Analysis
-
max time kernel
149s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system -
submitted
18-07-2024 05:47
Static task
static1
Behavioral task
behavioral1
Sample
FedEx_ shipping documentations.exe
Resource
win7-20240708-en
General
-
Target
FedEx_ shipping documentations.exe
-
Size
691KB
-
MD5
47a2a7a19ce5697f30aec774d5b7f9b7
-
SHA1
dfa50083c7dd8caabdf1abf9a72cee128c32fe3c
-
SHA256
f8a6d38a7a548a8621059aaaa87265c7c8d164b0f8eac7f6c0f7e4ec201de4a2
-
SHA512
59c08155dce6e69a1d0abb43f0df5711f5dc40707f88e8dd12660092710f142d8b8a2fbf2c19b4f2deb7c637245914038f25bb586ce9e53b9ed6eb62fb072feb
-
SSDEEP
12288:baODWx2PQfDxCP5M90yYgo2HckARGXHn4tOBPb5np2Fna1u4HkR:bxawMDIGiIJ0GXHnaONnp8n2S
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: dk07
Domains (a Formbook config pads the live C2 with decoy domains, so treat the list as watch-list material rather than as confirmed C2s):
reclam.xyz
parchmentmediaadd.com
gaolibai.site
menage-exclusif.com
ceremoniesbyjade.com
5663876.com
take3.xyz
environmentaladvocacygroup.com
fp38z.rest
elektro-vlasic.com
bollybytestv.com
udfunsd.cloud
studiomiraiarq.com
e-commercebrasil.shop
sansiddhiedu.com
draaronroughan.net
24angel.com
rjh-equestrian.com
22db3rgdg6a73pea7.vip
mintygreen-wellnessportal.com
dewakipas88.art
fauteam.top
elyridia.com
msmotorsjp.com
arm-uk.com
wukunstudio.com
96503862.com
ygsj009.xyz
tbstli119w.top
correctionia.com
howdowear.com
760sun.com
1win-yyy-official7.xyz
colmeiaofertasloja.com
megadealsonline.shop
mumuvpn.life
vialglass.website
charliebearventures.com
lynxpire.com
labnicear.shop
thrillhouse.fail
biamane.com
celestialcharts.network
bt365231.com
247866.top
dungcamvu.com
floraperfumaria.com
connectedword.site
pamanwin.com
jbovietnam.vin
tanomi.dev
globalsupdate.xyz
santandecentral.com
xewaov.xyz
384058.com
kindya.xyz
pan-ason19.com
getpurvivee.online
17tk555j.com
fullmoondating.com
mu-vietco.com
cohailpros.com
8uh85t.xyz
slotcuan88login.com
nonewaveneb.live
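One way to put the extracted list to use, as an added example that is not part of the sandbox report: match resolver logs against it. Formbook beacons to decoy domains as well as to its live C2, so a single hit is a weak signal; the example therefore also counts how many listed domains each client touched. The log lines and their "timestamp client qname" layout are constructed for illustration, and only a subset of the domains above is embedded.

```python
"""
Added example, not part of the sandbox report: match DNS query logs against the
Formbook domain list extracted above. The log lines and their "timestamp client
qname" layout are constructed for illustration; the domains are from the config.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# A subset of the extracted domains; load the full list from the config in practice.
FORMBOOK_DOMAINS: Set[str] = {
    "reclam.xyz", "parchmentmediaadd.com", "gaolibai.site", "menage-exclusif.com",
    "take3.xyz", "elektro-vlasic.com", "udfunsd.cloud", "22db3rgdg6a73pea7.vip",
    "slotcuan88login.com", "nonewaveneb.live",
}

# Constructed log lines (hypothetical resolver format: timestamp, client IP, query name).
SAMPLE_DNS_LOG = """\
2024-07-18T05:48:01Z 10.0.0.21 www.reclam.xyz
2024-07-18T05:48:01Z 10.0.0.21 notreclam.xyz
2024-07-18T05:48:02Z 10.0.0.21 www.take3.xyz.cdn.example.net
2024-07-18T05:48:02Z 10.0.0.21 udfunsd.cloud
2024-07-18T05:48:03Z 10.0.0.21 www.microsoft.com
2024-07-18T05:48:03Z 10.0.0.21 WWW.NONEWAVENEB.LIVE.
"""


def match_domain(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IoC that qname equals or is a subdomain of, else None.

    Case and a trailing dot are normalised, and matching walks label boundaries,
    so 'notreclam.xyz' does not match 'reclam.xyz' and
    'www.take3.xyz.cdn.example.net' does not match 'take3.xyz'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for every query that hits the list."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ioc = match_domain(parts[2], iocs)
        if ioc is not None:
            hits.append((parts[0], parts[1], ioc))
    return hits


def clients_by_hit_count(hits: List[Tuple[str, str, str]]) -> Dict[str, int]:
    """Distinct listed domains per client. Formbook beacons to decoys as well as
    to the live C2, so one client touching several listed domains in a short
    window is the signal worth escalating; a lone hit is weak."""
    seen: Dict[str, Set[str]] = {}
    for _, client, ioc in hits:
        seen.setdefault(client, set()).add(ioc)
    return {client: len(domains) for client, domains in seen.items()}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG.splitlines(), FORMBOOK_DOMAINS)
    for ts, client, ioc in found:
        print(ts, client, "->", ioc)
    print(clients_by_hit_count(found))
```

Label-boundary matching is the point of `match_domain`: a plain substring or `endswith` check on the query name would both miss nothing and false-positive on look-alike registrations such as `notreclam.xyz`.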
Signatures
-
Formbook payload 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral1/memory/2124-23-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral1/memory/1780-28-0x0000000000100000-0x000000000012F000-memory.dmp  formbook
Both matched regions are 0x2F000 bytes, consistent with the same unpacked payload mapped once in the hollowed child of the sample (PID 2124) and again in raserver.exe (PID 1780).
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. The signature matches the command line; it does not confirm that the exclusion took effect (Add-MpPreference needs an elevated session and the Defender PowerShell module, which Windows 7 does not ship with).
Processes:
pid   process
2660  powershell.exe
2116  powershell.exe
-
Deletes itself 1 IoCs
Processes:
pid   process
3004  cmd.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process                              target process
PID 2172 set thread context of 2124  2172  FedEx_ shipping documentations.exe   FedEx_ shipping documentations.exe
PID 2124 set thread context of 1316  2124  FedEx_ shipping documentations.exe   Explorer.EXE
PID 1780 set thread context of 1316  1780  raserver.exe                         Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes (31 events, collapsed by process):
pid   process                              events
2124  FedEx_ shipping documentations.exe   2
2116  powershell.exe                       1
2660  powershell.exe                       1
1780  raserver.exe                         27
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (5 events, collapsed by process):
pid   process                              events
2124  FedEx_ shipping documentations.exe   3
1780  raserver.exe                         2
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2124  FedEx_ shipping documentations.exe
Token: SeDebugPrivilege  2116  powershell.exe
Token: SeDebugPrivilege  2660  powershell.exe
Token: SeDebugPrivilege  1780  raserver.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes (27 events, collapsed by source/target pair):
description                       pid   process                              target process                       events
PID 2172 wrote to memory of 2660  2172  FedEx_ shipping documentations.exe   powershell.exe                       4
PID 2172 wrote to memory of 2116  2172  FedEx_ shipping documentations.exe   powershell.exe                       4
PID 2172 wrote to memory of 2768  2172  FedEx_ shipping documentations.exe   schtasks.exe                         4
PID 2172 wrote to memory of 2124  2172  FedEx_ shipping documentations.exe   FedEx_ shipping documentations.exe   7
PID 1316 wrote to memory of 1780  1316  Explorer.EXE                         raserver.exe                         4
PID 1780 wrote to memory of 3004  1780  raserver.exe                         cmd.exe                              4
Processes
-
Tree depth is given by the leading number (1 = root). Each entry lists the image path, the command line, the signatures that fired on the process, and its PID.
1  C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory
   PID: 1316
   2  C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2172
      3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2660
      3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDvhFxac.exe"
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         PID: 2116
      3  C:\Windows\SysWOW64\schtasks.exe
         Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDvhFxac" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3237.tmp"
         - Scheduled Task/Job: Scheduled Task
         PID: 2768
      3  C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         PID: 2124
   2  C:\Windows\SysWOW64\raserver.exe
      Command line: "C:\Windows\SysWOW64\raserver.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1780
      3  C:\Windows\SysWOW64\cmd.exe
         Command line: /c del "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
         - Deletes itself
         PID: 3004
Note: the powershell.exe and schtasks.exe children resolve to images under SysWOW64 although their command lines name System32; the 32-bit sample's launches are subject to WOW64 file-system redirection.
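The tree above is the classic Formbook chain: the sample hollows a child of itself, that child sets the thread context of Explorer.EXE, and the injected Explorer launches a Windows binary from Formbook's built-in list (raserver.exe here), which receives the final stage and cleans up the original file. Meanwhile the first stage whitelists both the sample and a staged copy under %APPDATA% in Defender and registers a scheduled task of the same name (the report does not show the copy being dropped). As an added example that is not part of the sandbox report, the following Python triages a process tree like this one from process-creation events plus the SetThreadContext pairs. The events are constructed from the PIDs, image paths and command lines listed above; the ProcEvent layout, rule names and the persistence-link check are this example's own.

```python
"""
Added example, not part of the sandbox report: rule-based triage of a process
tree like the one above. The events are constructed from the PIDs, image paths
and command lines this report lists; the ProcEvent layout and the rule names
are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_PREFIX = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Process-creation events reconstructed from the tree in this report.
EVENTS: List[ProcEvent] = [
    ProcEvent(1316, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(2172, 1316, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2660, 2172, PS_IMAGE, PS_PREFIX + f'"{SAMPLE}"'),
    ProcEvent(2116, 2172, PS_IMAGE, PS_PREFIX + r'"C:\Users\Admin\AppData\Roaming\NDvhFxac.exe"'),
    ProcEvent(2768, 2172, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDvhFxac" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3237.tmp"'),
    ProcEvent(2124, 2172, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1780, 1316, r"C:\Windows\SysWOW64\raserver.exe", r'"C:\Windows\SysWOW64\raserver.exe"'),
    ProcEvent(3004, 1780, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
]

# (source pid, target pid) pairs from the "Suspicious use of SetThreadContext" signature.
SET_THREAD_CONTEXT: List[Tuple[int, int]] = [(2172, 2124), (2124, 1316), (1780, 1316)]

QUOTED = re.compile(r'"([^"]+)"')
TEMP_DIR = "\\appdata\\local\\temp\\"


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: List[ProcEvent], stc: List[Tuple[int, int]]) -> List[tuple]:
    """Return (rule, pid, detail) findings for the process tree."""
    by_pid = {e.pid: e for e in events}
    findings: List[tuple] = []
    for e in events:
        name, cmd = basename(e.image), e.cmdline.lower()
        if name == "powershell.exe" and "add-mppreference" in cmd and "-exclusion" in cmd:
            # First quoted token is the interpreter path itself; the rest are excluded paths.
            findings.append(("defender_exclusion", e.pid, QUOTED.findall(e.cmdline)[1:]))
        elif name == "schtasks.exe" and "/create" in cmd:
            task = re.search(r'/TN\s+"([^"]+)"', e.cmdline, re.I)
            xml = re.search(r'/XML\s+"([^"]+)"', e.cmdline, re.I)
            if xml and TEMP_DIR in xml.group(1).lower():
                findings.append(("schtask_from_temp_xml", e.pid, task.group(1) if task else "?"))
        elif name == "cmd.exe" and re.search(r"/c\s+del\b", cmd):
            for target in QUOTED.findall(e.cmdline):
                owners = [x.pid for x in events if x.image.lower() == target.lower()]
                if owners:  # deleting the image of a process in this very tree
                    findings.append(("self_delete", e.pid, owners))
    for src, dst in stc:
        s, d = by_pid[src], by_pid[dst]
        if s.image.lower() == d.image.lower() and d.ppid == src:
            findings.append(("hollow_own_child", src, dst))  # self-hollowing of a fresh child
        else:
            findings.append(("cross_process_injection", src, basename(d.image)))
    return findings


def persistence_link(findings: List[tuple]) -> List[str]:
    """Names shared by a scheduled task and a Defender-excluded file: the staged
    copy the task will launch is being whitelisted ahead of its drop."""
    tasks = {f[2].rsplit("\\", 1)[-1].lower() for f in findings if f[0] == "schtask_from_temp_xml"}
    excluded = {basename(p).rsplit(".", 1)[0] for f in findings if f[0] == "defender_exclusion" for p in f[2]}
    return sorted(tasks & excluded)


if __name__ == "__main__":
    found = triage(EVENTS, SET_THREAD_CONTEXT)
    for f in found:
        print(f)
    print("task/exclusion link:", persistence_link(found))
```

The `self_delete` rule deliberately compares the `del` target against image paths seen elsewhere in the same tree rather than against the parent alone, because here the deletion is issued two hops away (raserver.exe, not the sample) and a parent-only check would miss it.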
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize 1KB
MD5 f05b4dfbbf1af8ccde5ee17b7f2162cb
SHA1 eb84b8ddc12e6eda582822ea07c23117920e8be9
SHA256 840d1dc3b170c845021582edc7ba2f296bf22dafe66dcec63542d8a4536fc1f1
SHA512 81472af2c0eb02974e006c47a7f37f9b9c76f5774eefe610f9fa5c43aeba4ec633360fe9bc5044516a82e8912655f7ecf1a613a64a28b6c4c366334dcad79cc0
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KTIO61VWD7NDHUXIJMOR.temp
Filesize 7KB
MD5 1cd2ac4766473fadf4660097a1b6b746
SHA1 430125dcfccecc61fc7c0a16013983ab9f77b15b
SHA256 8fdd2a0932b1084f71526e9cc77a417bb47eda41fa11cd4235a246f845eab262
SHA512 e6fe2740f21871e1fe430eb9e685707066a9129c5861e8ac8da1c888d391d5119d85649a9f86810d508f6418045778e5447d5f13a2b8c6a091d81155735276dc