Analysis Overview
SHA256
ba67d6bb2d0999ec60d8f95bddb0cf5386a00a8bea67a72f2886ecdfebff10de
Threat Level: Known bad
The file 269066cb8351bfe6a7922e64ef467c8c.bin was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 01:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 01:08
Reported
2024-08-31 01:10
Platform
win7-20240704-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2540 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe
"C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe"
C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe
"C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 01:08
Reported
2024-08-31 01:10
Platform
win10v2004-20240802-en
Max time kernel
135s
Max time network
107s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4884 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe
"C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe"
C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe
"C:\Users\Admin\AppData\Local\Temp\f19194ff1ec767b06e63a0239670106f598b4df2b660c5c2e6f6707646c07d2c.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files