Analysis Overview
SHA256
7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a
Threat Level: Known bad
The file 7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a was found to be: Known bad.
Malicious Activity Summary
Formbook
Guloader,Cloudeye
Formbook payload
Loads dropped DLL
Checks QEMU agent file
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-13 20:08
Signatures
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-13 20:08
Reported
2023-07-13 20:11
Platform
win10-20230703-en
Max time kernel
143s
Max time network
131s
Command Line
Signatures
Formbook
Guloader,Cloudeye
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4956 set thread context of 3128 | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe
"C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe"
C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe
"C:\Users\Admin\AppData\Local\Temp\7644456ea433ce8755d64746d7420bcc88df377ac1242657f6428c4a9c51173a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 192.3.179.134:80 | 192.3.179.134 | tcp |
| US | 8.8.8.8:53 | 134.179.3.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
Files
\Users\Admin\AppData\Local\Temp\nsoA857.tmp\System.dll
| MD5 | 2ae993a2ffec0c137eb51c8832691bcb |
| SHA1 | 98e0b37b7c14890f8a599f35678af5e9435906e1 |
| SHA256 | 681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59 |
| SHA512 | 2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9 |