formbook | 3f82447c548d6d623ddc3f9965363df07f52cdf8eda955c55332196ee409e4c6

Analysis

max time kernel
151s
max time network
184s
platform
windows7_x64
resource
win7v20210408
submitted
11-10-2021 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BOM Contracting and General Supplies.js
Size

22KB
MD5

81a0010758bb3da2796a7506bfd4aab3
SHA1

ffc61c27e1a58878878e7b2b44c97ec23c0e09d2
SHA256

3f82447c548d6d623ddc3f9965363df07f52cdf8eda955c55332196ee409e4c6
SHA512

9521ed85e7a83eb890f706add3da9c29d29bd5c5b4a535541df9eb4072f4944fff34643289955ddf37be16f3cf815a8f77392cc656c0bb85506211ec28680779

Score

10^/10

formbook vjw0rm k9d0 agilenet persistence rat spyware stealer suricata trojan worm

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k9d0

http://www.dotgroup-email.com/k9d0/

Decoy

flourishpodcast.xyz

xn--nga.group

music-tomato.com

motory.store

arrivehike.info

xn--diseowebseo-4db.com

centpourcentsons.com

qnnjja005.xyz

annielynnrose.com

darlaevans.com

door-maximum.com

chinataibaifen.com

stickerhicks.com

ta2gamesstudio.com

jendelanews.com

milestoneneuro.com

premierconciergehomes.com

exitcounter.com

jrsway.com

famurainmobiliaria.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Windows Desktop.exe,"	reg.exe

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/816-90-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/816-91-0x000000000041F170-mapping.dmp	formbook
behavioral1/memory/816-97-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/388-103-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Blocklisted process makes network request 20 IoCs

Processes:

wscript.exewscript.exe

flow	pid	process
5	1860	wscript.exe
7	1860	wscript.exe
10	1956	wscript.exe
21	1956	wscript.exe
25	1956	wscript.exe
29	1956	wscript.exe
33	1956	wscript.exe
34	1956	wscript.exe
37	1956	wscript.exe
40	1956	wscript.exe
44	1956	wscript.exe
46	1956	wscript.exe
51	1956	wscript.exe
53	1956	wscript.exe
57	1956	wscript.exe
60	1956	wscript.exe
61	1956	wscript.exe
66	1956	wscript.exe
68	1956	wscript.exe
71	1956	wscript.exe

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

un.exeWindows Desktop.exeAddInProcess32.exe

pid process

1508 un.exe
2028 Windows Desktop.exe
816 AddInProcess32.exe

Drops startup file 4 IoCs

Processes:

wscript.exeun.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkzxEsqUMq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkzxEsqUMq.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe	un.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe	un.exe

Loads dropped DLL 3 IoCs

Processes:

un.exeWindows Desktop.exe

pid process

1508 un.exe
1508 un.exe
2028 Windows Desktop.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/1508-70-0x0000000000620000-0x0000000000641000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SEJOKAOI5S = "\"C:\\Users\\Admin\\AppData\\Roaming\\dkzxEsqUMq.js\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Windows Desktop.exeAddInProcess32.exenetsh.exe

description	pid	process	target process
PID 2028 set thread context of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 816 set thread context of 1228	816	AddInProcess32.exe	Explorer.EXE
PID 816 set thread context of 1228	816	AddInProcess32.exe	Explorer.EXE
PID 388 set thread context of 1228	388	netsh.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

un.exeWindows Desktop.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	un.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Windows Desktop.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Windows Desktop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	un.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	un.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

un.exeWindows Desktop.exeAddInProcess32.exenetsh.exe

pid	process
1508	un.exe
1508	un.exe
1508	un.exe
1508	un.exe
1508	un.exe
2028	Windows Desktop.exe
2028	Windows Desktop.exe
816	AddInProcess32.exe
816	AddInProcess32.exe
816	AddInProcess32.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe
388	netsh.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

AddInProcess32.exenetsh.exe

pid process

816 AddInProcess32.exe
816 AddInProcess32.exe
816 AddInProcess32.exe
816 AddInProcess32.exe
388 netsh.exe
388 netsh.exe

pid	process
816	AddInProcess32.exe
816	AddInProcess32.exe
816	AddInProcess32.exe
816	AddInProcess32.exe
388	netsh.exe
388	netsh.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

un.exeWindows Desktop.exeAddInProcess32.exenetsh.exe

description	pid	process
Token: SeDebugPrivilege	1508	un.exe
Token: SeDebugPrivilege	2028	Windows Desktop.exe
Token: SeDebugPrivilege	816	AddInProcess32.exe
Token: SeDebugPrivilege	388	netsh.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

wscript.exeun.execmd.exeWindows Desktop.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1860 wrote to memory of 1956	1860	wscript.exe	wscript.exe
PID 1860 wrote to memory of 1956	1860	wscript.exe	wscript.exe
PID 1860 wrote to memory of 1956	1860	wscript.exe	wscript.exe
PID 1860 wrote to memory of 1508	1860	wscript.exe	un.exe
PID 1860 wrote to memory of 1508	1860	wscript.exe	un.exe
PID 1860 wrote to memory of 1508	1860	wscript.exe	un.exe
PID 1860 wrote to memory of 1508	1860	wscript.exe	un.exe
PID 1508 wrote to memory of 1836	1508	un.exe	cmd.exe
PID 1508 wrote to memory of 1836	1508	un.exe	cmd.exe
PID 1508 wrote to memory of 1836	1508	un.exe	cmd.exe
PID 1508 wrote to memory of 1836	1508	un.exe	cmd.exe
PID 1836 wrote to memory of 1516	1836	cmd.exe	reg.exe
PID 1836 wrote to memory of 1516	1836	cmd.exe	reg.exe
PID 1836 wrote to memory of 1516	1836	cmd.exe	reg.exe
PID 1836 wrote to memory of 1516	1836	cmd.exe	reg.exe
PID 1508 wrote to memory of 2028	1508	un.exe	Windows Desktop.exe
PID 1508 wrote to memory of 2028	1508	un.exe	Windows Desktop.exe
PID 1508 wrote to memory of 2028	1508	un.exe	Windows Desktop.exe
PID 1508 wrote to memory of 2028	1508	un.exe	Windows Desktop.exe
PID 2028 wrote to memory of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 2028 wrote to memory of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 2028 wrote to memory of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 2028 wrote to memory of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 2028 wrote to memory of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 2028 wrote to memory of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 2028 wrote to memory of 816	2028	Windows Desktop.exe	AddInProcess32.exe
PID 1228 wrote to memory of 388	1228	Explorer.EXE	netsh.exe
PID 1228 wrote to memory of 388	1228	Explorer.EXE	netsh.exe
PID 1228 wrote to memory of 388	1228	Explorer.EXE	netsh.exe
PID 1228 wrote to memory of 388	1228	Explorer.EXE	netsh.exe
PID 388 wrote to memory of 1652	388	netsh.exe	cmd.exe
PID 388 wrote to memory of 1652	388	netsh.exe	cmd.exe
PID 388 wrote to memory of 1652	388	netsh.exe	cmd.exe
PID 388 wrote to memory of 1652	388	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\system32\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\BOM Contracting and General Supplies.js"
2⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\dkzxEsqUMq.js"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1956

C:\Users\Admin\AppData\Local\Temp\un.exe
"C:\Users\Admin\AppData\Local\Temp\un.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe,"
4⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe,"
5⤵
- Modifies WinLogon for persistence
PID:1516

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:816

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
3⤵
PID:1652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
b15e317b09321eaee14148808dc05492

SHA1
9c435e4c3bc9577d01d92be91ba5688b12bfa570

SHA256
d1e6796b0c9b9d66d35219739e46993ae91f788f864ef4c74ced0d7b370f4ba2

SHA512
7f78fba5ea578aaec2c26075b912b4e2abfdb8929bd671590ced7969f5e828909f45d40e14ed0a8c93422c0d58374ac0d10d9143783559338e84cfa5031a3ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\un.exe
MD5
c8199355d0ca0fe289ea4d1ee018ff47

SHA1
ac0428f426c0bda431bd80f6abab183ccd484d07

SHA256
127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

SHA512
0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

Download Submit
C:\Users\Admin\AppData\Local\Temp\un.exe
MD5
c8199355d0ca0fe289ea4d1ee018ff47

SHA1
ac0428f426c0bda431bd80f6abab183ccd484d07

SHA256
127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

SHA512
0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
MD5
c8199355d0ca0fe289ea4d1ee018ff47

SHA1
ac0428f426c0bda431bd80f6abab183ccd484d07

SHA256
127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

SHA512
0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
MD5
c8199355d0ca0fe289ea4d1ee018ff47

SHA1
ac0428f426c0bda431bd80f6abab183ccd484d07

SHA256
127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

SHA512
0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

Download Submit
C:\Users\Admin\AppData\Roaming\dkzxEsqUMq.js
MD5
518e6b1ff0aa8ceb28ec463e15dbe880

SHA1
7ec70e887b02f1fe669c7611324e24f3869aee55

SHA256
f65e6b154131aed1c0d1a380a85b77829f57243e659a1eeffc67efd2b5640704

SHA512
30048b1575e91bb92b432989ab7d3ec18844fc43c5549f828d93c3250aae429fd238f8daf2c45605363a5a38b7b31403e574c442b64c44e470df10deb876d3e6

Download Submit
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
MD5
6a673bfc3b67ae9782cb31af2f234c68

SHA1
7544e89566d91e84e3cd437b9a073e5f6b56566e

SHA256
978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e

SHA512
72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
MD5
c8199355d0ca0fe289ea4d1ee018ff47

SHA1
ac0428f426c0bda431bd80f6abab183ccd484d07

SHA256
127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

SHA512
0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Desktop.exe
MD5
c8199355d0ca0fe289ea4d1ee018ff47

SHA1
ac0428f426c0bda431bd80f6abab183ccd484d07

SHA256
127262efb50609596b0597f1f357d75ff1dca0a0519fd8805d4fac1b288abae7

SHA512
0f1f70ef0bbfa75b53a57549ef170d493b2706bbb8c41c2288fb831ace0dce902e6b9fa97834baf4b0adaa995df3767318055ad43b5bd366bbe257678f1da395

Download Submit
memory/388-105-0x0000000000560000-0x00000000005F3000-memory.dmp

Filesize
588KB

Download
memory/388-100-0x0000000000000000-mapping.dmp

Download
memory/388-103-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/388-102-0x0000000001560000-0x000000000157B000-memory.dmp

Filesize
108KB

Download
memory/388-104-0x0000000000C70000-0x0000000000F73000-memory.dmp

Filesize
3.0MB

Download
memory/816-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-91-0x000000000041F170-mapping.dmp

Download
memory/816-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-95-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/816-94-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/816-90-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-88-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/816-98-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/1228-99-0x0000000006470000-0x000000000657B000-memory.dmp

Filesize
1.0MB

Download
memory/1228-96-0x00000000041A0000-0x00000000042C1000-memory.dmp

Filesize
1.1MB

Download
memory/1228-106-0x0000000002980000-0x0000000002A4A000-memory.dmp

Filesize
808KB

Download
memory/1508-68-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/1508-66-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/1508-70-0x0000000000620000-0x0000000000641000-memory.dmp

Filesize
132KB

Download
memory/1508-63-0x0000000000000000-mapping.dmp

Download
memory/1508-73-0x00000000006D1000-0x00000000006D2000-memory.dmp

Filesize
4KB

Download
memory/1516-72-0x0000000000000000-mapping.dmp

Download
memory/1652-101-0x0000000000000000-mapping.dmp

Download
memory/1836-71-0x0000000000000000-mapping.dmp

Download
memory/1860-60-0x000007FEFC2E1000-0x000007FEFC2E3000-memory.dmp

Filesize
8KB

Download
memory/1956-61-0x0000000000000000-mapping.dmp

Download
memory/2028-85-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2028-84-0x00000000005D0000-0x00000000005DB000-memory.dmp

Filesize
44KB

Download
memory/2028-83-0x0000000002451000-0x0000000002452000-memory.dmp

Filesize
4KB

Download
memory/2028-82-0x0000000002450000-0x0000000002451000-memory.dmp

Filesize
4KB

Download
memory/2028-79-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2028-76-0x0000000000000000-mapping.dmp

Download