Analysis Overview
SHA256
f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9
Threat Level: Known bad
The file f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9 was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-09 05:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 05:15
Reported
2024-05-09 05:17
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
98s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1100 set thread context of 4508 | N/A | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe
"C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe"
C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe
"C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/1100-0-0x000000007467E000-0x000000007467F000-memory.dmp
memory/1100-1-0x0000000000900000-0x00000000009AA000-memory.dmp
memory/1100-2-0x00000000059E0000-0x0000000005F84000-memory.dmp
memory/1100-3-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/1100-4-0x00000000053B0000-0x00000000053BA000-memory.dmp
memory/1100-5-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/1100-6-0x0000000005660000-0x00000000056FC000-memory.dmp
memory/1100-7-0x0000000005620000-0x000000000563C000-memory.dmp
memory/1100-8-0x0000000005990000-0x000000000599E000-memory.dmp
memory/1100-9-0x00000000059C0000-0x00000000059D6000-memory.dmp
memory/1100-10-0x0000000006B80000-0x0000000006BF6000-memory.dmp
memory/4508-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1100-13-0x0000000074670000-0x0000000074E20000-memory.dmp
memory/4508-14-0x00000000016F0000-0x0000000001A3A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 05:15
Reported
2024-05-09 05:17
Platform
win11-20240508-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 552 set thread context of 4120 | N/A | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe
"C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe"
C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe
"C:\Users\Admin\AppData\Local\Temp\f23b020b5a3aab42525b80bef3474df287cc7fa80dc3c13229c571e32fb99fe9.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/552-0-0x00000000743CE000-0x00000000743CF000-memory.dmp
memory/552-1-0x0000000000120000-0x00000000001CA000-memory.dmp
memory/552-2-0x0000000005170000-0x0000000005716000-memory.dmp
memory/552-3-0x0000000004BC0000-0x0000000004C52000-memory.dmp
memory/552-4-0x0000000004B30000-0x0000000004B3A000-memory.dmp
memory/552-5-0x0000000004E40000-0x0000000004EDC000-memory.dmp
memory/552-6-0x00000000743C0000-0x0000000074B71000-memory.dmp
memory/552-7-0x0000000004FE0000-0x0000000004FFC000-memory.dmp
memory/552-8-0x0000000005020000-0x000000000502E000-memory.dmp
memory/552-9-0x0000000005030000-0x0000000005046000-memory.dmp
memory/552-10-0x0000000006310000-0x0000000006386000-memory.dmp
memory/4120-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/552-13-0x00000000743C0000-0x0000000074B71000-memory.dmp
memory/4120-14-0x0000000001350000-0x00000000016A6000-memory.dmp