Malware Analysis Report

2024-10-19 09:27

Sample ID: 240714-j2lbasvfjg
Target: FedEx Invoice_7447707012.exe
SHA256: 412f36cadb0568c43f0738c6a832f9096fa5692c8271b1e322b570152084dc31
Tags: formbook dk07 execution rat spyware stealer trojan
Score: 10/10


Analysis Overview

Threat Level: Known bad

The file FedEx Invoice_7447707012.exe was found to be: Known bad.

Malicious Activity Summary

Formbook
Formbook payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Deletes itself
Suspicious use of SetThreadContext
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported: 2024-07-14 08:09

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-14 08:09
Reported: 2024-07-14 08:12
Platform: win10v2004-20240709-en
Max time kernel: 149s
Max time network: 140s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2292 set thread context of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
PID 5084 set thread context of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\Explorer.EXE
PID 4808 set thread context of 3544 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A | 4
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A | 54

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A | 1
Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 6
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A | 6

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\Explorer.EXE | N/A | 2

Suspicious use of UnmapMainImage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2292 wrote to memory of 728 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2292 wrote to memory of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 3
PID 2292 wrote to memory of 2856 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 2292 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | 6
PID 3544 wrote to memory of 4808 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\mstsc.exe | 3
PID 4808 wrote to memory of 3764 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\SysWOW64\cmd.exe | 3

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8F2.tmp"
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\mstsc.exe | "C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | www.fullmoondating.com | udp
US | 67.205.29.177:80 | www.fullmoondating.com | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | www.fullmoondating.com | udp
US | 67.205.29.177:80 | www.fullmoondating.com | tcp
US | 8.8.8.8:53 | www.reclam.xyz | udp
DE | 3.64.163.50:80 | www.reclam.xyz | tcp
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.reclam.xyz | udp
US | 8.8.8.8:53 | www.getpurvivee.online | udp
DE | 3.64.163.50:80 | www.reclam.xyz | tcp
BR | 195.35.41.191:80 | www.getpurvivee.online | tcp
US | 8.8.8.8:53 | www.draaronroughan.net | udp
US | 198.185.159.145:80 | www.draaronroughan.net | tcp
US | 8.8.8.8:53 | 145.159.185.198.in-addr.arpa | udp

Files

memory/2292-0-0x000000007497E000-0x000000007497F000-memory.dmp

memory/2292-1-0x0000000000330000-0x000000000045A000-memory.dmp

memory/2292-2-0x0000000005360000-0x0000000005904000-memory.dmp

memory/2292-3-0x0000000004E50000-0x0000000004EE2000-memory.dmp

memory/2292-4-0x00000000048B0000-0x00000000048BA000-memory.dmp

memory/2292-5-0x0000000074970000-0x0000000075120000-memory.dmp

memory/2292-6-0x00000000089F0000-0x0000000008A7A000-memory.dmp

memory/2292-7-0x00000000052D0000-0x00000000052E0000-memory.dmp

memory/2292-8-0x0000000005300000-0x000000000530E000-memory.dmp

memory/2292-9-0x0000000008720000-0x0000000008796000-memory.dmp

memory/2292-10-0x00000000069B0000-0x0000000006A4C000-memory.dmp

memory/728-15-0x0000000002810000-0x0000000002846000-memory.dmp

memory/728-16-0x0000000005440000-0x0000000005A68000-memory.dmp

memory/728-17-0x0000000074970000-0x0000000075120000-memory.dmp

memory/728-18-0x0000000074970000-0x0000000075120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA8F2.tmp

MD5 6d23905af857995ce44dea7da3c18456
SHA1 85cd15018de80e629b0730764b6bea90f0b4c580
SHA256 aa3759e99fe4e206db283031a5b917fe7b84ab6aec7e83549565faac0135b704
SHA512 a85c71044b1a4b863c30ded7212947f59a301b2125b62b3b0a6c38b4e66871834a14dac2e005536135f183511c432e5167ffab113d57dd12c325235fa75f673f

memory/2216-20-0x0000000004D70000-0x0000000004D92000-memory.dmp

memory/728-22-0x0000000005AF0000-0x0000000005B56000-memory.dmp

memory/728-23-0x0000000074970000-0x0000000075120000-memory.dmp

memory/728-24-0x0000000005B60000-0x0000000005EB4000-memory.dmp

memory/5084-25-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2216-27-0x0000000074970000-0x0000000075120000-memory.dmp

memory/2216-21-0x0000000005590000-0x00000000055F6000-memory.dmp

memory/2216-29-0x0000000074970000-0x0000000075120000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yotsme23.bnl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2292-28-0x0000000074970000-0x0000000075120000-memory.dmp

memory/728-49-0x0000000006140000-0x000000000615E000-memory.dmp

memory/728-50-0x0000000006160000-0x00000000061AC000-memory.dmp

memory/2216-53-0x0000000075200000-0x000000007524C000-memory.dmp

memory/728-52-0x0000000075200000-0x000000007524C000-memory.dmp

memory/728-51-0x0000000006700000-0x0000000006732000-memory.dmp

memory/2216-72-0x0000000006DB0000-0x0000000006DCE000-memory.dmp

memory/2216-73-0x0000000006E30000-0x0000000006ED3000-memory.dmp

memory/728-75-0x0000000007460000-0x000000000747A000-memory.dmp

memory/2216-74-0x00000000077A0000-0x0000000007E1A000-memory.dmp

memory/2216-76-0x00000000071D0000-0x00000000071DA000-memory.dmp

memory/2216-77-0x00000000073E0000-0x0000000007476000-memory.dmp

memory/728-78-0x0000000007660000-0x0000000007671000-memory.dmp

memory/2216-79-0x0000000007390000-0x000000000739E000-memory.dmp

memory/728-80-0x00000000076A0000-0x00000000076B4000-memory.dmp

memory/2216-81-0x00000000074A0000-0x00000000074BA000-memory.dmp

memory/2216-82-0x0000000007480000-0x0000000007488000-memory.dmp

memory/4808-83-0x00000000005D0000-0x000000000070A000-memory.dmp

memory/4808-84-0x00000000005D0000-0x000000000070A000-memory.dmp

memory/2216-90-0x0000000074970000-0x0000000075120000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 de7efc356c96e5e27774b9166b73f588
SHA1 c8fd11bc830bd0679ce7f1622d54c1dde1bd181b
SHA256 24a11a0ad433ee778cd67b1744fd5146e5ee31c92e4a4b50d9c3081d29be715a
SHA512 c9d784cc2be273c4dbc3a8a0ac06209c504cd8992b97c548ebc6f89a7d988ef241b1ea29fb9f5e5cdf869ea2879af79021f87906afdc4db5fe165e46b64a0875

memory/728-91-0x0000000074970000-0x0000000075120000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4808-92-0x0000000000B80000-0x0000000000BAF000-memory.dmp

memory/3544-96-0x0000000008A00000-0x0000000008B69000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-14 08:09
Reported: 2024-07-14 08:12
Platform: win7-20240704-en
Max time kernel: 149s
Max time network: 19s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 2

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 828 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
PID 3048 set thread context of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\Explorer.EXE
PID 2532 set thread context of 1252 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A | 26

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A | 1
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A | 1

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 828 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 828 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 828 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 828 wrote to memory of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | 7
PID 1252 wrote to memory of 2532 | N/A | C:\Windows\Explorer.EXE | C:\Windows\SysWOW64\svchost.exe | 4
PID 2532 wrote to memory of 2488 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\cmd.exe | 4

Processes

Process | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp"
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\svchost.exe | "C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"

Network

N/A

Files

memory/828-0-0x000000007485E000-0x000000007485F000-memory.dmp

memory/828-1-0x0000000000E40000-0x0000000000F6A000-memory.dmp

memory/828-2-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/828-3-0x0000000000A90000-0x0000000000B1A000-memory.dmp

memory/828-4-0x00000000004F0000-0x0000000000500000-memory.dmp

memory/828-5-0x00000000007C0000-0x00000000007CE000-memory.dmp

memory/828-6-0x0000000000BB0000-0x0000000000C26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp

MD5 8080a9bd7c6bca4e9fffc820338f99d9
SHA1 7725a69b2f509f1a97138d77ef6dac4100faf7ac
SHA256 fd1406ecfa13544e82ffb61987747f6fed8f0715df925b5086b0df8b1c061437
SHA512 c0735da3be1c84e9e286c4b17b261dab80b50d29edd0986572350e0eca7e47a24765ac26b50326b499bb06ac8eb0f89add294a6c216d2b11962956b662230a6f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 9ef02dd9863536dc4a4f0b3f89294d6d
SHA1 b06fb3d309b6f27017cfa935ac09aefcf8c5d7ca
SHA256 914743f09ae4f4517616edbafca2fa78bb08659b590abef57bb376423115c677
SHA512 cf524d72d8dbd2067baf063b1e7d967b495071ac49793401e37b571d52f9e646672428df97619dbfdbc8b6261d5d34c5a4a5afe3b66cf669b8525fc6ee5f9081

memory/3048-20-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3048-24-0x0000000000400000-0x000000000042F000-memory.dmp

memory/3048-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3048-21-0x0000000000400000-0x000000000042F000-memory.dmp

memory/828-25-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/1252-27-0x0000000003B60000-0x0000000003D60000-memory.dmp

memory/2532-28-0x00000000005F0000-0x00000000005F8000-memory.dmp

memory/2532-29-0x00000000000D0000-0x00000000000FF000-memory.dmp