Analysis Overview
SHA256
b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b
Threat Level: Known bad
The file b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe was found to be: Known bad.
Malicious Activity Summary
Formbook
Formbook family
Formbook payload
AutoIT Executable
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 03:00
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 03:00
Reported
2024-11-14 03:03
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1680 set thread context of 3284 | N/A | C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3284 set thread context of 3428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 3284 set thread context of 3428 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 4436 set thread context of 3428 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | "C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autoconv.exe | "C:\Windows\SysWOW64\autoconv.exe" |
| C:\Windows\SysWOW64\autochk.exe | "C:\Windows\SysWOW64\autochk.exe" |
| C:\Windows\SysWOW64\autochk.exe | "C:\Windows\SysWOW64\autochk.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\SysWOW64\cmd.exe" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sfmoreservicesllc.lat | udp |
| US | 8.8.8.8:53 | www.pipagtxcorrelo.xyz | udp |
| US | 8.8.8.8:53 | 101.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.9net88.net | udp |
| US | 8.8.8.8:53 | www.eries-htii.xyz | udp |
| US | 8.8.8.8:53 | www.rasko.net | udp |
| PL | 89.184.73.149:80 | www.rasko.net | tcp |
| US | 8.8.8.8:53 | 149.73.184.89.in-addr.arpa | udp |
Files
memory/1680-11-0x0000000001500000-0x0000000001900000-memory.dmp
memory/3284-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3284-13-0x0000000001200000-0x000000000154A000-memory.dmp
memory/3428-17-0x0000000007100000-0x00000000071DA000-memory.dmp
memory/3284-16-0x00000000009E0000-0x00000000009F5000-memory.dmp
memory/3284-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3284-20-0x0000000002ED0000-0x0000000002EE5000-memory.dmp
memory/3284-19-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3428-21-0x0000000008A60000-0x0000000008B16000-memory.dmp
memory/3428-22-0x0000000007100000-0x00000000071DA000-memory.dmp
memory/4436-23-0x0000000000260000-0x00000000002BA000-memory.dmp
memory/4436-25-0x0000000000260000-0x00000000002BA000-memory.dmp
memory/4436-26-0x0000000000200000-0x000000000022F000-memory.dmp
memory/3428-27-0x0000000008A60000-0x0000000008B16000-memory.dmp
memory/3428-30-0x0000000008B20000-0x0000000008C3D000-memory.dmp
memory/3428-31-0x0000000008B20000-0x0000000008C3D000-memory.dmp
memory/3428-33-0x0000000008B20000-0x0000000008C3D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 03:00
Reported
2024-11-14 03:03
Platform
win7-20241023-en
Max time kernel
146s
Max time network
121s
Command Line
Signatures
Formbook
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2788 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | C:\Windows\SysWOW64\svchost.exe |
| PID 3048 set thread context of 1208 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
| PID 1760 set thread context of 1208 | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | C:\Windows\Explorer.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\NAPSTAT.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe | "C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe" |
| C:\Windows\SysWOW64\svchost.exe | "C:\Users\Admin\AppData\Local\Temp\b7c14a475a2ba29399c424d9dfc6198d534713945e434a021fcf9c6c34e3826b.exe" |
| C:\Windows\SysWOW64\NAPSTAT.EXE | "C:\Windows\SysWOW64\NAPSTAT.EXE" |
| C:\Windows\SysWOW64\cmd.exe | /c del "C:\Windows\SysWOW64\svchost.exe" |
Network
Files
memory/2788-11-0x0000000000A60000-0x0000000000E60000-memory.dmp
memory/3048-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/3048-13-0x0000000000700000-0x0000000000A03000-memory.dmp
memory/3048-16-0x00000000003C0000-0x00000000003D5000-memory.dmp
memory/3048-15-0x0000000000400000-0x000000000042F000-memory.dmp
memory/1208-18-0x00000000052B0000-0x0000000005435000-memory.dmp
memory/1208-17-0x0000000003110000-0x0000000003210000-memory.dmp
memory/1760-19-0x0000000000450000-0x0000000000496000-memory.dmp
memory/1760-21-0x0000000000450000-0x0000000000496000-memory.dmp
memory/1760-22-0x00000000000C0000-0x00000000000EF000-memory.dmp
memory/1208-23-0x00000000052B0000-0x0000000005435000-memory.dmp