Analysis
- max time kernel: 148s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 18-07-2024 05:46
Static task: static1
Behavioral task: behavioral1
Sample: FedEx_ shipping documentations.exe
Resource: win7-20240704-en
General
- Target: FedEx_ shipping documentations.exe
- Size: 691KB
- MD5: 47a2a7a19ce5697f30aec774d5b7f9b7
- SHA1: dfa50083c7dd8caabdf1abf9a72cee128c32fe3c
- SHA256: f8a6d38a7a548a8621059aaaa87265c7c8d164b0f8eac7f6c0f7e4ec201de4a2
- SHA512: 59c08155dce6e69a1d0abb43f0df5711f5dc40707f88e8dd12660092710f142d8b8a2fbf2c19b4f2deb7c637245914038f25bb586ce9e53b9ed6eb62fb072feb
- SSDEEP: 12288:baODWx2PQfDxCP5M90yYgo2HckARGXHn4tOBPb5np2Fna1u4HkR:bxawMDIGiIJ0GXHnaONnp8n2S
Malware Config
Extracted
formbook
4.1
dk07
reclam.xyz
parchmentmediaadd.com
gaolibai.site
menage-exclusif.com
ceremoniesbyjade.com
5663876.com
take3.xyz
environmentaladvocacygroup.com
fp38z.rest
elektro-vlasic.com
bollybytestv.com
udfunsd.cloud
studiomiraiarq.com
e-commercebrasil.shop
sansiddhiedu.com
draaronroughan.net
24angel.com
rjh-equestrian.com
22db3rgdg6a73pea7.vip
mintygreen-wellnessportal.com
dewakipas88.art
fauteam.top
elyridia.com
msmotorsjp.com
arm-uk.com
wukunstudio.com
96503862.com
ygsj009.xyz
tbstli119w.top
correctionia.com
howdowear.com
760sun.com
1win-yyy-official7.xyz
colmeiaofertasloja.com
megadealsonline.shop
mumuvpn.life
vialglass.website
charliebearventures.com
lynxpire.com
labnicear.shop
thrillhouse.fail
biamane.com
celestialcharts.network
bt365231.com
247866.top
dungcamvu.com
floraperfumaria.com
connectedword.site
pamanwin.com
jbovietnam.vin
tanomi.dev
globalsupdate.xyz
santandecentral.com
xewaov.xyz
384058.com
kindya.xyz
pan-ason19.com
getpurvivee.online
17tk555j.com
fullmoondating.com
mu-vietco.com
cohailpros.com
8uh85t.xyz
slotcuan88login.com
nonewaveneb.live
Signatures
-
Formbook payload 2 IoCs
Processes:
resource / yara_rule:
behavioral1/memory/2656-23-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
behavioral1/memory/760-28-0x0000000000080000-0x00000000000AF000-memory.dmp / formbook
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid / process:
2712 / powershell.exe
2084 / powershell.exe
-
Deletes itself 1 IoCs
Processes:
pid / process:
2128 / cmd.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description / pid / process / target process:
PID 2672 (FedEx_ shipping documentations.exe) set thread context of 2656 (FedEx_ shipping documentations.exe)
PID 2656 (FedEx_ shipping documentations.exe) set thread context of 1204 (Explorer.EXE)
PID 760 (wlanext.exe) set thread context of 1204 (Explorer.EXE)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid / process:
2656 / FedEx_ shipping documentations.exe (2 entries)
2084 / powershell.exe
2712 / powershell.exe
760 / wlanext.exe (27 entries)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid / process:
2656 / FedEx_ shipping documentations.exe (3 entries)
760 / wlanext.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description / pid / process:
Token: SeDebugPrivilege / 2656 / FedEx_ shipping documentations.exe
Token: SeDebugPrivilege / 2084 / powershell.exe
Token: SeDebugPrivilege / 2712 / powershell.exe
Token: SeDebugPrivilege / 760 / wlanext.exe
-
Suspicious use of WriteProcessMemory 27 IoCs
Processes:
description / pid / process / target process:
PID 2672 (FedEx_ shipping documentations.exe) wrote to memory of 2712 (powershell.exe) (4 entries)
PID 2672 (FedEx_ shipping documentations.exe) wrote to memory of 2084 (powershell.exe) (4 entries)
PID 2672 (FedEx_ shipping documentations.exe) wrote to memory of 2604 (schtasks.exe) (4 entries)
PID 2672 (FedEx_ shipping documentations.exe) wrote to memory of 2656 (FedEx_ shipping documentations.exe) (7 entries)
PID 1204 (Explorer.EXE) wrote to memory of 760 (wlanext.exe) (4 entries)
PID 760 (wlanext.exe) wrote to memory of 2128 (cmd.exe) (4 entries)
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1204
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
        PID: 2672
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
            PID: 2712
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\NDvhFxac.exe"
            PID: 2084
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NDvhFxac" /XML "C:\Users\Admin\AppData\Local\Temp\tmpACE2.tmp"
            PID: 2604
            - Scheduled Task/Job: Scheduled Task
        [3] C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
            PID: 2656
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\wlanext.exe
        Command line: "C:\Windows\SysWOW64\wlanext.exe"
        PID: 760
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\FedEx_ shipping documentations.exe"
            PID: 2128
            - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 1KB
MD5: cde7fd4842378efb8319298dd8eeb5cf
SHA1: 139b20775d2f9d67b0943a5f30a272ddaaa85a99
SHA256: 96d7440bb871b9d23e05666bf92fdf7e27bfbe34bca5cb488606ac8e0fbeccdd
SHA512: 7d71e63c948e65213a71734894f9e278519b910ae77675866a019a4494ef73911b3846c5be26bf4066f83367755f586ce2fbab83487d588b6887c202b224a3d6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZB7TPU64UXUWBAUJHK9E.temp
Filesize: 7KB
MD5: 1b28971abb757bed98c3fa82d8db2d82
SHA1: f90c16e59062de47489cc2f72bfca56b67d54c99
SHA256: fa56b877135709c34176c2fdc0a4e7efe78e0f4a5054d0432f1d3e9924b95f3b
SHA512: e4ada09314f196b04dcdbda91362d48918bbbe85f28ba03abc0fe8131754bd690d7e87e7c5d85913f84709b88083310bb3b29c32ddef87eddb44fc89686d35a6