formbook | 5839da1f2d15ad51aa8165869552f628e67bb3e30341ea9f619a1167301e8354

Resubmissions

15-06-2023 18:07

230615-wqfynaaf2z 10

14-06-2023 09:43

230614-lp1xbsfh4x 10

Analysis

max time kernel
269s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2023 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Yeni sifaris siyahisi.exe
Size

714KB
MD5

6172cb3957b8d2e9c6826b552ce3639d
SHA1

4baef093ea515002536b9de941b4a6df8d7a28a6
SHA256

5839da1f2d15ad51aa8165869552f628e67bb3e30341ea9f619a1167301e8354
SHA512

1b08fb6e0bde7d5b2336ec2dd12e7559f70d8ed6e5798432bd01d6efb91d4e74c144d2a6a45cf8d743b6c77a4e360475a368cf2aa180cc61c65ce89e8cc154d6
SSDEEP

12288:D4iyBJSbLJfaMAhJVNRdfNl6lFqZLDZGqtV2ZE:D3ykf9AJ5vcADHW

Score

10^/10

formbook modiloader xloader uj3c loader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uj3c

Decoy

copimetro.com

choonchain.com

luxxwireless.com

fashionweekofcincinnati.com

campingshare.net

suncochina.com

kidsfundoor.com

testingnyc.co

lovesoe.com

vehiclesbeenrecord.com

socialpearmarketing.com

maxproductdji.com

getallarticle.online

forummind.com

arenamarenostrum.com

trisuaka.xyz

designgamagazine.com

chateaulehotel.com

huangse5.com

esginvestment.tech

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

ModiLoader Second Stage 63 IoCs

resource	yara_rule
behavioral2/memory/4980-135-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-136-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-137-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-138-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-139-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-140-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-141-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-142-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-143-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-144-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-145-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-146-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-147-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-148-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-149-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-150-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-151-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-152-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-153-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-154-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-155-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-156-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-157-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-158-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-159-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-160-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-161-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-162-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-163-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-164-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-165-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-166-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-167-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-168-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-169-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-170-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-171-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-172-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-173-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-174-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-175-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-176-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-177-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-178-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-179-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-180-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-181-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-182-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-183-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-184-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-185-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-186-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-187-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-188-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-189-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-190-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-191-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-192-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-193-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-194-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-195-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-196-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2
behavioral2/memory/4980-197-0x00000000027F0000-0x0000000002822000-memory.dmp	modiloader_stage2

Xloader payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3940-395-0x0000000010410000-0x000000001043B000-memory.dmp	xloader
behavioral2/memory/3796-403-0x00000000006B0000-0x00000000006DB000-memory.dmp	xloader
behavioral2/memory/3796-409-0x00000000006B0000-0x00000000006DB000-memory.dmp	xloader

Executes dropped EXE 1 IoCs

pid	Process
412	nt2anwtnxn.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Pxzaxrjm = "C:\\Users\\Public\\Pxzaxrjm.url"	Yeni sifaris siyahisi.exe
Key created	\Registry\Machine\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	cmstp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\-ZYL6T_H1ZUT = "C:\\Program Files (x86)\\Ycxz0u\\nt2anwtnxn.exe"	cmstp.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3940 set thread context of 3160	3940	SndVol.exe	48
PID 3796 set thread context of 3160	3796	cmstp.exe	48

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Ycxz0u\nt2anwtnxn.exe	cmstp.exe
File opened for modification	C:\Program Files (x86)\Ycxz0u	Explorer.EXE
File created	C:\Program Files (x86)\Ycxz0u\nt2anwtnxn.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Ycxz0u\nt2anwtnxn.exe	Explorer.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\Registry\User\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmstp.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	Explorer.EXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	13	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2508	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4980	Yeni sifaris siyahisi.exe
4980	Yeni sifaris siyahisi.exe
3940	SndVol.exe
3940	SndVol.exe
3940	SndVol.exe
3940	SndVol.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3160	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
3940	SndVol.exe
3940	SndVol.exe
3940	SndVol.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe
3796	cmstp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	SndVol.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeDebugPrivilege	3796	cmstp.exe
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE
Token: SeShutdownPrivilege	3160	Explorer.EXE
Token: SeCreatePagefilePrivilege	3160	Explorer.EXE

Suspicious use of FindShellTrayWindow 15 IoCs

pid	Process
3940	SndVol.exe
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3940	SndVol.exe
3940	SndVol.exe
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE
3160	Explorer.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE
2508	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 3940	4980	Yeni sifaris siyahisi.exe	84
PID 4980 wrote to memory of 3940	4980	Yeni sifaris siyahisi.exe	84
PID 4980 wrote to memory of 3940	4980	Yeni sifaris siyahisi.exe	84
PID 4980 wrote to memory of 3940	4980	Yeni sifaris siyahisi.exe	84
PID 4980 wrote to memory of 3940	4980	Yeni sifaris siyahisi.exe	84
PID 4980 wrote to memory of 3940	4980	Yeni sifaris siyahisi.exe	84
PID 3160 wrote to memory of 3796	3160	Explorer.EXE	85
PID 3160 wrote to memory of 3796	3160	Explorer.EXE	85
PID 3160 wrote to memory of 3796	3160	Explorer.EXE	85
PID 3796 wrote to memory of 2284	3796	cmstp.exe	86
PID 3796 wrote to memory of 2284	3796	cmstp.exe	86
PID 3796 wrote to memory of 2284	3796	cmstp.exe	86
PID 3160 wrote to memory of 2508	3160	Explorer.EXE	94
PID 3160 wrote to memory of 2508	3160	Explorer.EXE	94
PID 3160 wrote to memory of 2508	3160	Explorer.EXE	94
PID 3796 wrote to memory of 60	3796	cmstp.exe	98
PID 3796 wrote to memory of 60	3796	cmstp.exe	98
PID 3796 wrote to memory of 60	3796	cmstp.exe	98
PID 3796 wrote to memory of 1140	3796	cmstp.exe	100
PID 3796 wrote to memory of 1140	3796	cmstp.exe	100
PID 3796 wrote to memory of 1140	3796	cmstp.exe	100
PID 3796 wrote to memory of 4628	3796	cmstp.exe	102
PID 3796 wrote to memory of 4628	3796	cmstp.exe	102
PID 3796 wrote to memory of 4628	3796	cmstp.exe	102
PID 3160 wrote to memory of 412	3160	Explorer.EXE	103
PID 3160 wrote to memory of 412	3160	Explorer.EXE	103
PID 3160 wrote to memory of 412	3160	Explorer.EXE	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe
  "C:\Users\Admin\AppData\Local\Temp\Yeni sifaris siyahisi.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4980
- - C:\Windows\SysWOW64\SndVol.exe
    C:\Windows\System32\SndVol.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3940
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\SndVol.exe"
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:60
- - C:\Windows\SysWOW64\cmd.exe
    /c copy "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
    3⤵
    PID:1140
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:4628
- C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SuspendInitialize.csv"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2508
- C:\Program Files (x86)\Ycxz0u\nt2anwtnxn.exe
  "C:\Program Files (x86)\Ycxz0u\nt2anwtnxn.exe"
  2⤵
  - Executes dropped EXE
  PID:412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Ycxz0u\nt2anwtnxn.exe

Filesize
220KB

MD5
5ac83d3d18f9b6e1c5b78bd712661524

SHA1
9ee22c8038e47a4935aeac113d3f2ee6f03a22c4

SHA256
d68ddc4be84705357288ba972939aa9aa5f95537ebc059c3ff3ccaae11638fca

SHA512
2fc37b27836a4f0a4c61a5cd976e7452120585b86a615cce25108737337a9a02b73cc68c92b26fbb89a5cadbf3033ad0b6355cc5b7094f18318e3dbea1b84082

Download Submit
C:\Program Files (x86)\Ycxz0u\nt2anwtnxn.exe

Filesize
220KB

MD5
5ac83d3d18f9b6e1c5b78bd712661524

SHA1
9ee22c8038e47a4935aeac113d3f2ee6f03a22c4

SHA256
d68ddc4be84705357288ba972939aa9aa5f95537ebc059c3ff3ccaae11638fca

SHA512
2fc37b27836a4f0a4c61a5cd976e7452120585b86a615cce25108737337a9a02b73cc68c92b26fbb89a5cadbf3033ad0b6355cc5b7094f18318e3dbea1b84082

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB1

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ycxz0u\nt2anwtnxn.exe

Filesize
220KB

MD5
5ac83d3d18f9b6e1c5b78bd712661524

SHA1
9ee22c8038e47a4935aeac113d3f2ee6f03a22c4

SHA256
d68ddc4be84705357288ba972939aa9aa5f95537ebc059c3ff3ccaae11638fca

SHA512
2fc37b27836a4f0a4c61a5cd976e7452120585b86a615cce25108737337a9a02b73cc68c92b26fbb89a5cadbf3033ad0b6355cc5b7094f18318e3dbea1b84082

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
676B

MD5
322b524a29669ded14e4eda5c6d46a78

SHA1
a7d4df49987436c440f1ac9bd90a9dab876deefc

SHA256
509660cede20c385c575e2d35b95df98d0c68742c1f0eda7297ef2df6ccd5df6

SHA512
3ace869dd1e803d36fa184f3f3a4658c97363541ecb522faeccddb935de7679543317a43326ead363fe92f2618e35c217b21ea68247a50f747e4b710491deb39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
24B

MD5
4fcb2a3ee025e4a10d21e1b154873fe2

SHA1
57658e2fa594b7d0b99d02e041d0f3418e58856b

SHA256
90bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228

SHA512
4e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff

Download Submit
memory/3160-416-0x0000000008D90000-0x0000000008E9D000-memory.dmp

Filesize
1.1MB

Download
memory/3160-398-0x0000000008860000-0x000000000894A000-memory.dmp

Filesize
936KB

Download
memory/3160-408-0x0000000008D90000-0x0000000008E9D000-memory.dmp

Filesize
1.1MB

Download
memory/3796-409-0x00000000006B0000-0x00000000006DB000-memory.dmp

Filesize
172KB

Download
memory/3796-407-0x0000000002410000-0x00000000024A0000-memory.dmp

Filesize
576KB

Download
memory/3796-404-0x00000000026E0000-0x0000000002A2A000-memory.dmp

Filesize
3.3MB

Download
memory/3796-403-0x00000000006B0000-0x00000000006DB000-memory.dmp

Filesize
172KB

Download
memory/3796-402-0x0000000000910000-0x0000000000926000-memory.dmp

Filesize
88KB

Download
memory/3940-397-0x0000000004C80000-0x0000000004C91000-memory.dmp

Filesize
68KB

Download
memory/3940-396-0x0000000004CE0000-0x000000000502A000-memory.dmp

Filesize
3.3MB

Download
memory/3940-395-0x0000000010410000-0x000000001043B000-memory.dmp

Filesize
172KB

Download
memory/3940-394-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/4980-170-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-180-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-149-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-150-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-151-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-152-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-153-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-154-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-155-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-156-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-157-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-158-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-159-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-160-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-161-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-162-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-163-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-164-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-165-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-166-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-167-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-168-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-169-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-147-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-171-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-172-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-173-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-174-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-175-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-176-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-177-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-178-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-179-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-148-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-181-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-182-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-183-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-184-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-185-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-186-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-187-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-188-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-189-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-190-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-191-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-192-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-146-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-145-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-144-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-143-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-142-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-141-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-140-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-139-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-138-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-137-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-136-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-135-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-134-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/4980-133-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/4980-193-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-194-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-195-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-196-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download
memory/4980-197-0x00000000027F0000-0x0000000002822000-memory.dmp

Filesize
200KB

Download