Analysis Overview
SHA256
e2fb3e62884d3e10aa6340adc488e37ffb2b15cbfe4842ff4bc7c1c83b908305
Threat Level: Known bad
The file PURCHASING ORDER.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Deletes itself
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-07-18 05:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-18 05:47
Reported
2024-07-18 05:49
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2064 set thread context of 3708 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe |
| PID 3708 set thread context of 3468 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | C:\Windows\Explorer.EXE |
| PID 3264 set thread context of 3468 | N/A | C:\Windows\SysWOW64\msdt.exe | C:\Windows\Explorer.EXE |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msdt.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Windows\SysWOW64\autochk.exe | "C:\Windows\SysWOW64\autochk.exe" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.strategyguys.info | udp |
| BR | 89.116.213.227:80 | www.strategyguys.info | tcp |
| US | 8.8.8.8:53 | 227.213.116.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.b10a.shop | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wwwhg58a.com | udp |
| HK | 103.144.219.16:80 | www.wwwhg58a.com | tcp |
| US | 8.8.8.8:53 | 16.219.144.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.axgventures.com | udp |
| US | 76.223.105.230:80 | www.axgventures.com | tcp |
| US | 8.8.8.8:53 | 230.105.223.76.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.alivioquantico.com | udp |
| US | 192.185.209.182:80 | www.alivioquantico.com | tcp |
| US | 8.8.8.8:53 | 182.209.185.192.in-addr.arpa | udp |
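The Network table above mixes sandbox background traffic (Bing, reverse PTR lookups against 8.8.8.8) with the hosts the sample actually reached. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the table's own pipe format, drops the noise, and separates domains that received a TCP session from domains that were only resolved. The noise rules and the row regex are assumptions made for this example, and no contacted domain is labelled as the live C2, because Formbook beacons to decoy domains as well as the real one and that attribution needs the decoded config, not the traffic.

```python
"""
Added example (not from the sandbox report): turn a Tria.ge-style Network
table into candidate IOCs, separating detonation-VM noise from the hosts the
sample contacted. Input rows are copied from the behavioral2 table; the noise
rules are the author's assumptions and should be tuned per sandbox.
"""
import re
from collections import defaultdict

# Subset of the behavioral2 Network table, copied as-is.
NETWORK_TABLE = """\
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | www.strategyguys.info | udp |
| BR | 89.116.213.227:80 | www.strategyguys.info | tcp |
| US | 8.8.8.8:53 | 227.213.116.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.b10a.shop | udp |
| US | 8.8.8.8:53 | www.wwwhg58a.com | udp |
| HK | 103.144.219.16:80 | www.wwwhg58a.com | tcp |
| US | 8.8.8.8:53 | www.axgventures.com | udp |
| US | 76.223.105.230:80 | www.axgventures.com | tcp |
| US | 8.8.8.8:53 | www.alivioquantico.com | udp |
| US | 192.185.209.182:80 | www.alivioquantico.com | tcp |
"""

# Hosts the detonation VM talks to on its own (assumption: extend per sandbox).
NOISE_DOMAINS = re.compile(r"(\.|^)(bing\.com|bing\.net|microsoft\.com|windowsupdate\.com)$")
ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|$")


def parse_rows(table):
    """Parse '| Country | ip:port | Domain | Proto |' rows into dicts."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            country, dest, domain, proto = m.groups()
            ip, port = dest.rsplit(":", 1)
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain, "proto": proto})
    return rows


def classify(row):
    """Label a row as PTR noise, OS noise, DNS-only, or an actual contact."""
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr-noise"
    if NOISE_DOMAINS.search(d):
        return "os-noise"
    if row["proto"] == "udp" and row["port"] == 53:
        return "resolved-only"   # DNS query seen; a TCP session may or may not follow
    return "contacted"


def extract_iocs(table):
    """Return {'contacted': {domain: [(ip, port, country)]}, 'resolved_only': [domains]}."""
    contacted = defaultdict(list)
    resolved = set()
    for row in parse_rows(table):
        kind = classify(row)
        if kind == "contacted":
            contacted[row["domain"]].append((row["ip"], row["port"], row["country"]))
        elif kind == "resolved-only":
            resolved.add(row["domain"])
    # A domain that only ever appears as a DNS query (here www.b10a.shop) never
    # got a session: still worth blocking, but a weaker indicator.
    resolved_only = sorted(resolved - set(contacted))
    return {"contacted": dict(contacted), "resolved_only": resolved_only}


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_TABLE)
    for domain, hits in iocs["contacted"].items():
        for ip, port, cc in hits:
            print(f"{domain}\t{ip}:{port}\t{cc}")
    print("resolved only:", ", ".join(iocs["resolved_only"]))
```

Feed the full table in place of the embedded subset to get the complete list; the PTR lookups are the sandbox resolving the peers it saw and carry no information about the sample.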
Files
memory/2064-0-0x000000007523E000-0x000000007523F000-memory.dmp
memory/2064-1-0x0000000000560000-0x000000000060E000-memory.dmp
memory/2064-2-0x0000000005680000-0x0000000005C24000-memory.dmp
memory/2064-3-0x0000000004FC0000-0x0000000005052000-memory.dmp
memory/2064-4-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/2064-5-0x0000000005070000-0x000000000507A000-memory.dmp
memory/2064-6-0x0000000005260000-0x00000000055B4000-memory.dmp
memory/2064-7-0x0000000005630000-0x0000000005642000-memory.dmp
memory/2064-8-0x0000000005CC0000-0x0000000005CE2000-memory.dmp
memory/2064-9-0x0000000006D60000-0x0000000006D7A000-memory.dmp
memory/2064-10-0x0000000006610000-0x000000000661E000-memory.dmp
memory/2064-11-0x0000000006630000-0x00000000066A6000-memory.dmp
memory/2064-12-0x0000000006900000-0x000000000699C000-memory.dmp
memory/3708-13-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2064-15-0x0000000075230000-0x00000000759E0000-memory.dmp
memory/3708-16-0x0000000001200000-0x000000000154A000-memory.dmp
memory/3708-19-0x0000000000ED0000-0x0000000000EE5000-memory.dmp
memory/3708-18-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3468-20-0x0000000003540000-0x0000000003650000-memory.dmp
memory/3264-21-0x00000000007A0000-0x00000000007F7000-memory.dmp
memory/3264-22-0x00000000007A0000-0x00000000007F7000-memory.dmp
memory/3264-23-0x0000000000B10000-0x0000000000B3F000-memory.dmp
memory/3468-25-0x0000000003540000-0x0000000003650000-memory.dmp
memory/3468-27-0x00000000090B0000-0x00000000091F7000-memory.dmp
memory/3468-28-0x00000000090B0000-0x00000000091F7000-memory.dmp
memory/3468-31-0x00000000090B0000-0x00000000091F7000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-18 05:47
Reported
2024-07-18 05:49
Platform
win7-20240704-en
Max time kernel
145s
Max time network
119s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2732 set thread context of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe |
| PID 2616 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | C:\Windows\Explorer.EXE |
| PID 2616 set thread context of 1200 | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | C:\Windows\Explorer.EXE |
| PID 700 set thread context of 1200 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\help.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe | "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
| C:\Windows\SysWOW64\help.exe | "C:\Windows\SysWOW64\help.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe" |
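Both detonations show the same three-step SetThreadContext chain (a hollowed copy of the loader, that copy injecting Explorer, then a SysWOW64 utility injecting Explorer again: help.exe on Win7, msdt.exe on Win10) followed by cmd.exe deleting the original file. The script below is an added example, not part of the sandbox report or its tooling: it rebuilds that chain from the signature rows in the table's own format, names the stage each edge represents, and checks the process list for the self-delete. The stage labels, the row regex and the one-edge-per-PID-pair de-duplication are assumptions made for this example; the rows and process entries are copied from the behavioral1 sections above.

```python
"""
Added example (not from the sandbox report): reconstruct the injection chain
from 'PID X set thread context of Y' rows and detect the cmd.exe self-delete.
Stage names are the author's labels for the Formbook behaviour seen in both
detonations, not values the sandbox emits.
"""
import re
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\PURCHASING ORDER.exe"

# Rows copied from the behavioral1 'Suspicious use of SetThreadContext' table.
SET_THREAD_CONTEXT_ROWS = [
    f"| PID 2732 set thread context of 2616 | N/A | {SAMPLE} | {SAMPLE} |",
    f"| PID 2616 set thread context of 1200 | N/A | {SAMPLE} | C:\\Windows\\Explorer.EXE |",
    f"| PID 2616 set thread context of 1200 | N/A | {SAMPLE} | C:\\Windows\\Explorer.EXE |",
    r"| PID 700 set thread context of 1200 | N/A | C:\Windows\SysWOW64\help.exe | C:\Windows\Explorer.EXE |",
]

# (image, command line) pairs, a subset of the behavioral1 Processes list.
PROCESSES = [
    (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (SAMPLE, f'"{SAMPLE}"'),
    (r"C:\Windows\SysWOW64\help.exe", r'"C:\Windows\SysWOW64\help.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe", f'/c del "{SAMPLE}"'),
]

ROW = re.compile(r"^\|\s*PID (\d+) set thread context of (\d+)\s*\|[^|]*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|$")
SYSWOW64 = "c:\\windows\\syswow64\\"


def base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def stage(src_image, dst_image):
    """Name the technique a SetThreadContext edge most likely represents (assumed labels)."""
    src, dst = base(src_image), base(dst_image)
    if src == dst:
        return "hollowing"          # suspended copy of itself, entry point redirected
    if dst == "explorer.exe" and src_image.lower().startswith(SYSWOW64):
        return "system-tool relay"  # OS utility re-injects Explorer
    if dst == "explorer.exe":
        return "explorer injection"
    return "cross-process"


def injection_chain(rows):
    """Return ordered edges (src_pid, dst_pid, src_image, dst_image, stage), one per PID pair."""
    edges, seen = [], set()
    for row in rows:
        m = ROW.match(row)
        if not m:
            continue
        src_pid, dst_pid, src_img, dst_img = m.groups()
        key = (int(src_pid), int(dst_pid))
        if key in seen:             # the report repeats an edge per injected region
            continue
        seen.add(key)
        edges.append((*key, src_img, dst_img, stage(src_img, dst_img)))
    return edges


def pids_touched(edges):
    """Map each PID to the roles it plays, i.e. which processes are worth dumping."""
    roles = defaultdict(set)
    for src_pid, dst_pid, _, _, kind in edges:
        roles[src_pid].add(f"injector:{kind}")
        roles[dst_pid].add(f"target:{kind}")
    return dict(roles)


def self_delete(processes, sample_path):
    """True when cmd.exe is spawned purely to delete the sample's own image."""
    pattern = re.compile(r'^/c\s+del\s+"?' + re.escape(sample_path) + r'"?\s*$', re.I)
    return any(base(img) == "cmd.exe" and pattern.match(cmd.strip())
               for img, cmd in processes)


if __name__ == "__main__":
    for src, dst, si, di, kind in injection_chain(SET_THREAD_CONTEXT_ROWS):
        print(f"{src:>5} -> {dst:<5} {kind:<18} {base(si)} -> {base(di)}")
    print("self-delete via cmd.exe:", self_delete(PROCESSES, SAMPLE))
```

Swapping in the behavioral2 rows (PIDs 2064, 3708, 3468 and msdt.exe as 3264) yields the same three stage labels, which is the quickest way to confirm the two detonations show one behaviour rather than two; the Explorer PID is the one to dump for the unpacked payload, since it is the target of every later edge.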
Network
Files
memory/2732-0-0x0000000074C3E000-0x0000000074C3F000-memory.dmp
memory/2732-1-0x0000000000200000-0x00000000002AE000-memory.dmp
memory/2732-2-0x0000000074C30000-0x000000007531E000-memory.dmp
memory/2732-3-0x0000000000810000-0x000000000082A000-memory.dmp
memory/2732-4-0x0000000000840000-0x000000000084E000-memory.dmp
memory/2732-5-0x0000000004E70000-0x0000000004EE6000-memory.dmp
memory/2616-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2616-7-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2616-6-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2616-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2732-12-0x0000000074C30000-0x000000007531E000-memory.dmp
memory/2616-13-0x0000000000A20000-0x0000000000D23000-memory.dmp
memory/1200-17-0x0000000004EB0000-0x0000000005048000-memory.dmp
memory/2616-16-0x0000000000140000-0x0000000000155000-memory.dmp
memory/2616-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1200-19-0x0000000004EB0000-0x0000000005048000-memory.dmp
memory/1200-22-0x0000000004190000-0x0000000004282000-memory.dmp
memory/2616-21-0x00000000001D0000-0x00000000001E5000-memory.dmp
memory/2616-20-0x0000000000400000-0x000000000042F000-memory.dmp
memory/700-25-0x0000000000070000-0x0000000000076000-memory.dmp
memory/700-23-0x0000000000070000-0x0000000000076000-memory.dmp
memory/700-26-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/1200-29-0x0000000004190000-0x0000000004282000-memory.dmp