Analysis
Max time kernel: 148s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240708-en
Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
Submitted: 14-07-2024 08:09
Static task: static1
Behavioral task: behavioral1
Sample: FedEx Invoice_7447707012.exe
Resource: win7-20240708-en
General
Target: FedEx Invoice_7447707012.exe
Size: 1.1MB
MD5: e8b684a181e745c7e80acaa0dfa96193
SHA1: cf5c3059ac345cb5fd3d943e3a5a27642ad2da0f
SHA256: 412f36cadb0568c43f0738c6a832f9096fa5692c8271b1e322b570152084dc31
SHA512: 69f505d8bcc98a657b847ebc7a30e33c2f80394cc92dc7dca2fc2af7566678f4929324ffa73d5fc42a7bd8e17940ebcf108b6b75eca10cb3e196b104c8fdcc2c
SSDEEP: 24576:ypwQaLmSnf3XrxwPr/Od/wLq7Mm9OCH8MIRi4Kq2:ypimentiWd7PX4R2
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: dk07
Signatures

Formbook payload (2 IoCs)
Memory dumps matching the formbook YARA rule:
  behavioral1/memory/2572-24-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral1/memory/2544-28-0x00000000000D0000-0x00000000000FF000-memory.dmp  formbook

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  PID 2176  powershell.exe
  PID 2980  powershell.exe

Deletes itself (1 IoC)
Processes:
  PID 568  cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
Processes (source -> target):
  PID 1984  FedEx Invoice_7447707012.exe  set thread context of  PID 2572  FedEx Invoice_7447707012.exe
  PID 2572  FedEx Invoice_7447707012.exe  set thread context of  PID 1220  Explorer.EXE
  PID 2544  mstsc.exe                     set thread context of  PID 1220  Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (31 IoCs)
Processes:
  PID 2572  FedEx Invoice_7447707012.exe  (2 hits)
  PID 2980  powershell.exe
  PID 2176  powershell.exe
  PID 2544  mstsc.exe  (27 hits)

Suspicious behavior: MapViewOfSection (5 IoCs)
Processes:
  PID 2572  FedEx Invoice_7447707012.exe  (3 hits)
  PID 2544  mstsc.exe  (2 hits)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
  PID 2572  FedEx Invoice_7447707012.exe  Token: SeDebugPrivilege
  PID 2980  powershell.exe                Token: SeDebugPrivilege
  PID 2176  powershell.exe                Token: SeDebugPrivilege
  PID 2544  mstsc.exe                     Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (27 IoCs)
Processes (source -> target):
  PID 1984  FedEx Invoice_7447707012.exe  wrote to memory of  PID 2176  powershell.exe                 (4 hits)
  PID 1984  FedEx Invoice_7447707012.exe  wrote to memory of  PID 2980  powershell.exe                 (4 hits)
  PID 1984  FedEx Invoice_7447707012.exe  wrote to memory of  PID 2848  schtasks.exe                   (4 hits)
  PID 1984  FedEx Invoice_7447707012.exe  wrote to memory of  PID 2572  FedEx Invoice_7447707012.exe   (7 hits)
  PID 1220  Explorer.EXE                  wrote to memory of  PID 2544  mstsc.exe                      (4 hits)
  PID 2544  mstsc.exe                     wrote to memory of  PID 568   cmd.exe                        (4 hits)
Processes

C:\Windows\Explorer.EXE  (PID 1220)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe  (PID 1984)
    command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2176)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2980)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe  (PID 2848)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EF6.tmp"
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe  (PID 2572)
      command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\mstsc.exe  (PID 2544)
    command line: "C:\Windows\SysWOW64\mstsc.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe  (PID 568)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1 (path not recorded)
Filesize: 1KB
MD5: 2108242f0829132d655d828721f3001a
SHA1: 31176384fa8f58648319ba10725a5a19069bd4ce
SHA256: 5c2795c3c352ffb5c16fd3e613a480e885fcc07baec2b5a864e1aeca93a5b035
SHA512: 20c7367bdabbd70a6cbb0c001f39a504bc563f97600ce0e8662ae06bfc85d13dd1b41bca3f61ae9ea0b16447c85c758e52443468f395fc61cc3ba5b54ab4baf7

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 49f4710688dd0368cea232b908716af7
SHA1: 96fe9763398af27c4d55cb0760dcd095bdb3ba1c
SHA256: eb4b25493d0cc8abb7f4cba445e07421d06b137f7720823f75407991d1d033ea
SHA512: 34c1bc00560cfe9b8b5e5328a843afb416afab25f1df5cac7332d0310204cecf2d14cab4d7922fb19669a5fa9372331c62b66a320f93f6d5bdfa7e3c9139352a