Analysis Overview
SHA256
2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1
Threat Level: Known bad
The file General Specification -INVACO PVT.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Blocklisted process makes network request
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-04 05:13
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 05:13
Reported
2024-04-04 05:15
Platform
win7-20240319-en
Max time kernel
146s
Max time network
136s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2528 set thread context of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1364 set thread context of 1240 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2056 set thread context of 1240 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\help.exe | "C:\Windows\SysWOW64\help.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.assurelinkenterprises.com | udp |
| US | 8.8.8.8:53 | www.drhandgrip.com | udp |
| US | 8.8.8.8:53 | www.unitygiftingco.store | udp |
| US | 35.241.18.84:80 | www.unitygiftingco.store | tcp |
| US | 8.8.8.8:53 | www.cattaillake.com | udp |
| US | 3.33.130.190:80 | www.cattaillake.com | tcp |
Files
memory/2528-10-0x0000000000220000-0x0000000000224000-memory.dmp
memory/1364-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1364-12-0x0000000000710000-0x0000000000A13000-memory.dmp
memory/1364-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1364-16-0x0000000000190000-0x00000000001A4000-memory.dmp
memory/1240-15-0x0000000000320000-0x0000000000420000-memory.dmp
memory/1240-17-0x0000000006F80000-0x000000000710F000-memory.dmp
memory/2056-18-0x0000000000330000-0x0000000000336000-memory.dmp
memory/2056-19-0x0000000000330000-0x0000000000336000-memory.dmp
memory/2056-20-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2056-21-0x0000000000820000-0x0000000000B23000-memory.dmp
memory/2056-22-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2056-24-0x0000000000640000-0x00000000006D3000-memory.dmp
memory/1240-26-0x0000000006F80000-0x000000000710F000-memory.dmp
memory/1240-30-0x0000000004CC0000-0x0000000004E0D000-memory.dmp
memory/1240-31-0x0000000004CC0000-0x0000000004E0D000-memory.dmp
memory/1240-34-0x0000000004CC0000-0x0000000004E0D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 05:13
Reported
2024-04-04 05:16
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 644 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1676 set thread context of 3408 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1676 set thread context of 3408 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1028 set thread context of 3408 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\SysWOW64\msiexec.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
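The SetThreadContext rows of both detonations describe the same two-stage injection: the dropper sets the thread context of a SysWOW64 svchost.exe, svchost.exe does the same to Explorer.EXE, and a second SysWOW64 host (help.exe on Windows 7, msiexec.exe on Windows 10) injects into Explorer.EXE again. The Processes list adds the hollowing tell: svchost.exe is running with the dropper's command line, and cmd.exe is later told to delete the svchost.exe path. The script below is an added example, not part of the sandbox report or of any Formbook tooling; its input rows are copied from the report, while the two detection heuristics (image/command-line mismatch, cmd.exe /c del of an executable) are this example's own.

```python
"""Reconstruct the SetThreadContext injection chains recorded above and flag
the process-hollowing tell-tales in the Processes list.

Added example, not part of the sandbox report. SET_THREAD_CONTEXT_ROWS and
PROCESSES are copied from the report's behavioral1/behavioral2 sections; the
"image/command-line mismatch" and "cmd.exe /c del" rules are this example's
own detection heuristics.
"""
import re

# (description, injecting process, target process), copied from both runs.
# The duplicate 1676 -> 3408 row is kept on purpose to show de-duplication.
SET_THREAD_CONTEXT_ROWS = [
    ("PID 2528 set thread context of 1364",
     r"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe",
     r"C:\Windows\SysWOW64\svchost.exe"),
    ("PID 1364 set thread context of 1240",
     r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 2056 set thread context of 1240",
     r"C:\Windows\SysWOW64\help.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 644 set thread context of 1676",
     r"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe",
     r"C:\Windows\SysWOW64\svchost.exe"),
    ("PID 1676 set thread context of 3408",
     r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 1676 set thread context of 3408",
     r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 1028 set thread context of 3408",
     r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\Explorer.EXE"),
]

# (image path, command line) copied from the behavioral2 Processes section.
PROCESSES = [
    (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (r"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"'),
    (r"C:\Windows\SysWOW64\svchost.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe"'),
    (r"C:\Windows\SysWOW64\msiexec.exe", r'"C:\Windows\SysWOW64\msiexec.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'/c del "C:\Windows\SysWOW64\svchost.exe"'),
]

ROW_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
QUOTED_IMAGE_RE = re.compile(r'^"([^"]+)"')


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_edges(rows):
    """Return de-duplicated (src_pid, src_image, dst_pid, dst_image) tuples."""
    edges = []
    for desc, src_image, dst_image in rows:
        m = ROW_RE.fullmatch(desc)
        if m is None:
            continue
        edge = (int(m.group(1)), src_image, int(m.group(2)), dst_image)
        if edge not in edges:
            edges.append(edge)
    return edges


def injection_chains(edges):
    """Follow injector -> target links from each root injector (a PID that is
    never itself a target) and render one 'a(pid) -> b(pid)' chain per root."""
    next_hop = {src: dst for src, _, dst, _ in edges}
    images = {}
    for src, src_image, dst, dst_image in edges:
        images[src], images[dst] = src_image, dst_image
    roots = sorted(pid for pid in next_hop if pid not in next_hop.values())
    chains = []
    for root in roots:
        pid, hops = root, [root]
        while pid in next_hop and next_hop[pid] not in hops:  # stop on cycles
            pid = next_hop[pid]
            hops.append(pid)
        chains.append(" -> ".join(f"{basename(images[p])}({p})" for p in hops))
    return chains


def hollowing_indicators(processes):
    """Two cheap tells visible in the Processes list: a process whose command
    line names a different executable than its image (the classic hollowing
    mismatch), and cmd.exe /c del run against an executable path."""
    findings = []
    for image, cmdline in processes:
        m = QUOTED_IMAGE_RE.match(cmdline)
        if m and basename(m.group(1)).lower() != basename(image).lower():
            findings.append(f"image/command-line mismatch: {basename(image)} "
                            f"launched with the command line of {basename(m.group(1))}")
        if basename(image).lower() == "cmd.exe" and re.search(r"/c\s+del\s", cmdline, re.I):
            findings.append(f"cmd.exe deletes an executable: {cmdline}")
    return findings


if __name__ == "__main__":
    for chain in injection_chains(parse_edges(SET_THREAD_CONTEXT_ROWS)):
        print(chain)
    for finding in hollowing_indicators(PROCESSES):
        print(finding)
```

On a real endpoint the same two heuristics map onto process-creation telemetry: compare the image path of a new process with the executable named in its command line, and alert on cmd.exe /c del whose argument is a path under System32 or SysWOW64.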
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gadilglobal.com | udp |
| FR | 94.23.165.248:80 | www.gadilglobal.com | tcp |
| US | 8.8.8.8:53 | 248.165.23.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gamer24.top | udp |
| US | 172.67.220.25:80 | www.gamer24.top | tcp |
| US | 8.8.8.8:53 | 25.220.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.jessicachristina.com | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.santefe4g.com | udp |
| US | 3.33.130.190:80 | www.santefe4g.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.shopynuts.site | udp |
| US | 198.54.117.242:80 | www.shopynuts.site | tcp |
| US | 8.8.8.8:53 | 242.117.54.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
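Across both runs the sample resolves a series of unrelated-looking domains through 8.8.8.8 and connects to a subset of them on TCP/80, which is how Formbook is documented to cycle through its configured list of candidate C2 domains. Reading the two Network tables by hand is error-prone, so the following added example (not part of the sandbox report) parses them in the report's own pipe-table form and separates three things an analyst wants first: domains that were resolved but never contacted, domains that did get a TCP connection, and IPs that served more than one domain. Treating the in-addr.arpa queries as unrelated background traffic is this example's own assumption; the report does not attribute them to any process.

```python
"""Triage the two Network tables above: split DNS lookups from TCP
connections, set reverse lookups aside, list domains that were resolved but
never connected to, and find IPs that served more than one domain.

Added example, not part of the sandbox report. NETWORK_TABLE is copied from
the report's two Network sections (behavioral1, then behavioral2). Treating
the in-addr.arpa queries as unrelated background traffic is this example's
own assumption.
"""
from collections import defaultdict

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.assurelinkenterprises.com | udp |
| US | 8.8.8.8:53 | www.drhandgrip.com | udp |
| US | 8.8.8.8:53 | www.unitygiftingco.store | udp |
| US | 35.241.18.84:80 | www.unitygiftingco.store | tcp |
| US | 8.8.8.8:53 | www.cattaillake.com | udp |
| US | 3.33.130.190:80 | www.cattaillake.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gadilglobal.com | udp |
| FR | 94.23.165.248:80 | www.gadilglobal.com | tcp |
| US | 8.8.8.8:53 | 248.165.23.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gamer24.top | udp |
| US | 172.67.220.25:80 | www.gamer24.top | tcp |
| US | 8.8.8.8:53 | 25.220.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.jessicachristina.com | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.gltip2le.shop | udp |
| HK | 47.243.184.4:80 | www.gltip2le.shop | tcp |
| US | 8.8.8.8:53 | www.santefe4g.com | udp |
| US | 3.33.130.190:80 | www.santefe4g.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.shopynuts.site | udp |
| US | 198.54.117.242:80 | www.shopynuts.site | tcp |
| US | 8.8.8.8:53 | 242.117.54.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
"""


def parse_rows(table):
    """Turn the report's pipe-delimited rows into dicts; skip the header."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize_network(rows):
    """Classify each row and derive the lists an analyst wants first."""
    queried, connected, by_ip = set(), defaultdict(set), defaultdict(set)
    reverse_lookups = 0
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            reverse_lookups += 1          # PTR queries; assumed not malware-driven
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            queried.add(r["domain"])      # a resolution attempt
        elif r["proto"] == "tcp":
            connected[r["domain"]].add(f"{r['ip']}:{r['port']}")
            by_ip[r["ip"]].add(r["domain"])
    return {
        "reverse_lookups": reverse_lookups,
        # resolved but never contacted: dead, sinkholed or unresolvable candidates
        "dns_only": sorted(queried - set(connected)),
        "connected": {d: sorted(eps) for d, eps in sorted(connected.items())},
        # one IP behind several candidate domains is worth a second look
        "shared_ips": {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1},
    }


if __name__ == "__main__":
    for key, value in summarize_network(parse_rows(NETWORK_TABLE)).items():
        print(key, value)
```

The output separates the blocking decision (every non-PTR domain and every TCP destination is a candidate IOC) from the attribution question: www.gltip2le.shop is contacted in both runs, and 3.33.130.190 answers for two different domains, so those deserve a closer look before the rest of the list.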
Files
memory/644-10-0x0000000000340000-0x0000000000344000-memory.dmp
memory/1676-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1676-12-0x0000000001800000-0x0000000001B4A000-memory.dmp
memory/1676-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1676-15-0x00000000015B0000-0x00000000015C4000-memory.dmp
memory/3408-16-0x00000000082F0000-0x00000000083CB000-memory.dmp
memory/1676-18-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1676-19-0x0000000003670000-0x0000000003684000-memory.dmp
memory/3408-20-0x0000000008CB0000-0x0000000008E22000-memory.dmp
memory/1028-21-0x0000000000D70000-0x0000000000D82000-memory.dmp
memory/1028-23-0x0000000000D70000-0x0000000000D82000-memory.dmp
memory/1028-25-0x0000000000D70000-0x0000000000D82000-memory.dmp
memory/1028-26-0x0000000000FD0000-0x0000000000FFF000-memory.dmp
memory/1028-27-0x00000000030A0000-0x00000000033EA000-memory.dmp
memory/1028-28-0x0000000000FD0000-0x0000000000FFF000-memory.dmp
memory/3408-30-0x00000000082F0000-0x00000000083CB000-memory.dmp
memory/1028-31-0x0000000002F00000-0x0000000002F93000-memory.dmp
memory/3408-32-0x0000000008CB0000-0x0000000008E22000-memory.dmp
memory/3408-34-0x0000000008E30000-0x0000000008F8E000-memory.dmp
memory/3408-35-0x0000000008E30000-0x0000000008F8E000-memory.dmp
memory/3408-38-0x0000000008E30000-0x0000000008F8E000-memory.dmp
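The dump names above encode the PID, a sequence number and the start and end address of each captured region. Sizing them shows a region of exactly 0x2F000 bytes in every injected host of both runs: at the 32-bit default image base 0x400000 in svchost.exe (PIDs 1364 and 1676) and at other bases in help.exe (0x80000) and msiexec.exe (0xFD0000). The following added example, not part of the sandbox report, parses the names and groups region sizes by the PIDs they were dumped from; its inputs are copied from the report, and reading the second field as a sequence number and a shared size as one payload image written into each process are this example's interpretations.

```python
"""Parse the memory-dump names listed under Files in both detonations,
size each region, and find region sizes that recur across different PIDs.

Added example, not part of the sandbox report. DUMP_NAMES is copied from the
report's two Files sections and PID_IMAGE from its SetThreadContext rows.
Reading the second field of a dump name as a capture sequence number is this
example's assumption.
"""
import re
from collections import defaultdict

DUMP_NAMES = """
memory/2528-10-0x0000000000220000-0x0000000000224000-memory.dmp
memory/1364-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1364-12-0x0000000000710000-0x0000000000A13000-memory.dmp
memory/1364-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1364-16-0x0000000000190000-0x00000000001A4000-memory.dmp
memory/1240-15-0x0000000000320000-0x0000000000420000-memory.dmp
memory/1240-17-0x0000000006F80000-0x000000000710F000-memory.dmp
memory/2056-18-0x0000000000330000-0x0000000000336000-memory.dmp
memory/2056-19-0x0000000000330000-0x0000000000336000-memory.dmp
memory/2056-20-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2056-21-0x0000000000820000-0x0000000000B23000-memory.dmp
memory/2056-22-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2056-24-0x0000000000640000-0x00000000006D3000-memory.dmp
memory/1240-26-0x0000000006F80000-0x000000000710F000-memory.dmp
memory/1240-30-0x0000000004CC0000-0x0000000004E0D000-memory.dmp
memory/1240-31-0x0000000004CC0000-0x0000000004E0D000-memory.dmp
memory/1240-34-0x0000000004CC0000-0x0000000004E0D000-memory.dmp
memory/644-10-0x0000000000340000-0x0000000000344000-memory.dmp
memory/1676-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1676-12-0x0000000001800000-0x0000000001B4A000-memory.dmp
memory/1676-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1676-15-0x00000000015B0000-0x00000000015C4000-memory.dmp
memory/3408-16-0x00000000082F0000-0x00000000083CB000-memory.dmp
memory/1676-18-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1676-19-0x0000000003670000-0x0000000003684000-memory.dmp
memory/3408-20-0x0000000008CB0000-0x0000000008E22000-memory.dmp
memory/1028-21-0x0000000000D70000-0x0000000000D82000-memory.dmp
memory/1028-23-0x0000000000D70000-0x0000000000D82000-memory.dmp
memory/1028-25-0x0000000000D70000-0x0000000000D82000-memory.dmp
memory/1028-26-0x0000000000FD0000-0x0000000000FFF000-memory.dmp
memory/1028-27-0x00000000030A0000-0x00000000033EA000-memory.dmp
memory/1028-28-0x0000000000FD0000-0x0000000000FFF000-memory.dmp
memory/3408-30-0x00000000082F0000-0x00000000083CB000-memory.dmp
memory/1028-31-0x0000000002F00000-0x0000000002F93000-memory.dmp
memory/3408-32-0x0000000008CB0000-0x0000000008E22000-memory.dmp
memory/3408-34-0x0000000008E30000-0x0000000008F8E000-memory.dmp
memory/3408-35-0x0000000008E30000-0x0000000008F8E000-memory.dmp
memory/3408-38-0x0000000008E30000-0x0000000008F8E000-memory.dmp
""".split()

# PID -> image name, taken from the report's SetThreadContext rows.
PID_IMAGE = {
    2528: "General Specification -INVACO PVT.exe", 1364: "svchost.exe",
    1240: "Explorer.EXE", 2056: "help.exe",
    644: "General Specification -INVACO PVT.exe", 1676: "svchost.exe",
    3408: "Explorer.EXE", 1028: "msiexec.exe",
}

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")


def parse_dump_name(name):
    """memory/<pid>-<seq>-<start>-<end>-memory.dmp -> (pid, seq, start, end)."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_size(names):
    """Map region size -> set of PIDs in which a region of that size was dumped."""
    by_size = defaultdict(set)
    for name in names:
        pid, _, start, end = parse_dump_name(name)
        by_size[end - start].add(pid)
    return by_size


def recurring_regions(names, min_pids=2):
    """Sizes dumped from at least min_pids distinct processes, most widely
    shared first, with the image names the report gives for those PIDs."""
    report = []
    for size, pids in regions_by_size(names).items():
        if len(pids) >= min_pids:
            report.append((size, sorted(pids), sorted({PID_IMAGE.get(p, "?") for p in pids})))
    report.sort(key=lambda r: (-len(r[1]), r[0]))
    return report


if __name__ == "__main__":
    for size, pids, images in recurring_regions(DUMP_NAMES):
        print(f"0x{size:X} ({size // 1024} KiB) in PIDs {pids}: {', '.join(images)}")
```

The 0x2F000 region is the one to pull first for static analysis or YARA work, since it is present in all four injected processes; the 0x4000 region shared by the two dropper PIDs (2528 and 644) is the much smaller loader-side allocation.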