Analysis
max time kernel: 148s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 01-07-2024 12:50
Static task: static1
Behavioral task: behavioral1
Sample: PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe
Resource: win7-20240221-en
General
Target: PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe
Size: 1.0MB
MD5: f44bc4e0027f0f44d75fed04b8416be2
SHA1: 70fffcae8382f82570ec5b8e0389e7378c5db522
SHA256: c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe
SHA512: 506d386d7fbd7506930017ba869573bb1e21762c002fb686740ef9cfd906459886fba519486600582f5ab903a958ddfeed81d5df92af6a16c2cc6951e34e9458
SSDEEP: 12288:5D9Q6t+p9J/s61NobMm1k4Wcqx9cpwtNHdlIoXcPANAe5WdNH6gsmxhgR6ZdEyGk:yoYck4JqncElfcINPewgsw26ZdxAx87
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: ps94
Domains:
gokorgiboard.com
17tk558f.com
xbtdlz.com
agence-dyf.com
azovtour.com
refreshoutdoors.shop
muyidajs.com
bull007s.autos
huskyacres.net
nryijx628b.xyz
romansotam.com
norlac.xyz
dorsetbusinessforum.com
prpasti.shop
amycostellospeech.com
dpaijvpiajvpin.top
rinabet371.com
corporatebushcraft.com
0755xx.com
wxsjlwkj2019.com
cjyegfoj.net
t5u2s.xyz
light-in-the-heavens.com
forluvofcomedy.com
modevow.com
doising.com
mpcihjpo.xyz
readysetmarkit.com
0909000000.com
checkout4xgrow.shop
whatsapp-p.vip
vpdyt637j.xyz
sunnykiki.net
yesspin.vip
mbduattf.net
gkjjic1ti9.xyz
coindoody.com
st-petersburghpirates.com
khsv4r.top
xsmci844n.xyz
lottiedottieclayco.com
hregrhherdhretdhrt.xyz
rd15.top
parsendustriyel.com
southernsweetsboxco.com
swattonracing.com
streamfly.video
everygrow.xyz
4iszk17p.top
roofing-jobs-97892.bond
625251.com
slotgacor4dline.site
marykellerbechem.com
mjdwmft.life
theip.pro
htgithub.com
aianswerforaluminium.com
vtscw364x.xyz
eroshiroutomatomekojin.com
datanexusmarketing.com
premierdrops.agency
fareast-trading.com
ddsmb.club
transpecosexpress.com
rgrogerscreations.com
Signatures
Formbook payload 3 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/2140-11-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
- behavioral1/memory/2140-16-0x0000000000400000-0x000000000042F000-memory.dmp / formbook
- behavioral1/memory/2580-22-0x00000000000C0000-0x00000000000EF000-memory.dmp / formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Deletes itself 1 IoCs
Processes (pid / process):
- 2616 / cmd.exe
Suspicious use of SetThreadContext 3 IoCs
Processes (description / pid / process / target process):
- PID 2088 set thread context of 2140 / 2088 / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe
- PID 2140 set thread context of 1200 / 2140 / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe / Explorer.EXE
- PID 2580 set thread context of 1200 / 2580 / wininit.exe / Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes (pid / process):
- 2140 / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe (2 entries)
- 2312 / powershell.exe (1 entry)
- 2580 / wininit.exe (27 entries)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid / process):
- 2140 / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe (3 entries)
- 2580 / wininit.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 2140 / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe
- Token: SeDebugPrivilege / 2312 / powershell.exe
- Token: SeDebugPrivilege / 2580 / wininit.exe
Suspicious use of WriteProcessMemory 19 IoCs
Processes (description / pid / process / target process):
- PID 2088 wrote to memory of 2312 / 2088 / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe / powershell.exe (4 entries)
- PID 2088 wrote to memory of 2140 / 2088 / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe / PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe (7 entries)
- PID 1200 wrote to memory of 2580 / 1200 / Explorer.EXE / wininit.exe (4 entries)
- PID 2580 wrote to memory of 2616 / 2580 / wininit.exe / cmd.exe (4 entries)
Processes
-
Level 1: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of WriteProcessMemory
-
Level 2: C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe"
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Level 3: C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
Level 2: C:\Windows\SysWOW64\wininit.exe
Command line: "C:\Windows\SysWOW64\wininit.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
Level 3: C:\Windows\SysWOW64\cmd.exe
Command line: /c del "C:\Users\Admin\AppData\Local\Temp\PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe"
- Deletes itself
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads (file / Filesize)
- memory/1200-15-0x0000000003B40000-0x0000000003C40000-memory.dmp / 1024KB
- memory/1200-25-0x0000000008CD0000-0x0000000008E49000-memory.dmp / 1.5MB
- memory/1200-18-0x0000000008CD0000-0x0000000008E49000-memory.dmp / 1.5MB
- memory/2088-4-0x0000000000660000-0x000000000066C000-memory.dmp / 48KB
- memory/2088-0-0x000000007406E000-0x000000007406F000-memory.dmp / 4KB
- memory/2088-5-0x0000000004D80000-0x0000000004DF6000-memory.dmp / 472KB
- memory/2088-1-0x0000000000D60000-0x0000000000E6A000-memory.dmp / 1.0MB
- memory/2088-2-0x0000000074060000-0x000000007474E000-memory.dmp / 6.9MB
- memory/2088-3-0x00000000005E0000-0x00000000005F0000-memory.dmp / 64KB
- memory/2088-13-0x0000000074060000-0x000000007474E000-memory.dmp / 6.9MB
- memory/2140-12-0x0000000000A40000-0x0000000000D43000-memory.dmp / 3.0MB
- memory/2140-7-0x0000000000400000-0x000000000042F000-memory.dmp / 188KB
- memory/2140-11-0x0000000000400000-0x000000000042F000-memory.dmp / 188KB
- memory/2140-17-0x0000000000130000-0x0000000000144000-memory.dmp / 80KB
- memory/2140-16-0x0000000000400000-0x000000000042F000-memory.dmp / 188KB
- memory/2140-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp / 4KB
- memory/2140-6-0x0000000000400000-0x000000000042F000-memory.dmp / 188KB
- memory/2580-21-0x0000000000FE0000-0x0000000000FFA000-memory.dmp / 104KB
- memory/2580-22-0x00000000000C0000-0x00000000000EF000-memory.dmp / 188KB