Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 07:31
Static task: static1
Behavioral task: behavioral1
Sample: Asiaction__ Purchase Order_Specification.exe
Resource: win7-20240221-en
General
Target: Asiaction__ Purchase Order_Specification.exe
Size: 616KB
MD5: 19e12707415e84553f9743a4d109ef73
SHA1: 96fc30b169baa93b1c45cac3de430cb52cfad229
SHA256: 56e0ddbe7333484dbf0251177a4fd5fa51cce0b5cd42efcc7f9c312b1818be56
SHA512: 5cbb44f5894e8cb139e54d9cc664ff00e3a1dde901fc9dc3017f49ae03e382bf648164526d233c869c48fdbda7c0ae2a23b4d70229de986341d1c26d5120b988
SSDEEP: 12288:SIKHQ8nWqI00M5PKTOd5iudnHR+vzjKQqePFLVoq3Fw:SIKH5fI0B5Pr57dnHMLqePRVoMF
Malware Config
Extracted family: formbook
Version: 4.1
Campaign ID: sg36
C2 domains:
Signatures
-
Formbook payload 3 IoCs
Memory resources:
resource | yara_rule
behavioral2/memory/2696-28-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2696-21-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/3660-77-0x0000000000DC0000-0x0000000000DEF000-memory.dmp | formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Asiaction__ Purchase Order_Specification.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Asiaction__ Purchase Order_Specification.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: Asiaction__ Purchase Order_Specification.exe, Asiaction__ Purchase Order_Specification.exe, explorer.exe
description | pid | process | target process
PID 4344 set thread context of 2696 | 4344 | Asiaction__ Purchase Order_Specification.exe | Asiaction__ Purchase Order_Specification.exe
PID 2696 set thread context of 3440 | 2696 | Asiaction__ Purchase Order_Specification.exe | Explorer.EXE
PID 3660 set thread context of 3440 | 3660 | explorer.exe | Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
Processes: Asiaction__ Purchase Order_Specification.exe, Asiaction__ Purchase Order_Specification.exe, powershell.exe, explorer.exe
pid | process
4344 | Asiaction__ Purchase Order_Specification.exe (3 entries)
2696 | Asiaction__ Purchase Order_Specification.exe (4 entries)
4564 | powershell.exe (2 entries)
3660 | explorer.exe (all remaining entries; 59 IoCs in total)
Suspicious behavior: MapViewOfSection 5 IoCs
Processes: Asiaction__ Purchase Order_Specification.exe, explorer.exe
pid | process
2696 | Asiaction__ Purchase Order_Specification.exe (3 entries)
3660 | explorer.exe (2 entries)
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: Asiaction__ Purchase Order_Specification.exe, Asiaction__ Purchase Order_Specification.exe, powershell.exe, explorer.exe, Explorer.EXE
description | pid | process
Token: SeDebugPrivilege | 4344 | Asiaction__ Purchase Order_Specification.exe
Token: SeDebugPrivilege | 2696 | Asiaction__ Purchase Order_Specification.exe
Token: SeDebugPrivilege | 4564 | powershell.exe
Token: SeDebugPrivilege | 3660 | explorer.exe
Token: SeShutdownPrivilege | 3440 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3440 | Explorer.EXE
Suspicious use of WriteProcessMemory 18 IoCs
Processes: Asiaction__ Purchase Order_Specification.exe, Explorer.EXE, explorer.exe
description | pid | process | target process
PID 4344 wrote to memory of 4564 | 4344 | Asiaction__ Purchase Order_Specification.exe | powershell.exe (3 entries)
PID 4344 wrote to memory of 3872 | 4344 | Asiaction__ Purchase Order_Specification.exe | schtasks.exe (3 entries)
PID 4344 wrote to memory of 2696 | 4344 | Asiaction__ Purchase Order_Specification.exe | Asiaction__ Purchase Order_Specification.exe (6 entries)
PID 3440 wrote to memory of 3660 | 3440 | Explorer.EXE | explorer.exe (3 entries)
PID 3660 wrote to memory of 3496 | 3660 | explorer.exe | cmd.exe (3 entries)
Processes
C:\Windows\Explorer.EXE (level 1)
  Command line: C:\Windows\Explorer.EXE
  PID: 3440
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
    PID: 4344
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"
      PID: 4564
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (level 3)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9E63.tmp"
      PID: 3872
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe (level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
      PID: 2696
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\explorer.exe (level 2)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    PID: 3660
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
      PID: 3496
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: b896cc8e496781520ab814edd118127e
SHA1: b9a0cc0767200e412121d13edd22a6aa834c79e1
SHA256: 8dcdb5f5faec60d151e52e2ed43e3ff5739d64c1d5c2479edc8434ebd99545bb
SHA512: 077772ca3e894761a46be2309ae3629cb0b3e2c4a499b348a653af995c3558a570d70d132ea8f0df1533d2bada40047034074ea92f85f1cd5177b8fc2cb0dc4c