Analysis Overview
SHA256: 9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46
Threat Level: Known bad
The file 9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook family
Formbook payload
AutoIT Executable
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-14 02:50
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-14 02:50
Reported: 2024-11-14 02:53
Platform: win10v2004-20241007-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1336 set thread context of 4528 | N/A | C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 4528 set thread context of 3520 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1588 set thread context of 3520 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | "C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe" |
| C:\Windows\SysWOW64\chkdsk.exe | "C:\Windows\SysWOW64\chkdsk.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-14 02:50
Reported: 2024-11-14 02:53
Platform: win7-20240903-en
Max time kernel: 145s
Max time network: 122s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1708 set thread context of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 1224 set thread context of 1188 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 2128 set thread context of 1188 | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe | "C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\9b250f96c8e383893d2c2f0ae940312d86e6aec8d0e27aadd9087dce67d17c46.exe" |
| C:\Windows\SysWOW64\netsh.exe | "C:\Windows\SysWOW64\netsh.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
Files