Overview

overview

10

Static

static

3

invoice copypdf.exe

windows7-x64

10

invoice copypdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-06-2024 22:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    invoice copypdf.exe

  • Size

    408KB

  • MD5

    d9ae02ae949ec2aba95cda647fe09240

  • SHA1

    3858a6e45d0031fcbd9081dee453fdf196cc95a4

  • SHA256

    75a0f38d45e726a70992f82304bfb85b127c37e591c02c59fe5750d308a95bd6

  • SHA512

    f724c3ab608fdd6393147a2534d035b2211848efc091bcf73fb20ef2476a1705df9a423ccfe732903b8ed4fd6bef1d361e9881d5c767089ae2f5377049c97a46

  • SSDEEP

    12288:KnzmVzil201tDwa2rGcLSY5ndlqChvqeA:KnzmVzK5S0cLSY5ndlqov

Score
10/10
formbookmnfratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mnf

Decoy

freeedomfencemn.com

corse-pollens.com

gellyc.com

mindplusgrind.com

gzrikang.com

horukac.com

aswaqina.com

lawofficeofjimhankey.com

everyoneshoroscope.com

freisaq.com

khimyoga.com

usmarketingdigital.com

artistagospel.com

stop-moskitos.com

sertecbasicos.com

mvmontessori.net

duke-a-website.com

arcaneunlocked.com

turnershydrographics.com

bipbopbling.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe
      "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2968
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nojDVIgkBT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:2980
      • C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe
        "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
        3⤵
          PID:2636
        • C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe
          "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
          3⤵
            PID:2472
          • C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe
            "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2716
        • C:\Windows\SysWOW64\cmstp.exe
          "C:\Windows\SysWOW64\cmstp.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\invoice copypdf.exe"
            3⤵
            • Deletes itself
            PID:1664

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp3830.tmp
        Filesize

        1KB

        MD5

        e7809a4bf4812104fbf0823d36e5f1a3

        SHA1

        cda4290ba9b34e8531e7085ecdaf328149ce6222

        SHA256

        cf38292505633220d70beecd9a766bc94e186d30c427005594c1e6b6999ca625

        SHA512

        ef9443182d38aa826b9ffe32aff97a9cccd856e322a04261258da8ebfcbcb1fe914ec49d4d9a3b3a2370267465e7b284b0a2c5a7f2536e0a898e3cfda86589df

        Download Submit
      • memory/332-30-0x0000000000430000-0x0000000000448000-memory.dmp
        Filesize

        96KB

        Download
      • memory/332-29-0x0000000000430000-0x0000000000448000-memory.dmp
        Filesize

        96KB

        Download
      • memory/1180-21-0x0000000002FF0000-0x00000000030F0000-memory.dmp
        Filesize

        1024KB

        Download
      • memory/1180-34-0x0000000006E30000-0x0000000006FCC000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1180-28-0x0000000006E30000-0x0000000006FCC000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/1180-25-0x0000000005010000-0x0000000005131000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/1180-22-0x0000000005010000-0x0000000005131000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2716-17-0x0000000000770000-0x0000000000A73000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/2716-27-0x0000000000610000-0x0000000000624000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2716-26-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2716-20-0x00000000002B0000-0x00000000002C4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2716-19-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2716-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2716-16-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2716-12-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2716-10-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2968-4-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2968-23-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2968-0-0x00000000747D1000-0x00000000747D2000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2968-3-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2968-2-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/2968-1-0x00000000747D0000-0x0000000074D7B000-memory.dmp
        Filesize

        5.7MB

        Download