formbook | 12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a

Analysis

max time kernel
280s
max time network
300s
platform
windows7_x64
resource
win7-20220414-en
submitted
03-06-2022 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe
Size

929KB
MD5

93b07745eaf59eb167bfd31d9fd2d57c
SHA1

832b665f85fb2ff1161ee8e11ec668c099e3dc2f
SHA256

12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a
SHA512

350267c3f59b39280f649e0ca3bfbfe0d1b3637002d4e866c7af88d6acd82509ca1d0c7e08ac5d0fe6628fa17d777ab9d37d5b1cd48fa140ac9675d6b88e8577

Score

10^/10

formbook modiloader xloader n7ak uj3c loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1492-179-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/1492-183-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral1/memory/1840-191-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook
behavioral1/memory/1840-197-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

ModiLoader Second Stage 50 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1972-65-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-66-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-67-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-68-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-71-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-70-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-69-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-72-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-76-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-75-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-74-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-73-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-90-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-89-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-88-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-87-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-86-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-85-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-84-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-83-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-82-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-81-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-80-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-79-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-78-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-77-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-96-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-98-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-97-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-99-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-100-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-108-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-107-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-109-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-112-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-111-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-113-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1972-114-0x0000000004630000-0x0000000004682000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-149-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-150-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-151-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-152-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-154-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-155-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-156-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-153-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-158-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-159-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-160-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2
behavioral1/memory/1548-157-0x0000000004030000-0x0000000004084000-memory.dmp	modiloader_stage2

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1972-92-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral1/memory/1168-95-0x0000000000000000-mapping.dmp	xloader
behavioral1/memory/1168-116-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral1/memory/596-122-0x00000000001B0000-0x00000000001DB000-memory.dmp	xloader
behavioral1/memory/596-126-0x00000000001B0000-0x00000000001DB000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JR8XNT2HKTE = "C:\\Program Files (x86)\\Gmnupd\\vgaebgx.exe"	cscript.exe

Executes dropped EXE 3 IoCs

Processes:

nrxhw.exevgaebgx.exezdmtqht.exe

pid process

1548 nrxhw.exe
1912 vgaebgx.exe
1308 zdmtqht.exe
Loads dropped DLL 2 IoCs

Processes:

cscript.exe

pid process

596 cscript.exe
596 cscript.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1548	nrxhw.exe
1912	vgaebgx.exe
1308	zdmtqht.exe

pid	process
596	cscript.exe
596	cscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exenrxhw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ixknjgjdxi = "C:\\Users\\Public\\Libraries\\ixdjgjnkxI.url"	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Gsnaatekuq = "C:\\Users\\Public\\Libraries\\quketaansG.url"	nrxhw.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

logagent.execscript.exeDpiScaling.execontrol.exe

description	pid	process	target process
PID 1168 set thread context of 1416	1168	logagent.exe	Explorer.EXE
PID 596 set thread context of 1416	596	cscript.exe	Explorer.EXE
PID 1492 set thread context of 1416	1492	DpiScaling.exe	Explorer.EXE
PID 1840 set thread context of 1416	1840	control.exe	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

cscript.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Gmnupd\vgaebgx.exe	cscript.exe
File created	C:\Program Files (x86)\Gmnupd\vgaebgx.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

logagent.execscript.exeDpiScaling.execontrol.exe

pid	process
1168	logagent.exe
1168	logagent.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
1492	DpiScaling.exe
1492	DpiScaling.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
1840	control.exe
596	cscript.exe
596	cscript.exe
1840	control.exe

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

logagent.execscript.exeDpiScaling.execontrol.exe

pid	process
1168	logagent.exe
1168	logagent.exe
1168	logagent.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
596	cscript.exe
1492	DpiScaling.exe
1492	DpiScaling.exe
1492	DpiScaling.exe
1840	control.exe
1840	control.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

logagent.execscript.exeDpiScaling.execontrol.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1168	logagent.exe
Token: SeDebugPrivilege	596	cscript.exe
Token: SeDebugPrivilege	1492	DpiScaling.exe
Token: SeDebugPrivilege	1840	control.exe
Token: SeShutdownPrivilege	1416	Explorer.EXE

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exeExplorer.EXEcscript.exenrxhw.execontrol.exe

description	pid	process	target process
PID 1972 wrote to memory of 1168	1972	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 1972 wrote to memory of 1168	1972	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 1972 wrote to memory of 1168	1972	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 1972 wrote to memory of 1168	1972	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 1972 wrote to memory of 1168	1972	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 1972 wrote to memory of 1168	1972	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 1972 wrote to memory of 1168	1972	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 1416 wrote to memory of 596	1416	Explorer.EXE	cscript.exe
PID 1416 wrote to memory of 596	1416	Explorer.EXE	cscript.exe
PID 1416 wrote to memory of 596	1416	Explorer.EXE	cscript.exe
PID 1416 wrote to memory of 596	1416	Explorer.EXE	cscript.exe
PID 596 wrote to memory of 1620	596	cscript.exe	cmd.exe
PID 596 wrote to memory of 1620	596	cscript.exe	cmd.exe
PID 596 wrote to memory of 1620	596	cscript.exe	cmd.exe
PID 596 wrote to memory of 1620	596	cscript.exe	cmd.exe
PID 596 wrote to memory of 1136	596	cscript.exe	Firefox.exe
PID 596 wrote to memory of 1136	596	cscript.exe	Firefox.exe
PID 596 wrote to memory of 1136	596	cscript.exe	Firefox.exe
PID 596 wrote to memory of 1136	596	cscript.exe	Firefox.exe
PID 596 wrote to memory of 1136	596	cscript.exe	Firefox.exe
PID 596 wrote to memory of 1548	596	cscript.exe	nrxhw.exe
PID 596 wrote to memory of 1548	596	cscript.exe	nrxhw.exe
PID 596 wrote to memory of 1548	596	cscript.exe	nrxhw.exe
PID 596 wrote to memory of 1548	596	cscript.exe	nrxhw.exe
PID 1548 wrote to memory of 1492	1548	nrxhw.exe	DpiScaling.exe
PID 1548 wrote to memory of 1492	1548	nrxhw.exe	DpiScaling.exe
PID 1548 wrote to memory of 1492	1548	nrxhw.exe	DpiScaling.exe
PID 1548 wrote to memory of 1492	1548	nrxhw.exe	DpiScaling.exe
PID 1548 wrote to memory of 1492	1548	nrxhw.exe	DpiScaling.exe
PID 1548 wrote to memory of 1492	1548	nrxhw.exe	DpiScaling.exe
PID 1548 wrote to memory of 1492	1548	nrxhw.exe	DpiScaling.exe
PID 1416 wrote to memory of 1840	1416	Explorer.EXE	control.exe
PID 1416 wrote to memory of 1840	1416	Explorer.EXE	control.exe
PID 1416 wrote to memory of 1840	1416	Explorer.EXE	control.exe
PID 1416 wrote to memory of 1840	1416	Explorer.EXE	control.exe
PID 1840 wrote to memory of 668	1840	control.exe	cmd.exe
PID 1840 wrote to memory of 668	1840	control.exe	cmd.exe
PID 1840 wrote to memory of 668	1840	control.exe	cmd.exe
PID 1840 wrote to memory of 668	1840	control.exe	cmd.exe
PID 1416 wrote to memory of 1912	1416	Explorer.EXE	vgaebgx.exe
PID 1416 wrote to memory of 1912	1416	Explorer.EXE	vgaebgx.exe
PID 1416 wrote to memory of 1912	1416	Explorer.EXE	vgaebgx.exe
PID 1416 wrote to memory of 1912	1416	Explorer.EXE	vgaebgx.exe
PID 596 wrote to memory of 1308	596	cscript.exe	zdmtqht.exe
PID 596 wrote to memory of 1308	596	cscript.exe	zdmtqht.exe
PID 596 wrote to memory of 1308	596	cscript.exe	zdmtqht.exe
PID 596 wrote to memory of 1308	596	cscript.exe	zdmtqht.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

cscript.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cscript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	cscript.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe
"C:\Users\Admin\AppData\Local\Temp\12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1580

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:964

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1492

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:528

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1360

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2036

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1176

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1576

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Adds policy Run key to start application
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:596

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:1620

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:1136

C:\Users\Admin\AppData\Local\Temp\nrxhw.exe
"C:\Users\Admin\AppData\Local\Temp\nrxhw.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\zdmtqht.exe
"C:\Users\Admin\AppData\Local\Temp\zdmtqht.exe"
3⤵
- Executes dropped EXE
PID:1308

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\DpiScaling.exe"
3⤵
PID:668

C:\Program Files (x86)\Gmnupd\vgaebgx.exe
"C:\Program Files (x86)\Gmnupd\vgaebgx.exe"
2⤵
- Executes dropped EXE
PID:1912

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gmnupd\vgaebgx.exe
Filesize
93KB

MD5
ea7d55e6964aa852bc7ae6f1c3349a55

SHA1
53359c8e8931277285906a434c390b572c44727d

SHA256
9f62d26179d0f61ee5bc2aa53507579c009dc28f916a32a557d6e0dfe0e0d1ea

SHA512
5c121555745a27708767547131b213344085fb7e75928b6caabccc0e398be39c64cebdacd0e2a888a37f609d2a8cad95255aae163b3b5cc28f28ce75afdd0124

Download Submit
C:\Program Files (x86)\Gmnupd\vgaebgx.exe
Filesize
93KB

MD5
ea7d55e6964aa852bc7ae6f1c3349a55

SHA1
53359c8e8931277285906a434c390b572c44727d

SHA256
9f62d26179d0f61ee5bc2aa53507579c009dc28f916a32a557d6e0dfe0e0d1ea

SHA512
5c121555745a27708767547131b213344085fb7e75928b6caabccc0e398be39c64cebdacd0e2a888a37f609d2a8cad95255aae163b3b5cc28f28ce75afdd0124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
21cd26f84067808d04d9cc2612519723

SHA1
ff4b88b954eb688f9a509fce25a1b9a758b7b833

SHA256
d64140cdb8de87a068eccd819a98c89c6bfbc39c0e62082f309070fc80760dda

SHA512
4a1093382dc198dbf1bc1bf2a6804f474170d837edbdfc1b85f1a2c3e8c5120c0c8b16452463a55fc817e5e32f15df4ff4de4ddc3d501e033bbef388e3f42615

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
416B

MD5
615ff38d00bf64eee6d305281ca6c100

SHA1
3526922f741178097991069c622025469b0b435e

SHA256
f39bac3cff9e2e24ac431d8303233560a6b4945224026a79321254f3c4c329cb

SHA512
e3bc8bd0f7f140d75a94e55a7183e36b02bc3320481211fc5bc9b3bd498f0116d41f49da587082e908f069498642fc2d53bb46003888ed65be14c30132b6e3a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
bd5bc6f8d292343f8c8756c4c6cca277

SHA1
c47f11b40cc1947900487251d0b70c9ea3449eff

SHA256
dc40914098089cfddc2a0f78e0429c07ac5fbb104733427d113cb6b4d05841f8

SHA512
3a53901e5ae2928f989a4fc9ac4534e725c6920c20bfbe2c5d42e63ef86f91dd15b1643640db062fe699d30ac638e4765e0809ea4573beb9b0422d918806c157

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
1a1fb57e3c9d274e7cc9ee4a277cf954

SHA1
af3a97bf23184a5e1eb9ac6da7d8e2f47b488467

SHA256
46ba98e84f85253890452c878d9b2c32892b1b9005e1be75306f5842d6b27da0

SHA512
dc5ffdc62aa17df037d780370dd8e280c6b062b31fa49453821e77029e5e540aae3a660232067d7b84bbc2cc9e103b777eabd5e552eab271debd6920f57886a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrxhw.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nrxhw.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdmtqht.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
C:\Users\Admin\AppData\Local\Temp\zdmtqht.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O4FP06L1.txt
Filesize
64B

MD5
88387e43accb0e7fb02ac26053cd074e

SHA1
80369a828d32aabc4a9869a5f69f1e8689f2833b

SHA256
2e8a877166bf4962c9c689453726dccfaf9434d1df7cd64a581b08a7d35fa1e4

SHA512
8e948402b4788a09e56a364bcb5a42b0deb1520f4823207a876ecaef417b05e81db43dd227385e5591df0a495fb13143d7856ac1e1163967ac8b72107ead2fd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\UCOEORC3.txt
Filesize
64B

MD5
22644a93e69824608a7ea149c717d348

SHA1
d50e37f154aed546e884fdec101573c6519b76c4

SHA256
54931cd00aeeea4799a3f47bb1d4c2458b1076705e8583ace9896f2fed5f949b

SHA512
c1df07e5df678d528dae8ac482aea19dbcc1057edce002f676c5b68b12302dc634a0fd6e3cdbce637ab6bbeda6fb209301e30ebe71842758614afcc137d211ba

Download Submit
\Users\Admin\AppData\Local\Temp\nrxhw.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
\Users\Admin\AppData\Local\Temp\zdmtqht.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
memory/596-123-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/596-121-0x00000000002F0000-0x0000000000312000-memory.dmp

Filesize
136KB

Download
memory/596-120-0x0000000000000000-mapping.dmp

Download
memory/596-122-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/596-125-0x00000000003B0000-0x0000000000440000-memory.dmp

Filesize
576KB

Download
memory/596-126-0x00000000001B0000-0x00000000001DB000-memory.dmp

Filesize
172KB

Download
memory/668-189-0x0000000000000000-mapping.dmp

Download
memory/1168-95-0x0000000000000000-mapping.dmp

Download
memory/1168-93-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1168-117-0x00000000021C0000-0x00000000024C3000-memory.dmp

Filesize
3.0MB

Download
memory/1168-118-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/1168-116-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1308-199-0x0000000000000000-mapping.dmp

Download
memory/1416-128-0x0000000006FA0000-0x000000000707F000-memory.dmp

Filesize
892KB

Download
memory/1416-119-0x0000000006C50000-0x0000000006D51000-memory.dmp

Filesize
1.0MB

Download
memory/1416-187-0x0000000009540000-0x0000000009681000-memory.dmp

Filesize
1.3MB

Download
memory/1416-127-0x0000000006FA0000-0x000000000707F000-memory.dmp

Filesize
892KB

Download
memory/1492-186-0x0000000000200000-0x0000000000214000-memory.dmp

Filesize
80KB

Download
memory/1492-184-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1492-179-0x0000000000000000-mapping.dmp

Download
memory/1492-183-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/1548-159-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-155-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-157-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-160-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-158-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-153-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-156-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-131-0x0000000000000000-mapping.dmp

Download
memory/1548-154-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-152-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-151-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-150-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1548-149-0x0000000004030000-0x0000000004084000-memory.dmp

Filesize
336KB

Download
memory/1620-124-0x0000000000000000-mapping.dmp

Download
memory/1840-192-0x0000000001EB0000-0x00000000021B3000-memory.dmp

Filesize
3.0MB

Download
memory/1840-185-0x0000000000000000-mapping.dmp

Download
memory/1840-197-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1840-195-0x0000000001D20000-0x0000000001DB3000-memory.dmp

Filesize
588KB

Download
memory/1840-191-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1840-190-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/1912-193-0x0000000000000000-mapping.dmp

Download
memory/1972-87-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-89-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-84-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-85-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-86-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-77-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-96-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-98-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-97-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-99-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-100-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-108-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-107-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-114-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-113-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1972-111-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-112-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-88-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-83-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-90-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-82-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-73-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-74-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-75-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-92-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/1972-109-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-81-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-80-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-76-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-79-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-72-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-78-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-69-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-70-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-71-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-68-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-67-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-66-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download
memory/1972-65-0x0000000004630000-0x0000000004682000-memory.dmp

Filesize
328KB

Download