Analysis
max time kernel: 154s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2022 11:51
Static task: static1
General
Target: 0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe
Size: 694KB
MD5: 5113abb28878ff293661fc23685a48bf
SHA1: 175aa3169fe7112cead1a550dd702c552bbe832c
SHA256: 0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10
SHA512: c4e447cba8dafa4f9744e09a2bbd39b1c59025f1d2f5cf879f0fbae121779a56e42174580cfbd760c48e55a5c997cdec96d1189a4724ff4a6f06d3632dda780f
SSDEEP: 12288:RIn+H+LD9IlljoZ9bQGhQwDZF4J40l+BrNGqWOl1u/OfzgYWvwddkydK4akFXRyy:RILOHjoDQGhHQ40loJGts42fz4YTkydp
Malware Config
Extracted
formbook
pgnt
0WG18LbM4lR9iqMRa4nlBzTb
jcfGYzPgZTqFZVO9FV2yIw==
laIfrdSC8/4CNg==
Q73ilev5GIWuOrAAFV2yIw==
Q2u/pMw7pv4sPA==
TbqvIUHwlQscPo0HFV2yIw==
8PNWfGPyE8n0IQ==
WtgROxXzvY2L
PryaRBNjm4eP
Y9Hdi06Cry1um9Sj68YAu1o=
3Gulyp7CMQtR78jvLkk=
JJ3GasTVTCRQT6Tfz6S6GlI=
RnS42bhb9tI0R6UpD6wOxriNxw==
he1mi2sOGfzTRGHnuA==
eaYjCtjxVjdU5XLRtBMBLKk9quA=
k9rTeEqYzzw8WaTfz6S6GlI=
5luVQwe2vJWKEAiMdF4=
MGW14L9OVk5Y5TaR6w/DqdhYxXVY
mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==
y5klhuMbE8n0IQ==
u/NKcEKARatNn/dT
ZJaHJQCvzDWRuPPmMsEVxriNxw==
nRhddlcPOegWrv5R
/njA0TJ1U+osPA==
pi8az6AySKlNn/dT
e/k+YjN+U+osPA==
kMAZ36lMWa3gRGHnuA==
wfX0nGsGE1yUJb1Jq33LoDdDWLSgFQ==
wfk35UJcfeHoRGHnuA==
dbzljekZ3ka2QYCYOP1I
Nq3kDeMNNJWDMnWYOP1I
Sa0SN/04cNje8xbaJLgUxriNxw==
yDejyZiQ/X/BQYiYOP1I
UIPN7ckznp2W
s/HtqJNKdmtv88jvLkk=
KanG2bhM0CsdiNrNF0E=
QLrtp3svzjcsTaJ9y5kPopyQzQ==
syhbC2iJZ8obK2Y7nHSa7CmdUuA=
HZXK676zo5OV
5WFoCWeuxqekcHx5YkE=
PbX1H/gmE8n0IQ==
3HTB6Asznp2W
9HGhWLLyrJXPcq4FRecyGU247XBS
/oW437jofmJ8DQiMdF4=
sh415lJ8q3cL3XJvaEA=
XucfBGWzVEg=
PKWeQgpB1cUHprue4sYAu1o=
MXFzDmuO/nBtmjc6g5elIVMbQeWFjyMN
q+v2lgI9Vb0rC2juug==
WYvkDdX8kEjU73U=
6BJjmWGiizGT
fLHageH29Ex1m8jvLkk=
3D+hsVkFtIyr5WI=
ntIbRgolp0jU73U=
GGGJMpC3pJPdQ8ZGkpxA
8FtjHvNDiICP
L63yFOor5uMdLqnrNNblBzTb
Gav/MgU4AByfuddW
xek7Tm3lhlY=
n2sDng5BBdtNn/dT
LZsINfoQH6dNn/dT
Io+SQh7ak0Ti7Gg=
T8Xci1oCP63aRGHnuA==
bZX0DnWMqxcyQ39hzOH+7U0BvmhP
hf9blwwuwpx7j8k.live
Extracted
xloader
3.�E
pgnt
0WG18LbM4lR9iqMRa4nlBzTb
jcfGYzPgZTqFZVO9FV2yIw==
laIfrdSC8/4CNg==
Q73ilev5GIWuOrAAFV2yIw==
Q2u/pMw7pv4sPA==
TbqvIUHwlQscPo0HFV2yIw==
8PNWfGPyE8n0IQ==
WtgROxXzvY2L
PryaRBNjm4eP
Y9Hdi06Cry1um9Sj68YAu1o=
3Gulyp7CMQtR78jvLkk=
JJ3GasTVTCRQT6Tfz6S6GlI=
RnS42bhb9tI0R6UpD6wOxriNxw==
he1mi2sOGfzTRGHnuA==
eaYjCtjxVjdU5XLRtBMBLKk9quA=
k9rTeEqYzzw8WaTfz6S6GlI=
5luVQwe2vJWKEAiMdF4=
MGW14L9OVk5Y5TaR6w/DqdhYxXVY
mAsYz6k6sQkDC0/DoHj9t1RPWLSgFQ==
y5klhuMbE8n0IQ==
u/NKcEKARatNn/dT
ZJaHJQCvzDWRuPPmMsEVxriNxw==
nRhddlcPOegWrv5R
/njA0TJ1U+osPA==
pi8az6AySKlNn/dT
e/k+YjN+U+osPA==
kMAZ36lMWa3gRGHnuA==
wfX0nGsGE1yUJb1Jq33LoDdDWLSgFQ==
wfk35UJcfeHoRGHnuA==
dbzljekZ3ka2QYCYOP1I
Nq3kDeMNNJWDMnWYOP1I
Sa0SN/04cNje8xbaJLgUxriNxw==
yDejyZiQ/X/BQYiYOP1I
UIPN7ckznp2W
s/HtqJNKdmtv88jvLkk=
KanG2bhM0CsdiNrNF0E=
QLrtp3svzjcsTaJ9y5kPopyQzQ==
syhbC2iJZ8obK2Y7nHSa7CmdUuA=
HZXK676zo5OV
5WFoCWeuxqekcHx5YkE=
PbX1H/gmE8n0IQ==
3HTB6Asznp2W
9HGhWLLyrJXPcq4FRecyGU247XBS
/oW437jofmJ8DQiMdF4=
sh415lJ8q3cL3XJvaEA=
XucfBGWzVEg=
PKWeQgpB1cUHprue4sYAu1o=
MXFzDmuO/nBtmjc6g5elIVMbQeWFjyMN
q+v2lgI9Vb0rC2juug==
WYvkDdX8kEjU73U=
6BJjmWGiizGT
fLHageH29Ex1m8jvLkk=
3D+hsVkFtIyr5WI=
ntIbRgolp0jU73U=
GGGJMpC3pJPdQ8ZGkpxA
8FtjHvNDiICP
L63yFOor5uMdLqnrNNblBzTb
Gav/MgU4AByfuddW
xek7Tm3lhlY=
n2sDng5BBdtNn/dT
LZsINfoQH6dNn/dT
Io+SQh7ak0Ti7Gg=
T8Xci1oCP63aRGHnuA==
bZX0DnWMqxcyQ39hzOH+7U0BvmhP
hf9blwwuwpx7j8k.live
Signatures
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Uses the VBS compiler for execution (1 TTPs)
Suspicious use of SetThreadContext (3 IoCs)
Processes:
  PID 2444 (0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe) set thread context of 4652 (vbc.exe)
  PID 4652 (vbc.exe) set thread context of 3052 (Explorer.EXE)
  PID 4588 (cmd.exe) set thread context of 3052 (Explorer.EXE)
Modifies Internet Explorer settings (1 IoCs)
Processes:
  Key created: \Registry\User\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (cmd.exe)
Suspicious behavior: EnumeratesProcesses (62 IoCs)
Processes:
  PID 2444 (0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe): 4 events
  PID 4652 (vbc.exe): 8 events
  PID 4588 (cmd.exe): 50 events
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  PID 3052 (Explorer.EXE)
Suspicious behavior: MapViewOfSection (7 IoCs)
Processes:
  PID 4652 (vbc.exe): 3 events
  PID 4588 (cmd.exe): 4 events
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  Token: SeDebugPrivilege  PID 2444 (0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe)
  Token: SeDebugPrivilege  PID 4652 (vbc.exe)
  Token: SeDebugPrivilege  PID 4588 (cmd.exe)
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
  PID 2444 (0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe) wrote to memory of 4904 (vbc.exe): 3 events
  PID 2444 (0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe) wrote to memory of 3580 (vbc.exe): 3 events
  PID 2444 (0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe) wrote to memory of 4652 (vbc.exe): 6 events
  PID 3052 (Explorer.EXE) wrote to memory of 4588 (cmd.exe): 3 events
  PID 4588 (cmd.exe) wrote to memory of 1076 (Firefox.exe): 3 events
Processes
1. C:\Windows\Explorer.EXE
   Command line: "C:\Windows\Explorer.EXE"
   PID: 3052
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe"
      PID: 2444
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
         PID: 4904
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
         PID: 3580
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
         PID: 4652
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\SysWOW64\cmd.exe"
      PID: 4588
      - Suspicious use of SetThreadContext
      - Modifies Internet Explorer settings
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Mozilla Firefox\Firefox.exe
         Command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
         PID: 1076
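The SetThreadContext and WriteProcessMemory signatures above, read together with the process tree, describe one injection chain: the dropper starts vbc.exe with no arguments and hollows it, the hollowed vbc.exe redirects a thread in Explorer.EXE, Explorer spawns cmd.exe, and cmd.exe both re-enters Explorer and writes into Firefox.exe. The script below is an added example, not part of this report or of any sandbox's code: it parses the report's six event lines (copied here as constructed input) and flags the hollowing pair, the injection into the shell, the full path of PIDs the payload reaches, and a compiler launched with nothing to compile. The SHELL_IMAGES and COMPILER_IMAGES sets are assumptions chosen for this example.

```python
"""Reconstruct the injection chain recorded in this sandbox report and flag
the process-hollowing pattern. Added example, not part of the report."""
import re
from collections import defaultdict

# Constructed input: the 'set thread context' / 'wrote to memory' events from
# the report's Signatures section, one per line, in the report's field order
# (source PID, action, target PID, source PID again, source image, target image).
SANDBOX_EVENTS = """\
PID 2444 set thread context of 4652 2444 0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe vbc.exe
PID 4652 set thread context of 3052 4652 vbc.exe Explorer.EXE
PID 4588 set thread context of 3052 4588 cmd.exe Explorer.EXE
PID 2444 wrote to memory of 4652 2444 0911f0bf9c55b8b1388b01524a3d37bbe843c3a3d5a5db4047812ec1a436ec10.exe vbc.exe
PID 3052 wrote to memory of 4588 3052 Explorer.EXE cmd.exe
PID 4588 wrote to memory of 1076 4588 cmd.exe Firefox.exe
"""

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Assumptions for this example: the desktop shell the loader injects into, and
# .NET tooling that is commonly started only so it can be hollowed.
SHELL_IMAGES = {"explorer.exe"}
COMPILER_IMAGES = {"vbc.exe", "csc.exe", "msbuild.exe"}


def parse_events(text):
    """Turn report lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({
                "action": d["action"],
                "src": int(d["src"]), "src_img": d["src_img"].lower(),
                "dst": int(d["dst"]), "dst_img": d["dst_img"].lower(),
            })
    return events


def find_hollowing(events):
    """Hollowing shows up as one source writing into a target and then
    redirecting that target's thread. Returns (src, dst, dst_image)."""
    writes = {(e["src"], e["dst"]) for e in events
              if e["action"] == "wrote to memory of"}
    return sorted({(e["src"], e["dst"], e["dst_img"]) for e in events
                   if e["action"] == "set thread context of"
                   and (e["src"], e["dst"]) in writes})


def find_shell_injection(events):
    """A thread-context change on the shell from a non-shell process: the
    second hop (vbc.exe, later cmd.exe, into Explorer.EXE)."""
    return sorted({(e["src"], e["src_img"], e["dst"]) for e in events
                   if e["action"] == "set thread context of"
                   and e["dst_img"] in SHELL_IMAGES
                   and e["src_img"] not in SHELL_IMAGES})


def injection_path(events, start_pid):
    """Walk write/context edges from the dropper, depth first, listing every
    PID the payload reaches; the cmd.exe -> Explorer loop is cut by 'seen'."""
    edges = defaultdict(set)
    for e in events:
        edges[e["src"]].add(e["dst"])
    path, stack, seen = [], [start_pid], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        path.append(pid)
        stack.extend(sorted(edges[pid], reverse=True))
    return path


def compiler_launched_idle(cmdline):
    """A compiler launched with only its quoted path (as vbc.exe is, three
    times, in the process tree) has nothing to compile and exists to be hollowed."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmdline.strip())
    if not m:
        return False
    image = m.group(1).rsplit("\\", 1)[-1].lower()
    return image in COMPILER_IMAGES and m.group(2).strip() == ""


if __name__ == "__main__":
    ev = parse_events(SANDBOX_EVENTS)
    print("hollowed:", find_hollowing(ev))
    print("shell injection:", find_shell_injection(ev))
    print("payload path from 2444:", injection_path(ev, 2444))
    print("idle compiler:", compiler_launched_idle(
        r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"'))
```

Run against the report's events this yields one hollowing pair (2444 into 4652, vbc.exe), two injections into Explorer.EXE (from 4652 and 4588), and the path 2444, 4652, 3052, 4588, 1076, which ends in Firefox.exe and matches the "Reads user/profile data of web browsers" signature. The same event shape is produced by ETW or EDR telemetry that records NtWriteVirtualMemory and NtSetContextThread with source and target PIDs, so the three checks port directly to a hunting query.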