Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-11-2024 02:40
Static task: static1
Behavioral task: behavioral1
Sample: fattura di pagamento.exe
Resource: win7-20240903-en
General
Target: fattura di pagamento.exe
Size: 1.1MB
MD5: 1b279ea4e3f5c082c7ec98c138e86c1c
SHA1: 7f4a38dadd8891334f49d07359933d41c8830f67
SHA256: 77fa31d14cbf45df9fb36ebe8a7252e18cffca5add1d9a52a601b44367b5aad5
SHA512: e441b8967f27a4f03fd5bbd1140e00394190cb92afd9c4eb3c7076ac50a424ed2102ce3e478f4550f5e3f03cb87f892733703d745637a3cdafe834b1ea4a46ca
SSDEEP: 24576:0RmJkcoQricOIQxiZY1iaBPXyiJqQEa7bEw20doU7OiCjNd:RJZoQrbTFZY1iaBPseEw20frid
Malware Config
Extracted: formbook 4.1 (nu01)
Signatures
Formbook family
Formbook payload 4 IoCs
Processes:
  resource | yara_rule
  behavioral2/memory/1180-3-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/1180-6-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/1180-10-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
  behavioral2/memory/3152-17-0x00000000007A0000-0x00000000007CF000-memory.dmp | formbook
Suspicious use of SetThreadContext 4 IoCs
Processes:
  description | pid | Process | procid_target
  PID 2612 set thread context of 1180 | 2612 | fattura di pagamento.exe | 87
  PID 1180 set thread context of 3484 | 1180 | svchost.exe | 56
  PID 1180 set thread context of 3484 | 1180 | svchost.exe | 56
  PID 3152 set thread context of 3484 | 3152 | netsh.exe | 56
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes:
  pid | pid_target | Process | procid_target
  1020 | 2612 | WerFault.exe | 83
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fattura di pagamento.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Modifies registry class 3 IoCs
Processes:
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
  Key created | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 60 IoCs
Processes:
  pid | Process
  1180 | svchost.exe (6 entries)
  3152 | netsh.exe (54 entries)
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
  pid | Process
  2612 | fattura di pagamento.exe
  1180 | svchost.exe (4 entries)
  3152 | netsh.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 22 IoCs
Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 1180 | svchost.exe
  Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3484 | Explorer.EXE (alternating, 6 pairs)
  Token: SeDebugPrivilege | 3152 | netsh.exe
  Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege | 3484 | Explorer.EXE (alternating, 4 pairs)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
  pid | Process
  3484 | Explorer.EXE (2 entries)
Suspicious use of UnmapMainImage 1 IoCs
Processes:
  pid | Process
  3484 | Explorer.EXE
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description | pid | Process | procid_target
  PID 2612 wrote to memory of 1180 | 2612 | fattura di pagamento.exe | 87 (4 entries)
  PID 1180 wrote to memory of 3152 | 1180 | svchost.exe | 103 (3 entries)
  PID 3152 wrote to memory of 3472 | 3152 | netsh.exe | 104 (3 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of UnmapMainImage
  PID: 3484
  C:\Users\Admin\AppData\Local\Temp\fattura di pagamento.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fattura di pagamento.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 2612
    C:\Windows\SysWOW64\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fattura di pagamento.exe"
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1180
      C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\SysWOW64\netsh.exe"
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 3152
        C:\Windows\SysWOW64\cmd.exe
          Command line: /c del "C:\Windows\SysWOW64\svchost.exe"
          - System Location Discovery: System Language Discovery
          PID: 3472
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2612 -s 744
      - Program crash
      PID: 1020
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2612 -ip 2612
  PID: 5008