Analysis Overview
SHA256
69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2
Threat Level: Known bad
The file NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-23 17:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-23 17:15
Reported
2023-10-23 17:22
Platform
win7-20231020-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2492 set thread context of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe |
| PID 2148 set thread context of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | C:\Windows\Explorer.EXE |
| PID 2148 set thread context of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | C:\Windows\Explorer.EXE |
| PID 2848 set thread context of 1236 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
"C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
"C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.qianxz109.xyz | udp |
| US | 8.8.8.8:53 | www.centralngs.com | udp |
| US | 3.33.130.190:80 | www.centralngs.com | tcp |
| US | 8.8.8.8:53 | www.dingg.net | udp |
| US | 76.223.26.96:80 | www.dingg.net | tcp |
| US | 8.8.8.8:53 | www.waveoflife.pro | udp |
| US | 66.96.162.150:80 | www.waveoflife.pro | tcp |
| US | 8.8.8.8:53 | www.sxchenggu.com | udp |
| US | 38.11.36.68:80 | www.sxchenggu.com | tcp |
| US | 8.8.8.8:53 | www.youtube-manager.site | udp |
| US | 104.21.5.182:80 | www.youtube-manager.site | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
memory/2492-6-0x0000000000230000-0x0000000000232000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fqytpufty.s
| MD5 | f8dfd353d09136096e0996463892f727 |
| SHA1 | 33ded541f75bc169cd2410cb5105b1fd9b372eb6 |
| SHA256 | 9fffdcedea07e45d8f46ece1949d1ab372c89ee427a6015bb99bd40fa2c9e09b |
| SHA512 | e0d7db124617b31f350411fd9b4d683b7aa0adbb839696b77a7fc4e0dfcbe72ba4ae58727f490733583adde19120ce700066d15b687ef082e83d1716fd696004 |
\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
memory/2148-10-0x0000000000400000-0x000000000042F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
memory/2148-12-0x0000000000740000-0x0000000000A43000-memory.dmp
memory/1236-14-0x0000000000010000-0x0000000000020000-memory.dmp
memory/2148-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2148-16-0x0000000000370000-0x0000000000384000-memory.dmp
memory/1236-17-0x0000000004130000-0x00000000041F0000-memory.dmp
memory/2148-19-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2148-20-0x00000000003B0000-0x00000000003C4000-memory.dmp
memory/1236-21-0x0000000006030000-0x000000000610F000-memory.dmp
memory/1236-22-0x0000000004130000-0x00000000041F0000-memory.dmp
memory/2848-24-0x0000000000910000-0x0000000000936000-memory.dmp
memory/2848-26-0x0000000000910000-0x0000000000936000-memory.dmp
memory/2848-27-0x0000000000070000-0x000000000009F000-memory.dmp
memory/2848-28-0x0000000002060000-0x0000000002363000-memory.dmp
memory/2848-29-0x0000000000070000-0x000000000009F000-memory.dmp
memory/1236-30-0x0000000006030000-0x000000000610F000-memory.dmp
memory/2848-32-0x0000000001ED0000-0x0000000001F63000-memory.dmp
memory/1236-33-0x0000000000010000-0x0000000000020000-memory.dmp
memory/1236-34-0x0000000006330000-0x0000000006489000-memory.dmp
memory/1236-35-0x0000000006330000-0x0000000006489000-memory.dmp
memory/1236-36-0x000007FEF5DE0000-0x000007FEF5F23000-memory.dmp
memory/1236-37-0x000007FF21EE0000-0x000007FF21EEA000-memory.dmp
memory/1236-38-0x0000000006330000-0x0000000006489000-memory.dmp
memory/1236-40-0x000007FEF5DE0000-0x000007FEF5F23000-memory.dmp
memory/1236-41-0x000007FF21EE0000-0x000007FF21EEA000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-23 17:15
Reported
2023-10-23 17:21
Platform
win10v2004-20231023-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2088 set thread context of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe |
| PID 3556 set thread context of 3264 | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | C:\Windows\Explorer.EXE |
| PID 3064 set thread context of 3264 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\heooiabir.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.69585ae659cf7e13dd4c48f8d3109c5e219cb37f266a3aed6d0e0aac051e89b2exe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
"C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
"C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\heooiabir.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hndswicco.best | udp |
| US | 15.197.204.56:80 | www.hndswicco.best | tcp |
| US | 8.8.8.8:53 | 56.204.197.15.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.newswirex.com | udp |
| US | 172.67.183.162:80 | www.newswirex.com | tcp |
| US | 8.8.8.8:53 | 162.183.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.yqsoysy.com | udp |
| US | 104.194.8.4:80 | www.anakmedan3.click | tcp |
| US | 8.8.8.8:53 | 4.8.194.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.fakeittilyoumakeitfinance.com | udp |
| US | 3.33.130.190:80 | www.fakeittilyoumakeitfinance.com | tcp |
| US | 8.8.8.8:53 | 190.130.33.3.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
memory/2088-5-0x0000000000540000-0x0000000000542000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fqytpufty.s
| MD5 | f8dfd353d09136096e0996463892f727 |
| SHA1 | 33ded541f75bc169cd2410cb5105b1fd9b372eb6 |
| SHA256 | 9fffdcedea07e45d8f46ece1949d1ab372c89ee427a6015bb99bd40fa2c9e09b |
| SHA512 | e0d7db124617b31f350411fd9b4d683b7aa0adbb839696b77a7fc4e0dfcbe72ba4ae58727f490733583adde19120ce700066d15b687ef082e83d1716fd696004 |
C:\Users\Admin\AppData\Local\Temp\heooiabir.exe
| MD5 | a7282a909f46de953ab33416ab47ae18 |
| SHA1 | 53c5e1d282046364186554b2a93f1eb0c13ae909 |
| SHA256 | 603f1db91199b78cf2623f62ebaaa2ea2250a37a09b769ff82d1eade19b6b25b |
| SHA512 | 1e77062609fe86c88d932f649dfc32d58064add893318bb3e27d303a3db7d752704252c74255a4628fe558fb2c15f8c137693455886ae6e722a07d3d133a7b1b |
memory/3556-7-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3556-9-0x0000000000B70000-0x0000000000EBA000-memory.dmp
memory/3556-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3556-12-0x00000000006D0000-0x00000000006E4000-memory.dmp
memory/3264-13-0x00000000081E0000-0x00000000082F3000-memory.dmp
memory/3064-15-0x0000000000810000-0x000000000081C000-memory.dmp
memory/3064-17-0x0000000000810000-0x000000000081C000-memory.dmp
memory/3064-18-0x0000000000BA0000-0x0000000000BCF000-memory.dmp
memory/3064-19-0x0000000002D70000-0x00000000030BA000-memory.dmp
memory/3064-20-0x0000000000BA0000-0x0000000000BCF000-memory.dmp
memory/3264-21-0x00000000081E0000-0x00000000082F3000-memory.dmp
memory/3064-23-0x0000000002AC0000-0x0000000002B53000-memory.dmp
memory/3264-24-0x0000000002EA0000-0x0000000002F53000-memory.dmp
memory/3264-25-0x0000000002EA0000-0x0000000002F53000-memory.dmp
memory/3264-27-0x0000000002EA0000-0x0000000002F53000-memory.dmp