formbook | 12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a

Analysis

max time kernel
302s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
03-06-2022 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe
Size

929KB
MD5

93b07745eaf59eb167bfd31d9fd2d57c
SHA1

832b665f85fb2ff1161ee8e11ec668c099e3dc2f
SHA256

12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a
SHA512

350267c3f59b39280f649e0ca3bfbfe0d1b3637002d4e866c7af88d6acd82509ca1d0c7e08ac5d0fe6628fa17d777ab9d37d5b1cd48fa140ac9675d6b88e8577

Score

10^/10

formbook modiloader xloader n7ak uj3c loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2408-249-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/2408-270-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/1444-276-0x0000000000720000-0x000000000074E000-memory.dmp	formbook
behavioral2/memory/1444-281-0x0000000000720000-0x000000000074E000-memory.dmp	formbook

ModiLoader Second Stage 56 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2136-140-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-141-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-143-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-142-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-145-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-146-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-147-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-144-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-149-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-150-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-151-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-148-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-153-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-152-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-154-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-155-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-156-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-157-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-159-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-158-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-160-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-161-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-162-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-163-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-164-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-165-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-169-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-170-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-172-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-171-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-173-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-181-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-182-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-180-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-183-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-184-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-185-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-186-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/2136-187-0x0000000003AF0000-0x0000000003B42000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-221-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-222-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-224-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-223-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-226-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-227-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-228-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-225-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-230-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-231-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-232-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-229-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-234-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-233-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-235-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-236-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2
behavioral2/memory/4008-237-0x00000000039D0000-0x0000000003A24000-memory.dmp	modiloader_stage2

Xloader Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2136-167-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/4408-168-0x0000000000000000-mapping.dmp	xloader
behavioral2/memory/4408-193-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/1692-197-0x00000000007D0000-0x00000000007FB000-memory.dmp	xloader
behavioral2/memory/1692-200-0x00000000007D0000-0x00000000007FB000-memory.dmp	xloader

Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

77 1692 cmd.exe
97 1692 cmd.exe
102 1692 cmd.exe
111 1692 cmd.exe
Executes dropped EXE 3 IoCs

Processes:

h8tpnr.exevdbxnonst.exeej7p5zix.exe

pid process

4008 h8tpnr.exe
4532 vdbxnonst.exe
2544 ej7p5zix.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
77	1692	cmd.exe
97	1692	cmd.exe
102	1692	cmd.exe
111	1692	cmd.exe

pid	process
4008	h8tpnr.exe
4532	vdbxnonst.exe
2544	ej7p5zix.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	cmd.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

h8tpnr.exe12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.execmd.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gsnaatekuq = "C:\\Users\\Public\\Libraries\\quketaansG.url"	h8tpnr.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ixknjgjdxi = "C:\\Users\\Public\\Libraries\\ixdjgjnkxI.url"	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ODCXTXTPO6 = "C:\\Program Files (x86)\\Eohl\\vdbxnonst.exe"	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

logagent.execmd.exeDpiScaling.exemsdt.exe

description	pid	process	target process
PID 4408 set thread context of 8	4408	logagent.exe	Explorer.EXE
PID 1692 set thread context of 8	1692	cmd.exe	Explorer.EXE
PID 2408 set thread context of 8	2408	DpiScaling.exe	Explorer.EXE
PID 1444 set thread context of 8	1444	msdt.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

cmd.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Eohl\vdbxnonst.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Eohl	Explorer.EXE
File created	C:\Program Files (x86)\Eohl\vdbxnonst.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Eohl\vdbxnonst.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

logagent.execmd.exeDpiScaling.exemsdt.exe

pid	process
4408	logagent.exe
4408	logagent.exe
4408	logagent.exe
4408	logagent.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
2408	DpiScaling.exe
2408	DpiScaling.exe
2408	DpiScaling.exe
2408	DpiScaling.exe
1692	cmd.exe
1692	cmd.exe
1444	msdt.exe
1444	msdt.exe
1444	msdt.exe
1444	msdt.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1444	msdt.exe
1444	msdt.exe
1692	cmd.exe
1692	cmd.exe
1444	msdt.exe
1444	msdt.exe
1692	cmd.exe
1692	cmd.exe
1444	msdt.exe
1444	msdt.exe
1692	cmd.exe
1692	cmd.exe
1444	msdt.exe
1444	msdt.exe
1692	cmd.exe
1692	cmd.exe
1444	msdt.exe
1444	msdt.exe
1692	cmd.exe
1692	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

8 Explorer.EXE

pid	process
8	Explorer.EXE

Suspicious behavior: MapViewOfSection 12 IoCs

Processes:

logagent.execmd.exeDpiScaling.exemsdt.exe

pid	process
4408	logagent.exe
4408	logagent.exe
4408	logagent.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
2408	DpiScaling.exe
2408	DpiScaling.exe
2408	DpiScaling.exe
1444	msdt.exe
1444	msdt.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

logagent.execmd.exeExplorer.EXEDpiScaling.exemsdt.exe

description	pid	process
Token: SeDebugPrivilege	4408	logagent.exe
Token: SeDebugPrivilege	1692	cmd.exe
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE
Token: SeDebugPrivilege	2408	DpiScaling.exe
Token: SeDebugPrivilege	1444	msdt.exe
Token: SeShutdownPrivilege	8	Explorer.EXE
Token: SeCreatePagefilePrivilege	8	Explorer.EXE

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exeExplorer.EXEcmd.exeh8tpnr.exemsdt.exe

description	pid	process	target process
PID 2136 wrote to memory of 4408	2136	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 2136 wrote to memory of 4408	2136	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 2136 wrote to memory of 4408	2136	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 2136 wrote to memory of 4408	2136	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 2136 wrote to memory of 4408	2136	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 2136 wrote to memory of 4408	2136	12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe	logagent.exe
PID 8 wrote to memory of 1692	8	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 1692	8	Explorer.EXE	cmd.exe
PID 8 wrote to memory of 1692	8	Explorer.EXE	cmd.exe
PID 1692 wrote to memory of 2684	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 2684	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 2684	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4616	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4616	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 4616	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1128	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1128	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1128	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 764	1692	cmd.exe	Firefox.exe
PID 1692 wrote to memory of 764	1692	cmd.exe	Firefox.exe
PID 1692 wrote to memory of 764	1692	cmd.exe	Firefox.exe
PID 1692 wrote to memory of 4008	1692	cmd.exe	h8tpnr.exe
PID 1692 wrote to memory of 4008	1692	cmd.exe	h8tpnr.exe
PID 1692 wrote to memory of 4008	1692	cmd.exe	h8tpnr.exe
PID 4008 wrote to memory of 2408	4008	h8tpnr.exe	DpiScaling.exe
PID 4008 wrote to memory of 2408	4008	h8tpnr.exe	DpiScaling.exe
PID 4008 wrote to memory of 2408	4008	h8tpnr.exe	DpiScaling.exe
PID 4008 wrote to memory of 2408	4008	h8tpnr.exe	DpiScaling.exe
PID 4008 wrote to memory of 2408	4008	h8tpnr.exe	DpiScaling.exe
PID 4008 wrote to memory of 2408	4008	h8tpnr.exe	DpiScaling.exe
PID 8 wrote to memory of 1444	8	Explorer.EXE	msdt.exe
PID 8 wrote to memory of 1444	8	Explorer.EXE	msdt.exe
PID 8 wrote to memory of 1444	8	Explorer.EXE	msdt.exe
PID 1444 wrote to memory of 4592	1444	msdt.exe	cmd.exe
PID 1444 wrote to memory of 4592	1444	msdt.exe	cmd.exe
PID 1444 wrote to memory of 4592	1444	msdt.exe	cmd.exe
PID 8 wrote to memory of 4532	8	Explorer.EXE	vdbxnonst.exe
PID 8 wrote to memory of 4532	8	Explorer.EXE	vdbxnonst.exe
PID 8 wrote to memory of 4532	8	Explorer.EXE	vdbxnonst.exe
PID 1692 wrote to memory of 2544	1692	cmd.exe	ej7p5zix.exe
PID 1692 wrote to memory of 2544	1692	cmd.exe	ej7p5zix.exe
PID 1692 wrote to memory of 2544	1692	cmd.exe	ej7p5zix.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:8

C:\Users\Admin\AppData\Local\Temp\12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe
"C:\Users\Admin\AppData\Local\Temp\12fd21cbec194aad7f97eb21ca373742d6992b18c7f54eab1c71ecef3d874f3a.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
3⤵
PID:2684

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:4616

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
3⤵
PID:1128

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\h8tpnr.exe
"C:\Users\Admin\AppData\Local\Temp\h8tpnr.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Users\Admin\AppData\Local\Temp\ej7p5zix.exe
"C:\Users\Admin\AppData\Local\Temp\ej7p5zix.exe"
3⤵
- Executes dropped EXE
PID:2544

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\DpiScaling.exe"
3⤵
PID:4592

C:\Program Files (x86)\Eohl\vdbxnonst.exe
"C:\Program Files (x86)\Eohl\vdbxnonst.exe"
2⤵
- Executes dropped EXE
PID:4532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Eohl\vdbxnonst.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
C:\Program Files (x86)\Eohl\vdbxnonst.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
21cd26f84067808d04d9cc2612519723

SHA1
ff4b88b954eb688f9a509fce25a1b9a758b7b833

SHA256
d64140cdb8de87a068eccd819a98c89c6bfbc39c0e62082f309070fc80760dda

SHA512
4a1093382dc198dbf1bc1bf2a6804f474170d837edbdfc1b85f1a2c3e8c5120c0c8b16452463a55fc817e5e32f15df4ff4de4ddc3d501e033bbef388e3f42615

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
416B

MD5
6a3754b90534ddcef2946a8610b09010

SHA1
9b067045acdd21d1aa86acf5a51dbd3cd7569a2e

SHA256
4e6216bc0120f35899cd381c721e686a778288fa198d720121058dc04845f801

SHA512
89fa0e942c1583c1ca6561d795b70b3637da1b91415cc650bd73481948fc052d9699bca6c8eb7f1f90ef1b2c2aeee2e6ef5da89f9ee5f15c7bead5ea84d64fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\ej7p5zix.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8tpnr.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
C:\Users\Admin\AppData\Local\Temp\h8tpnr.exe
Filesize
892KB

MD5
1586ba86228b75478e39c18a4414cea0

SHA1
75467b96d2a138df8ee42355dd228212d60c6c51

SHA256
7a33326911b7cc7ba3dc7c64feeda67e8b396f261bc5789833dfac686c4d7748

SHA512
a6ac5b85d5c0960e04c80c86c4347c7a6d8751920ef02d8c058fb81a4ec86779d38a1beb7564c36f0926f8f57045610b7e5a5bed9a128df54b722a0ed56eb667

Download Submit
memory/8-201-0x0000000008360000-0x000000000849C000-memory.dmp

Filesize
1.2MB

Download
memory/8-191-0x0000000007D90000-0x0000000007EF7000-memory.dmp

Filesize
1.4MB

Download
memory/8-273-0x00000000084A0000-0x00000000085F6000-memory.dmp

Filesize
1.3MB

Download
memory/8-280-0x00000000086D0000-0x000000000880A000-memory.dmp

Filesize
1.2MB

Download
memory/8-199-0x0000000008360000-0x000000000849C000-memory.dmp

Filesize
1.2MB

Download
memory/8-282-0x00000000086D0000-0x000000000880A000-memory.dmp

Filesize
1.2MB

Download
memory/1128-204-0x0000000000000000-mapping.dmp

Download
memory/1444-279-0x0000000002830000-0x00000000028C3000-memory.dmp

Filesize
588KB

Download
memory/1444-274-0x0000000000000000-mapping.dmp

Download
memory/1444-276-0x0000000000720000-0x000000000074E000-memory.dmp

Filesize
184KB

Download
memory/1444-275-0x0000000000FD0000-0x0000000001027000-memory.dmp

Filesize
348KB

Download
memory/1444-278-0x0000000002AF0000-0x0000000002E3A000-memory.dmp

Filesize
3.3MB

Download
memory/1444-281-0x0000000000720000-0x000000000074E000-memory.dmp

Filesize
184KB

Download
memory/1692-200-0x00000000007D0000-0x00000000007FB000-memory.dmp

Filesize
172KB

Download
memory/1692-198-0x0000000001240000-0x00000000012D0000-memory.dmp

Filesize
576KB

Download
memory/1692-197-0x00000000007D0000-0x00000000007FB000-memory.dmp

Filesize
172KB

Download
memory/1692-196-0x0000000000F40000-0x0000000000F9A000-memory.dmp

Filesize
360KB

Download
memory/1692-195-0x0000000001510000-0x000000000185A000-memory.dmp

Filesize
3.3MB

Download
memory/1692-192-0x0000000000000000-mapping.dmp

Download
memory/2136-164-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-162-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-172-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-171-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-173-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-181-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-182-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-180-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-183-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-184-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-185-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-186-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-187-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-141-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-153-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-169-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-143-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-142-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-170-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-167-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/2136-165-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-140-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-163-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-148-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-161-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-160-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-145-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-158-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-159-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-157-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-146-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-156-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-155-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-154-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-152-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-147-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-144-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-149-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-150-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2136-151-0x0000000003AF0000-0x0000000003B42000-memory.dmp

Filesize
328KB

Download
memory/2408-249-0x0000000000000000-mapping.dmp

Download
memory/2408-272-0x0000000002B90000-0x0000000002BA4000-memory.dmp

Filesize
80KB

Download
memory/2408-271-0x0000000002C80000-0x0000000002FCA000-memory.dmp

Filesize
3.3MB

Download
memory/2408-270-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/2544-286-0x0000000000000000-mapping.dmp

Download
memory/2684-194-0x0000000000000000-mapping.dmp

Download
memory/4008-226-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-222-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-228-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-235-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-223-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-237-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-232-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-234-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-230-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-233-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-229-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-227-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-225-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-236-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-231-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-224-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4008-206-0x0000000000000000-mapping.dmp

Download
memory/4008-221-0x00000000039D0000-0x0000000003A24000-memory.dmp

Filesize
336KB

Download
memory/4408-190-0x0000000003130000-0x0000000003141000-memory.dmp

Filesize
68KB

Download
memory/4408-189-0x00000000032F0000-0x000000000363A000-memory.dmp

Filesize
3.3MB

Download
memory/4408-193-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4408-168-0x0000000000000000-mapping.dmp

Download
memory/4532-283-0x0000000000000000-mapping.dmp

Download
memory/4592-277-0x0000000000000000-mapping.dmp

Download
memory/4616-202-0x0000000000000000-mapping.dmp

Download