Analysis
-
max time kernel
148s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
10-05-2024 07:33
Static task
static1
Behavioral task
behavioral1
Sample
Asiaction__ Purchase Order_Specification.exe
Resource
win7-20240508-en
General
-
Target
Asiaction__ Purchase Order_Specification.exe
-
Size
616KB
-
MD5
19e12707415e84553f9743a4d109ef73
-
SHA1
96fc30b169baa93b1c45cac3de430cb52cfad229
-
SHA256
56e0ddbe7333484dbf0251177a4fd5fa51cce0b5cd42efcc7f9c312b1818be56
-
SHA512
5cbb44f5894e8cb139e54d9cc664ff00e3a1dde901fc9dc3017f49ae03e382bf648164526d233c869c48fdbda7c0ae2a23b4d70229de986341d1c26d5120b988
-
SSDEEP
12288:SIKHQ8nWqI00M5PKTOd5iudnHR+vzjKQqePFLVoq3Fw:SIKH5fI0B5Pr57dnHMLqePRVoMF
Malware Config
Extracted
formbook
4.1
sg36
cookfranschhoek.com
rajaslot138.today
eightfigureroundtable.com
sdklwdz.com
novaturienthealth.com
sk87k.xyz
defoutenmakers.online
eadsanuncios.com
drewkav.com
car-insurance-94416.bond
m3nm.site
6vab.site
towing-barnesville.top
authentifizierung-beginnen.com
thejmfc.com
beggiapizza.site
gttsfibermill.com
cdugood.com
dominiongeneralcontractors.com
deprepagos.com
writetoday.app
kinleysbeatyreveiws.com
ah-ysdl.com
pj2698.com
prosource-eu.com
realizzazionesitiinternet.net
hoidap360.com
poncetruckingshop.online
momsmobilegrooming.com
ghafirer.store
dhl.cyou
dalvalynch.net
14wow.com
bulletinod.lat
aisubrosa.com
ligneap.pics
nobusinessplan.com
callumwallace.com
kaisen-ebizo.com
bouhabba.com
onlyrl.com
dancokerss.online
sustainablepartners-la.com
wqks7.site
bzxtor.xyz
tecgulf.com
dailydei.com
summitpointkeyword.top
aniba.foundation
coolfashions.shop
bestmindbodyhealingpodcast.com
fulfide.com
va4is5w.sbs
reddy-fairplay.shop
bitflyer.global
menomonietowing.top
vwjq3.site
bbetslo.top
goldwin-open.online
totalpriceforyourhome.com
realestateadvice.site
dip2024.com
ashvalueprofilereport.com
mcdowelltowing.top
ldvicecream.com
Signatures
-
Formbook payload 2 IoCs
Processes:
resource: behavioral1/memory/2660-19-0x0000000000400000-0x000000000042F000-memory.dmp    yara_rule: formbook
resource: behavioral1/memory/2760-26-0x00000000000D0000-0x00000000000FF000-memory.dmp    yara_rule: formbook
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Deletes itself 1 IoCs
Processes:
pid 2924    process cmd.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
description / pid / process / target process:
PID 848 set thread context of 2660    848    Asiaction__ Purchase Order_Specification.exe    Asiaction__ Purchase Order_Specification.exe
PID 2660 set thread context of 1192    2660    Asiaction__ Purchase Order_Specification.exe    Explorer.EXE
PID 2760 set thread context of 1192    2760    msiexec.exe    Explorer.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 31 IoCs
Processes:
pid / process (event count):
848    Asiaction__ Purchase Order_Specification.exe    (2)
2660    Asiaction__ Purchase Order_Specification.exe    (2)
2684    powershell.exe    (1)
2760    msiexec.exe    (26)
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid / process (event count):
2660    Asiaction__ Purchase Order_Specification.exe    (3)
2760    msiexec.exe    (2)
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description / pid / process:
Token: SeDebugPrivilege    848    Asiaction__ Purchase Order_Specification.exe
Token: SeDebugPrivilege    2660    Asiaction__ Purchase Order_Specification.exe
Token: SeDebugPrivilege    2684    powershell.exe
Token: SeDebugPrivilege    2760    msiexec.exe
-
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
description / pid / process / target process (event count):
PID 848 wrote to memory of 2684    848    Asiaction__ Purchase Order_Specification.exe    powershell.exe    (4)
PID 848 wrote to memory of 2728    848    Asiaction__ Purchase Order_Specification.exe    schtasks.exe    (4)
PID 848 wrote to memory of 2660    848    Asiaction__ Purchase Order_Specification.exe    Asiaction__ Purchase Order_Specification.exe    (7)
PID 1192 wrote to memory of 2760    1192    Explorer.EXE    msiexec.exe    (7)
PID 2760 wrote to memory of 2924    2760    msiexec.exe    cmd.exe    (4)
Processes
-
[1] C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 1192
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
        PID: 848
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"
            PID: 2684
            - Command and Scripting Interpreter: PowerShell
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        [3] C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp677A.tmp"
            PID: 2728
            - Creates scheduled task(s)
        [3] C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
            PID: 2660
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\SysWOW64\msiexec.exe
        Command line: "C:\Windows\SysWOW64\msiexec.exe"
        PID: 2760
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
            PID: 2924
            - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1KB
MD5
963bad9a208e910f2564295499d7f6ae
SHA1
2fee43c44e15299e40a96b150f1a5e5876c8e560
SHA256
4335348bd9b7d19e43494057605100a1bb07fa5e39d1f3d363d7cc4474602b69
SHA512
4637a29c434f877a92921f655dc7d53bd818d5c29217ce0550a10e0eaf8f20861c886fa2e0f06684a57d89316787d7c5146866dd72ba6808776e6bf8d402f56e