Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-05-2024 07:31
Static task: static1
Behavioral task: behavioral1
Sample: Asiaction__ Purchase Order_Specification.exe
Resource: win7-20240221-en
General
Target: Asiaction__ Purchase Order_Specification.exe
Size: 616KB
MD5: 19e12707415e84553f9743a4d109ef73
SHA1: 96fc30b169baa93b1c45cac3de430cb52cfad229
SHA256: 56e0ddbe7333484dbf0251177a4fd5fa51cce0b5cd42efcc7f9c312b1818be56
SHA512: 5cbb44f5894e8cb139e54d9cc664ff00e3a1dde901fc9dc3017f49ae03e382bf648164526d233c869c48fdbda7c0ae2a23b4d70229de986341d1c26d5120b988
SSDEEP: 12288:SIKHQ8nWqI00M5PKTOd5iudnHR+vzjKQqePFLVoq3Fw:SIKH5fI0B5Pr57dnHMLqePRVoMF
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: sg36
Domains (Formbook configs embed a list of domains of which typically only one is the live C2 and the rest are decoys, so treat the list as indicators to watch rather than as confirmed servers):
cookfranschhoek.com
rajaslot138.today
eightfigureroundtable.com
sdklwdz.com
novaturienthealth.com
sk87k.xyz
defoutenmakers.online
eadsanuncios.com
drewkav.com
car-insurance-94416.bond
m3nm.site
6vab.site
towing-barnesville.top
authentifizierung-beginnen.com
thejmfc.com
beggiapizza.site
gttsfibermill.com
cdugood.com
dominiongeneralcontractors.com
deprepagos.com
writetoday.app
kinleysbeatyreveiws.com
ah-ysdl.com
pj2698.com
prosource-eu.com
realizzazionesitiinternet.net
hoidap360.com
poncetruckingshop.online
momsmobilegrooming.com
ghafirer.store
dhl.cyou
dalvalynch.net
14wow.com
bulletinod.lat
aisubrosa.com
ligneap.pics
nobusinessplan.com
callumwallace.com
kaisen-ebizo.com
bouhabba.com
onlyrl.com
dancokerss.online
sustainablepartners-la.com
wqks7.site
bzxtor.xyz
tecgulf.com
dailydei.com
summitpointkeyword.top
aniba.foundation
coolfashions.shop
bestmindbodyhealingpodcast.com
fulfide.com
va4is5w.sbs
reddy-fairplay.shop
bitflyer.global
menomonietowing.top
vwjq3.site
bbetslo.top
goldwin-open.online
totalpriceforyourhome.com
realestateadvice.site
dip2024.com
ashvalueprofilereport.com
mcdowelltowing.top
ldvicecream.com
Signatures

Formbook payload (2 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2852-19-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral1/memory/2516-24-0x0000000000080000-0x00000000000AF000-memory.dmp   formbook

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

Deletes itself (1 IoCs)
  pid   process
  556   cmd.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process                                       target process
  PID 2420 set thread context of 2852  2420  Asiaction__ Purchase Order_Specification.exe  Asiaction__ Purchase Order_Specification.exe
  PID 2852 set thread context of 1212  2852  Asiaction__ Purchase Order_Specification.exe  Explorer.EXE
  PID 2516 set thread context of 1212  2516  explorer.exe                                  Explorer.EXE

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (33 IoCs; repeated rows collapsed into an event count)
  pid   process                                       events
  2420  Asiaction__ Purchase Order_Specification.exe  4
  2852  Asiaction__ Purchase Order_Specification.exe  2
  2676  powershell.exe                                1
  2516  explorer.exe                                  26

Suspicious behavior: MapViewOfSection (5 IoCs; repeated rows collapsed into an event count)
  pid   process                                       events
  2852  Asiaction__ Purchase Order_Specification.exe  3
  2516  explorer.exe                                  2

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description                pid   process
  Token: SeDebugPrivilege    2420  Asiaction__ Purchase Order_Specification.exe
  Token: SeDebugPrivilege    2852  Asiaction__ Purchase Order_Specification.exe
  Token: SeDebugPrivilege    2676  powershell.exe
  Token: SeDebugPrivilege    2516  explorer.exe

Suspicious use of WriteProcessMemory (27 IoCs; repeated rows collapsed into an event count)
  pid   process                                       target pid  target process                                events
  2420  Asiaction__ Purchase Order_Specification.exe  2676        powershell.exe                                4
  2420  Asiaction__ Purchase Order_Specification.exe  2716        schtasks.exe                                  4
  2420  Asiaction__ Purchase Order_Specification.exe  2768        Asiaction__ Purchase Order_Specification.exe  4
  2420  Asiaction__ Purchase Order_Specification.exe  2852        Asiaction__ Purchase Order_Specification.exe  7
  1212  Explorer.EXE                                  2516        explorer.exe                                  4
  2516  explorer.exe                                  556         cmd.exe                                       4
Processes (tree; depth in brackets)

[1] C:\Windows\Explorer.EXE  (PID 1212)
    Command line: C:\Windows\Explorer.EXE
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe  (PID 2420)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2676)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\schtasks.exe  (PID 2716)
        Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A9E.tmp"
        - Creates scheduled task(s)

    [3] C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe  (PID 2768)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
        (no signatures recorded for this process)

    [3] C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe  (PID 2852)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  [2] C:\Windows\SysWOW64\explorer.exe  (PID 2516)
      Command line: "C:\Windows\SysWOW64\explorer.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\cmd.exe  (PID 556)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
        - Deletes itself

Notes on the tree:
- powershell.exe (PID 2676) and schtasks.exe (PID 2716) run from C:\Windows\SysWOW64 even though their command lines name C:\Windows\System32. That is WOW64 file-system redirection acting on a 32-bit parent, so when writing detections match on the image path rather than on the command-line text.
- The Defender exclusion path (C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe) and the scheduled task name (Updates\nRGThSlhfFI) share the name nRGThSlhfFI; the task's action is defined in tmp5A9E.tmp and is not shown on this page.
- PID 2768 is a first child copy of the sample with no signatures recorded; PID 2852 is the copy that receives the SetThreadContext write from PID 2420 and whose memory dump matches the formbook rule, and it in turn sets a thread context in Explorer.EXE (PID 1212) before the SysWOW64 explorer.exe (PID 2516) appears under the shell and removes the original file.
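The chain recorded above (a Defender exclusion added through PowerShell, a scheduled task created from an XML file in Temp, a self-spawned copy of the sample that then receives a SetThreadContext write, context writes into Explorer.EXE, and a cmd /c del of the dropper) expressed as detection logic over process telemetry. This is an added example, not part of the sandbox report: the EVENTS list is constructed by hand from the process tree and SetThreadContext signature above (same PIDs, image paths and command lines), and the Event fields are an assumed schema loosely modelled on Sysmon-style process-creation records, not any vendor's real format.

```python
"""Detection logic for the Formbook execution chain in the report above.

Added example, not part of the sandbox report.  EVENTS is constructed by hand
from the process tree; the Event schema is assumed, not a vendor format.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process_create" or "set_thread_context"
    pid: int
    image: str                # on-disk image path (what actually ran)
    cmdline: str = ""
    ppid: int = 0
    parent_image: str = ""
    target_pid: int = 0       # set_thread_context only
    target_image: str = ""


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
SHELL = r"C:\Windows\Explorer.EXE"
WOW_EXPLORER = r"C:\Windows\SysWOW64\explorer.exe"

# Constructed from the report's process tree and its SetThreadContext rows.
EVENTS = [
    Event("process_create", 2420, SAMPLE, f'"{SAMPLE}"', 1212, SHELL),
    Event("process_create", 2676, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
          r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"', 2420, SAMPLE),
    Event("process_create", 2716, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" '
          r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp5A9E.tmp"', 2420, SAMPLE),
    Event("process_create", 2768, SAMPLE, f'"{SAMPLE}"', 2420, SAMPLE),  # no context write follows
    Event("process_create", 2852, SAMPLE, f'"{SAMPLE}"', 2420, SAMPLE),
    Event("set_thread_context", 2420, SAMPLE, target_pid=2852, target_image=SAMPLE),
    Event("set_thread_context", 2852, SAMPLE, target_pid=1212, target_image=SHELL),
    Event("process_create", 2516, WOW_EXPLORER, f'"{WOW_EXPLORER}"', 1212, SHELL),
    Event("set_thread_context", 2516, WOW_EXPLORER, target_pid=1212, target_image=SHELL),
    Event("process_create", 556, r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"', 2516, WOW_EXPLORER),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def creates(events, name):
    # Match on the image path, not the command line: the 32-bit parent's "System32"
    # text was redirected by WOW64 to SysWOW64, as the tree above shows.
    return [e for e in events if e.kind == "process_create" and basename(e.image) == name]


def defender_exclusions(events):
    """PowerShell adding a Defender exclusion (the report's Add-MpPreference call)."""
    pat = re.compile(r"Add-MpPreference\b.*?-Exclusion(Path|Process|Extension)\s+\"?([^\"]+)", re.I)
    hits = []
    for e in creates(events, "powershell.exe") + creates(events, "pwsh.exe"):
        m = pat.search(e.cmdline)
        if m:
            hits.append((e.pid, m.group(1), m.group(2)))
    return hits


def temp_xml_tasks(events):
    """schtasks /Create whose task definition is an XML file under a Temp directory."""
    hits = []
    for e in creates(events, "schtasks.exe"):
        if not re.search(r"/create\b", e.cmdline, re.I):
            continue
        tn = re.search(r"/TN\s+\"([^\"]+)\"", e.cmdline, re.I)
        xml = re.search(r"/XML\s+\"([^\"]+)\"", e.cmdline, re.I)
        if xml and re.search(r"\\Temp\\", xml.group(1), re.I):
            hits.append((e.pid, tn.group(1) if tn else "", xml.group(1)))
    return hits


def hollowing_candidates(events):
    """Child PIDs that share the parent's image and then receive SetThreadContext from
    that parent.  PID 2768 is spawned the same way but never gets a context write,
    so it is deliberately not reported; only the injected copy (2852) is."""
    self_spawns = {(e.ppid, e.pid) for e in events
                   if e.kind == "process_create" and e.image.lower() == e.parent_image.lower()}
    return sorted(e.target_pid for e in events
                  if e.kind == "set_thread_context" and (e.pid, e.target_pid) in self_spawns)


def shell_context_writers(events):
    """PIDs that set a thread context inside the desktop shell (Explorer.EXE)."""
    return sorted(e.pid for e in events
                  if e.kind == "set_thread_context" and e.pid != e.target_pid
                  and basename(e.target_image) == "explorer.exe")


def self_deletion(events):
    """cmd /c del aimed at an image that itself appears in the tree (dropper clean-up)."""
    images = {e.image.lower() for e in events if e.kind == "process_create"}
    hits = []
    for e in creates(events, "cmd.exe"):
        m = re.search(r"\bdel\s+\"?([^\"]+?)\"?\s*$", e.cmdline, re.I)
        if m and m.group(1).lower() in images:
            hits.append((e.pid, e.ppid, m.group(1)))
    return hits


def triage(events):
    return {
        "defender_exclusions": defender_exclusions(events),
        "temp_xml_tasks": temp_xml_tasks(events),
        "hollowing_candidates": hollowing_candidates(events),
        "shell_context_writers": shell_context_writers(events),
        "self_deletion": self_deletion(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

Each rule keys on the image path, so the WOW64 redirection visible in the tree does not matter, and the hollowing rule requires both the same-image spawn and the subsequent context write, which is why the first child (PID 2768) is not reported and the second (PID 2852) is.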
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: bbdabfa864bce45996d6303cc6484929
SHA1: d6c0a66e1c809fc87aa3c3903266d4064031f3f1
SHA256: e79697bb5d61e643d828ca798b6af1d9449c6ea89d4ea6f5efd3b7c41d667b46
SHA512: b6a7f64ac5e0dc7c02bf5af81bbea1348e3a4b7545e5cc336dccf9c705b20b45cb4d8f1ace023ff300c7c3324ffb28efb4d79e20cbb4c64fc1f5529880bfd905