Analysis Overview
SHA256
354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579
Threat Level: Known bad
The file NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-23 16:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-23 16:47
Reported
2023-10-23 16:55
Platform
win7-20231020-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2044 set thread context of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe |
| PID 2636 set thread context of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Windows\Explorer.EXE |
| PID 2736 set thread context of 1364 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.motorcycleglassesshop.com | udp |
| US | 104.21.10.223:80 | www.motorcycleglassesshop.com | tcp |
| US | 8.8.8.8:53 | www.cjk66.online | udp |
| US | 8.8.8.8:53 | www.dryadai.com | udp |
| DE | 3.64.163.50:80 | www.dryadai.com | tcp |
| US | 8.8.8.8:53 | www.wilhouettteamerica.com | udp |
| US | 167.172.228.26:80 | www.wilhouettteamerica.com | tcp |
| US | 8.8.8.8:53 | www.displayfridges.fun | udp |
| US | 64.225.91.73:80 | www.displayfridges.fun | tcp |
| US | 8.8.8.8:53 | www.funwarsztat.com | udp |
| PL | 185.253.212.22:80 | www.funwarsztat.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
memory/2044-6-0x00000000001E0000-0x00000000001E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iomgmdsgtbq.p
| MD5 | 60d116c175aabe2c06bdd949a101127c |
| SHA1 | 63bb316383b4706d43f7882ee545031c4cac2505 |
| SHA256 | ee52d5afe32c612681d16c9bfee4cdb923ee5e54b84196b7b5ecc0aa4ad1df76 |
| SHA512 | d90f9148243101db90de1945854a9dd1e6aa6fd59ff0ccb1ff0053f7f91b8b40176a7d5401e63a5600474bfc8749733ff55cc76fa2094a697eb14726241a2fe9 |
\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
memory/2636-10-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
memory/2636-12-0x0000000000850000-0x0000000000B53000-memory.dmp
memory/1364-15-0x0000000002BB0000-0x0000000002CB0000-memory.dmp
memory/2636-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2636-16-0x00000000002C0000-0x00000000002D4000-memory.dmp
memory/1364-17-0x0000000006FA0000-0x000000000711B000-memory.dmp
memory/2736-19-0x00000000001D0000-0x00000000001D7000-memory.dmp
memory/2736-21-0x00000000001D0000-0x00000000001D7000-memory.dmp
memory/2736-22-0x00000000000C0000-0x00000000000EF000-memory.dmp
memory/2736-23-0x0000000002010000-0x0000000002313000-memory.dmp
memory/2736-24-0x00000000000C0000-0x00000000000EF000-memory.dmp
memory/1364-25-0x0000000006FA0000-0x000000000711B000-memory.dmp
memory/2736-27-0x0000000001D40000-0x0000000001DD3000-memory.dmp
memory/1364-29-0x0000000007210000-0x0000000007337000-memory.dmp
memory/1364-30-0x0000000007210000-0x0000000007337000-memory.dmp
memory/1364-32-0x0000000007210000-0x0000000007337000-memory.dmp
memory/1364-35-0x000007FEF57D0000-0x000007FEF5913000-memory.dmp
memory/1364-36-0x000007FE86530000-0x000007FE8653A000-memory.dmp
memory/1364-38-0x000007FEF57D0000-0x000007FEF5913000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-23 16:47
Reported
2023-10-23 16:54
Platform
win10v2004-20231023-en
Max time kernel
158s
Max time network
151s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1872 set thread context of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe |
| PID 2872 set thread context of 3328 | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | C:\Windows\Explorer.EXE |
| PID 5048 set thread context of 3328 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.354bb2d5a03e3c1d041730e3478e80ab5a264fd852e146e880834a346fc63579exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
"C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sx15k.com | udp |
| CN | 211.149.249.34:80 | www.sx15k.com | tcp |
| US | 8.8.8.8:53 | 34.249.149.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.motorcycleglassesshop.com | udp |
| US | 104.21.10.223:80 | www.motorcycleglassesshop.com | tcp |
| US | 8.8.8.8:53 | 223.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.zhperviepixie.com | udp |
| US | 167.172.228.26:80 | www.zhperviepixie.com | tcp |
| US | 8.8.8.8:53 | 26.228.172.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sarthaksrishticreation.com | udp |
| IN | 119.18.49.69:80 | www.sarthaksrishticreation.com | tcp |
| US | 8.8.8.8:53 | 69.49.18.119.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.alcmcyu.com | udp |
| HK | 45.196.82.124:80 | www.alcmcyu.com | tcp |
| US | 8.8.8.8:53 | 124.82.196.45.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
memory/1872-5-0x00000000021C0000-0x00000000021C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iomgmdsgtbq.p
| MD5 | 60d116c175aabe2c06bdd949a101127c |
| SHA1 | 63bb316383b4706d43f7882ee545031c4cac2505 |
| SHA256 | ee52d5afe32c612681d16c9bfee4cdb923ee5e54b84196b7b5ecc0aa4ad1df76 |
| SHA512 | d90f9148243101db90de1945854a9dd1e6aa6fd59ff0ccb1ff0053f7f91b8b40176a7d5401e63a5600474bfc8749733ff55cc76fa2094a697eb14726241a2fe9 |
memory/2872-7-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ohtfjmxqk.exe
| MD5 | 9e519a78d2ee0e4fa641187866bc9703 |
| SHA1 | 549dc42c936b4bc2612c20c668f94b37bb5163cc |
| SHA256 | c54c9db30df0d4fc34dcb8fece51fe3089d38283665cdd5af2c4846fa26f8e26 |
| SHA512 | a04afae9d0a2143f4ea5d1754fb1b162571275af935fda205d327765c1181d235a13d76bd204b2517d0a100c58956bd47880f8aad1d8da1b9bc5c8691e80a92c |
memory/2872-9-0x0000000000B00000-0x0000000000E4A000-memory.dmp
memory/2872-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2872-12-0x00000000009D0000-0x00000000009E4000-memory.dmp
memory/3328-13-0x0000000002B40000-0x0000000002C2E000-memory.dmp
memory/5048-16-0x00000000002A0000-0x00000000002C7000-memory.dmp
memory/5048-17-0x00000000002A0000-0x00000000002C7000-memory.dmp
memory/5048-18-0x0000000000370000-0x000000000039F000-memory.dmp
memory/5048-19-0x00000000027A0000-0x0000000002AEA000-memory.dmp
memory/3328-20-0x0000000002B40000-0x0000000002C2E000-memory.dmp
memory/5048-21-0x0000000000370000-0x000000000039F000-memory.dmp
memory/5048-23-0x00000000025E0000-0x0000000002673000-memory.dmp
memory/3328-24-0x0000000008820000-0x0000000008980000-memory.dmp
memory/3328-25-0x0000000008820000-0x0000000008980000-memory.dmp
memory/3328-27-0x0000000008820000-0x0000000008980000-memory.dmp