formbook | 35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6

General

Target

INV21029.exe
Size

577KB
MD5

740dd9c14dea0b98df6ad434abfe789e
SHA1

cbec4d898e68c12fb7dcaddb17d0aca16e8e0e7b
SHA256

35295675b2fbd8ff9900336325e3324270f083705fd0cf51f4ef28763430cdd6
SHA512

66041e42091e83889a6da93c4242a01a0a3122774dc2db8baf909fb0ec6b0d6e847183ac92a24f2ca99f99de7dd4abddddda4a908887f354e3a333202bc0a66e

Score

10^/10

formbook xloader ahc8 loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Xloader Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2420-118-0x0000000000400000-0x0000000000429000-memory.dmp	xloader
behavioral1/memory/4060-126-0x0000000003000000-0x0000000003029000-memory.dmp	xloader

Executes dropped EXE 3 IoCs

Processes:

reqbqonire.exereqbqonire.exealtux5xnbq8.exe

pid process

3732 reqbqonire.exe
2420 reqbqonire.exe
2352 altux5xnbq8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3732	reqbqonire.exe
2420	reqbqonire.exe
2352	altux5xnbq8.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	raserver.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\9RQLDX = "C:\\Program Files (x86)\\Nvpx4any0\\altux5xnbq8.exe"	raserver.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

reqbqonire.exereqbqonire.exeraserver.exe

description	pid	process	target process
PID 3732 set thread context of 2420	3732	reqbqonire.exe	reqbqonire.exe
PID 2420 set thread context of 2284	2420	reqbqonire.exe	Explorer.EXE
PID 4060 set thread context of 2284	4060	raserver.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

raserver.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Nvpx4any0\altux5xnbq8.exe	raserver.exe
File opened for modification	C:\Program Files (x86)\Nvpx4any0	Explorer.EXE
File created	C:\Program Files (x86)\Nvpx4any0\altux5xnbq8.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Nvpx4any0\altux5xnbq8.exe	Explorer.EXE

Drops file in Windows directory 3 IoCs

Processes:

taskmgr.exeExplorer.EXE

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3252 2352 WerFault.exe altux5xnbq8.exe

pid	pid_target	process	target process
3252	2352	WerFault.exe	altux5xnbq8.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

raserver.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1937337463-1541593363-3360944660-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	raserver.exe

Modifies registry class 1 IoCs

Processes:

Explorer.EXE

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance Explorer.EXE
Runs net.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

reqbqonire.exeraserver.exetaskmgr.exe

pid	process
2420	reqbqonire.exe
2420	reqbqonire.exe
2420	reqbqonire.exe
2420	reqbqonire.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
4060	raserver.exe
4060	raserver.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
4060	raserver.exe
4060	raserver.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
4060	raserver.exe
4060	raserver.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
4060	raserver.exe
4060	raserver.exe
3400	taskmgr.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe
4060	raserver.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
1276
1436
1564
4088
4076
3388
2972
2512
2844
3600
3812
3828
3632
3784
3788
484
2744
1072
1624
1856
2176
3804
3832
3792
3796
2276
1220
3588
3524
3548
3508
3288
3280
292
160
2704
2700
188
3560
2952
3816
2980
2428
3640
2388
2392
2332
3364
2720
676
1420
2408
2212
3204
2108
2104
3220
2452
3860
3200
3328
3264
3224
3308

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

reqbqonire.exeraserver.exe

pid process

2420 reqbqonire.exe
2420 reqbqonire.exe
2420 reqbqonire.exe
4060 raserver.exe
4060 raserver.exe
4060 raserver.exe
4060 raserver.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

reqbqonire.exeraserver.exeExplorer.EXEtaskmgr.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	2420	reqbqonire.exe
Token: SeDebugPrivilege	4060	raserver.exe
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeDebugPrivilege	3400	taskmgr.exe
Token: SeSystemProfilePrivilege	3400	taskmgr.exe
Token: SeCreateGlobalPrivilege	3400	taskmgr.exe
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: 33	3400	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3400	taskmgr.exe
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeShutdownPrivilege	2284	Explorer.EXE
Token: SeCreatePagefilePrivilege	2284	Explorer.EXE
Token: SeRestorePrivilege	3252	WerFault.exe
Token: SeBackupPrivilege	3252	WerFault.exe
Token: SeDebugPrivilege	3252	WerFault.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid	process
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
2284	Explorer.EXE
2284	Explorer.EXE
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exeExplorer.EXE

pid	process
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE
2284	Explorer.EXE

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

INV21029.exereqbqonire.exeExplorer.EXEraserver.execmd.exenet.exe

description	pid	process	target process
PID 3708 wrote to memory of 3732	3708	INV21029.exe	reqbqonire.exe
PID 3708 wrote to memory of 3732	3708	INV21029.exe	reqbqonire.exe
PID 3708 wrote to memory of 3732	3708	INV21029.exe	reqbqonire.exe
PID 3732 wrote to memory of 2420	3732	reqbqonire.exe	reqbqonire.exe
PID 3732 wrote to memory of 2420	3732	reqbqonire.exe	reqbqonire.exe
PID 3732 wrote to memory of 2420	3732	reqbqonire.exe	reqbqonire.exe
PID 3732 wrote to memory of 2420	3732	reqbqonire.exe	reqbqonire.exe
PID 3732 wrote to memory of 2420	3732	reqbqonire.exe	reqbqonire.exe
PID 3732 wrote to memory of 2420	3732	reqbqonire.exe	reqbqonire.exe
PID 2284 wrote to memory of 4060	2284	Explorer.EXE	raserver.exe
PID 2284 wrote to memory of 4060	2284	Explorer.EXE	raserver.exe
PID 2284 wrote to memory of 4060	2284	Explorer.EXE	raserver.exe
PID 4060 wrote to memory of 1328	4060	raserver.exe	cmd.exe
PID 4060 wrote to memory of 1328	4060	raserver.exe	cmd.exe
PID 4060 wrote to memory of 1328	4060	raserver.exe	cmd.exe
PID 2284 wrote to memory of 1808	2284	Explorer.EXE	cmd.exe
PID 2284 wrote to memory of 1808	2284	Explorer.EXE	cmd.exe
PID 1808 wrote to memory of 3120	1808	cmd.exe	net.exe
PID 1808 wrote to memory of 3120	1808	cmd.exe	net.exe
PID 3120 wrote to memory of 2364	3120	net.exe	net1.exe
PID 3120 wrote to memory of 2364	3120	net.exe	net1.exe
PID 2284 wrote to memory of 3400	2284	Explorer.EXE	taskmgr.exe
PID 2284 wrote to memory of 3400	2284	Explorer.EXE	taskmgr.exe
PID 4060 wrote to memory of 1220	4060	raserver.exe	cmd.exe
PID 4060 wrote to memory of 1220	4060	raserver.exe	cmd.exe
PID 4060 wrote to memory of 1220	4060	raserver.exe	cmd.exe
PID 4060 wrote to memory of 3732	4060	raserver.exe	Firefox.exe
PID 4060 wrote to memory of 3732	4060	raserver.exe	Firefox.exe
PID 2284 wrote to memory of 2352	2284	Explorer.EXE	altux5xnbq8.exe
PID 2284 wrote to memory of 2352	2284	Explorer.EXE	altux5xnbq8.exe
PID 2284 wrote to memory of 2352	2284	Explorer.EXE	altux5xnbq8.exe
PID 4060 wrote to memory of 3732	4060	raserver.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2284

C:\Users\Admin\AppData\Local\Temp\INV21029.exe
"C:\Users\Admin\AppData\Local\Temp\INV21029.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe C:\Users\Admin\AppData\Local\Temp\truuumm
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2420

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe"
3⤵
PID:1328

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1220

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:3732

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\system32\net.exe
net user test /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user test /add
4⤵
PID:2364

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
2⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3400

C:\Program Files (x86)\Nvpx4any0\altux5xnbq8.exe
"C:\Program Files (x86)\Nvpx4any0\altux5xnbq8.exe"
2⤵
- Executes dropped EXE
PID:2352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 568
3⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:3252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

3

T1082

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Nvpx4any0\altux5xnbq8.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Program Files (x86)\Nvpx4any0\altux5xnbq8.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1djuqculeikkmhtz2x2
MD5
199f72b6103b1ad570f3a810d06c332a

SHA1
43b9341301394deec3c674cf98fc3c6cc629ee2b

SHA256
a61bbd1659ba2338fe6e4df411d709834285b54991c403ba07bc9459af5320fc

SHA512
0ce6be58193b0bcdccd003218597ce8f6bd0de35563c32d28c2e111903445f12ece5fa0a536dd2b79153b9c265c10a6ec17f8ef67b11edb95d155c0f502adeb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\reqbqonire.exe
MD5
b83e207b80ad38dccaf5b38b9a64cf97

SHA1
a28cba27c256021902f8150d47ced82565bb8558

SHA256
97658ad1a093a80ac9f16949b1971079bbdddc8cdd3515bb681b821203794741

SHA512
190ee397a064ca8caf6e0625a79ab764d7bae84007790b2157804f9ae2f16454d430c17402b4d7df76ce5cdea24b3f56d2298c56a5a38215fd9a65fb8e68e0a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\truuumm
MD5
0a99632c69bc8d3fe6231d0a50bff785

SHA1
ad875f4428f17d0474be5ee8667158bd14d10f22

SHA256
0a11eae20268581b0ad9c67defaf1a4dc4bf183ede922eca10c5da698eec8078

SHA512
93905216a40975163edfcc94cf3c55c40a27e4cf7143d028ef6c5caead6ceaaa1504bd4c5a05d043d61be3df08991ea7e1e8c98cdfafd9d8744ccacdc5d7de2f

Download Submit
memory/2284-129-0x0000000004D20000-0x0000000004EA0000-memory.dmp

Filesize
1.5MB

Download
memory/2284-124-0x0000000004C50000-0x0000000004D1C000-memory.dmp

Filesize
816KB

Download
memory/2420-123-0x0000000000DD0000-0x0000000000DE1000-memory.dmp

Filesize
68KB

Download
memory/2420-121-0x00000000009B0000-0x0000000000CD0000-memory.dmp

Filesize
3.1MB

Download
memory/2420-122-0x000000000041D000-0x000000000041E000-memory.dmp

Filesize
4KB

Download
memory/2420-118-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4060-126-0x0000000003000000-0x0000000003029000-memory.dmp

Filesize
164KB

Download
memory/4060-127-0x0000000004530000-0x0000000004850000-memory.dmp

Filesize
3.1MB

Download
memory/4060-128-0x00000000048E0000-0x0000000004970000-memory.dmp

Filesize
576KB

Download
memory/4060-125-0x0000000000C90000-0x0000000000CAF000-memory.dmp

Filesize
124KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads