Analysis Overview
SHA256
9bf158493325eef78727b2115b1046a345fbefea0d14c45d801dc0504c04ec0c
Threat Level: Known bad
The file f6ed869b733b1f2aa3bdd06040f3372a.bin was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Loads dropped DLL
Executes dropped EXE
Drops startup file
Suspicious use of SetThreadContext
AutoIT Executable
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-18 03:38
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-18 03:38
Reported
2024-07-18 03:41
Platform
win7-20240708-en
Max time kernel
147s
Max time network
119s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3028 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2668 set thread context of 1216 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2668 set thread context of 1216 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2828 set thread context of 1216 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe
"C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
Files
memory/1484-10-0x0000000000320000-0x0000000000430000-memory.dmp
\Users\Admin\AppData\Local\directory\name.exe
| Hash | Value |
| --- | --- |
| MD5 | f6ed869b733b1f2aa3bdd06040f3372a |
| SHA1 | 7075acf1c62e44653f5c834a14b56cd342f0ae5a |
| SHA256 | 05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1 |
| SHA512 | cba7753022eaa43f2d1bc77c73c7276824545e3083eee5e321f8be5b729bad3b01fe84108cbc5bdbe5fca7df1e802a55b36ef19292b1874a1cb514af5c16c582 |
memory/1484-16-0x0000000000320000-0x0000000000430000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\niellists
| Hash | Value |
| --- | --- |
| MD5 | 58078733b08c9abd4a1d6945eedd33f7 |
| SHA1 | 9d3b0fa2d1d78bc91875e656c82ac9c0a78ab5e2 |
| SHA256 | b9934664b8c472743c1170afd0acfbbc1d6a299ade5451e4dfd7dee18d1a60c7 |
| SHA512 | 87b2f00bb55166bfc1d3da8a3f65648fb9cc0690ccd47ec70f589be1808351c13904fc9ab8e2b253e59ff1e8d90e4e75d22f106627312ca26d2ff098166a2f40 |
C:\Users\Admin\AppData\Local\Temp\Mazatl
| Hash | Value |
| --- | --- |
| MD5 | e0a5cf114d58f8ee0ff4291a867fd137 |
| SHA1 | 1b158ff65388347954508f5b7f199371e19223e3 |
| SHA256 | eafeb8c80d4ad126dadef3f52db44f656a8aeef68287af04a50e6fa881b9140e |
| SHA512 | 8546fef189b766616f1d99e98dba8b46809e2f5097c7ab931096ff3838439a2e18b4a2a61cbd0d318c0aa0ff014e883711210f5cdeaa6a021aaa57f628fb7ac4 |
memory/3028-30-0x0000000000110000-0x0000000000114000-memory.dmp
memory/2668-32-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-33-0x0000000000930000-0x0000000000C33000-memory.dmp
memory/2668-36-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-35-0x0000000000150000-0x0000000000165000-memory.dmp
memory/1216-37-0x00000000043A0000-0x00000000045A0000-memory.dmp
memory/1216-38-0x0000000004B00000-0x0000000004C00000-memory.dmp
memory/1216-42-0x0000000004FE0000-0x000000000513A000-memory.dmp
memory/2668-41-0x0000000000280000-0x0000000000295000-memory.dmp
memory/2668-40-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2828-44-0x0000000000F00000-0x0000000000F06000-memory.dmp
memory/2828-43-0x0000000000F00000-0x0000000000F06000-memory.dmp
memory/2828-45-0x00000000000C0000-0x00000000000EF000-memory.dmp
memory/1216-46-0x0000000004FE0000-0x000000000513A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-18 03:38
Reported
2024-07-18 03:41
Platform
win10v2004-20240709-en
Max time kernel
146s
Max time network
123s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2928 set thread context of 4208 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4208 set thread context of 3460 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4208 set thread context of 3460 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe
"C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
Files
memory/3080-10-0x0000000000D90000-0x0000000000D94000-memory.dmp
C:\Users\Admin\AppData\Local\directory\name.exe
| Hash | Value |
| --- | --- |
| MD5 | f6ed869b733b1f2aa3bdd06040f3372a |
| SHA1 | 7075acf1c62e44653f5c834a14b56cd342f0ae5a |
| SHA256 | 05b3ae9c167cf06edf52dc99127dfd516e24ead51e9da7d3fbf230124e7063e1 |
| SHA512 | cba7753022eaa43f2d1bc77c73c7276824545e3083eee5e321f8be5b729bad3b01fe84108cbc5bdbe5fca7df1e802a55b36ef19292b1874a1cb514af5c16c582 |
C:\Users\Admin\AppData\Local\Temp\Mazatl
| Hash | Value |
| --- | --- |
| MD5 | e0a5cf114d58f8ee0ff4291a867fd137 |
| SHA1 | 1b158ff65388347954508f5b7f199371e19223e3 |
| SHA256 | eafeb8c80d4ad126dadef3f52db44f656a8aeef68287af04a50e6fa881b9140e |
| SHA512 | 8546fef189b766616f1d99e98dba8b46809e2f5097c7ab931096ff3838439a2e18b4a2a61cbd0d318c0aa0ff014e883711210f5cdeaa6a021aaa57f628fb7ac4 |
C:\Users\Admin\AppData\Local\Temp\niellists
| Hash | Value |
| --- | --- |
| MD5 | 58078733b08c9abd4a1d6945eedd33f7 |
| SHA1 | 9d3b0fa2d1d78bc91875e656c82ac9c0a78ab5e2 |
| SHA256 | b9934664b8c472743c1170afd0acfbbc1d6a299ade5451e4dfd7dee18d1a60c7 |
| SHA512 | 87b2f00bb55166bfc1d3da8a3f65648fb9cc0690ccd47ec70f589be1808351c13904fc9ab8e2b253e59ff1e8d90e4e75d22f106627312ca26d2ff098166a2f40 |
memory/4208-28-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4208-29-0x0000000001400000-0x000000000174A000-memory.dmp
memory/4208-31-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4208-32-0x0000000001920000-0x0000000001935000-memory.dmp
memory/3460-33-0x00000000030B0000-0x0000000003176000-memory.dmp
memory/4208-35-0x0000000000400000-0x000000000042F000-memory.dmp
memory/4208-36-0x00000000032C0000-0x00000000032D5000-memory.dmp
memory/3460-37-0x0000000008CA0000-0x0000000008E35000-memory.dmp
memory/3460-38-0x0000000008CA0000-0x0000000008E35000-memory.dmp