formbook | 92a841c1968bcbb08c081fa2df12d16e4a8011a49600c501cc49ffbe9360e8d5

Analysis

max time kernel
158s
max time network
172s
platform
windows7_x64
resource
win7-20220414-en
submitted
08-05-2022 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

odeme SWIFT.exe
Size

1.6MB
MD5

586e761b6f03a2ea904ca2b3c8ad24e2
SHA1

34893070fbd5fa441bdff1313c20793c25d1e7c0
SHA256

199533f77cb4331908a90346f24610888ef42d6dd2f9866b733752426702e737
SHA512

67058f6f9932d17bffefa2c6780b85f4c7fc731addbf15df4cff694e0067d29833103e23315a5c767f0cd4a6bd5ac810519b86760142caf78c49e21d47013a9e

Score

10^/10

formbook n7ak persistence rat spyware stealer suricata trojan upx

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2196-64-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2220-70-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\YJZXUFP8HR = "C:\\Program Files (x86)\\T2dt\\msrfipi6.exe"	svchost.exe

Executes dropped EXE 1 IoCs

Processes:

odeme SWIFTmgr.exe

pid process

1340 odeme SWIFTmgr.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe	upx
\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe	upx
behavioral1/memory/1340-59-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2300 cmd.exe

pid	process
2300	cmd.exe

Drops startup file 1 IoCs

Processes:

odeme SWIFT.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpremove.url	odeme SWIFT.exe

Loads dropped DLL 2 IoCs

Processes:

odeme SWIFT.exe

pid process

904 odeme SWIFT.exe
904 odeme SWIFT.exe

Suspicious use of SetThreadContext 7 IoCs

Processes:

odeme SWIFT.exeodeme SWIFT.exesvchost.exe

description	pid	process	target process
PID 904 set thread context of 2196	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 2196 set thread context of 1416	2196	odeme SWIFT.exe	Explorer.EXE
PID 2220 set thread context of 1416	2220	svchost.exe	Explorer.EXE
PID 2220 set thread context of 1520	2220	svchost.exe	iexplore.exe
PID 2220 set thread context of 636	2220	svchost.exe	iexplore.exe
PID 2220 set thread context of 1136	2220	svchost.exe	IEXPLORE.EXE
PID 2220 set thread context of 1700	2220	svchost.exe	IEXPLORE.EXE

Drops file in Program Files directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Program Files (x86)\T2dt\msrfipi6.exe svchost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\T2dt\msrfipi6.exe	svchost.exe

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXEsvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7177AC21-CF23-11EC-9EE1-6280490416C4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "358816153"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{71782151-CF23-11EC-9EE1-6280490416C4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

odeme SWIFTmgr.exeodeme SWIFT.exesvchost.exe

pid	process
1340	odeme SWIFTmgr.exe
1340	odeme SWIFTmgr.exe
1340	odeme SWIFTmgr.exe
1340	odeme SWIFTmgr.exe
1340	odeme SWIFTmgr.exe
1340	odeme SWIFTmgr.exe
1340	odeme SWIFTmgr.exe
1340	odeme SWIFTmgr.exe
2196	odeme SWIFT.exe
2196	odeme SWIFT.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

odeme SWIFT.exeodeme SWIFT.exesvchost.exe

pid	process
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
904	odeme SWIFT.exe
2196	odeme SWIFT.exe
2196	odeme SWIFT.exe
2196	odeme SWIFT.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe
2220	svchost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

odeme SWIFTmgr.exeodeme SWIFT.exesvchost.exe

description pid process

Token: SeDebugPrivilege 1340 odeme SWIFTmgr.exe
Token: SeDebugPrivilege 2196 odeme SWIFT.exe
Token: SeDebugPrivilege 2220 svchost.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

odeme SWIFT.exeiexplore.exeiexplore.exeExplorer.EXE

pid process

904 odeme SWIFT.exe
904 odeme SWIFT.exe
904 odeme SWIFT.exe
1520 iexplore.exe
636 iexplore.exe
1416 Explorer.EXE
1416 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

odeme SWIFT.exeExplorer.EXE

pid process

904 odeme SWIFT.exe
904 odeme SWIFT.exe
904 odeme SWIFT.exe
1416 Explorer.EXE
1416 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1340	odeme SWIFTmgr.exe
Token: SeDebugPrivilege	2196	odeme SWIFT.exe
Token: SeDebugPrivilege	2220	svchost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1520	iexplore.exe
636	iexplore.exe
1520	iexplore.exe
636	iexplore.exe
1700	IEXPLORE.EXE
1136	IEXPLORE.EXE
1136	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE
1700	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

odeme SWIFT.exeodeme SWIFTmgr.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 904 wrote to memory of 1340	904	odeme SWIFT.exe	odeme SWIFTmgr.exe
PID 904 wrote to memory of 1340	904	odeme SWIFT.exe	odeme SWIFTmgr.exe
PID 904 wrote to memory of 1340	904	odeme SWIFT.exe	odeme SWIFTmgr.exe
PID 904 wrote to memory of 1340	904	odeme SWIFT.exe	odeme SWIFTmgr.exe
PID 1340 wrote to memory of 1520	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 1340 wrote to memory of 1520	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 1340 wrote to memory of 1520	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 1340 wrote to memory of 1520	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 1340 wrote to memory of 636	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 1340 wrote to memory of 636	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 1340 wrote to memory of 636	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 1340 wrote to memory of 636	1340	odeme SWIFTmgr.exe	iexplore.exe
PID 636 wrote to memory of 1136	636	iexplore.exe	IEXPLORE.EXE
PID 636 wrote to memory of 1136	636	iexplore.exe	IEXPLORE.EXE
PID 636 wrote to memory of 1136	636	iexplore.exe	IEXPLORE.EXE
PID 636 wrote to memory of 1136	636	iexplore.exe	IEXPLORE.EXE
PID 1520 wrote to memory of 1700	1520	iexplore.exe	IEXPLORE.EXE
PID 1520 wrote to memory of 1700	1520	iexplore.exe	IEXPLORE.EXE
PID 1520 wrote to memory of 1700	1520	iexplore.exe	IEXPLORE.EXE
PID 1520 wrote to memory of 1700	1520	iexplore.exe	IEXPLORE.EXE
PID 904 wrote to memory of 1960	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1960	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1960	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1960	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 436	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 436	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 436	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 436	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 808	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 808	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 808	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 808	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1672	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1672	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1672	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1672	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1996	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1996	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1996	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1996	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1480	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1480	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1480	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1480	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1704	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1704	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1704	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1704	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1356	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1356	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1356	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1356	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1968	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1968	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1968	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1968	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1552	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1552	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1552	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1552	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1976	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1976	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1976	904	odeme SWIFT.exe	odeme SWIFT.exe
PID 904 wrote to memory of 1976	904	odeme SWIFT.exe	odeme SWIFT.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1416

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:636 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1520

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1520 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1700

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:436

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:808

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1000

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1076

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1004

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2052

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2108

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
3⤵
- Deletes itself
PID:2300

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2388

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7177AC21-CF23-11EC-9EE1-6280490416C4}.dat
Filesize
5KB

MD5
4bb1de9546889c05a3f1043199931494

SHA1
b262b31573c6caafdc3440506c111d9fd77ccc7c

SHA256
cc556613e56393d94410044d6e04a7fb51a9c0518b3e384a6f0461704a3bea7f

SHA512
d5a92b68f6d383ca8e5abe58193b10732737ec5af2675cb7fffb8295a5e0ffc0479da79ef209d4250edcce01bdae75c9cdbd45b5f770fba926dcf01ddc0897bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{71782151-CF23-11EC-9EE1-6280490416C4}.dat
Filesize
4KB

MD5
14a8e582923910aa2f47e303fe437c1d

SHA1
a7543bde7d7fd46c7b13c014f479822303fc4c87

SHA256
9c01cc0730019d1beb02742e120a41c9ac30e4dad2ea4ddf030bc42533fdc8e9

SHA512
5caf61456cc8238b817436ff2c73ad0c22be4509705a50b6f17dbdc531b3f8ed3a6bcceeab3dbea6bfa23134e123adf02d37001d6ad735b9d29d4a3e18ec41d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologim.jpeg
Filesize
28KB

MD5
1891658f5048ef1a77b6bf361842d550

SHA1
32fee5518f64725ecb9fc5d1c7c98c8c5e4ceabc

SHA256
924bf46fed3226f29d339cc12b3cd88f14e2f8f482adf3e6aef7be8b64296688

SHA512
4c066b6b9feeed4948e94c268a2282250df294eed9d6768a7f9ef616fbfcdaca275ac59da5c32e80118b6b0a10d23984f2e9be067e8bdc05bb6af8142dc4dc63

Download Submit
C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologrf.ini
Filesize
40B

MD5
2f245469795b865bdd1b956c23d7893d

SHA1
6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

SHA256
1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

SHA512
909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

Download Submit
C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologri.ini
Filesize
40B

MD5
d63a82e5d81e02e399090af26db0b9cb

SHA1
91d0014c8f54743bba141fd60c9d963f869d76c9

SHA256
eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

SHA512
38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

Download Submit
C:\Users\Admin\AppData\Roaming\94O2R65S\94Ologrv.ini
Filesize
40B

MD5
ba3b6bc807d4f76794c4b81b09bb9ba5

SHA1
24cb89501f0212ff3095ecc0aba97dd563718fb1

SHA256
6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

SHA512
ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FUUZCQTL.txt
Filesize
594B

MD5
ef312b6cd06ca9023e5710eb993f5b10

SHA1
95b094adc67fe70ff1221d55153d8143d44060b8

SHA256
4591ac15aa5116cdf8711075f070ec8da1d7e92cebd2e2f6bb3b13842e2c363f

SHA512
ec2a04e5cb2c1c50c06ccc19ea8394ea2bc9e1b042ff583e7d6750f1aff2d2d10c1bcf912c62a8d64bd3911eaa1ae47e0f223ac67e55cc2d9f4da5d59c31d452

Download Submit
\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/904-63-0x0000000000180000-0x00000000001AD000-memory.dmp

Filesize
180KB

Download
memory/904-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1340-59-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1340-57-0x0000000000000000-mapping.dmp

Download
memory/1416-74-0x0000000006FA0000-0x00000000070EE000-memory.dmp

Filesize
1.3MB

Download
memory/1416-67-0x0000000006C50000-0x0000000006DB6000-memory.dmp

Filesize
1.4MB

Download
memory/2196-66-0x00000000001C0000-0x00000000001D4000-memory.dmp

Filesize
80KB

Download
memory/2196-65-0x0000000000B20000-0x0000000000E23000-memory.dmp

Filesize
3.0MB

Download
memory/2196-64-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2196-62-0x000000000041E380-mapping.dmp

Download
memory/2220-71-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/2220-73-0x0000000000790000-0x0000000000823000-memory.dmp

Filesize
588KB

Download
memory/2220-70-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/2220-69-0x0000000000CB0000-0x0000000000CB8000-memory.dmp

Filesize
32KB

Download
memory/2220-68-0x0000000000000000-mapping.dmp

Download
memory/2300-72-0x0000000000000000-mapping.dmp

Download