Analysis Overview
SHA256
5d79ea664c17c4e122a2444d57d1414e49754ab63811874e44ae3c6acb43de11
Threat Level: Known bad
The file 24092024_1125_23092024_Quotation #10091.zip was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook payload
UPX packed file
Suspicious use of SetThreadContext
AutoIT Executable
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Gathers network information
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-24 11:25
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-24 11:25
Reported
2024-09-24 11:30
Platform
win10v2004-20240802-en
Max time kernel
295s
Max time network
281s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2924 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2184 set thread context of 3492 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2512 set thread context of 3492 | N/A | C:\Windows\SysWOW64\ipconfig.exe | C:\Windows\Explorer.EXE |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | "C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe" |
| C:\Windows\SysWOW64\ipconfig.exe | "C:\Windows\SysWOW64\ipconfig.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.hapanda.fun | udp |
| US | 8.8.8.8:53 | www.ransportationmmsytpro.top | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.lood-test-jp-1.bond | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.aycare-service-99683.bond | udp |
| US | 8.8.8.8:53 | www.usymomsmakingmoney.online | udp |
| US | 8.8.8.8:53 | www.rail.cruises | udp |
| DE | 217.160.0.10:80 | www.rail.cruises | tcp |
| US | 8.8.8.8:53 | 10.0.160.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.69-11-luxury-watches.shop | udp |
| US | 8.8.8.8:53 | www.ftersaleb.top | udp |
| US | 8.8.8.8:53 | www.igmoto.info | udp |
| DE | 89.31.143.90:80 | www.igmoto.info | tcp |
| US | 8.8.8.8:53 | 90.143.31.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.r64mh1.vip | udp |
| US | 8.8.8.8:53 | www.okenexchange.art | udp |
| US | 8.8.8.8:53 | www.iam-saaab.buzz | udp |
Files
memory/2924-0-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2924-3-0x0000000004030000-0x0000000004230000-memory.dmp
memory/2184-4-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2924-6-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2184-7-0x0000000001600000-0x000000000194A000-memory.dmp
memory/2184-10-0x0000000001570000-0x0000000001584000-memory.dmp
memory/2184-9-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3492-11-0x0000000002630000-0x00000000026F2000-memory.dmp
memory/2512-12-0x00000000004E0000-0x00000000004EB000-memory.dmp
memory/2512-13-0x00000000004E0000-0x00000000004EB000-memory.dmp
memory/2512-14-0x0000000000B40000-0x0000000000B6F000-memory.dmp
memory/3492-15-0x0000000002630000-0x00000000026F2000-memory.dmp
memory/3492-19-0x0000000007B60000-0x0000000007C41000-memory.dmp
memory/3492-20-0x0000000007B60000-0x0000000007C41000-memory.dmp
memory/3492-22-0x0000000007B60000-0x0000000007C41000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-24 11:25
Reported
2024-09-24 11:30
Platform
win7-20240903-en
Max time kernel
300s
Max time network
269s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2984 set thread context of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2544 set thread context of 1192 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2100 set thread context of 1192 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe | "C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\Quotation #10091.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\SysWOW64\wscript.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | www.uickautoquote.net | udp |
| US | 8.8.8.8:53 | www.oursmile.vip | udp |
| US | 8.8.8.8:53 | www.osmits.net | udp |
| US | 8.8.8.8:53 | www.acuum-cleaner-84018.bond | udp |
| US | 8.8.8.8:53 | www.astysavor.website | udp |
| US | 8.8.8.8:53 | www.rail.cruises | udp |
| DE | 217.160.0.10:80 | www.rail.cruises | tcp |
| US | 8.8.8.8:53 | www.aycare-service-99683.bond | udp |
| US | 8.8.8.8:53 | www.ransportationmmsytpro.top | udp |
| US | 8.8.8.8:53 | www.areerfest.xyz | udp |
| US | 8.8.8.8:53 | www.j7zd12m.xyz | udp |
| US | 8.8.8.8:53 | www.innivip.bio | udp |
| US | 8.8.8.8:53 | www.bsboffchatrussummsa.online | udp |
Files
memory/2984-0-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2984-3-0x0000000002E40000-0x0000000003040000-memory.dmp
memory/2544-4-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2984-6-0x0000000000400000-0x00000000004C2000-memory.dmp
memory/2544-7-0x00000000009D0000-0x0000000000CD3000-memory.dmp
memory/2544-10-0x00000000001F0000-0x0000000000204000-memory.dmp
memory/2544-9-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1192-11-0x0000000006FC0000-0x000000000716A000-memory.dmp
memory/2100-12-0x0000000000220000-0x0000000000246000-memory.dmp
memory/2100-13-0x0000000000220000-0x0000000000246000-memory.dmp
memory/2100-14-0x00000000001D0000-0x00000000001FF000-memory.dmp
memory/1192-15-0x0000000006FC0000-0x000000000716A000-memory.dmp
memory/1192-20-0x00000000051D0000-0x000000000528C000-memory.dmp
memory/1192-21-0x00000000051D0000-0x000000000528C000-memory.dmp
memory/1192-23-0x00000000051D0000-0x000000000528C000-memory.dmp