Analysis
max time kernel: 153s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-04-2024 15:30
Behavioral task
behavioral1
Sample: WhatsApp Images - INVACO PVT.exe
Resource: win7-20240221-en
General
Target: WhatsApp Images - INVACO PVT.exe
Size: 647KB
MD5: f62ce68dfaa4fedd2fa52462cacfb469
SHA1: 08b72552d6b1dd32700b2f793c808693a4149709
SHA256: d35ce3c05cc9670b5f3f0ec95f63e0ac8d3df6aae8bb2243cda70f9ceb99230d
SHA512: a96ce720d33c425f1ff4816b1b715a3843161d301d805d5593f150a419387bf3b1fa16b94e1cdaa6a9c25a018592d127b90d47c19b44a9a080da77826ca81b68
SSDEEP: 12288:2sHzOUNUSB/o5LsI1uwajJ5yvv1l2HiG84Ol2YK7AP/0oBW4D+:ZiUmSB/o5d1ubcvqgtltOA0oh+
Malware Config
Extracted
formbook
4.1
kh11
theluckypaddle.net
assurelinkenterprises.com
gazpachogroup.com
worxservicesllc.com
bestecankurban.com
cotebrief.com
899173.com
navist.io
metaverseharem.com
genpower-plus.com
drhandgrip.com
jessicachristina.com
eidura.com
cat2000andhope1izfanfiction.com
nywaiverlatam.com
cdlb9twt.shop
j2mjewerly.com
itsmisshodges.com
timeis.shop
santefe4g.com
ongame.cloud
guard-dd.online
rutgersorthopedics.com
rkbengg.com
dentalemergencybakersfield.com
jansirani.com
gadilglobal.com
unitygiftingco.store
enxk-32.com
northcuttmediacompany.com
hyyhldz.site
stripperscontest.com
lexcomtech.com
issndiploma.com
shopynuts.site
shpoifypos.app
gamer24.top
dibujosparapintar.net
healthinsuranceudeserve.com
pampadev.tech
whefgf.club
riversandcapital.com
foroupskirt.com
wocan92.top
onehourbookclub.com
brochuresenligne.site
suv-deals-85472.bond
coalswap.com
tresxop.xyz
juniortrevisol.com
it-jobs-87776.bond
black-loan3.shop
chicprems.xyz
pmheiouassessment.shop
186489.support
88mahadewa.vip
vn90129.me
cattaillake.com
jmknoh1r.shop
attitudedancefitness.com
eventcrrate.com
autonomoangola.com
jollshopp.com
thesimplestudio.io
gltip2le.shop
Signatures

Formbook payload 4 IoCs
resource | yara_rule
behavioral2/memory/396-18-0x0000000000620000-0x000000000064F000-memory.dmp | formbook
behavioral2/memory/396-87-0x0000000000620000-0x000000000064F000-memory.dmp | formbook
behavioral2/memory/1920-100-0x0000000001010000-0x000000000103F000-memory.dmp | formbook
behavioral2/memory/1920-102-0x0000000001010000-0x000000000103F000-memory.dmp | formbook

resource | yara_rule
behavioral2/memory/2692-0-0x00000000005F0000-0x000000000075F000-memory.dmp | upx
behavioral2/memory/2692-24-0x00000000005F0000-0x000000000075F000-memory.dmp | upx
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2692-24-0x00000000005F0000-0x000000000075F000-memory.dmp | autoit_exe
Suspicious use of SetThreadContext 12 IoCs
description | pid | Process | procid_target
PID 2692 set thread context of 396 | 2692 | WhatsApp Images - INVACO PVT.exe | 94
PID 396 set thread context of 3532 | 396 | svchost.exe | 56
PID 1920 set thread context of 3532 | 1920 | cmmon32.exe | 56
PID 1920 set thread context of 4156 | 1920 | cmmon32.exe | 91
PID 1920 set thread context of 4576 | 1920 | cmmon32.exe | 92
PID 1920 set thread context of 5104 | 1920 | cmmon32.exe | 93
PID 1920 set thread context of 792 | 1920 | cmmon32.exe | 95
PID 1920 set thread context of 2600 | 1920 | cmmon32.exe | 96
PID 1920 set thread context of 1444 | 1920 | cmmon32.exe | 97
PID 1920 set thread context of 4968 | 1920 | cmmon32.exe | 100
PID 1920 set thread context of 1556 | 1920 | cmmon32.exe | 101
PID 1920 set thread context of 2364 | 1920 | cmmon32.exe | 102
Checks processor information in registry 2 TTPs 5 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | firefox.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | firefox.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | firefox.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings | firefox.exe
Suspicious behavior: EnumeratesProcesses 36 IoCs
pid | Process
396 | svchost.exe (6 entries)
1920 | cmmon32.exe (30 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3532 | Explorer.EXE
Suspicious behavior: MapViewOfSection 25 IoCs
pid | Process
2692 | WhatsApp Images - INVACO PVT.exe (2 entries)
396 | svchost.exe (3 entries)
1920 | cmmon32.exe (20 entries)
Suspicious use of AdjustPrivilegeToken 11 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4156 | firefox.exe
Token: SeDebugPrivilege | 4156 | firefox.exe
Token: SeDebugPrivilege | 396 | svchost.exe
Token: SeDebugPrivilege | 1920 | cmmon32.exe
Token: SeShutdownPrivilege | 3532 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3532 | Explorer.EXE
Token: SeShutdownPrivilege | 3532 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3532 | Explorer.EXE
Token: SeDebugPrivilege | 4156 | firefox.exe
Token: SeDebugPrivilege | 4156 | firefox.exe
Token: SeDebugPrivilege | 4156 | firefox.exe
Suspicious use of FindShellTrayWindow 6 IoCs
pid | Process
2692 | WhatsApp Images - INVACO PVT.exe (2 entries)
4156 | firefox.exe (4 entries)
Suspicious use of SendNotifyMessage 5 IoCs
pid | Process
2692 | WhatsApp Images - INVACO PVT.exe (2 entries)
4156 | firefox.exe (3 entries)
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4156 | firefox.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1408 wrote to memory of 4156 | 1408 | firefox.exe | 91 (11 entries)
PID 4156 wrote to memory of 4576 | 4156 | firefox.exe | 92 (2 entries)
PID 4156 wrote to memory of 5104 | 4156 | firefox.exe | 93 (48 entries)
PID 4156 wrote to memory of 792 | 4156 | firefox.exe | 95 (3 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(child processes are indented under their parent)

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID: 3532

    C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2692

        C:\Windows\SysWOW64\svchost.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\WhatsApp Images - INVACO PVT.exe"
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken
          PID: 396

    C:\Program Files\Mozilla Firefox\firefox.exe
      Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Suspicious use of WriteProcessMemory
      PID: 1408

        C:\Program Files\Mozilla Firefox\firefox.exe
          Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
          - Checks processor information in registry
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 4156

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.0.1752752567\291694843" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {725c76c9-dd12-4ed1-9650-cf26f487926c} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 1976 219f3a05f58 gpu
              PID: 4576

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.1.477317733\823419807" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c331f82d-a0ae-463b-a3e0-c2e31cb9faa7} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 2376 219f26fcc58 socket
              PID: 5104

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.2.400485127\2067507420" -childID 1 -isForBrowser -prefsHandle 3348 -prefMapHandle 3344 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd6231af-d15c-415b-b402-051f221eba09} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 3356 219f296a358 tab
              PID: 792

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.3.1629347841\912802169" -childID 2 -isForBrowser -prefsHandle 3224 -prefMapHandle 3020 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1797c465-dc5b-4f66-b3b1-0431375b51a4} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 3708 219f5411958 tab
              PID: 2600

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.4.14321588\710378841" -childID 3 -isForBrowser -prefsHandle 3020 -prefMapHandle 4360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ebad744-4a51-4caa-9832-908000a92a2e} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 4388 219f8765558 tab
              PID: 1444

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.5.1710711545\1709942947" -childID 4 -isForBrowser -prefsHandle 5108 -prefMapHandle 5104 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e1eabe0-fab9-43d7-bc60-483a918f9890} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 4984 219f8b33158 tab
              PID: 4968

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.6.284460748\1881223573" -childID 5 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b7e94e9-3cc4-422e-8027-efef5c24b469} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 5232 219f8b33a58 tab
              PID: 1556

            C:\Program Files\Mozilla Firefox\firefox.exe
              Command line: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4156.7.2028663452\768060704" -childID 6 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1400 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {171edad9-30dd-482f-adbd-769f3abeee05} 4156 "\\.\pipe\gecko-crash-server-pipe.4156" 5424 219f8b34f58 tab
              PID: 2364

    C:\Windows\SysWOW64\cmmon32.exe
      Command line: "C:\Windows\SysWOW64\cmmon32.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      PID: 1920

        C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
          PID: 5180
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\datareporting\glean\db\data.safe.bin
Filesize: 2KB
MD5: 5a6e94467a42b8c2785351d812adc8bc
SHA1: d805d96194b8f4f418d339613eec4b9202a1f457
SHA256: d3582870ba401b2537057c917d5b6e3096ac7f9f8b4d9245417758cb391c568c
SHA512: 8c9deec35be9d70ff07a48883d469cd643d368b3a73b5e6a826115efb416e661d57d4a58208c415380f49d5b2d90127bfb4e9268e7aa52c1948992988f98bb0e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\datareporting\glean\pending_pings\a42cd239-a14c-4c8a-a2c2-b3a96e189d7f
Filesize: 746B
MD5: deb4d24dcbc3d8dd09d3d9a348449460
SHA1: d549ede7ab0ef7f8575a630a17f1f586512c21b9
SHA256: 7d31f03177f206866cde023b5a6c371f472828e46ad854a48227e675e51603f1
SHA512: 66c43aa95370352db0fe3e03d7a876e46ea850c982187d658685fbac00d60ffb672abaf34928b3a346ad2664e7da6b876070b3c2e6a00b936ca036b7f1d989c1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\datareporting\glean\pending_pings\d1b8eab2-c196-4e2a-8d42-5912864fe2ec
Filesize: 11KB
MD5: 36f1a36a7431f1198190738f84d8d2e9
SHA1: 47d38dc8e149e09b3f9c9e7853944b64cc2d6af1
SHA256: dff67d748ce923f32b9a7989e1a7ebc6fe6531389c8a2130c8d429d2bb100031
SHA512: eba23d982cabc52dcf0b467690555b3133b03cc59519cc10104f9008eb160d4603bf0d86bba70b9578491832ac7266f7f26eaa1a4dc1a23d9c830198839b7b76

(path missing from the report)
Filesize: 6KB
MD5: 8d690a015863c72b0902ec6767476afc
SHA1: 0b7895c7b1e359a42ccd0856a9a924ca1694459a
SHA256: 9b37add15034f182ec02e4cd4c7acd7f2745d6f2ae9212021b6bf766557e99d9
SHA512: c6ce19be207516d75baef12fcd3dcf5396d40cc78136cc4d811ee1fcdf77c52b4f3dfc316a11a575df7360a78d16d01bcaddf0c2b3fb7ef080430131714e9726

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7nvvjyxe.default-release\sessionstore-backups\recovery.jsonlz4
Filesize: 1KB
MD5: 09457632160d5749ec888511f6f2b6b6
SHA1: b06cef4d99c146374ed2ad39741ba819b35ec165
SHA256: 6fba0fda16a9dbdbda2c0812c189bdcc50a62db047a3cdf020b4e5a5a9cc7054
SHA512: 3587dd5a288a6fe5d3d65cf8c374eba45ed2df0d0d6a7214f2111ba7a9e8e14a3f8da62ea0f2586d1856ffb7b166d9030da5f556ebcb34cfdcbf3d95ccbfa934