formbook | 45f838f47dc31fd3130e5fc24591a7c59e40bd300a8c093efa8ba503b77d91be

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-10-2022 19:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6897445707/6897445707.exe
Size

839KB
MD5

381cdc135c6e06969d270fd7e754d148
SHA1

649ee25900a10b1cf567ca867489658be44a3629
SHA256

6c51e2ce3f46927b7b8bc3a559980136e6fdf05bcdf6d84294a0e64fe9adf56b
SHA512

faceefe7b56408c6e187f72871cb55fbf0e4490ce92d886189551facc7292b412dc0d49d7fa67e5e7efc061c39707c9a401b8058253e9b2ca77fa1341ca260b0
SSDEEP

24576:e7eYV4ukDeT876VCMNh39DMPsnjDIP3j:O86kqLnjDIP

Score

10^/10

formbook modiloader od65 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

od65

Decoy

oMDl7+9m1JtQ+KJ//bSZYk7C

0nQRVuikEsWM9KcRhRk=

VXATJsbZt/OyEi6Z0Y9m9O4=

C8ZitXuEXIk613jZWQ==

4IIRKYI2mygmEr7EUhOuiEZ1ux4c

x3mNjz4y4M20lnKM1I9m9O4=

UGB//3QuqmDHeDQ=

2H5k5/UwHEwPv2G+Sg==

xHh+uLvyCnZdPo0YXdyEe+ZowQ==

MMGT27gl8VFJ

pLA/Ve3++kcn1lhn6dDmhI2KGzfKNYU=

Ic/vJ/dG0uDhkYblI6XXFL0SN8cDrZP5

MfKDkw/woqFDCabB0YIs

IsDCzc1GuJOGdqX4CgCAPA==

bROVz2hP/wgV9/eGkw4=

cyM+htBboyUeyj0qbuqNTrhX9gJF/6fx

Q+MDF9cCCn8pkyU5y7fmPwYagMMGB7jx

Ve57nDZMRqeXP+V+0IMu

vmJrjeIXWfXWuZbB0YIs

5qVAfUZyi/sC13jZWQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

ModiLoader Second Stage 63 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1884-55-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-56-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-57-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-61-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-60-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-59-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-65-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-64-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-63-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-62-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-58-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-66-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-67-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-70-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-71-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-69-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-68-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-75-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-76-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-74-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-73-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-72-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-79-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-80-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-78-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-77-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-82-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-81-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-88-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-89-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-87-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-92-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-93-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-91-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-90-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-86-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-85-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-84-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-95-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-94-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-83-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-96-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-97-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-98-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-99-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-100-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-101-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-102-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-103-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-104-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-105-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-106-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-107-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-108-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-109-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-110-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-112-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-111-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-113-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-114-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-115-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-116-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2
behavioral1/memory/1884-117-0x00000000004E0000-0x0000000000505000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation cmd.exe
Loads dropped DLL 1 IoCs

Processes:

help.exe

pid process

1628 help.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\International\Geo\Nation	cmd.exe

pid	process
1628	help.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

6897445707.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Uzvtgrkq = "C:\\Users\\Public\\Libraries\\qkrgtvzU.url"	6897445707.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmd.exehelp.exe

description	pid	process	target process
PID 1172 set thread context of 1216	1172	cmd.exe	Explorer.EXE
PID 1628 set thread context of 1216	1628	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

help.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	help.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

6897445707.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6897445707.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6897445707.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6897445707.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6897445707.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	6897445707.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6897445707.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

6897445707.execmd.exehelp.exe

pid process

1884 6897445707.exe
1172 cmd.exe
1172 cmd.exe
1172 cmd.exe
1172 cmd.exe
1628 help.exe
1628 help.exe
1628 help.exe
1628 help.exe
1628 help.exe
1628 help.exe
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

cmd.exehelp.exe

pid process

1172 cmd.exe
1172 cmd.exe
1172 cmd.exe
1628 help.exe
1628 help.exe
1628 help.exe
1628 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exehelp.exe

description pid process

Token: SeDebugPrivilege 1172 cmd.exe
Token: SeDebugPrivilege 1628 help.exe

pid	process
1884	6897445707.exe
1172	cmd.exe
1172	cmd.exe
1172	cmd.exe
1172	cmd.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe

pid	process
1172	cmd.exe
1172	cmd.exe
1172	cmd.exe
1628	help.exe
1628	help.exe
1628	help.exe
1628	help.exe

description	pid	process
Token: SeDebugPrivilege	1172	cmd.exe
Token: SeDebugPrivilege	1628	help.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

6897445707.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1884 wrote to memory of 1172	1884	6897445707.exe	cmd.exe
PID 1884 wrote to memory of 1172	1884	6897445707.exe	cmd.exe
PID 1884 wrote to memory of 1172	1884	6897445707.exe	cmd.exe
PID 1884 wrote to memory of 1172	1884	6897445707.exe	cmd.exe
PID 1884 wrote to memory of 1172	1884	6897445707.exe	cmd.exe
PID 1884 wrote to memory of 1172	1884	6897445707.exe	cmd.exe
PID 1884 wrote to memory of 1172	1884	6897445707.exe	cmd.exe
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	help.exe
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	help.exe
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	help.exe
PID 1216 wrote to memory of 1628	1216	Explorer.EXE	help.exe
PID 1628 wrote to memory of 840	1628	help.exe	Firefox.exe
PID 1628 wrote to memory of 840	1628	help.exe	Firefox.exe
PID 1628 wrote to memory of 840	1628	help.exe	Firefox.exe
PID 1628 wrote to memory of 840	1628	help.exe	Firefox.exe
PID 1628 wrote to memory of 840	1628	help.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\6897445707\6897445707.exe
"C:\Users\Admin\AppData\Local\Temp\6897445707\6897445707.exe"
2⤵
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
904KB

MD5
5e5ba61531d74e45b11cadb79e7394a1

SHA1
677224e14aac9dd35f367d5eb1704b36e69356b8

SHA256
99e91ae250c955bd403ec1a2321d6b11fcb715bdcc7cb3f63ffb46b349afde5c

SHA512
712bfe419ba97ecf0ec8323a68743013e8c767da9d986f74ab94d2a395c3086cac2a5823048e0022d3bbcebb55281b9e1f8c87fdc9295c70cc5521b57850bf46

Download Submit
memory/1172-120-0x0000000000000000-mapping.dmp

Download
memory/1172-127-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1172-131-0x0000000010411000-0x000000001043F000-memory.dmp

Filesize
184KB

Download
memory/1172-133-0x00000000025A0000-0x00000000028A3000-memory.dmp

Filesize
3.0MB

Download
memory/1172-185-0x0000000010410000-0x000000001043F000-memory.dmp

Filesize
188KB

Download
memory/1172-187-0x0000000010411000-0x000000001043F000-memory.dmp

Filesize
184KB

Download
memory/1172-186-0x00000000001E0000-0x00000000001F0000-memory.dmp

Filesize
64KB

Download
memory/1216-190-0x0000000004FB0000-0x00000000050CF000-memory.dmp

Filesize
1.1MB

Download
memory/1216-188-0x0000000004BC0000-0x0000000004CC9000-memory.dmp

Filesize
1.0MB

Download
memory/1216-192-0x0000000004FB0000-0x00000000050CF000-memory.dmp

Filesize
1.1MB

Download
memory/1628-189-0x0000000000370000-0x00000000003FF000-memory.dmp

Filesize
572KB

Download
memory/1628-191-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1628-134-0x0000000000000000-mapping.dmp

Download
memory/1628-140-0x00000000007C0000-0x0000000000AC3000-memory.dmp

Filesize
3.0MB

Download
memory/1628-138-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1628-136-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1884-90-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-97-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-70-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-71-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-69-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-68-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-75-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-76-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-74-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-73-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-72-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-79-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-80-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-78-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-77-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-82-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-81-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-88-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-89-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-87-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-92-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-93-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-91-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-66-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-86-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-85-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-84-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-95-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-94-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-83-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-96-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-67-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-98-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-99-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-100-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-101-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-102-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-103-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-104-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-105-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-106-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-107-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-108-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-109-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-110-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-112-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-111-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-58-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-62-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-63-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-64-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-65-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-59-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-60-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-61-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-57-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-56-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-55-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1884-113-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-114-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-115-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-116-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download
memory/1884-117-0x00000000004E0000-0x0000000000505000-memory.dmp

Filesize
148KB

Download