Analysis
max time kernel: 145s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 19:02
Static task: static1
Behavioral task: behavioral1
Sample: PO181219.exe
Resource: win7-20240221-en
General
Target: PO181219.exe
Size: 466KB
MD5: 9f1c4ea29a9490e84c85ee622ebbee83
SHA1: 03eb6bec9ca71f61726134e031ef1c96609c6fbf
SHA256: 4cf3f2e4957d449f51f1a5dd6b20765aa7a1fe89231f1ea3748cd0c0e90d74c4
SHA512: 2eccd244877aae74692294905fa6d11e7b1d67d03c44147f59dddf1b6d6ffe849529bf1e0ccd1b142d5767c281e229053d6d5d513bcc3c0ec9b428a735ed5f97
SSDEEP: 12288:jGNJ561IweViPtQjDMEnSHTigQWX+T/XRfoxwo4P:jGGy+t8kTEOY/4wo4
Malware Config
Extracted: formbook (version 3.9), h332
Signatures

Formbook payload (2 IoCs)
Processes:
  resource: behavioral1/memory/2512-19-0x0000000000080000-0x00000000000AA000-memory.dmp  yara_rule: formbook
  resource: behavioral1/memory/2512-22-0x0000000000080000-0x00000000000AA000-memory.dmp  yara_rule: formbook
Executes dropped EXE (2 IoCs)
Processes: thxx.exe, thxx.exe
  pid 2608  process thxx.exe
  pid 2512  process thxx.exe
Loads dropped DLL (1 IoCs)
Processes: cmd.exe
  pid 2720  process cmd.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: thxx.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Application = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\thxx.exe -boot"
  process: thxx.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes: thxx.exe, thxx.exe, chkdsk.exe
  PID 2608 set thread context of 2512  pid 2608  process thxx.exe    target process thxx.exe
  PID 2512 set thread context of 1204  pid 2512  process thxx.exe    target process Explorer.EXE
  PID 2512 set thread context of 1204  pid 2512  process thxx.exe    target process Explorer.EXE
  PID 1384 set thread context of 1204  pid 1384  process chkdsk.exe  target process Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 1 IoCs)
Processes: chkdsk.exe
  description: Key value queried
  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier
  process: chkdsk.exe
Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes: thxx.exe, chkdsk.exe
  pid 2512  process thxx.exe    (3 entries)
  pid 1384  process chkdsk.exe  (19 entries)
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes: thxx.exe, chkdsk.exe
  pid 2512  process thxx.exe    (4 entries)
  pid 1384  process chkdsk.exe  (2 entries)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: PO181219.exe, thxx.exe, thxx.exe, chkdsk.exe
  Token: SeDebugPrivilege  pid 1740  process PO181219.exe
  Token: SeDebugPrivilege  pid 2608  process thxx.exe
  Token: SeDebugPrivilege  pid 2512  process thxx.exe
  Token: SeDebugPrivilege  pid 1384  process chkdsk.exe
Suspicious use of WriteProcessMemory (27 IoCs)
Processes: PO181219.exe, cmd.exe, thxx.exe, Explorer.EXE, chkdsk.exe
  PID 1740 wrote to memory of 2116  process PO181219.exe  target process cmd.exe     (4 entries)
  PID 1740 wrote to memory of 2720  process PO181219.exe  target process cmd.exe     (4 entries)
  PID 2720 wrote to memory of 2608  process cmd.exe       target process thxx.exe    (4 entries)
  PID 2608 wrote to memory of 2512  process thxx.exe      target process thxx.exe    (7 entries)
  PID 1204 wrote to memory of 1384  process Explorer.EXE  target process chkdsk.exe  (4 entries)
  PID 1384 wrote to memory of 3024  process chkdsk.exe    target process cmd.exe     (4 entries)
Processes

C:\Windows\Explorer.EXE (PID 1204, level 1)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\PO181219.exe (PID 1740, level 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\PO181219.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2116, level 3)
      command line: "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\PO181219.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 2720, level 3)
      command line: "C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe (PID 2608, level 4)
        command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe (PID 2512, level 5)
          command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\autofmt.exe (level 2, 30 instances)
    command line: "C:\Windows\SysWOW64\autofmt.exe"
    PIDs: 3064, 1796, 2376, 2796, 2840, 2848, 2820, 2836, 2864, 2880, 2896, 2912, 2852, 2868, 2884, 2900, 1456, 2908, 2560, 2920, 1652, 2028, 1224, 1640, 2444, 2364, 1568, 1508, 2552, 772

  C:\Windows\SysWOW64\chkdsk.exe (PID 1384, level 2)
    command line: "C:\Windows\SysWOW64\chkdsk.exe"
    - Suspicious use of SetThreadContext
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3024, level 3)
      command line: /c del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\thxx.exe"
MITRE ATT&CK Enterprise v15