formbook | 6672b26a03db7ec5d61e90ce7827c422cb6a8a942cc1c77f92f97e263a35d8e5

General

Target

太太希Jw的 rA.exe
Size

499KB
MD5

73aac8ac5dc4ded42398f9fe2a191c19
SHA1

4f3ed7fa592f4ae4c4462928543dcbd4997f2549
SHA256

6672b26a03db7ec5d61e90ce7827c422cb6a8a942cc1c77f92f97e263a35d8e5
SHA512

cc5459746e50fe49d87f5facbb7ee79c1554697e54df2a615ace177ef0f439d134f188e19f51a1f866486237d3a79fa381d362b7da942dc74e00f675bc3cb58d
SSDEEP

12288:0osBGYb7Hku+M1e02kE15gLXOCYeHcUiK9DRB1R5//+P25wENJYWfaBFyutY4ld2:cBGO7HkwGkE15AXOCYeHcU7

Score

10^/10

formbook xloader v4qp loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 14 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1708-59-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1708-60-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/1708-66-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1288-70-0x00000000000C0000-0x00000000000EC000-memory.dmp	xloader
behavioral1/memory/1120-79-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/632-89-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/1396-99-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/1076-110-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/952-120-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/1288-124-0x00000000000C0000-0x00000000000EC000-memory.dmp	xloader
behavioral1/memory/1868-131-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/1620-142-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/1112-151-0x000000000041F6E0-mapping.dmp	xloader
behavioral1/memory/1724-162-0x000000000041F6E0-mapping.dmp	xloader

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

太太希Jw的 rA.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	太太希Jw的 rA.exe

Suspicious use of SetThreadContext 12 IoCs

Processes:

太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.execolorcpl.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe

description	pid	process	target process
PID 364 set thread context of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1708 set thread context of 1356	1708	太太希Jw的 rA.exe	Explorer.EXE
PID 1332 set thread context of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 set thread context of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1288 set thread context of 1356	1288	colorcpl.exe	Explorer.EXE
PID 1616 set thread context of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1436 set thread context of 1076	1436	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 524 set thread context of 952	524	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1584 set thread context of 1868	1584	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1928 set thread context of 1620	1928	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1800 set thread context of 1112	1800	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1640 set thread context of 1724	1640	太太希Jw的 rA.exe	太太希Jw的 rA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

太太希Jw的 rA.exe太太希Jw的 rA.execolorcpl.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe

pid	process
364	太太希Jw的 rA.exe
1708	太太希Jw的 rA.exe
1708	太太希Jw的 rA.exe
364	太太希Jw的 rA.exe
1288	colorcpl.exe
364	太太希Jw的 rA.exe
1288	colorcpl.exe
1332	太太希Jw的 rA.exe
1120	太太希Jw的 rA.exe
1332	太太希Jw的 rA.exe
1764	太太希Jw的 rA.exe
1764	太太希Jw的 rA.exe
632	太太希Jw的 rA.exe
1764	太太希Jw的 rA.exe
1616	太太希Jw的 rA.exe
1616	太太希Jw的 rA.exe
1616	太太希Jw的 rA.exe
1396	太太希Jw的 rA.exe
1616	太太希Jw的 rA.exe
1436	太太希Jw的 rA.exe
1436	太太希Jw的 rA.exe
1076	太太希Jw的 rA.exe
1288	colorcpl.exe
1436	太太希Jw的 rA.exe
524	太太希Jw的 rA.exe
952	太太希Jw的 rA.exe
524	太太希Jw的 rA.exe
1584	太太希Jw的 rA.exe
1868	太太希Jw的 rA.exe
1288	colorcpl.exe
1584	太太希Jw的 rA.exe
1928	太太希Jw的 rA.exe
1620	太太希Jw的 rA.exe
1288	colorcpl.exe
1928	太太希Jw的 rA.exe
1800	太太希Jw的 rA.exe
1112	太太希Jw的 rA.exe
1800	太太希Jw的 rA.exe
1640	太太希Jw的 rA.exe
1724	太太希Jw的 rA.exe
1288	colorcpl.exe
1640	太太希Jw的 rA.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe
1288	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

太太希Jw的 rA.execolorcpl.exe

pid process

1708 太太希Jw的 rA.exe
1708 太太希Jw的 rA.exe
1708 太太希Jw的 rA.exe
1288 colorcpl.exe
1288 colorcpl.exe

pid	process
1708	太太希Jw的 rA.exe
1708	太太希Jw的 rA.exe
1708	太太希Jw的 rA.exe
1288	colorcpl.exe
1288	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

太太希Jw的 rA.exe太太希Jw的 rA.execolorcpl.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	364	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1708	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1288	colorcpl.exe
Token: SeDebugPrivilege	1332	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1120	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1764	太太希Jw的 rA.exe
Token: SeDebugPrivilege	632	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1616	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1396	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1436	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1076	太太希Jw的 rA.exe
Token: SeDebugPrivilege	524	太太希Jw的 rA.exe
Token: SeDebugPrivilege	952	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1584	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1868	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1928	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1620	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1800	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1112	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1640	太太希Jw的 rA.exe
Token: SeDebugPrivilege	1724	太太希Jw的 rA.exe
Token: SeShutdownPrivilege	1356	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE

Suspicious use of SendNotifyMessage 29 IoCs

Processes:

Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

太太希Jw的 rA.exeExplorer.EXEcolorcpl.exe太太希Jw的 rA.exe太太希Jw的 rA.exe太太希Jw的 rA.exe

description	pid	process	target process
PID 364 wrote to memory of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1708	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1356 wrote to memory of 1288	1356	Explorer.EXE	colorcpl.exe
PID 1356 wrote to memory of 1288	1356	Explorer.EXE	colorcpl.exe
PID 1356 wrote to memory of 1288	1356	Explorer.EXE	colorcpl.exe
PID 1356 wrote to memory of 1288	1356	Explorer.EXE	colorcpl.exe
PID 1288 wrote to memory of 1376	1288	colorcpl.exe	cmd.exe
PID 1288 wrote to memory of 1376	1288	colorcpl.exe	cmd.exe
PID 1288 wrote to memory of 1376	1288	colorcpl.exe	cmd.exe
PID 1288 wrote to memory of 1376	1288	colorcpl.exe	cmd.exe
PID 364 wrote to memory of 1332	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1332	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1332	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 364 wrote to memory of 1332	364	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1120	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1764	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1764	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1764	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1332 wrote to memory of 1764	1332	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1724	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1724	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1724	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1724	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 632	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1616	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1616	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1616	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1764 wrote to memory of 1616	1764	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1992	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1992	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1992	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1992	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1984	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1984	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1984	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1984	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1396	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1436	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1436	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1436	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe
PID 1616 wrote to memory of 1436	1616	太太希Jw的 rA.exe	太太希Jw的 rA.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:364

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1708

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
5⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
5⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
6⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
6⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
7⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
7⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
7⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:952

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
8⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
9⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
9⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
10⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
10⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"{path}"
12⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe
"C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
12⤵
PID:2012

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\太太希Jw的 rA.exe"
3⤵
PID:1376

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/364-55-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/364-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-74-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/524-125-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/524-122-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/524-113-0x0000000000000000-mapping.dmp

Download
memory/632-91-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/632-89-0x000000000041F6E0-mapping.dmp

Download
memory/952-121-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download
memory/952-120-0x000000000041F6E0-mapping.dmp

Download
memory/1076-111-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1076-110-0x000000000041F6E0-mapping.dmp

Download
memory/1112-151-0x000000000041F6E0-mapping.dmp

Download
memory/1112-152-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/1120-79-0x000000000041F6E0-mapping.dmp

Download
memory/1120-80-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/1288-102-0x0000000000430000-0x00000000004C0000-memory.dmp

Filesize
576KB

Download
memory/1288-70-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1288-71-0x0000000000BB0000-0x0000000000EB3000-memory.dmp

Filesize
3.0MB

Download
memory/1288-124-0x00000000000C0000-0x00000000000EC000-memory.dmp

Filesize
176KB

Download
memory/1288-69-0x0000000000F60000-0x0000000000F78000-memory.dmp

Filesize
96KB

Download
memory/1288-65-0x0000000000000000-mapping.dmp

Download
memory/1332-81-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-83-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-72-0x0000000000000000-mapping.dmp

Download
memory/1356-64-0x0000000003E80000-0x0000000003F5A000-memory.dmp

Filesize
872KB

Download
memory/1356-166-0x0000000005EE0000-0x0000000006065000-memory.dmp

Filesize
1.5MB

Download
memory/1356-170-0x0000000005EE0000-0x0000000006065000-memory.dmp

Filesize
1.5MB

Download
memory/1376-68-0x0000000000000000-mapping.dmp

Download
memory/1396-99-0x000000000041F6E0-mapping.dmp

Download
memory/1396-100-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1436-115-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1436-103-0x0000000000000000-mapping.dmp

Download
memory/1436-112-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-136-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1584-123-0x0000000000000000-mapping.dmp

Download
memory/1584-133-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-92-0x0000000000000000-mapping.dmp

Download
memory/1616-105-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-101-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1620-143-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1620-142-0x000000000041F6E0-mapping.dmp

Download
memory/1640-154-0x0000000000000000-mapping.dmp

Download
memory/1640-169-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-157-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1708-60-0x000000000041F6E0-mapping.dmp

Download
memory/1708-57-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1708-66-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1708-63-0x0000000000160000-0x0000000000171000-memory.dmp

Filesize
68KB

Download
memory/1708-56-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1708-59-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1708-61-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1724-163-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1724-162-0x000000000041F6E0-mapping.dmp

Download
memory/1764-94-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1764-82-0x0000000000000000-mapping.dmp

Download
memory/1764-90-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-144-0x0000000000000000-mapping.dmp

Download
memory/1800-153-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1800-156-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1868-131-0x000000000041F6E0-mapping.dmp

Download
memory/1868-132-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/1928-134-0x0000000000000000-mapping.dmp

Download
memory/1928-146-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/1928-137-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-164-0x0000000000000000-mapping.dmp

Download
memory/2012-167-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-168-0x00000000748B0000-0x0000000074E5B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads