380-30-0x0000000009090000-0x00000000091FA000-memory.dmp   1.4MB
memory/3380-33-0x0000000009090000-0x00000000091FA000-memory.dmp   1.4MB
memory/4540-16-0x0000000000A80000-0x0000000000A94000-memory.dmp   80KB
memory/4540-15-0x0000000000370000-0x000000000039F000-memory.dmp   188KB
memory/4540-14-0x0000000001000000-0x000000000134A000-memory.dmp   3.3MB
memory/4540-11-0x0000000000370000-0x000000000039F000-memory.dmp   188KB
memory/5000-10-0x00000000040D0000-0x00000000040D4000-memory.dmp   16KB
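The dump names encode the process, a sequence number and the region's start and end address, and the region the formbook YARA rule matched is the same size (188KB) in svchost.exe at 0x370000 and in cmd.exe at 0x3C0000, dumped twice in each. The script below is an added example for this page, not part of the Triage report: it parses the names exactly as listed above, checks that the listed sizes agree with end minus start, and groups regions by size to surface the ones that recur across processes at different bases, which is the usual shape of a relocated unpacked payload. The name pattern memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp is inferred from the names on this page, not taken from Triage documentation, and the four tagged names are used without their behavioral2/ prefix so they match the Downloads form.

```python
"""Parse the report's memory-dump names and find the region that recurs.

Added example for this page, not part of the Triage report. Dump names and the
sizes beside them are transcribed from the Downloads section; the tagged names
are the formbook YARA hits from the Signatures section with the behavioral2/
prefix removed. The name pattern is inferred from these names (an assumption).
"""
import re
from collections import defaultdict

DUMPS = [
    ("memory/2092-18-0x0000000000D00000-0x0000000000D5A000-memory.dmp", "360KB"),
    ("memory/2092-25-0x0000000000E30000-0x0000000000EC3000-memory.dmp", "588KB"),
    ("memory/2092-23-0x00000000003C0000-0x00000000003EF000-memory.dmp", "188KB"),
    ("memory/2092-22-0x0000000001260000-0x00000000015AA000-memory.dmp", "3.3MB"),
    ("memory/2092-21-0x00000000003C0000-0x00000000003EF000-memory.dmp", "188KB"),
    ("memory/2092-20-0x0000000000D00000-0x0000000000D5A000-memory.dmp", "360KB"),
    ("memory/3380-26-0x0000000009520000-0x0000000009685000-memory.dmp", "1.4MB"),
    ("memory/3380-17-0x0000000009520000-0x0000000009685000-memory.dmp", "1.4MB"),
    ("memory/3380-28-0x0000000009090000-0x00000000091FA000-memory.dmp", "1.4MB"),
    ("memory/3380-30-0x0000000009090000-0x00000000091FA000-memory.dmp", "1.4MB"),
    ("memory/3380-33-0x0000000009090000-0x00000000091FA000-memory.dmp", "1.4MB"),
    ("memory/4540-16-0x0000000000A80000-0x0000000000A94000-memory.dmp", "80KB"),
    ("memory/4540-15-0x0000000000370000-0x000000000039F000-memory.dmp", "188KB"),
    ("memory/4540-14-0x0000000001000000-0x000000000134A000-memory.dmp", "3.3MB"),
    ("memory/4540-11-0x0000000000370000-0x000000000039F000-memory.dmp", "188KB"),
    ("memory/5000-10-0x00000000040D0000-0x00000000040D4000-memory.dmp", "16KB"),
]
FORMBOOK_TAGGED = {
    "memory/4540-11-0x0000000000370000-0x000000000039F000-memory.dmp",
    "memory/4540-15-0x0000000000370000-0x000000000039F000-memory.dmp",
    "memory/2092-21-0x00000000003C0000-0x00000000003EF000-memory.dmp",
    "memory/2092-23-0x00000000003C0000-0x00000000003EF000-memory.dmp",
}
# assumed layout: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump(name):
    """Split a dump name into pid, sequence number and region bounds (ints)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    pid, seq, start, end = m.groups()
    return {"pid": int(pid), "seq": int(seq), "start": int(start, 16), "end": int(end, 16)}


def human(size):
    """Same rounding the report uses: whole KB below 1 MiB, one decimal MB at or above."""
    if size >= 1 << 20:
        return f"{size / (1 << 20):.1f}MB"
    return f"{size // 1024}KB"


def check_listed_sizes(dumps=DUMPS):
    """Dumps whose listed size disagrees with end - start (empty when all agree)."""
    bad = []
    for name, listed in dumps:
        d = parse_dump(name)
        computed = human(d["end"] - d["start"])
        if computed != listed:
            bad.append((name, listed, computed))
    return bad


def recurring_regions(dumps=DUMPS):
    """size -> sorted [(pid, start)] for region sizes seen in more than one process.
    Repeated dumps of the same (pid, start) count once; only cross-process repeats qualify."""
    by_size = defaultdict(set)
    for name, _ in dumps:
        d = parse_dump(name)
        by_size[d["end"] - d["start"]].add((d["pid"], d["start"]))
    return {size: sorted(regs) for size, regs in by_size.items()
            if len({pid for pid, _ in regs}) > 1}


def tagged_region_sizes(tagged=FORMBOOK_TAGGED):
    """Distinct region sizes among the dumps the formbook YARA rule matched."""
    return {parse_dump(n)["end"] - parse_dump(n)["start"] for n in tagged}


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes())
    for size, regs in sorted(recurring_regions().items()):
        where = ", ".join(f"pid {pid} @ 0x{start:X}" for pid, start in regs)
        print(f"{human(size)} region recurs in: {where}")
    print("sizes of YARA-tagged regions:", [human(s) for s in tagged_region_sizes()])
```

Two region sizes recur across svchost.exe (4540) and cmd.exe (2092): the 188KB region the YARA rule tagged and a 3.3MB region at 0x1000000 / 0x1260000. When pulling artifacts from a report like this, the tagged region is the one to hand to a config extractor, and the matching size in the second process is a quick confirmation that the same payload was carried along rather than a different stage.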