Analysis Overview
SHA256
2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1
Threat Level: Known bad
The file General Specification -INVACO PVT.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Gathers network information
Suspicious use of UnmapMainImage
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-04 05:14
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-04 05:14
Reported
2024-04-04 05:16
Platform
win7-20240221-en
Max time kernel
150s
Max time network
134s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1936 set thread context of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2512 set thread context of 1404 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2616 set thread context of 1404 | N/A | C:\Windows\SysWOW64\wininit.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wininit.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\wininit.exe | "C:\Windows\SysWOW64\wininit.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.northcuttmediacompany.com | udp |
| US | 34.149.87.45:80 | www.northcuttmediacompany.com | tcp |
| US | 8.8.8.8:53 | www.onehourbookclub.com | udp |
| US | 3.33.130.190:80 | www.onehourbookclub.com | tcp |
| US | 8.8.8.8:53 | www.thesimplestudio.io | udp |
| US | 198.185.159.144:80 | www.thesimplestudio.io | tcp |
| US | 8.8.8.8:53 | www.chicprems.xyz | udp |
| DE | 91.195.240.19:80 | www.chicprems.xyz | tcp |
| US | 8.8.8.8:53 | www.shpoifypos.app | udp |
| US | 99.83.176.46:80 | www.shpoifypos.app | tcp |
Files
memory/1936-10-0x0000000000120000-0x0000000000124000-memory.dmp
memory/2512-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2512-12-0x0000000000720000-0x0000000000A23000-memory.dmp
memory/2512-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1404-15-0x0000000002940000-0x0000000002A40000-memory.dmp
memory/2512-16-0x0000000000360000-0x0000000000374000-memory.dmp
memory/1404-17-0x0000000007210000-0x000000000739E000-memory.dmp
memory/2616-18-0x00000000006F0000-0x000000000070A000-memory.dmp
memory/2616-19-0x00000000006F0000-0x000000000070A000-memory.dmp
memory/2616-20-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2616-21-0x0000000001FC0000-0x00000000022C3000-memory.dmp
memory/2616-22-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/2616-24-0x0000000000580000-0x0000000000613000-memory.dmp
memory/1404-26-0x0000000007210000-0x000000000739E000-memory.dmp
memory/1404-30-0x00000000074A0000-0x00000000075A7000-memory.dmp
memory/1404-31-0x00000000074A0000-0x00000000075A7000-memory.dmp
memory/1404-34-0x00000000074A0000-0x00000000075A7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-04 05:14
Reported
2024-04-04 05:16
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
159s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4620 set thread context of 4892 | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4892 set thread context of 3448 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 496 set thread context of 3448 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\Explorer.EXE |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe" |
| C:\Windows\SysWOW64\ipconfig.exe | "C:\Windows\SysWOW64\ipconfig.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.33.115.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.coalswap.com | udp |
| US | 76.76.21.61:80 | www.coalswap.com | tcp |
| US | 8.8.8.8:53 | 61.21.76.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dentalemergencybakersfield.com | udp |
| US | 66.235.200.22:80 | www.dentalemergencybakersfield.com | tcp |
| US | 8.8.8.8:53 | 22.200.235.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.itsmisshodges.com | udp |
| CA | 23.227.38.74:80 | www.itsmisshodges.com | tcp |
| US | 8.8.8.8:53 | 74.38.227.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.worxservicesllc.com | udp |
| US | 198.185.159.144:80 | www.worxservicesllc.com | tcp |
| US | 8.8.8.8:53 | 144.159.185.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.foroupskirt.com | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
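The Network tables of behavioral1 and behavioral2 mix three kinds of rows: DNS queries to 8.8.8.8:53, TCP connections to the resolved address on port 80, and reverse (PTR) lookups of the form `a.b.c.d.in-addr.arpa`. Only the TCP rows are contacts made by the sample; a PTR name is not a domain the sample visited, and a name that is resolved but never connected to (www.foroupskirt.com in behavioral2) should be recorded separately. Formbook is known to work through a list of domains of which most are decoys, so every contacted name is a candidate rather than a confirmed C2. The following script is an added example written for this page, not part of the report or of any sandbox tooling; the rows are copied from the behavioral2 table above, and treating the PTR lookups as guest/sandbox noise rather than sample activity is an assumption.

```python
from collections import OrderedDict

# Rows copied from the behavioral2 Network table: (country, destination, domain, proto).
NETWORK_ROWS = [
    ("US", "8.8.8.8:53", "0.204.248.87.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.coalswap.com", "udp"),
    ("US", "76.76.21.61:80", "www.coalswap.com", "tcp"),
    ("US", "8.8.8.8:53", "61.21.76.76.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "www.dentalemergencybakersfield.com", "udp"),
    ("US", "66.235.200.22:80", "www.dentalemergencybakersfield.com", "tcp"),
    ("US", "8.8.8.8:53", "www.itsmisshodges.com", "udp"),
    ("CA", "23.227.38.74:80", "www.itsmisshodges.com", "tcp"),
    ("US", "8.8.8.8:53", "www.worxservicesllc.com", "udp"),
    ("US", "198.185.159.144:80", "www.worxservicesllc.com", "tcp"),
    ("US", "8.8.8.8:53", "www.foroupskirt.com", "udp"),
    ("US", "8.8.8.8:53", "224.162.46.104.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name):
    """'61.21.76.76.in-addr.arpa' -> '76.76.21.61' (PTR names carry the octets reversed)."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not an IPv4 PTR name: {name!r}")
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"malformed PTR name: {name!r}")
    return ".".join(reversed(octets))


def split_dest(dest):
    """'76.76.21.61:80' -> ('76.76.21.61', 80)."""
    host, port = dest.rsplit(":", 1)
    return host, int(port)


def triage_network(rows, resolver="8.8.8.8", resolver_port=53):
    """Sort report rows into what the sample connected to, what it only resolved,
    and which addresses were merely reverse-looked-up.
    Returns (contacted {domain: [ip:port, ...]}, resolved_only [domain], ptr_ips [ip])."""
    contacted = OrderedDict()
    resolved, ptr_ips = [], []
    for _, dest, domain, proto in rows:
        host, port = split_dest(dest)
        if domain.endswith(PTR_SUFFIX):
            # Assumed to be guest/sandbox reverse lookups, not activity by the sample.
            ptr_ips.append(ptr_to_ip(domain))
        elif proto == "udp" and (host, port) == (resolver, resolver_port):
            resolved.append(domain)  # a DNS query, not a connection
        else:
            contacted.setdefault(domain, []).append(dest)
    resolved_only = sorted(set(resolved) - set(contacted))
    return contacted, resolved_only, ptr_ips


def ptr_noise_for_c2(contacted, ptr_ips):
    """Reverse lookups of addresses the sample did connect to: safe to drop from the IOC
    list because the forward name and address are already recorded under `contacted`."""
    c2_ips = {split_dest(d)[0] for dests in contacted.values() for d in dests}
    return sorted(ip for ip in ptr_ips if ip in c2_ips)


if __name__ == "__main__":
    contacted, resolved_only, ptr_ips = triage_network(NETWORK_ROWS)
    for domain, dests in contacted.items():
        print(f"candidate C2  {domain:40s} {', '.join(dests)}")
    for domain in resolved_only:
        print(f"resolved only {domain}")
    print("PTR lookups:", ptr_ips, "of which C2 addresses:", ptr_noise_for_c2(contacted, ptr_ips))
```

Running it lists four contacted domains with their IP:port, reports www.foroupskirt.com as resolved only, and shows that one of the three PTR lookups (76.76.21.61) is the address of www.coalswap.com, which is why PTR rows must not be exported as domains.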
Files
memory/4620-10-0x0000000000C40000-0x0000000000C44000-memory.dmp
memory/4892-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4892-12-0x0000000001800000-0x0000000001B4A000-memory.dmp
memory/4892-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4892-15-0x0000000000DE0000-0x0000000000DF4000-memory.dmp
memory/3448-16-0x0000000008630000-0x000000000877F000-memory.dmp
memory/496-17-0x0000000000AB0000-0x0000000000ABB000-memory.dmp
memory/496-18-0x0000000000AB0000-0x0000000000ABB000-memory.dmp
memory/496-19-0x0000000000FD0000-0x0000000000FFF000-memory.dmp
memory/496-20-0x00000000019B0000-0x0000000001CFA000-memory.dmp
memory/496-21-0x0000000000FD0000-0x0000000000FFF000-memory.dmp
memory/496-23-0x00000000017F0000-0x0000000001883000-memory.dmp
memory/3448-24-0x0000000008630000-0x000000000877F000-memory.dmp
memory/3448-26-0x0000000008780000-0x000000000889E000-memory.dmp
memory/3448-27-0x0000000008780000-0x000000000889E000-memory.dmp
memory/3448-31-0x0000000008780000-0x000000000889E000-memory.dmp
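In both runs the SetThreadContext rows form a chain: the dropper sets the context of a freshly started svchost.exe (which, in the Processes table, still carries the dropper's command line), and that svchost.exe then targets Explorer.EXE, as does a second SysWOW64 process (wininit.exe in behavioral1, ipconfig.exe in behavioral2). The Files list names memory regions as `pid-seq-start-end`; the svchost.exe region at 0x400000-0x42F000, the default 32-bit image base, is the 0x2F000-byte image that replaced the host's own, while the Explorer.EXE regions are code mapped into a process that was never hollowed. The script below, an added example and not part of the report or of any sandbox tooling, reconstructs that picture from the rows as they appear on the page; it uses the behavioral2 rows and works unchanged on behavioral1. That `seq` is a dump ordinal, and that a target's region at 0x400000 is the injected image, are assumptions.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral2 "Suspicious use of SetThreadContext" table:
# (description, process, target).
SET_THREAD_CONTEXT_ROWS = [
    ("PID 4620 set thread context of 4892",
     r"C:\Users\Admin\AppData\Local\Temp\General Specification -INVACO PVT.exe",
     r"C:\Windows\SysWOW64\svchost.exe"),
    ("PID 4892 set thread context of 3448",
     r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\Explorer.EXE"),
    ("PID 496 set thread context of 3448",
     r"C:\Windows\SysWOW64\ipconfig.exe", r"C:\Windows\Explorer.EXE"),
]

# A subset of the behavioral2 "Files" list; every name follows pid-seq-start-end.
DUMP_NAMES = [
    "memory/4620-10-0x0000000000C40000-0x0000000000C44000-memory.dmp",
    "memory/4892-11-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/4892-12-0x0000000001800000-0x0000000001B4A000-memory.dmp",
    "memory/3448-16-0x0000000008630000-0x000000000877F000-memory.dmp",
    "memory/496-19-0x0000000000FD0000-0x0000000000FFF000-memory.dmp",
    "memory/3448-26-0x0000000008780000-0x000000000889E000-memory.dmp",
]

CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_thread_context(rows):
    """Turn signature rows into (src_pid, dst_pid, src_image, dst_image) edges."""
    edges = []
    for desc, src_img, dst_img in rows:
        m = CTX_RE.fullmatch(desc)
        if m is None:
            raise ValueError(f"unrecognised row: {desc!r}")
        edges.append((int(m[1]), int(m[2]), src_img, dst_img))
    return edges


def parse_dump_name(name):
    """Split a dump filename into (pid, seq, start, end); seq as an ordinal is assumed."""
    m = DUMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def injection_chains(edges):
    """Walk SetThreadContext edges from every process that was never itself a target.
    Each chain is a list of (pid, image), e.g. dropper -> svchost.exe -> Explorer.EXE."""
    image, children = {}, defaultdict(list)
    for src, dst, src_img, dst_img in edges:
        image[src], image[dst] = src_img, dst_img
        children[src].append(dst)
    targets = {dst for _, dst, _, _ in edges}
    chains = []

    def walk(pid, path, seen):
        path = path + [(pid, image[pid])]
        nxt = [] if pid in seen else children.get(pid, [])  # cycle guard
        if not nxt:
            chains.append(path)
            return
        for child in nxt:
            walk(child, path, seen | {pid})

    for root in sorted(pid for pid in image if pid not in targets):
        walk(root, [], set())
    return chains


def hollowed_hosts(edges, dump_names, image_base=0x400000):
    """Heuristic: a SetThreadContext target with a dump at the default 32-bit image base
    is a hollowed host and that region is the payload image. Returns {pid: (host, size)}."""
    host = {dst: dst_img for _, dst, _, dst_img in edges}
    hits = {}
    for name in dump_names:
        pid, _, start, end = parse_dump_name(name)
        if pid in host and start == image_base:
            hits[pid] = (host[pid], end - start)
    return hits


def injected_regions(edges, dump_names, image_base=0x400000):
    """Remaining dumped regions inside injection targets: memory the injecting process
    most likely mapped or wrote rather than a replaced main image. {pid: [(start, end)]}"""
    targets = {dst for _, dst, _, _ in edges}
    regions = defaultdict(list)
    for name in dump_names:
        pid, _, start, end = parse_dump_name(name)
        if pid in targets and start != image_base:
            regions[pid].append((start, end))
    return dict(regions)


if __name__ == "__main__":
    edges = parse_thread_context(SET_THREAD_CONTEXT_ROWS)
    for chain in injection_chains(edges):
        print(" -> ".join(f"{pid} {img.rsplit(chr(92), 1)[-1]}" for pid, img in chain))
    print("hollowed:", hollowed_hosts(edges, DUMP_NAMES))
    print("injected:", {p: [f"0x{s:X}-0x{e:X}" for s, e in r]
                        for p, r in injected_regions(edges, DUMP_NAMES).items()})
```

The two chains it prints (496 ipconfig.exe -> 3448 Explorer.EXE, and 4620 dropper -> 4892 svchost.exe -> 3448 Explorer.EXE) match the behavioral2 rows; the hollowed-host check fires only for svchost.exe (PID 4892), and Explorer.EXE shows two injected regions with no image-base region, consistent with the UnmapMainImage hit being attributed to Explorer.EXE rather than to a replaced image in it.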