formbook | 7e05beb1f3567f6c96823777d029ceb27c43e7f275304e57b28f6c42bbbc099c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-06-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

orden grande pdf.exe
Size

241KB
MD5

149d29a68788c9cd599cba389698ed47
SHA1

cad8135bbbee484b91b87df367631b9043c2f403
SHA256

b92800b4c8d2200d261f52287439016dc29ba57a73d428015ab05ee98a19c159
SHA512

6026a7692a4a745518f2c8404a1c4b4c08e8c66f2d6fe0c9385c73d8a125bb26bba8496b4f9a492d3c8bc73140ba2173d3583435318245fe5ea0004e51a916c7

Score

10^/10

formbook modiloader xloader gqvv n7ak loader persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

gqvv

Decoy

keyclash.com

canadianinspiration.com

testmanagement.xyz

doxpunk.xyz

kodacult.com

snatchbra.net

313370955.com

sarochin.com

norozoto.xyz

nbpanthers.com

colombiaartesanias.com

m57hwtiuu7h.com

tsaerac.com

alugiare.com

elizeusomautomotivo.com

fgijjisdifsd.xyz

isecurewebsites.com

incomeviaonline.com

caribbeanbrunch.com

alveus-solarboote.com

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3768-255-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3768-275-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/3768-281-0x0000000010410000-0x000000001043E000-memory.dmp	formbook
behavioral2/memory/4820-284-0x0000000000C30000-0x0000000000C5E000-memory.dmp	formbook
behavioral2/memory/4820-288-0x0000000000C30000-0x0000000000C5E000-memory.dmp	formbook

ModiLoader Second Stage 55 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4156-141-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-143-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-142-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-144-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-145-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-146-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-147-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-148-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-149-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-150-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-151-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-152-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-153-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-154-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-155-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-156-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-157-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-158-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-159-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-160-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-161-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-162-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-163-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-164-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-165-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-170-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-169-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-171-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-172-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-173-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-180-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-181-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-182-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-183-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-184-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-185-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-186-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/4156-187-0x00000000036F0000-0x0000000003742000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-227-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-228-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-229-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-230-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-231-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-232-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-234-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-233-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-235-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-236-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-238-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-237-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-240-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-241-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-239-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-243-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2
behavioral2/memory/1872-242-0x0000000003D90000-0x0000000003DE4000-memory.dmp	modiloader_stage2

Xloader Payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4156-167-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/3108-168-0x0000000000000000-mapping.dmp	xloader
behavioral2/memory/3108-189-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/3108-196-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/1972-200-0x0000000000760000-0x000000000078B000-memory.dmp	xloader
behavioral2/memory/1972-204-0x0000000000760000-0x000000000078B000-memory.dmp	xloader

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ipconfig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\CJQX0PXPEDN = "C:\\Program Files (x86)\\Ry8op\\mpxthll_r.exe"	ipconfig.exe

Executes dropped EXE 2 IoCs

Processes:

jpkd2.exempxthll_r.exe

pid process

1872 jpkd2.exe
4068 mpxthll_r.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1872	jpkd2.exe
4068	mpxthll_r.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jpkd2.exeorden grande pdf.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rbyflxbzhq = "C:\\Users\\Public\\Libraries\\qhzbxlfybR.url"	jpkd2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bovfeygedf = "C:\\Users\\Public\\Libraries\\fdegyefvoB.url"	orden grande pdf.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

logagent.exeipconfig.exeDpiScaling.exemsiexec.exe

description	pid	process	target process
PID 3108 set thread context of 1032	3108	logagent.exe	Explorer.EXE
PID 3108 set thread context of 1032	3108	logagent.exe	Explorer.EXE
PID 1972 set thread context of 1032	1972	ipconfig.exe	Explorer.EXE
PID 3768 set thread context of 1032	3768	DpiScaling.exe	Explorer.EXE
PID 4820 set thread context of 1032	4820	msiexec.exe	Explorer.EXE

Drops file in Program Files directory 4 IoCs

Processes:

ipconfig.exeExplorer.EXE

description	ioc	process
File opened for modification	C:\Program Files (x86)\Ry8op\mpxthll_r.exe	ipconfig.exe
File opened for modification	C:\Program Files (x86)\Ry8op	Explorer.EXE
File created	C:\Program Files (x86)\Ry8op\mpxthll_r.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Ry8op\mpxthll_r.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

1972 ipconfig.exe

pid	process
1972	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

ipconfig.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

logagent.exeipconfig.exeDpiScaling.exemsiexec.exe

pid	process
3108	logagent.exe
3108	logagent.exe
3108	logagent.exe
3108	logagent.exe
3108	logagent.exe
3108	logagent.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
3768	DpiScaling.exe
3768	DpiScaling.exe
3768	DpiScaling.exe
3768	DpiScaling.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe
1972	ipconfig.exe
1972	ipconfig.exe
4820	msiexec.exe
4820	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1032 Explorer.EXE

pid	process
1032	Explorer.EXE

Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

logagent.exeipconfig.exeDpiScaling.exemsiexec.exe

pid	process
3108	logagent.exe
3108	logagent.exe
3108	logagent.exe
3108	logagent.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
1972	ipconfig.exe
3768	DpiScaling.exe
3768	DpiScaling.exe
3768	DpiScaling.exe
4820	msiexec.exe
4820	msiexec.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

logagent.exeipconfig.exeExplorer.EXEDpiScaling.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	3108	logagent.exe
Token: SeDebugPrivilege	1972	ipconfig.exe
Token: SeShutdownPrivilege	1032	Explorer.EXE
Token: SeCreatePagefilePrivilege	1032	Explorer.EXE
Token: SeDebugPrivilege	3768	DpiScaling.exe
Token: SeDebugPrivilege	4820	msiexec.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

orden grande pdf.exelogagent.exeipconfig.exejpkd2.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 4156 wrote to memory of 3108	4156	orden grande pdf.exe	logagent.exe
PID 4156 wrote to memory of 3108	4156	orden grande pdf.exe	logagent.exe
PID 4156 wrote to memory of 3108	4156	orden grande pdf.exe	logagent.exe
PID 4156 wrote to memory of 3108	4156	orden grande pdf.exe	logagent.exe
PID 4156 wrote to memory of 3108	4156	orden grande pdf.exe	logagent.exe
PID 4156 wrote to memory of 3108	4156	orden grande pdf.exe	logagent.exe
PID 3108 wrote to memory of 1972	3108	logagent.exe	ipconfig.exe
PID 3108 wrote to memory of 1972	3108	logagent.exe	ipconfig.exe
PID 3108 wrote to memory of 1972	3108	logagent.exe	ipconfig.exe
PID 1972 wrote to memory of 1148	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 1148	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 1148	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 2148	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 2148	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 2148	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 2348	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 2348	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 2348	1972	ipconfig.exe	cmd.exe
PID 1972 wrote to memory of 3536	1972	ipconfig.exe	Firefox.exe
PID 1972 wrote to memory of 3536	1972	ipconfig.exe	Firefox.exe
PID 1972 wrote to memory of 3536	1972	ipconfig.exe	Firefox.exe
PID 1972 wrote to memory of 1872	1972	ipconfig.exe	jpkd2.exe
PID 1972 wrote to memory of 1872	1972	ipconfig.exe	jpkd2.exe
PID 1972 wrote to memory of 1872	1972	ipconfig.exe	jpkd2.exe
PID 1872 wrote to memory of 3768	1872	jpkd2.exe	DpiScaling.exe
PID 1872 wrote to memory of 3768	1872	jpkd2.exe	DpiScaling.exe
PID 1872 wrote to memory of 3768	1872	jpkd2.exe	DpiScaling.exe
PID 1872 wrote to memory of 3768	1872	jpkd2.exe	DpiScaling.exe
PID 1872 wrote to memory of 3768	1872	jpkd2.exe	DpiScaling.exe
PID 1872 wrote to memory of 3768	1872	jpkd2.exe	DpiScaling.exe
PID 1032 wrote to memory of 4820	1032	Explorer.EXE	msiexec.exe
PID 1032 wrote to memory of 4820	1032	Explorer.EXE	msiexec.exe
PID 1032 wrote to memory of 4820	1032	Explorer.EXE	msiexec.exe
PID 4820 wrote to memory of 1788	4820	msiexec.exe	cmd.exe
PID 4820 wrote to memory of 1788	4820	msiexec.exe	cmd.exe
PID 4820 wrote to memory of 1788	4820	msiexec.exe	cmd.exe
PID 1032 wrote to memory of 4068	1032	Explorer.EXE	mpxthll_r.exe
PID 1032 wrote to memory of 4068	1032	Explorer.EXE	mpxthll_r.exe
PID 1032 wrote to memory of 4068	1032	Explorer.EXE	mpxthll_r.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\orden grande pdf.exe
"C:\Users\Admin\AppData\Local\Temp\orden grande pdf.exe"
2⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\logagent.exe
C:\Windows\System32\logagent.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
4⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\logagent.exe"
5⤵
PID:1148

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
5⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
/c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
5⤵
PID:2348

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
5⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\jpkd2.exe
"C:\Users\Admin\AppData\Local\Temp\jpkd2.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\DpiScaling.exe
C:\Windows\System32\DpiScaling.exe
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1072

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\DpiScaling.exe"
3⤵
PID:1788

C:\Program Files (x86)\Ry8op\mpxthll_r.exe
"C:\Program Files (x86)\Ry8op\mpxthll_r.exe"
2⤵
- Executes dropped EXE
PID:4068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ry8op\mpxthll_r.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
C:\Program Files (x86)\Ry8op\mpxthll_r.exe
Filesize
86KB

MD5
523a40703dd9e7da957aa92a204cb1c4

SHA1
2a069bff58a87f7d2b405fdf87634fb2ce213b21

SHA256
058e1a4389ae837fafc6a7bdfca2abf33ceb6915410edbc4b2ebca052e4f13a6

SHA512
ca5002ebddb39acd0dbbeb77297ffb719a36bc8288ad6f2732247a28cbf1a6fe7cd238ef126f6b1cca3f259cab55a5c01e3bfcd9bda3d25097233093bdb940bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
1KB

MD5
1e59da967e5251fb6363e91677c70153

SHA1
b7d9388ca5b5b07d6af68fc9886eaa879f8d9160

SHA256
ca59967edb1115006d498632f34f0b7082c5a17dc5bbe98293cd4708e21bfe88

SHA512
4969e133e3124cf9fa213927dab57d11de093afee6db98dd384a66ce2a8173562674055177c89fe855b607b51a3d7375e301a7187098775b8f62f530cbc15dfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
471B

MD5
43111bb2c89745ed3725fbb55f689e2c

SHA1
8323b2edf18e0a2e04e62392c411d8062223d934

SHA256
799c420515dadabe7d9693c03bd09e3d67cf6d30c8d0fdef1fc79a8700e13a66

SHA512
62fdfc2cefbd2d96d80d4a0b9bfa32cc131f6afc3962030153027a47356ee5535d2f9f88dd59ce9d7406161b7f08da1527ff0f5ccdf5883423f1a61c0607f1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
Filesize
416B

MD5
66f73bdd93c34cf5eff6ac92a8db5ed0

SHA1
d9322a9551e87b87dbd88108ca94808c74e2c641

SHA256
c702b97b09584fe6d2fd31d96cd7bf087ed1d3150bfca5381a6b3783dc351bd6

SHA512
601e4777199e13aa84fe999e61024d70cbfd5a8804e77dcd42972fd121be77b5ec9c7a9321cae9d0b0f1e7597f337229a35e386fc80be07956afa0c7d779f23e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
Filesize
412B

MD5
431ab4942c3a39719a9dbdcab667b214

SHA1
3f8713da9347d54a354c9c3f6c7c612c20269293

SHA256
e1bd2d58c3913411003b1afdf203745a6a165be56b26a6ff6ab95681d9af0276

SHA512
db9dbf51a2e8c0a76174c10136401916dc1670d6c4d77e10902e4d70e8dd58fd51cf219303fbc7681f99613b4dddd5e385fc6d529d6ea7f78ba68710e4cebeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpkd2.exe
Filesize
832KB

MD5
c502a7c74e56610c645b07d353bc68ba

SHA1
a1e7fe7346d1c87fb948df2cfb5b9d6fa68de771

SHA256
e26f5163ac535bab0426bde4c29b11a7194d418f7ff9e27df41d079d7d04d259

SHA512
8c5feb4dd1eb68f940ce44af312726ab0892db198568d91c04cca8461740634d650a365207769091213ee4e6c7198075d36d728c8d669fb7021722eaec6c6e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\jpkd2.exe
Filesize
832KB

MD5
c502a7c74e56610c645b07d353bc68ba

SHA1
a1e7fe7346d1c87fb948df2cfb5b9d6fa68de771

SHA256
e26f5163ac535bab0426bde4c29b11a7194d418f7ff9e27df41d079d7d04d259

SHA512
8c5feb4dd1eb68f940ce44af312726ab0892db198568d91c04cca8461740634d650a365207769091213ee4e6c7198075d36d728c8d669fb7021722eaec6c6e43

Download Submit
memory/1032-287-0x0000000008940000-0x0000000008AA6000-memory.dmp

Filesize
1.4MB

Download
memory/1032-205-0x0000000008410000-0x00000000084F2000-memory.dmp

Filesize
904KB

Download
memory/1032-203-0x0000000008410000-0x00000000084F2000-memory.dmp

Filesize
904KB

Download
memory/1032-192-0x0000000003160000-0x00000000032D5000-memory.dmp

Filesize
1.5MB

Download
memory/1032-195-0x0000000008350000-0x0000000008407000-memory.dmp

Filesize
732KB

Download
memory/1032-279-0x0000000008860000-0x0000000008935000-memory.dmp

Filesize
852KB

Download
memory/1032-289-0x0000000008940000-0x0000000008AA6000-memory.dmp

Filesize
1.4MB

Download
memory/1148-198-0x0000000000000000-mapping.dmp

Download
memory/1788-282-0x0000000000000000-mapping.dmp

Download
memory/1872-239-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-230-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-229-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-228-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-227-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-231-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-232-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-234-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-233-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-235-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-236-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-210-0x0000000000000000-mapping.dmp

Download
memory/1872-238-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-237-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-240-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-241-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-243-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1872-242-0x0000000003D90000-0x0000000003DE4000-memory.dmp

Filesize
336KB

Download
memory/1972-200-0x0000000000760000-0x000000000078B000-memory.dmp

Filesize
172KB

Download
memory/1972-204-0x0000000000760000-0x000000000078B000-memory.dmp

Filesize
172KB

Download
memory/1972-202-0x0000000000F70000-0x0000000001000000-memory.dmp

Filesize
576KB

Download
memory/1972-201-0x0000000001240000-0x000000000158A000-memory.dmp

Filesize
3.3MB

Download
memory/1972-199-0x0000000000ED0000-0x0000000000EDB000-memory.dmp

Filesize
44KB

Download
memory/1972-197-0x0000000000000000-mapping.dmp

Download
memory/2148-206-0x0000000000000000-mapping.dmp

Download
memory/2348-208-0x0000000000000000-mapping.dmp

Download
memory/3108-196-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/3108-194-0x0000000001620000-0x0000000001631000-memory.dmp

Filesize
68KB

Download
memory/3108-191-0x00000000015E0000-0x00000000015F1000-memory.dmp

Filesize
68KB

Download
memory/3108-190-0x0000000003150000-0x000000000349A000-memory.dmp

Filesize
3.3MB

Download
memory/3108-189-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/3108-168-0x0000000000000000-mapping.dmp

Download
memory/3768-278-0x0000000002310000-0x0000000002324000-memory.dmp

Filesize
80KB

Download
memory/3768-276-0x00000000026C0000-0x0000000002A0A000-memory.dmp

Filesize
3.3MB

Download
memory/3768-281-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/3768-275-0x0000000010410000-0x000000001043E000-memory.dmp

Filesize
184KB

Download
memory/3768-255-0x0000000000000000-mapping.dmp

Download
memory/4068-290-0x0000000000000000-mapping.dmp

Download
memory/4156-182-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-151-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-173-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-172-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-171-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-169-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-170-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-181-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-167-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/4156-165-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-164-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-163-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-162-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-161-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-160-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-159-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-158-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-157-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-156-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-155-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-154-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-153-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-152-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-180-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-150-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-149-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-148-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-186-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-141-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-183-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-184-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-147-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-143-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-185-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-146-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-142-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-187-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-144-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4156-145-0x00000000036F0000-0x0000000003742000-memory.dmp

Filesize
328KB

Download
memory/4820-286-0x0000000002940000-0x00000000029D3000-memory.dmp

Filesize
588KB

Download
memory/4820-288-0x0000000000C30000-0x0000000000C5E000-memory.dmp

Filesize
184KB

Download
memory/4820-285-0x0000000002B00000-0x0000000002E4A000-memory.dmp

Filesize
3.3MB

Download
memory/4820-283-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download
memory/4820-284-0x0000000000C30000-0x0000000000C5E000-memory.dmp

Filesize
184KB

Download
memory/4820-280-0x0000000000000000-mapping.dmp

Download