Analysis Overview
SHA256
314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd
Threat Level: Known bad
The file 314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe was found to be: Known bad.
Malicious Activity Summary
Formbook family
Formbook
Formbook payload
AutoIT Executable
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 02:15
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 02:15
Reported
2024-11-13 02:17
Platform
win7-20240903-en
Max time kernel
147s
Max time network
122s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2352 set thread context of 2160 | N/A | C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2160 set thread context of 1136 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2800 set thread context of 1136 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | "C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Windows\SysWOW64\svchost.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
Files
memory/2352-11-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2160-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/2160-13-0x0000000000870000-0x0000000000B73000-memory.dmp
memory/2160-16-0x0000000000110000-0x0000000000125000-memory.dmp
memory/2160-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1136-17-0x0000000006ED0000-0x000000000702A000-memory.dmp
memory/2800-18-0x0000000000590000-0x0000000000598000-memory.dmp
memory/2800-20-0x0000000000590000-0x0000000000598000-memory.dmp
memory/2800-21-0x0000000000080000-0x00000000000AF000-memory.dmp
memory/1136-22-0x0000000006ED0000-0x000000000702A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 02:15
Reported
2024-11-13 02:17
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
139s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1148 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 2912 set thread context of 3500 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 3804 set thread context of 3500 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe | "C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\314b33c9d7bf26f5a9bc21461cc8cf49c65737e69e01e3237c598568961672cd.exe" |
| C:\Windows\SysWOW64\chkdsk.exe | "C:\Windows\SysWOW64\chkdsk.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.earch-lawyer-consultation.today | udp |
| US | 8.8.8.8:53 | www.ivglass.xyz | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.rbuds.shop | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.wner-nyquh.xyz | udp |
| US | 8.8.8.8:53 | www.ool-covers76.xyz | udp |
| US | 8.8.8.8:53 | www.ffect-xedzl.xyz | udp |
Files
memory/1148-11-0x0000000003EE0000-0x0000000003FE0000-memory.dmp
memory/2912-12-0x0000000000380000-0x00000000003AF000-memory.dmp
memory/2912-15-0x0000000000F00000-0x000000000124A000-memory.dmp
memory/2912-17-0x0000000000E90000-0x0000000000EA5000-memory.dmp
memory/2912-16-0x0000000000380000-0x00000000003AF000-memory.dmp
memory/3500-18-0x0000000003D60000-0x0000000003E21000-memory.dmp
memory/3804-19-0x0000000000A20000-0x0000000000A2A000-memory.dmp
memory/3804-20-0x0000000000A20000-0x0000000000A2A000-memory.dmp
memory/3804-21-0x0000000001240000-0x000000000126F000-memory.dmp
memory/3500-22-0x0000000003D60000-0x0000000003E21000-memory.dmp
memory/3500-26-0x0000000007940000-0x0000000007A72000-memory.dmp
memory/3500-27-0x0000000007940000-0x0000000007A72000-memory.dmp
memory/3500-29-0x0000000007940000-0x0000000007A72000-memory.dmp