Analysis

Max time kernel: 149s
Max time network: 140s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 10-05-2024 07:33

Static task: static1
Behavioral task: behavioral1
Sample: Asiaction__ Purchase Order_Specification.exe
Resource: win7-20240508-en
General

Target: Asiaction__ Purchase Order_Specification.exe
Size: 616KB
MD5: 19e12707415e84553f9743a4d109ef73
SHA1: 96fc30b169baa93b1c45cac3de430cb52cfad229
SHA256: 56e0ddbe7333484dbf0251177a4fd5fa51cce0b5cd42efcc7f9c312b1818be56
SHA512: 5cbb44f5894e8cb139e54d9cc664ff00e3a1dde901fc9dc3017f49ae03e382bf648164526d233c869c48fdbda7c0ae2a23b4d70229de986341d1c26d5120b988
SSDEEP: 12288:SIKHQ8nWqI00M5PKTOd5iudnHR+vzjKQqePFLVoq3Fw:SIKH5fI0B5Pr57dnHMLqePRVoMF
Malware Config (extracted)

Family: formbook
Version: 4.1
Campaign: sg36
C2 domains: 65 domains in the extracted config
Signatures

Formbook payload (3 IoCs)
Memory regions matching the formbook YARA rule:
- behavioral2/memory/3876-20-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/3876-30-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral2/memory/3680-74-0x00000000010F0000-0x000000000111F000-memory.dmp

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Process: Asiaction__ Purchase Order_Specification.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation

Suspicious use of SetThreadContext (3 IoCs)
- PID 1476 (Asiaction__ Purchase Order_Specification.exe) set thread context of PID 3876 (Asiaction__ Purchase Order_Specification.exe)
- PID 3876 (Asiaction__ Purchase Order_Specification.exe) set thread context of PID 3552 (Explorer.EXE)
- PID 3680 (explorer.exe) set thread context of PID 3552 (Explorer.EXE)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (59 IoCs)
Events per process:
- PID 1476 Asiaction__ Purchase Order_Specification.exe: 3
- PID 1960 powershell.exe: 2
- PID 3876 Asiaction__ Purchase Order_Specification.exe: 4
- PID 3680 explorer.exe: 50

Suspicious behavior: MapViewOfSection (5 IoCs)
Events per process:
- PID 3876 Asiaction__ Purchase Order_Specification.exe: 3
- PID 3680 explorer.exe: 2

Suspicious use of AdjustPrivilegeToken (6 IoCs)
- PID 1476 Asiaction__ Purchase Order_Specification.exe: SeDebugPrivilege
- PID 1960 powershell.exe: SeDebugPrivilege
- PID 3876 Asiaction__ Purchase Order_Specification.exe: SeDebugPrivilege
- PID 3552 Explorer.EXE: SeShutdownPrivilege
- PID 3552 Explorer.EXE: SeCreatePagefilePrivilege
- PID 3680 explorer.exe: SeDebugPrivilege

Suspicious use of UnmapMainImage (1 IoC)
- PID 3552 Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
- PID 1476 (Asiaction__ Purchase Order_Specification.exe) wrote to memory of PID 1960 (powershell.exe): 3 events
- PID 1476 (Asiaction__ Purchase Order_Specification.exe) wrote to memory of PID 4212 (schtasks.exe): 3 events
- PID 1476 (Asiaction__ Purchase Order_Specification.exe) wrote to memory of PID 3876 (Asiaction__ Purchase Order_Specification.exe): 6 events
- PID 3552 (Explorer.EXE) wrote to memory of PID 3680 (explorer.exe): 3 events
- PID 3680 (explorer.exe) wrote to memory of PID 2276 (cmd.exe): 3 events
Processes

C:\Windows\Explorer.EXE (PID 3552)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe (PID 1476)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1960)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\schtasks.exe (PID 4212)
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7280.tmp"
      - Creates scheduled task(s)

    C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe (PID 3876)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\explorer.exe (PID 3680)
    Command line: "C:\Windows\SysWOW64\explorer.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 2276)
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 1KB
MD5: ad3fdf3e46be0a94e6347cf79a937818
SHA1: 6dfd25d5ed48736ff5d33baa3df1d7aed085bcd4
SHA256: 17a7138a327b1fc2025cf0abb3dc5903587ae8975aa9b707fa43ac9700c89d2e
SHA512: 2146e1af4f630959db7dc6589daf63820056e790a5a4215ac417342423c9c154cfe336185f08ba54567538c29e989edcabdf4dc5aa39ebe20fcccd981900f7b5