formbook | 878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9

General

Target

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
Size

52KB
MD5

207fdcecc4c844004d064f7f7d25fb0f
SHA1

4a1b05f7cd8b3ba7c82f48ca8aeb10b264369c4c
SHA256

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9
SHA512

739ce29e9cf6d5cb25e22841bb28d0e0d825c452df49f3b15e9a0b2d275150f88da198566b540fc3d40c089cbd0dcd077f79620e4a2c2d1f7d9e13a5cb46499d
SSDEEP

768:EyH64NqpyLvO3klekO2Pco2YQ78QTEB6SrZdP545gkRUnqkAmZbI:w5pyLvLy2awvsSVBqukeqxEI

Score

10^/10

formbook scse rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exeAddInProcess32.execmd.exe

description	pid	process	target process
PID 1328 set thread context of 1920	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess32.exe
PID 1920 set thread context of 772	1920	AddInProcess32.exe	Explorer.EXE
PID 3780 set thread context of 772	3780	cmd.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmd.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exeAddInProcess32.execmd.exe

pid	process
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
3780	cmd.exe
3780	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

772 Explorer.EXE
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

AddInProcess32.execmd.exe

pid process

1920 AddInProcess32.exe
1920 AddInProcess32.exe
1920 AddInProcess32.exe
3780 cmd.exe
3780 cmd.exe
3780 cmd.exe
3780 cmd.exe

pid	process
772	Explorer.EXE

pid	process
1920	AddInProcess32.exe
1920	AddInProcess32.exe
1920	AddInProcess32.exe
3780	cmd.exe
3780	cmd.exe
3780	cmd.exe
3780	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exeAddInProcess32.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
Token: SeDebugPrivilege	1920	AddInProcess32.exe
Token: SeDebugPrivilege	3780	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1328 wrote to memory of 4936	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_compiler.exe
PID 1328 wrote to memory of 4936	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_compiler.exe
PID 1328 wrote to memory of 4944	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	Microsoft.Workflow.Compiler.exe
PID 1328 wrote to memory of 4944	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	Microsoft.Workflow.Compiler.exe
PID 1328 wrote to memory of 1656	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AppLaunch.exe
PID 1328 wrote to memory of 1656	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AppLaunch.exe
PID 1328 wrote to memory of 1644	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	cvtres.exe
PID 1328 wrote to memory of 1644	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	cvtres.exe
PID 1328 wrote to memory of 684	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	DataSvcUtil.exe
PID 1328 wrote to memory of 684	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	DataSvcUtil.exe
PID 1328 wrote to memory of 564	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ServiceModelReg.exe
PID 1328 wrote to memory of 564	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ServiceModelReg.exe
PID 1328 wrote to memory of 4536	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regbrowsers.exe
PID 1328 wrote to memory of 4536	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regbrowsers.exe
PID 1328 wrote to memory of 60	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	dfsvc.exe
PID 1328 wrote to memory of 60	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	dfsvc.exe
PID 1328 wrote to memory of 4808	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInUtil.exe
PID 1328 wrote to memory of 4808	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInUtil.exe
PID 1328 wrote to memory of 2884	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regsql.exe
PID 1328 wrote to memory of 2884	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regsql.exe
PID 1328 wrote to memory of 2696	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	MSBuild.exe
PID 1328 wrote to memory of 2696	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	MSBuild.exe
PID 1328 wrote to memory of 2780	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	csc.exe
PID 1328 wrote to memory of 2780	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	csc.exe
PID 1328 wrote to memory of 4856	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess.exe
PID 1328 wrote to memory of 4856	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess.exe
PID 1328 wrote to memory of 2900	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_state.exe
PID 1328 wrote to memory of 2900	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_state.exe
PID 1328 wrote to memory of 1480	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	RegAsm.exe
PID 1328 wrote to memory of 1480	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	RegAsm.exe
PID 1328 wrote to memory of 4276	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	EdmGen.exe
PID 1328 wrote to memory of 4276	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	EdmGen.exe
PID 1328 wrote to memory of 1872	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	CasPol.exe
PID 1328 wrote to memory of 1872	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	CasPol.exe
PID 1328 wrote to memory of 3576	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	InstallUtil.exe
PID 1328 wrote to memory of 3576	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	InstallUtil.exe
PID 1328 wrote to memory of 4424	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	WsatConfig.exe
PID 1328 wrote to memory of 4424	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	WsatConfig.exe
PID 1328 wrote to memory of 368	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_wp.exe
PID 1328 wrote to memory of 368	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_wp.exe
PID 1328 wrote to memory of 260	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regiis.exe
PID 1328 wrote to memory of 260	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	aspnet_regiis.exe
PID 1328 wrote to memory of 204	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ngentask.exe
PID 1328 wrote to memory of 204	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ngentask.exe
PID 1328 wrote to memory of 208	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ComSvcConfig.exe
PID 1328 wrote to memory of 208	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ComSvcConfig.exe
PID 1328 wrote to memory of 4552	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ilasm.exe
PID 1328 wrote to memory of 4552	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ilasm.exe
PID 1328 wrote to memory of 4884	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	RegSvcs.exe
PID 1328 wrote to memory of 4884	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	RegSvcs.exe
PID 1328 wrote to memory of 912	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	vbc.exe
PID 1328 wrote to memory of 912	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	vbc.exe
PID 1328 wrote to memory of 1736	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ngen.exe
PID 1328 wrote to memory of 1736	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	ngen.exe
PID 1328 wrote to memory of 1920	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess32.exe
PID 1328 wrote to memory of 1920	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess32.exe
PID 1328 wrote to memory of 1920	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess32.exe
PID 1328 wrote to memory of 1920	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess32.exe
PID 1328 wrote to memory of 1920	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess32.exe
PID 1328 wrote to memory of 1920	1328	878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe	AddInProcess32.exe
PID 772 wrote to memory of 3780	772	Explorer.EXE	cmd.exe
PID 772 wrote to memory of 3780	772	Explorer.EXE	cmd.exe
PID 772 wrote to memory of 3780	772	Explorer.EXE	cmd.exe
PID 3780 wrote to memory of 4512	3780	cmd.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe
"C:\Users\Admin\AppData\Local\Temp\878b17fea5a31ad0ce61021cacba5be79f2130fa08165b768196a87eae4e6be9.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
3⤵
PID:4936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
3⤵
PID:4944

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
3⤵
PID:1656

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
3⤵
PID:1644

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
3⤵
PID:684

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
3⤵
PID:564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
3⤵
PID:4536

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
3⤵
PID:60

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
3⤵
PID:4808

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
3⤵
PID:2884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
3⤵
PID:2696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
3⤵
PID:2780

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
3⤵
PID:4856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
3⤵
PID:2900

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
3⤵
PID:1480

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
3⤵
PID:4276

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
3⤵
PID:1872

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
3⤵
PID:3576

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
3⤵
PID:4424

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
3⤵
PID:368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
3⤵
PID:260

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
3⤵
PID:204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
3⤵
PID:208

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
3⤵
PID:4552

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
3⤵
PID:4884

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
3⤵
PID:912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
3⤵
PID:1736

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3780

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4512

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/772-143-0x0000000008250000-0x0000000008396000-memory.dmp

Filesize
1.3MB

Download
memory/772-153-0x0000000008F40000-0x00000000090BE000-memory.dmp

Filesize
1.5MB

Download
memory/772-151-0x0000000008F40000-0x00000000090BE000-memory.dmp

Filesize
1.5MB

Download
memory/1328-133-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1328-137-0x00007FFBD4DF0000-0x00007FFBD58B1000-memory.dmp

Filesize
10.8MB

Download
memory/1328-132-0x000002C3196C0000-0x000002C3196D2000-memory.dmp

Filesize
72KB

Download
memory/1920-138-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1920-146-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1920-141-0x0000000001180000-0x0000000001190000-memory.dmp

Filesize
64KB

Download
memory/1920-142-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1920-139-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1920-134-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1920-145-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1920-140-0x0000000001750000-0x0000000001A9A000-memory.dmp

Filesize
3.3MB

Download
memory/1920-135-0x00000000004012B0-mapping.dmp

Download
memory/3780-149-0x0000000001690000-0x00000000019DA000-memory.dmp

Filesize
3.3MB

Download
memory/3780-147-0x00000000004E0000-0x000000000053A000-memory.dmp

Filesize
360KB

Download
memory/3780-148-0x00000000009D0000-0x00000000009FD000-memory.dmp

Filesize
180KB

Download
memory/3780-150-0x0000000001430000-0x00000000014BF000-memory.dmp

Filesize
572KB

Download
memory/3780-152-0x00000000009D0000-0x00000000009FD000-memory.dmp

Filesize
180KB

Download
memory/3780-144-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads