Analysis Overview
SHA256
310e4968f6dd734749703e76c6806a20458f29970e415303d4eef6609004232b
Threat Level: Known bad
The file 2039747489.rar was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-11 14:22
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-11 14:22
Reported
2023-10-12 03:30
Platform
win7-20230831-en
Max time kernel
209s
Max time network
246s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rockro9902.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2104 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe |
| PID 2668 set thread context of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | C:\Windows\Explorer.EXE |
| PID 2668 set thread context of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | C:\Windows\Explorer.EXE |
| PID 2580 set thread context of 1280 | N/A | C:\Windows\SysWOW64\wuapp.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wuapp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wuapp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wuapp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rockro9902.exe
"C:\Users\Admin\AppData\Local\Temp\rockro9902.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
"C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
"C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.vivasbet352.com | udp |
| US | 188.114.97.0:80 | www.vivasbet352.com | tcp |
| US | 8.8.8.8:53 | www.cmryan.com | udp |
| US | 15.197.142.173:80 | www.cmryan.com | tcp |
| US | 8.8.8.8:53 | www.hamburg-boxt.com | udp |
| DE | 81.169.145.93:80 | www.hamburg-boxt.com | tcp |
| US | 8.8.8.8:53 | www.iammgmt.com | udp |
| AU | 103.169.142.0:80 | www.iammgmt.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
memory/2104-6-0x00000000000F0000-0x00000000000F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uztvody.ny
| MD5 | b2f36e78f5f6497ae8c5ab24bb3a9992 |
| SHA1 | 30bd084cef9a5a6fb327add9c6e27bff786115d5 |
| SHA256 | 3c40338dd227b2d2455656908669acc9ad018696d83d9ef636347032024eb329 |
| SHA512 | 8ee713b9c2fe61559d8f952696c1b03f69a3b42da694b0afd3b5e923e8f67ccb44b667f1472d6370d563e566523a92c61a9fb1f22c26507d55649843e3ad81f5 |
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
memory/2668-10-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
memory/2668-13-0x0000000000700000-0x0000000000A03000-memory.dmp
memory/2668-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-16-0x0000000000450000-0x0000000000464000-memory.dmp
memory/1280-17-0x0000000007400000-0x000000000759B000-memory.dmp
memory/2668-19-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-20-0x0000000000490000-0x00000000004A4000-memory.dmp
memory/1280-21-0x00000000000D0000-0x00000000001D0000-memory.dmp
memory/1280-22-0x0000000007770000-0x000000000790F000-memory.dmp
memory/2580-23-0x00000000002E0000-0x00000000002EB000-memory.dmp
memory/2580-24-0x00000000002E0000-0x00000000002EB000-memory.dmp
memory/2580-25-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/2580-26-0x0000000001FD0000-0x00000000022D3000-memory.dmp
memory/1280-27-0x0000000007770000-0x000000000790F000-memory.dmp
memory/2580-29-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/2580-30-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/2580-31-0x0000000001E20000-0x0000000001EB3000-memory.dmp
memory/1280-32-0x0000000003B60000-0x0000000003D60000-memory.dmp
memory/1280-33-0x0000000004C50000-0x0000000004D01000-memory.dmp
memory/1280-35-0x0000000004C50000-0x0000000004D01000-memory.dmp
memory/1280-37-0x0000000004C50000-0x0000000004D01000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-11 14:22
Reported
2023-10-12 03:28
Platform
win10v2004-20230915-en
Max time kernel
151s
Max time network
154s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2104 set thread context of 4472 | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe |
| PID 4472 set thread context of 3276 | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | C:\Windows\Explorer.EXE |
| PID 3792 set thread context of 3276 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\qshilspv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\rockro9902.exe
"C:\Users\Admin\AppData\Local\Temp\rockro9902.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
"C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
"C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\qshilspv.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.gpggkhuxxpc.xyz | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 104.255.229.69:80 | www.gpggkhuxxpc.xyz | tcp |
| US | 8.8.8.8:53 | 69.229.255.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.ambitionsofarose.com | udp |
| US | 8.8.8.8:53 | www.talkswdrick.com | udp |
| US | 76.223.105.230:80 | www.talkswdrick.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 230.105.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.heysongsale.shop | udp |
| US | 84.32.84.32:80 | www.heysongsale.shop | tcp |
| US | 8.8.8.8:53 | 32.84.32.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.interdisciplinaris.com | udp |
| DE | 168.119.43.205:80 | www.interdisciplinaris.com | tcp |
| US | 8.8.8.8:53 | 205.43.119.168.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.brewedburn.com | udp |
| US | 18.239.36.52:80 | www.brewedburn.com | tcp |
| US | 8.8.8.8:53 | 52.36.239.18.in-addr.arpa | udp |
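The Network tables mix three kinds of rows: DNS queries (udp to 8.8.8.8:53, where the Destination column is the resolver, not the contacted host), TCP connections to the resolved host, and background traffic of the analysis image (reverse lookups in in-addr.arpa and tse1.mm.bing.net on the win10 run). The Python below, added as an example and not part of the report or the sandbox, reduces both tables to one host list. The rows are copied from the tables above; the noise filter is this example's assumption about the analysis baseline. Formbook works through an embedded list of domains, most of which are decoys, so a domain in the output means "contacted by the sample", not "confirmed C2".

```python
"""Reduce the two Network tables above to a list of contacted hosts.

Added example; not part of the report and not the sandbox's code. The rows
are copied from the tables above. The noise filter (reverse lookups and the
Bing traffic seen on the win10 image) is this example's assumption about the
analysis baseline. Formbook cycles through a list of domains of which only
some are live C2, so a domain here means 'contacted by the sample', not
'confirmed C2'.
"""
from collections import defaultdict

BEHAVIORAL1 = """
US 8.8.8.8:53 www.vivasbet352.com udp
US 188.114.97.0:80 www.vivasbet352.com tcp
US 8.8.8.8:53 www.cmryan.com udp
US 15.197.142.173:80 www.cmryan.com tcp
US 8.8.8.8:53 www.hamburg-boxt.com udp
DE 81.169.145.93:80 www.hamburg-boxt.com tcp
US 8.8.8.8:53 www.iammgmt.com udp
AU 103.169.142.0:80 www.iammgmt.com tcp
"""

BEHAVIORAL2 = """
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.gpggkhuxxpc.xyz udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 104.255.229.69:80 www.gpggkhuxxpc.xyz tcp
US 8.8.8.8:53 69.229.255.104.in-addr.arpa udp
US 8.8.8.8:53 www.ambitionsofarose.com udp
US 8.8.8.8:53 www.talkswdrick.com udp
US 76.223.105.230:80 www.talkswdrick.com tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 230.105.223.76.in-addr.arpa udp
US 8.8.8.8:53 www.heysongsale.shop udp
US 84.32.84.32:80 www.heysongsale.shop tcp
US 8.8.8.8:53 32.84.32.84.in-addr.arpa udp
US 8.8.8.8:53 www.interdisciplinaris.com udp
DE 168.119.43.205:80 www.interdisciplinaris.com tcp
US 8.8.8.8:53 205.43.119.168.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 www.brewedburn.com udp
US 18.239.36.52:80 www.brewedburn.com tcp
US 8.8.8.8:53 52.36.239.18.in-addr.arpa udp
"""

NOISE_SUFFIXES = (".in-addr.arpa", ".bing.net")  # assumed benign on the analysis image


def parse_rows(text, run):
    for line in text.strip().splitlines():
        cc, dest, domain, proto = line.split()
        yield run, cc, dest, domain, proto


def extract_iocs(rows):
    """{domain: {'ip:port', ...}}: a DNS row registers the domain, a TCP row records the endpoint."""
    iocs = defaultdict(set)
    for run, cc, dest, domain, proto in rows:
        if domain.endswith(NOISE_SUFFIXES):
            continue
        ip, port = dest.rsplit(":", 1)
        if proto == "udp" and port == "53":
            iocs.setdefault(domain, set())   # resolver query; dest is the DNS server, not the host
            continue
        iocs[domain].add(f"{ip}:{port}")
    return dict(iocs)


def resolved_only(iocs):
    """Domains that were queried but for which no TCP connection was recorded."""
    return sorted(d for d, eps in iocs.items() if not eps)


def all_rows():
    yield from parse_rows(BEHAVIORAL1, "behavioral1")
    yield from parse_rows(BEHAVIORAL2, "behavioral2")


if __name__ == "__main__":
    iocs = extract_iocs(all_rows())
    for domain in sorted(iocs):
        print(domain, ", ".join(sorted(iocs[domain])) or "(queried, no connection)")
```

Note that the two runs contacted entirely different domain sets, which is expected for a sample that walks a list; www.ambitionsofarose.com is the one domain queried without a following TCP row.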
Files
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
memory/2104-5-0x0000000000730000-0x0000000000732000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uztvody.ny
| MD5 | b2f36e78f5f6497ae8c5ab24bb3a9992 |
| SHA1 | 30bd084cef9a5a6fb327add9c6e27bff786115d5 |
| SHA256 | 3c40338dd227b2d2455656908669acc9ad018696d83d9ef636347032024eb329 |
| SHA512 | 8ee713b9c2fe61559d8f952696c1b03f69a3b42da694b0afd3b5e923e8f67ccb44b667f1472d6370d563e566523a92c61a9fb1f22c26507d55649843e3ad81f5 |
memory/4472-7-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
memory/4472-10-0x0000000001600000-0x000000000194A000-memory.dmp
memory/4472-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4472-13-0x00000000014F0000-0x0000000001504000-memory.dmp
memory/3276-14-0x0000000009030000-0x0000000009110000-memory.dmp
memory/3792-15-0x0000000000370000-0x0000000000377000-memory.dmp
memory/3792-16-0x0000000000370000-0x0000000000377000-memory.dmp
memory/3792-17-0x0000000000880000-0x00000000008AF000-memory.dmp
memory/3792-18-0x0000000000EC0000-0x000000000120A000-memory.dmp
memory/3276-19-0x0000000009030000-0x0000000009110000-memory.dmp
memory/3792-20-0x0000000000880000-0x00000000008AF000-memory.dmp
memory/3792-22-0x0000000000DB0000-0x0000000000E43000-memory.dmp
memory/3276-23-0x0000000009110000-0x00000000091B4000-memory.dmp
memory/3276-24-0x0000000009110000-0x00000000091B4000-memory.dmp
memory/3276-26-0x0000000009110000-0x00000000091B4000-memory.dmp
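The Files sections list the same dropped file under several paths and events (\Users\... and C:\Users\... for qshilspv.exe) and interleave memory dumps named memory/PID-index-start-end. The Python below, added as an example and not part of the report or the sandbox, collapses the repeated entries to one record per SHA256, validates digest lengths, and sizes the dumps per PID. The excerpt is copied from behavioral1's Files section with the repeated qshilspv.exe entries left out; the same parser runs unchanged over the behavioral2 list. Flagging dumps that start at 0x400000 (the default 32-bit PE image base) as the likely unpacked payload in the hollowed process is this example's own heuristic, not a sandbox signature.

```python
"""Deduplicate dropped-file hashes and size the memory dumps from the Files sections.

Added example; not part of the report and not the sandbox's code. The excerpt is
copied from behavioral1's Files section (repeated qshilspv.exe entries omitted).
The 0x400000 image-base check is this example's own heuristic, not a signature.
"""
import re
from collections import defaultdict

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
ROW_RE = re.compile(r"\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|")

FILES_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
C:\Users\Admin\AppData\Local\Temp\qshilspv.exe
| MD5 | 3e653d351f5dbbe07ff27813467d9166 |
| SHA1 | 043e028f34111d6598e1a23b77b20da234a0d0dd |
| SHA256 | 36a752605304acc2ae96583784d6aaa25d4cbb8a63b56d244bfad91ee7029fe4 |
| SHA512 | be8f0b2d2d583739851363c04b946a2a728e7e236718bd9717f8da1bce2656b374ae8ed42c458d0e22d390dc022a564d27c933c89b6b5dcbd3b514e9b7172674 |
memory/2104-6-0x00000000000F0000-0x00000000000F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uztvody.ny
| MD5 | b2f36e78f5f6497ae8c5ab24bb3a9992 |
| SHA1 | 30bd084cef9a5a6fb327add9c6e27bff786115d5 |
| SHA256 | 3c40338dd227b2d2455656908669acc9ad018696d83d9ef636347032024eb329 |
| SHA512 | 8ee713b9c2fe61559d8f952696c1b03f69a3b42da694b0afd3b5e923e8f67ccb44b667f1472d6370d563e566523a92c61a9fb1f22c26507d55649843e3ad81f5 |
memory/2668-10-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-13-0x0000000000700000-0x0000000000A03000-memory.dmp
memory/2668-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-16-0x0000000000450000-0x0000000000464000-memory.dmp
memory/1280-17-0x0000000007400000-0x000000000759B000-memory.dmp
memory/2668-19-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-20-0x0000000000490000-0x00000000004A4000-memory.dmp
memory/1280-21-0x00000000000D0000-0x00000000001D0000-memory.dmp
memory/1280-22-0x0000000007770000-0x000000000790F000-memory.dmp
memory/2580-23-0x00000000002E0000-0x00000000002EB000-memory.dmp
memory/2580-24-0x00000000002E0000-0x00000000002EB000-memory.dmp
memory/2580-25-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/2580-26-0x0000000001FD0000-0x00000000022D3000-memory.dmp
memory/1280-27-0x0000000007770000-0x000000000790F000-memory.dmp
memory/2580-29-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/2580-30-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/2580-31-0x0000000001E20000-0x0000000001EB3000-memory.dmp
memory/1280-32-0x0000000003B60000-0x0000000003D60000-memory.dmp
memory/1280-33-0x0000000004C50000-0x0000000004D01000-memory.dmp
memory/1280-35-0x0000000004C50000-0x0000000004D01000-memory.dmp
memory/1280-37-0x0000000004C50000-0x0000000004D01000-memory.dmp
"""


def parse_files(text):
    """({path: {alg: digest}}, [(pid, idx, start, end), ...]); raises on a digest of the
    wrong length or a path listed twice with different hashes."""
    artifacts, dumps, current = {}, [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if m := MEM_RE.fullmatch(line):
            dumps.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
        elif r := ROW_RE.fullmatch(line):
            alg, digest = r[1], r[2].lower()
            if current is None or len(digest) != HASH_LEN[alg]:
                raise ValueError(f"bad {alg} row: {line}")
            if artifacts[current].get(alg, digest) != digest:
                raise ValueError(f"{current}: conflicting {alg} values")
            artifacts[current][alg] = digest
        elif line:
            current = line
            artifacts.setdefault(current, {})
    return artifacts, dumps


def by_sha256(artifacts):
    """One record per content hash; the same dropped file appears under several paths/events."""
    out = defaultdict(set)
    for path, hashes in artifacts.items():
        if "SHA256" in hashes:
            out[hashes["SHA256"]].add(path)
    return {h: sorted(p) for h, p in out.items()}


def regions_by_pid(dumps):
    """{pid: [(idx, start, end, size_bytes), ...]} in report order."""
    out = defaultdict(list)
    for pid, idx, start, end in dumps:
        out[pid].append((idx, start, end, end - start))
    return dict(out)


def image_base_dumps(dumps, base=0x400000):
    """Dumps that start at the default 32-bit PE image base (heuristic, this example's own)."""
    return [d for d in dumps if d[2] == base]


if __name__ == "__main__":
    arts, dumps = parse_files(FILES_EXCERPT)
    print({h: p for h, p in by_sha256(arts).items()})
    print({pid: [f"0x{s:X}+0x{sz:X}" for _, s, _, sz in r] for pid, r in regions_by_pid(dumps).items()})
```

Run against this excerpt the output is two unique artifacts (qshilspv.exe and uztvody.ny) and, for PID 2668 (the hollowed qshilspv.exe copy), three dumps of the same 0x2F000-byte region at 0x400000, which is the region to pull first when looking for the unpacked Formbook image.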