Analysis Overview
SHA256
2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1
Threat Level: Known bad
The file 2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-05 01:08
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-05 01:08
Reported
2024-04-05 01:11
Platform
win7-20240221-en
Max time kernel
146s
Max time network
135s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2200 set thread context of 2288 | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2288 set thread context of 1356 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2952 set thread context of 1356 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | "C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe" |
| C:\Windows\SysWOW64\control.exe | "C:\Windows\SysWOW64\control.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.coalswap.com | udp |
| US | 76.76.21.142:80 | www.coalswap.com | tcp |
| US | 8.8.8.8:53 | www.autonomoangola.com | udp |
| US | 75.2.115.196:80 | www.autonomoangola.com | tcp |
| US | 8.8.8.8:53 | www.enxk-32.com | udp |
| US | 107.154.132.32:80 | www.enxk-32.com | tcp |
| US | 8.8.8.8:53 | www.foroupskirt.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-05 01:08
Reported
2024-04-05 01:11
Platform
win10v2004-20240226-en
Max time kernel
152s
Max time network
158s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 976 set thread context of 216 | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 216 set thread context of 3372 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 3852 set thread context of 3372 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe | "C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\2313d25e7bb4affb7cb69890d851e061e013d079c012932d4f08275443d626d1.exe" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3552 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| GB | 172.217.169.74:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.riversandcapital.com | udp |
| US | 66.29.146.95:80 | www.riversandcapital.com | tcp |
| US | 8.8.8.8:53 | 95.146.29.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.it-jobs-87776.bond | udp |
| US | 8.8.8.8:53 | 241.66.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.coalswap.com | udp |
| US | 76.76.21.142:80 | www.coalswap.com | tcp |
| US | 8.8.8.8:53 | 142.21.76.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.issndiploma.com | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.healthinsuranceudeserve.com | udp |
| US | 72.52.178.23:80 | www.healthinsuranceudeserve.com | tcp |
| US | 8.8.8.8:53 | 23.178.52.72.in-addr.arpa | udp |
Files