Analysis Overview
SHA256: 493c4a1e5d1dc441a17c45f95bd2f4a586dccdd2c877fa1e2749f8c24a699117
Threat Level: Known bad
The file 8e0cab6e15c8ecf53d170b396a5cdb6db74f1a8cc5bfd408ef5d480f25fa358c.zip was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Deletes itself
Suspicious use of SetThreadContext
Suspicious behavior: MapViewOfSection
Gathers network information
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-04-02 10:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-04-02 10:15
Reported: 2024-04-02 10:18
Platform: win7-20231129-en
Max time kernel: 148s
Max time network: 119s
Command Line
Signatures
Formbook
Formbook payload
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1752 set thread context of 3056 | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe |
| PID 3056 set thread context of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | C:\Windows\Explorer.EXE |
| PID 2644 set thread context of 1400 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe" |
| C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe" |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\SysWOW64\netsh.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe" |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-04-02 10:15
Reported: 2024-04-02 10:18
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 150s
Command Line
Signatures
Formbook
Formbook payload
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1864 set thread context of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe |
| PID 3252 set thread context of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | C:\Windows\Explorer.EXE |
| PID 3252 set thread context of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | C:\Windows\Explorer.EXE |
| PID 3716 set thread context of 3500 | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | C:\Windows\Explorer.EXE |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NETSTAT.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe" |
| C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe | "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe" |
| C:\Windows\SysWOW64\NETSTAT.EXE | "C:\Windows\SysWOW64\NETSTAT.EXE" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\bnY2j1hTDlb4vxF.exe" |
Network
Files