Analysis Overview
SHA256
ad796730fe76da567b892419b2cdba44eeaef29bf62b637c3c3af4cce42886ce
Threat Level: Known bad
The file Bill for the Month of August.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-02 12:08
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-02 12:08
Reported
2024-09-02 12:10
Platform
win7-20240704-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2388 set thread context of 2200 | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2200 set thread context of 1200 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1244 set thread context of 1200 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe
"C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.wheresthechocolateat.com | udp |
| US | 13.248.243.5:80 | www.wheresthechocolateat.com | tcp |
| US | 8.8.8.8:53 | www.c21candacedevillier.com | udp |
| US | 198.185.159.144:80 | www.c21candacedevillier.com | tcp |
| US | 8.8.8.8:53 | www.healthsaveplus.com | udp |
| US | 199.116.255.220:80 | www.healthsaveplus.com | tcp |
| US | 8.8.8.8:53 | www.wvufcw948o.top | udp |
| HK | 103.235.47.188:80 | www.wvufcw948o.top | tcp |
| US | 8.8.8.8:53 | www.uddyen.shop | udp |
| US | 8.8.8.8:53 | www.strategiclogisticsagency.com | udp |
Files
memory/2388-10-0x00000000001E0000-0x00000000001E4000-memory.dmp
memory/2200-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2200-12-0x00000000009E0000-0x0000000000CE3000-memory.dmp
memory/2200-15-0x0000000000180000-0x0000000000194000-memory.dmp
memory/2200-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1200-16-0x0000000005120000-0x0000000005211000-memory.dmp
memory/1244-17-0x0000000000050000-0x0000000000057000-memory.dmp
memory/1244-18-0x0000000000050000-0x0000000000057000-memory.dmp
memory/1244-19-0x0000000000090000-0x00000000000BF000-memory.dmp
memory/1200-20-0x0000000005120000-0x0000000005211000-memory.dmp
memory/1200-25-0x0000000006B70000-0x0000000006C83000-memory.dmp
memory/1200-26-0x0000000006B70000-0x0000000006C83000-memory.dmp
memory/1200-28-0x0000000006B70000-0x0000000006C83000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-02 12:08
Reported
2024-09-02 12:10
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3400 set thread context of 3500 | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3500 set thread context of 3424 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 3500 set thread context of 3424 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4420 set thread context of 3424 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe
"C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Bill for the Month of August.exe"
C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dental-implants-89083.bond | udp |
| DE | 185.53.179.94:80 | www.dental-implants-89083.bond | tcp |
| US | 8.8.8.8:53 | 94.179.53.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.healthsaveplus.com | udp |
| US | 199.116.255.220:80 | www.healthsaveplus.com | tcp |
| US | 8.8.8.8:53 | 220.255.116.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dvdripguides.com | udp |
| US | 104.21.76.183:80 | www.dvdripguides.com | tcp |
| US | 8.8.8.8:53 | 183.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.eraplay88rtpgacor.lat | udp |
| US | 8.8.8.8:53 | www.wheresthechocolateat.com | udp |
| US | 13.248.243.5:80 | www.wheresthechocolateat.com | tcp |
| US | 8.8.8.8:53 | 5.243.248.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.gv3l1.vip | udp |
| HK | 93.179.124.74:80 | www.gv3l1.vip | tcp |
| US | 8.8.8.8:53 | 74.124.179.93.in-addr.arpa | udp |
Files
memory/3400-10-0x0000000001000000-0x0000000001004000-memory.dmp
memory/3500-11-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3500-12-0x0000000001500000-0x000000000184A000-memory.dmp
memory/3500-15-0x0000000001930000-0x0000000001944000-memory.dmp
memory/3500-14-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3424-16-0x0000000007D10000-0x0000000007DC6000-memory.dmp
memory/3424-20-0x00000000082F0000-0x00000000083EF000-memory.dmp
memory/3500-19-0x0000000003240000-0x0000000003254000-memory.dmp
memory/3500-18-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3424-21-0x0000000007D10000-0x0000000007DC6000-memory.dmp
memory/4420-23-0x0000000000210000-0x0000000000216000-memory.dmp
memory/4420-22-0x0000000000210000-0x0000000000216000-memory.dmp
memory/4420-24-0x0000000001070000-0x000000000109F000-memory.dmp
memory/3424-25-0x00000000082F0000-0x00000000083EF000-memory.dmp
memory/3424-28-0x00000000083F0000-0x0000000008553000-memory.dmp
memory/3424-30-0x00000000083F0000-0x0000000008553000-memory.dmp
memory/3424-31-0x00000000083F0000-0x0000000008553000-memory.dmp