Analysis Overview
SHA256
fc46187003aa1a9985cee2654c50b04faa8167ac6f2e0a18234707fc7b8414af
Threat Level: Known bad
The file 16072024_1535_16072024_DHL_UOC2_240708172813545.pdf.z was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Blocklisted process makes network request
Drops startup file
Executes dropped EXE
Loads dropped DLL
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-16 15:35
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-16 15:35
Reported
2024-07-16 15:38
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5072 set thread context of 3332 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3332 set thread context of 3344 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 3332 set thread context of 3344 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1240 set thread context of 3344 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe" |
| C:\Users\Admin\AppData\Local\directory\name.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\SysWOW64\wscript.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cognigrid.com | udp |
| DE | 3.64.163.50:80 | www.cognigrid.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cognigrid.com | udp |
| DE | 3.64.163.50:80 | www.cognigrid.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.bdkasinoxox.xyz | udp |
| US | 162.0.209.7:80 | www.bdkasinoxox.xyz | tcp |
| US | 8.8.8.8:53 | www.bdkasinoxox.xyz | udp |
| US | 162.0.209.7:80 | www.bdkasinoxox.xyz | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sangforln.tech | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.laske.xyz | udp |
| US | 8.8.8.8:53 | www.cameras-30514.bond | udp |
| DE | 185.53.179.93:80 | www.cameras-30514.bond | tcp |
| US | 8.8.8.8:53 | 93.179.53.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.st68v.xyz | udp |
Files
memory/1656-10-0x00000000005B0000-0x00000000005B4000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| Hash | Value |
| --- | --- |
| MD5 | 2465ce9d09372c4daf8a9d6d36c11915 |
| SHA1 | 08e205473e1bf912fe01e7183cc4e7f880f0e86c |
| SHA256 | fa9ea4e8935d55eb5ef1846b525f02572e147be07c11588e55475e1d7a173676 |
| SHA512 | 137e60039c82e7ace769a7914050b0dd7152a57780f4dcb7e6df0ad818fe38f45b2fc0e1ff4eb0d2f0d86cbc6fb0b1cdb74aafb224709755c390a2c390f5fed4 |
C:\Users\Admin\AppData\Local\Temp\unnervousness
| Hash | Value |
| --- | --- |
| MD5 | 8de38e7797a6470be9995a7f809b0ce1 |
| SHA1 | 663e73bb07e0aa3927fdab180dbc970f3372d190 |
| SHA256 | e53119a0212391d5aa8a43826a8a166b46f001ecdff29b4f9f25f231dcaea54d |
| SHA512 | c9f7293ead1816f44132daf867ee18fcc744754dac83d4eb2101ff00e2c3a096ade79d766e7a45e12989e13ec93a8a469f82dd8f0b850870bf16cf702756e7eb |
C:\Users\Admin\AppData\Local\Temp\anaboly
| Hash | Value |
| --- | --- |
| MD5 | 1c95c1e5415911bbac633536ebceabda |
| SHA1 | 2c71566ac288b115b4b94d4b0facfad2f5643483 |
| SHA256 | 475a0354d1eae20ebbdb55e8ba86a4eef341b22246cf202ec834c4af03980a3a |
| SHA512 | e606df44ff8871d14ff84ebb0781b15884c2df36100ecd3b7dc9c7407761494a7ab3e9f1ddc8eeecf79d051416ece07fe54a9735738f04bf3a1b8d4be38c43e3 |
memory/3332-28-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3332-29-0x0000000001A00000-0x0000000001D4A000-memory.dmp
memory/3332-31-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3332-32-0x00000000017C0000-0x00000000017D5000-memory.dmp
memory/3344-33-0x00000000087A0000-0x000000000890E000-memory.dmp
memory/3344-37-0x00000000084E0000-0x000000000861F000-memory.dmp
memory/3332-36-0x00000000038E0000-0x00000000038F5000-memory.dmp
memory/3332-35-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1240-39-0x0000000000050000-0x0000000000077000-memory.dmp
memory/1240-38-0x0000000000050000-0x0000000000077000-memory.dmp
memory/1240-40-0x0000000000980000-0x00000000009AF000-memory.dmp
memory/3344-42-0x00000000084E0000-0x000000000861F000-memory.dmp
memory/3344-44-0x0000000008280000-0x000000000837E000-memory.dmp
memory/3344-45-0x0000000008280000-0x000000000837E000-memory.dmp
memory/3344-49-0x0000000008280000-0x000000000837E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-16 15:35
Reported
2024-07-16 15:38
Platform
win7-20240704-en
Max time kernel
148s
Max time network
118s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2888 set thread context of 2548 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2548 set thread context of 1164 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2544 set thread context of 1164 | N/A | C:\Windows\SysWOW64\colorcpl.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\colorcpl.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe" |
| C:\Users\Admin\AppData\Local\directory\name.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\DHL_UOC2_240708172813545.pdf.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\colorcpl.exe | "C:\Windows\SysWOW64\colorcpl.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
Files
memory/2636-10-0x0000000000370000-0x0000000000374000-memory.dmp
\Users\Admin\AppData\Local\directory\name.exe
| Hash | Value |
| --- | --- |
| MD5 | 2465ce9d09372c4daf8a9d6d36c11915 |
| SHA1 | 08e205473e1bf912fe01e7183cc4e7f880f0e86c |
| SHA256 | fa9ea4e8935d55eb5ef1846b525f02572e147be07c11588e55475e1d7a173676 |
| SHA512 | 137e60039c82e7ace769a7914050b0dd7152a57780f4dcb7e6df0ad818fe38f45b2fc0e1ff4eb0d2f0d86cbc6fb0b1cdb74aafb224709755c390a2c390f5fed4 |
C:\Users\Admin\AppData\Local\Temp\unnervousness
| Hash | Value |
| --- | --- |
| MD5 | 8de38e7797a6470be9995a7f809b0ce1 |
| SHA1 | 663e73bb07e0aa3927fdab180dbc970f3372d190 |
| SHA256 | e53119a0212391d5aa8a43826a8a166b46f001ecdff29b4f9f25f231dcaea54d |
| SHA512 | c9f7293ead1816f44132daf867ee18fcc744754dac83d4eb2101ff00e2c3a096ade79d766e7a45e12989e13ec93a8a469f82dd8f0b850870bf16cf702756e7eb |
C:\Users\Admin\AppData\Local\Temp\anaboly
| Hash | Value |
| --- | --- |
| MD5 | 1c95c1e5415911bbac633536ebceabda |
| SHA1 | 2c71566ac288b115b4b94d4b0facfad2f5643483 |
| SHA256 | 475a0354d1eae20ebbdb55e8ba86a4eef341b22246cf202ec834c4af03980a3a |
| SHA512 | e606df44ff8871d14ff84ebb0781b15884c2df36100ecd3b7dc9c7407761494a7ab3e9f1ddc8eeecf79d051416ece07fe54a9735738f04bf3a1b8d4be38c43e3 |
memory/2548-30-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2548-32-0x00000000008F0000-0x0000000000BF3000-memory.dmp
memory/2548-34-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2548-33-0x0000000000270000-0x0000000000285000-memory.dmp
memory/1164-35-0x0000000005040000-0x0000000005155000-memory.dmp
memory/2544-36-0x0000000000920000-0x0000000000938000-memory.dmp
memory/2544-37-0x0000000000920000-0x0000000000938000-memory.dmp
memory/2544-38-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1164-41-0x0000000005040000-0x0000000005155000-memory.dmp