Analysis Overview
SHA256
412f36cadb0568c43f0738c6a832f9096fa5692c8271b1e322b570152084dc31
Threat Level: Known bad
The file FedEx Invoice_7447707012.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Deletes itself
Suspicious use of SetThreadContext
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-14 08:09
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-14 08:09
Reported
2024-07-14 08:12
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2292 set thread context of 5084 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe |
| PID 5084 set thread context of 3544 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\Explorer.EXE |
| PID 4808 set thread context of 3544 | N/A | C:\Windows\SysWOW64\mstsc.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\mstsc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA8F2.tmp"
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.fullmoondating.com | udp |
| US | 67.205.29.177:80 | www.fullmoondating.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.fullmoondating.com | udp |
| US | 67.205.29.177:80 | www.fullmoondating.com | tcp |
| US | 8.8.8.8:53 | www.reclam.xyz | udp |
| DE | 3.64.163.50:80 | www.reclam.xyz | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.reclam.xyz | udp |
| US | 8.8.8.8:53 | www.getpurvivee.online | udp |
| DE | 3.64.163.50:80 | www.reclam.xyz | tcp |
| BR | 195.35.41.191:80 | www.getpurvivee.online | tcp |
| US | 8.8.8.8:53 | www.draaronroughan.net | udp |
| US | 198.185.159.145:80 | www.draaronroughan.net | tcp |
| US | 8.8.8.8:53 | 145.159.185.198.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpA8F2.tmp
| MD5 | 6d23905af857995ce44dea7da3c18456 |
| SHA1 | 85cd15018de80e629b0730764b6bea90f0b4c580 |
| SHA256 | aa3759e99fe4e206db283031a5b917fe7b84ab6aec7e83549565faac0135b704 |
| SHA512 | a85c71044b1a4b863c30ded7212947f59a301b2125b62b3b0a6c38b4e66871834a14dac2e005536135f183511c432e5167ffab113d57dd12c325235fa75f673f |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yotsme23.bnl.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | de7efc356c96e5e27774b9166b73f588 |
| SHA1 | c8fd11bc830bd0679ce7f1622d54c1dde1bd181b |
| SHA256 | 24a11a0ad433ee778cd67b1744fd5146e5ee31c92e4a4b50d9c3081d29be715a |
| SHA512 | c9d784cc2be273c4dbc3a8a0ac06209c504cd8992b97c548ebc6f89a7d988ef241b1ea29fb9f5e5cdf869ea2879af79021f87906afdc4db5fe165e46b64a0875 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-14 08:09
Reported
2024-07-14 08:12
Platform
win7-20240704-en
Max time kernel
149s
Max time network
19s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 828 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe |
| PID 3048 set thread context of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | C:\Windows\Explorer.EXE |
| PID 2532 set thread context of 1252 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uGpLwm.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uGpLwm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp"
C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe
"C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\FedEx Invoice_7447707012.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp2462.tmp
| MD5 | 8080a9bd7c6bca4e9fffc820338f99d9 |
| SHA1 | 7725a69b2f509f1a97138d77ef6dac4100faf7ac |
| SHA256 | fd1406ecfa13544e82ffb61987747f6fed8f0715df925b5086b0df8b1c061437 |
| SHA512 | c0735da3be1c84e9e286c4b17b261dab80b50d29edd0986572350e0eca7e47a24765ac26b50326b499bb06ac8eb0f89add294a6c216d2b11962956b662230a6f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 9ef02dd9863536dc4a4f0b3f89294d6d |
| SHA1 | b06fb3d309b6f27017cfa935ac09aefcf8c5d7ca |
| SHA256 | 914743f09ae4f4517616edbafca2fa78bb08659b590abef57bb376423115c677 |
| SHA512 | cf524d72d8dbd2067baf063b1e7d967b495071ac49793401e37b571d52f9e646672428df97619dbfdbc8b6261d5d34c5a4a5afe3b66cf669b8525fc6ee5f9081 |