Analysis Overview
SHA256
a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a
Threat Level: Known bad
The file a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
Suspicious use of SetThreadContext
AutoIT Executable
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-23 01:24
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-23 01:24
Reported
2024-09-23 01:27
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
141s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 60 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 980 set thread context of 3436 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4548 set thread context of 3436 | N/A | C:\Windows\SysWOW64\systray.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\systray.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\systray.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | "C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe" |
| C:\Windows\SysWOW64\systray.exe | "C:\Windows\SysWOW64\systray.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.commerce-74302.bond | udp |
| US | 8.8.8.8:53 | www.ealerslot.net | udp |
| US | 8.8.8.8:53 | www.dcnn.net | udp |
| US | 129.146.58.91:80 | www.dcnn.net | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dcnn.net | udp |
| US | 8.8.8.8:53 | www.02s-pest-control-us-ze.fun | udp |
| US | 129.146.58.91:80 | www.dcnn.net | tcp |
| US | 8.8.8.8:53 | www.yrhbt.shop | udp |
| US | 8.8.8.8:53 | www.j88.travel | udp |
| US | 172.67.160.191:80 | www.j88.travel | tcp |
| US | 8.8.8.8:53 | 191.160.67.172.in-addr.arpa | udp |
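The Network table above mixes three kinds of traffic: reverse (PTR) lookups, forward lookups of the domains the payload cycles through, and the two TCP connects that actually followed a lookup. The script below is an added example written by the editor, not code from the sandbox or from the report, that parses those rows as printed above and separates them. The rows are copied from the table; ranking a domain that both resolved and received a TCP connection above one that was only queried is an editorial heuristic, since the report does not say which domain, if any, is the live C2.

```python
"""Added example by the editor, not code from the sandbox or the report: reduce the
Network table above to actionable indicators. Rows are copied from the table; the
ranking (resolved + TCP connect outranks lookup-only) is an editorial heuristic."""
import re
from collections import OrderedDict

# Constructed inline from the behavioral2 Network table.
NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | www.commerce-74302.bond | udp |",
    "| US | 8.8.8.8:53 | www.ealerslot.net | udp |",
    "| US | 8.8.8.8:53 | www.dcnn.net | udp |",
    "| US | 129.146.58.91:80 | www.dcnn.net | tcp |",
    "| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | www.dcnn.net | udp |",
    "| US | 8.8.8.8:53 | www.02s-pest-control-us-ze.fun | udp |",
    "| US | 129.146.58.91:80 | www.dcnn.net | tcp |",
    "| US | 8.8.8.8:53 | www.yrhbt.shop | udp |",
    "| US | 8.8.8.8:53 | www.j88.travel | udp |",
    "| US | 172.67.160.191:80 | www.j88.travel | tcp |",
    "| US | 8.8.8.8:53 | 191.160.67.172.in-addr.arpa | udp |",
]

ROW = re.compile(r"^\|\s*(\w+)\s*\|\s*([\d.]+):(\d+)\s*\|\s*(\S+)\s*\|\s*(tcp|udp)\s*\|$")

def parse_network(rows):
    """Yield a dict per data row; the header row and malformed lines are skipped."""
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            yield {"country": country, "ip": ip, "port": int(port),
                   "domain": domain.lower(), "proto": proto}

def triage(rows):
    """Split the table into: domains only looked up, domains that got a TCP connect
    (with the ip:port seen), and reverse lookups set aside as background noise."""
    queried, connected, ptr = OrderedDict(), OrderedDict(), []
    for r in parse_network(rows):
        if r["domain"].endswith(".in-addr.arpa"):
            ptr.append(r["domain"])          # PTR lookups: not something the payload needs
        elif r["proto"] == "udp" and r["port"] == 53:
            queried[r["domain"]] = queried.get(r["domain"], 0) + 1
        elif r["proto"] == "tcp":
            connected.setdefault(r["domain"], set()).add(f'{r["ip"]}:{r["port"]}')
    return {
        "dns_only": [d for d in queried if d not in connected],
        "connected": connected,
        "query_counts": dict(queried),
        "ptr_lookups": ptr,
    }

def blocklist(rows):
    """Every forward domain the sample touched, connected ones first, as a flat
    list suitable for a DNS sinkhole or proxy deny list."""
    t = triage(rows)
    return list(t["connected"]) + t["dns_only"]

if __name__ == "__main__":
    t = triage(NETWORK_ROWS)
    for d, peers in t["connected"].items():
        print(f"CONNECTED  {d:40} {', '.join(sorted(peers))}")
    for d in t["dns_only"]:
        print(f"DNS-ONLY   {d:40} queries={t['query_counts'][d]}")
```

Block the whole forward list, not only the two domains that answered: the lookup-only domains are part of the same rotation and may answer on a later run. A TCP connect to an address that fronts many unrelated sites is not by itself evidence of a live C2, so the connected entries are a priority order for hunting, not a verdict.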
Files
memory/60-2-0x00000000042E0000-0x00000000046E0000-memory.dmp
memory/980-3-0x0000000000400000-0x000000000042F000-memory.dmp
memory/980-4-0x0000000001200000-0x000000000154A000-memory.dmp
memory/980-7-0x00000000016C0000-0x00000000016D4000-memory.dmp
memory/980-6-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3436-8-0x00000000030E0000-0x00000000031FF000-memory.dmp
memory/4548-10-0x0000000000F90000-0x0000000000F96000-memory.dmp
memory/4548-9-0x0000000000F90000-0x0000000000F96000-memory.dmp
memory/4548-11-0x0000000000880000-0x00000000008AF000-memory.dmp
memory/3436-12-0x00000000030E0000-0x00000000031FF000-memory.dmp
memory/3436-16-0x0000000003300000-0x0000000003456000-memory.dmp
memory/3436-17-0x0000000003300000-0x0000000003456000-memory.dmp
memory/3436-19-0x0000000003300000-0x0000000003456000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-23 01:24
Reported
2024-09-23 01:27
Platform
win7-20240903-en
Max time kernel
150s
Max time network
118s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2080 set thread context of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2668 set thread context of 1228 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2776 set thread context of 1228 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe | "C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe" |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\SysWOW64\netsh.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
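Both detonations record the same hand-off: the dropper in the user's Temp directory sets the thread context of a freshly started SysWOW64\svchost.exe, that svchost.exe then sets the thread context of Explorer.EXE, a second system binary (systray.exe on Windows 10, netsh.exe on Windows 7) also sets Explorer's thread context, svchost.exe still carries the dropper's command line, and cmd.exe is asked to delete the svchost.exe path. The script below is an added example written by the editor, not code from the sandbox or the report, that parses the SetThreadContext rows and process pairs exactly as they appear in the two analyses and flags each of those steps. PIDs, paths and command lines are copied from the tables; the rule names, the user-path versus system-directory heuristics and the image/command-line mismatch check are editorial assumptions about what a detection engineer keys on, not signatures the sandbox applies.

```python
"""Added example by the editor, not code from the sandbox: walk the SetThreadContext
tables and process lists of both detonations and flag the Formbook injection chain.
Rows are copied from the report; rule names and heuristics are editorial."""
import re
from dataclasses import dataclass

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\a0ec8ea072fa0a81fb5e660f8aa278d9c06bb361080845911208d6579d15605a.exe")
SVCHOST, SYSTRAY, NETSH = (r"C:\Windows\SysWOW64\svchost.exe",
                           r"C:\Windows\SysWOW64\systray.exe",
                           r"C:\Windows\SysWOW64\netsh.exe")
CMD, EXPLORER = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\Explorer.EXE"

# behavioral2 (win10) and behavioral1 (win7) SetThreadContext rows, copied from the tables.
WIN10_ROWS = [
    f"| PID 60 set thread context of 980 | N/A | {SAMPLE} | {SVCHOST} |",
    f"| PID 980 set thread context of 3436 | N/A | {SVCHOST} | {EXPLORER} |",
    f"| PID 4548 set thread context of 3436 | N/A | {SYSTRAY} | {EXPLORER} |",
]
WIN7_ROWS = [
    f"| PID 2080 set thread context of 2668 | N/A | {SAMPLE} | {SVCHOST} |",
    f"| PID 2668 set thread context of 1228 | N/A | {SVCHOST} | {EXPLORER} |",
    f"| PID 2776 set thread context of 1228 | N/A | {NETSH} | {EXPLORER} |",
]
# (image, command line) pairs from the win10 Processes list.
WIN10_PROCESSES = [
    (EXPLORER, EXPLORER),
    (SAMPLE, f'"{SAMPLE}"'),
    (SVCHOST, f'"{SAMPLE}"'),
    (SYSTRAY, f'"{SYSTRAY}"'),
    (CMD, f'/c del "{SVCHOST}"'),
]

USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\", re.I)
SYSTEM_DIR = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)
STC_ROW = re.compile(r"PID (\d+) set thread context of (\d+)")

@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    target: str

def parse_set_thread_context(rows):
    """'| PID a set thread context of b | N/A | src | dst |' -> (a, src, b, dst)."""
    out = []
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        m = STC_ROW.fullmatch(cells[0]) if len(cells) == 4 else None
        if m:
            out.append((int(m[1]), cells[2], int(m[2]), cells[3]))
    return out

def argv0(command_line):
    """First token of a Windows command line, honouring a leading quoted path."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyse(rows, processes):
    findings = []
    for _, src, _, dst in parse_set_thread_context(rows):
        if USER_WRITABLE.match(src) and SYSTEM_DIR.match(dst):
            # Dropper under the user's Temp directory rewriting the entry context of a
            # freshly spawned system binary: the hollowing step.
            findings.append(Finding("hollow_system_binary_from_user_path", src, dst))
        elif SYSTEM_DIR.match(src) and basename(dst) == "explorer.exe":
            # Hollowed host, and later the second system binary, migrating into the shell.
            findings.append(Finding("system_binary_sets_explorer_thread_context", src, dst))
    for image, cmd in processes:
        head = argv0(cmd)
        if "\\" in head and basename(head) != basename(image):
            # svchost.exe still carries the dropper's command line: image/cmdline mismatch.
            findings.append(Finding("image_commandline_mismatch", image, head))
        m = re.search(r'(?i)\bdel\s+"?([^"]+)"?', cmd)
        if basename(image) == "cmd.exe" and m and SYSTEM_DIR.match(m[1]):
            # Cleanup of the hollowed host's path via cmd /c del.
            findings.append(Finding("cmd_del_of_system_dir_binary", image, m[1]))
    return findings

def chain_from(rows, root_pid):
    """Follow set-thread-context edges from root_pid and return the image at each hop,
    so the hand-off dropper -> svchost.exe -> Explorer.EXE is explicit. One edge per
    source PID is kept, which is enough for these tables."""
    edges = {sp: (src, dp, dst) for sp, src, dp, dst in parse_set_thread_context(rows)}
    path, pid, seen = [], root_pid, set()
    while pid in edges and pid not in seen:
        seen.add(pid)
        src, next_pid, dst = edges[pid]
        path = path or [src]
        path.append(dst)
        pid = next_pid
    return path

if __name__ == "__main__":
    for f in analyse(WIN10_ROWS, WIN10_PROCESSES):
        print(f"{f.rule:45} {f.source} -> {f.target}")
    print(" -> ".join(basename(p) for p in chain_from(WIN7_ROWS, 2080)))
```

On a live host the same checks apply to the thread-context, process-access and process-creation events an EDR or Sysmon emits; the report rows stand in for those here. The image/command-line mismatch is the cheapest of the checks to run at scale, because a system binary launched with another executable's command line needs no cross-event correlation to spot.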
Network
Files
memory/2080-2-0x0000000003580000-0x0000000003980000-memory.dmp
memory/2668-3-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-4-0x0000000000850000-0x0000000000B53000-memory.dmp
memory/2668-6-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2668-7-0x00000000001C0000-0x00000000001D4000-memory.dmp
memory/1228-8-0x0000000004E80000-0x0000000004FCF000-memory.dmp
memory/2776-9-0x00000000008F0000-0x000000000090B000-memory.dmp
memory/2776-10-0x00000000008F0000-0x000000000090B000-memory.dmp
memory/2776-11-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1228-12-0x0000000004E80000-0x0000000004FCF000-memory.dmp