Analysis Overview
SHA256
56e0ddbe7333484dbf0251177a4fd5fa51cce0b5cd42efcc7f9c312b1818be56
Threat Level: Known bad
The file Asiaction__ Purchase Order_Specification.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Deletes itself
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of UnmapMainImage
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 07:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 07:33
Reported
2024-05-10 07:36
Platform
win7-20240508-en
Max time kernel
148s
Max time network
120s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 848 set thread context of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe |
| PID 2660 set thread context of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | C:\Windows\Explorer.EXE |
| PID 2760 set thread context of 1192 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
"C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp677A.tmp"
C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
"C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp677A.tmp
| MD5 | 963bad9a208e910f2564295499d7f6ae |
| SHA1 | 2fee43c44e15299e40a96b150f1a5e5876c8e560 |
| SHA256 | 4335348bd9b7d19e43494057605100a1bb07fa5e39d1f3d363d7cc4474602b69 |
| SHA512 | 4637a29c434f877a92921f655dc7d53bd818d5c29217ce0550a10e0eaf8f20861c886fa2e0f06684a57d89316787d7c5146866dd72ba6808776e6bf8d402f56e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 07:33
Reported
2024-05-10 07:36
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
140s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1476 set thread context of 3876 | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe |
| PID 3876 set thread context of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | C:\Windows\Explorer.EXE |
| PID 3680 set thread context of 3552 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
"C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\nRGThSlhfFI.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nRGThSlhfFI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7280.tmp"
C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe
"C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Asiaction__ Purchase Order_Specification.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\tmp7280.tmp
| MD5 | ad3fdf3e46be0a94e6347cf79a937818 |
| SHA1 | 6dfd25d5ed48736ff5d33baa3df1d7aed085bcd4 |
| SHA256 | 17a7138a327b1fc2025cf0abb3dc5903587ae8975aa9b707fa43ac9700c89d2e |
| SHA512 | 2146e1af4f630959db7dc6589daf63820056e790a5a4215ac417342423c9c154cfe336185f08ba54567538c29e989edcabdf4dc5aa39ebe20fcccd981900f7b5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0yt5s0g.ji0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |