Analysis Overview
| SHA256 | b64d445b57b68f8150535a837f45c57ae912f6276cb35422bf82a2822ffc3c70 |
Threat Level: Known bad
The file COMMERCAILINVOICEANDDHLAWBTRACKINGDETAILS.PDF.zip was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Loads dropped DLL
Drops startup file
Executes dropped EXE
AutoIT Executable
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-09-20 19:30 |
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-09-20 19:30 |
| Reported | 2024-09-20 19:32 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 148s |
| Max time network | 142s |
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1768 set thread context of 4968 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4968 set thread context of 3432 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4968 set thread context of 3432 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4240 set thread context of 3432 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" |
| C:\Users\Admin\AppData\Local\directory\name.exe | "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\SysWOW64\wscript.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
Files
C:\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 6bbfded2baa5a18cc97d10516ee91c78 |
| SHA1 | 9e39944c9d057d134b119c677be07975704e546e |
| SHA256 | 636597dd8c59135be43119197ee60db2268abaa5d8a60f4c0ac296acd9dc444f |
| SHA512 | 4d952c2ed6a876bd639b2a9e4baa5eeadbf01f314bcd1a2c80da564c4594330a5b26dc351c528b5c0d574e7013b387349ce77a274257b0df902a48e707545605 |
C:\Users\Admin\AppData\Local\Temp\Okeghem
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\molecast
| MD5 | ee4cf49f57dbe9b317975148fc646c5a |
| SHA1 | d108703eb6fcd1cce8ec0d2ef6cd0a8724de207d |
| SHA256 | b9d18f83221f16f2f21ff6596e108562172c0e51ee1e78fae29fd4d512f9dc54 |
| SHA512 | 5178a4e46d5d964f6ae9352749dcb29402ac6f75f85b117d4179fb04af1fd4faf8c2f588d1cb62d107e67fa9a3c4212c5c60bd9ada662f7989eec9acdf6732da |
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-09-20 19:30 |
| Reported | 2024-09-20 19:32 |
| Platform | win7-20240903-en |
| Max time kernel | 146s |
| Max time network | 145s |
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2328 set thread context of 2168 | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2168 set thread context of 1208 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2236 set thread context of 1208 | N/A | C:\Windows\SysWOW64\explorer.exe | C:\Windows\Explorer.EXE |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\directory\name.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\directory\name.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" |
| C:\Users\Admin\AppData\Local\directory\name.exe | "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 316 |
| C:\Windows\SysWOW64\explorer.exe | "C:\Windows\SysWOW64\explorer.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
Files
\Users\Admin\AppData\Local\directory\name.exe
| MD5 | 6bbfded2baa5a18cc97d10516ee91c78 |
| SHA1 | 9e39944c9d057d134b119c677be07975704e546e |
| SHA256 | 636597dd8c59135be43119197ee60db2268abaa5d8a60f4c0ac296acd9dc444f |
| SHA512 | 4d952c2ed6a876bd639b2a9e4baa5eeadbf01f314bcd1a2c80da564c4594330a5b26dc351c528b5c0d574e7013b387349ce77a274257b0df902a48e707545605 |
C:\Users\Admin\AppData\Local\Temp\Okeghem
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\molecast
| MD5 | ee4cf49f57dbe9b317975148fc646c5a |
| SHA1 | d108703eb6fcd1cce8ec0d2ef6cd0a8724de207d |
| SHA256 | b9d18f83221f16f2f21ff6596e108562172c0e51ee1e78fae29fd4d512f9dc54 |
| SHA512 | 5178a4e46d5d964f6ae9352749dcb29402ac6f75f85b117d4179fb04af1fd4faf8c2f588d1cb62d107e67fa9a3c4212c5c60bd9ada662f7989eec9acdf6732da |