Analysis

max time kernel: 149s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 14-07-2024 08:09

Tasks:
Static task: static1
Behavioral task: behavioral1
  Sample: FedEx Invoice_7447707012.exe
  Resource: win7-20240704-en
General

Target: FedEx Invoice_7447707012.exe
Size: 1.1MB
MD5: e8b684a181e745c7e80acaa0dfa96193
SHA1: cf5c3059ac345cb5fd3d943e3a5a27642ad2da0f
SHA256: 412f36cadb0568c43f0738c6a832f9096fa5692c8271b1e322b570152084dc31
SHA512: 69f505d8bcc98a657b847ebc7a30e33c2f80394cc92dc7dca2fc2af7566678f4929324ffa73d5fc42a7bd8e17940ebcf108b6b75eca10cb3e196b104c8fdcc2c
SSDEEP: 24576:ypwQaLmSnf3XrxwPr/Od/wLq7Mm9OCH8MIRi4Kq2:ypimentiWd7PX4R2
Malware Config (extracted)

Family: formbook
Version: 4.1
Campaign: dk07
Signatures

Formbook payload (2 IoCs)
  resource | yara_rule
  behavioral1/memory/3048-24-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral1/memory/2532-29-0x00000000000D0000-0x00000000000FF000-memory.dmp | formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | process
  2892 | powershell.exe
  2640 | powershell.exe

Deletes itself (1 IoCs)
  pid | process
  2488 | cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description | pid | process | target process
  PID 828 set thread context of 3048 | 828 | FedEx Invoice_7447707012.exe | FedEx Invoice_7447707012.exe
  PID 3048 set thread context of 1252 | 3048 | FedEx Invoice_7447707012.exe | Explorer.EXE
  PID 2532 set thread context of 1252 | 2532 | svchost.exe | Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (30 IoCs)
  pid | process | occurrences
  3048 | FedEx Invoice_7447707012.exe | 2
  2892 | powershell.exe | 1
  2640 | powershell.exe | 1
  2532 | svchost.exe | 26

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid | process | occurrences
  3048 | FedEx Invoice_7447707012.exe | 3
  2532 | svchost.exe | 2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3048 | FedEx Invoice_7447707012.exe
  Token: SeDebugPrivilege | 2892 | powershell.exe
  Token: SeDebugPrivilege | 2640 | powershell.exe
  Token: SeDebugPrivilege | 2532 | svchost.exe

Suspicious use of WriteProcessMemory (27 IoCs)
  description | pid | process | target process | occurrences
  PID 828 wrote to memory of 2892 | 828 | FedEx Invoice_7447707012.exe | powershell.exe | 4
  PID 828 wrote to memory of 2640 | 828 | FedEx Invoice_7447707012.exe | powershell.exe | 4
  PID 828 wrote to memory of 2796 | 828 | FedEx Invoice_7447707012.exe | schtasks.exe | 4
  PID 828 wrote to memory of 3048 | 828 | FedEx Invoice_7447707012.exe | FedEx Invoice_7447707012.exe | 7
  PID 1252 wrote to memory of 2532 | 1252 | Explorer.EXE | svchost.exe | 4
  PID 2532 wrote to memory of 2488 | 2532 | svchost.exe | cmd.exe | 4
Processes

C:\Windows\Explorer.EXE (PID 1252)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe (PID 828)
    command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2892)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2640)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 2796)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp"
      - Scheduled Task/Job: Scheduled Task

    C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe (PID 3048)
      command line: "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\svchost.exe (PID 2532)
    command line: "C:\Windows\SysWOW64\svchost.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2488)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
      - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: 8080a9bd7c6bca4e9fffc820338f99d9
SHA1: 7725a69b2f509f1a97138d77ef6dac4100faf7ac
SHA256: fd1406ecfa13544e82ffb61987747f6fed8f0715df925b5086b0df8b1c061437
SHA512: c0735da3be1c84e9e286c4b17b261dab80b50d29edd0986572350e0eca7e47a24765ac26b50326b499bb06ac8eb0f89add294a6c216d2b11962956b662230a6f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 9ef02dd9863536dc4a4f0b3f89294d6d
SHA1: b06fb3d309b6f27017cfa935ac09aefcf8c5d7ca
SHA256: 914743f09ae4f4517616edbafca2fa78bb08659b590abef57bb376423115c677
SHA512: cf524d72d8dbd2067baf063b1e7d967b495071ac49793401e37b571d52f9e646672428df97619dbfdbc8b6261d5d34c5a4a5afe3b66cf669b8525fc6ee5f9081