IOC Report

Files

File Path

Type

Category

Malicious

g4FtSOZMD9.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

download

C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

download

C:\Users\user\AppData\Local\Temp\Brevsamlingssteds8\Restroke.vbs

ASCII text, with CRLF line terminators

dropped

download

C:\Users\user\AppData\Local\Temp\bhvFAB7.tmp

Extensible storage user DataBase, version 0x620, checksum 0x1277828c, page size 32768, DirtyShutdown, Windows version 10.0

dropped

download

C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo

Little-endian UTF-16 Unicode text, with no line terminators

dropped

download

C:\Users\user\AppData\Local\Temp\~DFF48BD71CF1E747D1.TMP

Composite Document File V2 Document, Cannot read section info

dropped

download

C:\Users\user\AppData\Roaming\Clock\logs.dat

data

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_022802.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_023804.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_024805.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_025806.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_030807.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_031808.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_032809.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_033810.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_034810.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_035812.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_040812.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_041814.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_042814.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_043815.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_044815.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_045816.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_050816.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

C:\Users\user\AppData\Roaming\Screenshots\time_20220102_051818.png

PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced

dropped

download

There are 15 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\g4FtSOZMD9.exe

"C:\Users\user\Desktop\g4FtSOZMD9.exe"

Details

Is windows:	true
Is dropped:	false
PID:	7068
Target ID:	0
Parent PID:	5196
Name:	g4FtSOZMD9.exe
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Commandline:	"C:\Users\user\Desktop\g4FtSOZMD9.exe"
Size:	258048
MD5:	81F377EDA4163DA1B74CAE83E38CED9F
Time:	02:26:17
Date:	02/01/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	262144
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspect Svchost Activity	System Summary
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Suspicious Svchost Process	System Summary
Yara detected VB6 Downloader Generic	Data Obfuscation
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\Desktop\g4FtSOZMD9.exe

"C:\Users\user\Desktop\g4FtSOZMD9.exe"

Details

Is windows:	true
Is dropped:	false
PID:	5452
Target ID:	9
Parent PID:	7068
Name:	g4FtSOZMD9.exe
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Commandline:	"C:\Users\user\Desktop\g4FtSOZMD9.exe"
Size:	258048
MD5:	81F377EDA4163DA1B74CAE83E38CED9F
Time:	02:27:06
Date:	02/01/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	20525056
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspect Svchost Activity	System Summary
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Suspicious Svchost Process	System Summary
Yara detected VB6 Downloader Generic	Data Obfuscation
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe

Details

Is windows:	true
Is dropped:	false
PID:	2948
Target ID:	20
Parent PID:	5452
Name:	svchost.exe
Path:	C:\Windows\SysWOW64\svchost.exe
Commandline:	C:\Windows\SysWOW64\svchost.exe
Size:	44520
MD5:	FA6C268A5B5BDA067A901764D203D433
Time:	02:28:02
Date:	02/01/2022
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xe20000
Modulesize:	53248
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: Suspect Svchost Activity	System Summary
Sigma detected: Suspicious Svchost Process	System Summary
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\Desktop\g4FtSOZMD9.exe

C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"

Details

Is windows:	true
Is dropped:	false
PID:	5524
Target ID:	21
Parent PID:	5452
Name:	g4FtSOZMD9.exe
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Commandline:	C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\iwxzjjveuvjtvtlo"
Size:	258048
MD5:	81F377EDA4163DA1B74CAE83E38CED9F
Time:	02:28:15
Date:	02/01/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	491520
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspect Svchost Activity	System Summary
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Suspicious Svchost Process	System Summary
Yara detected VB6 Downloader Generic	Data Obfuscation
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\Desktop\g4FtSOZMD9.exe

C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"

Details

Is windows:	true
Is dropped:	false
PID:	3920
Target ID:	22
Parent PID:	5452
Name:	g4FtSOZMD9.exe
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Commandline:	C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\srdskbfyidbgfzzawoj"
Size:	258048
MD5:	81F377EDA4163DA1B74CAE83E38CED9F
Time:	02:28:16
Date:	02/01/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	147456
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspect Svchost Activity	System Summary
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Suspicious Svchost Process	System Summary
Yara detected VB6 Downloader Generic	Data Obfuscation
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\Desktop\g4FtSOZMD9.exe

C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"

Details

Is windows:	true
Is dropped:	false
PID:	5972
Target ID:	23
Parent PID:	5452
Name:	g4FtSOZMD9.exe
Path:	C:\Users\user\Desktop\g4FtSOZMD9.exe
Commandline:	C:\Users\user\Desktop\g4FtSOZMD9.exe /stext "C:\Users\user\AppData\Local\Temp\vtilcuqzwmtlifvenyefmr"
Size:	258048
MD5:	81F377EDA4163DA1B74CAE83E38CED9F
Time:	02:28:16
Date:	02/01/2022
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	356352
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Detected unpacking (changes PE section rights)	Data Obfuscation	Software Packing
Multi AV Scanner detection for submitted file	AV Detection
Sigma detected: Suspect Svchost Activity	System Summary
Yara detected Remcos RAT	AV Detection, E-Banking Fraud, Stealing of Sensitive Information, Remote Access Functionality
Injects a PE file into a foreign processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Installs a global keyboard hook	Key, Mouse, Clipboard, Microphone and Screen Capturing	Input Capture
Sigma detected: Suspicious Svchost Process	System Summary
Yara detected VB6 Downloader Generic	Data Obfuscation
Yara detected WebBrowserPassView password recovery tool	Stealing of Sensitive Information
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file contains strange resources	System Summary
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary
Found strings which match to known social media urls	Networking
May try to detect the Windows Explorer process (often used for injection)	HIPS / PFW / Operating System Protection Evasion	Process Injection Process Discovery
PE file has an executable .text section and no other executable section	System Summary
Sample is known by Antivirus	System Summary
Sample reads its own file content	System Summary
Sigma detected: Windows Processes Suspicious Parent Directory	System Summary
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

URLs

Name

IP

Malicious

nhtaxfilling.ddnsgeek.com

http://147.189.137.168/1040_RyQoPlW98.bin

147.189.137.168

http://www.msn.com/de-ch/entertainment/_h/c920645c/webcore/externalscripts/oneTrustV2/scripttemplate

unknown

https://www.google.com/chrome/static/images/folder-applications.svg

unknown

http://www.imvu.comr

unknown

https://www.google.com/chrome/static/css/main.v2.min.css

unknown

https://www.google.com/chrome/static/images/fallback/google-chrome-logo.jpg

unknown

http://www.msn.com

unknown

https://deff.nelreports.net/api/report?cat=msn

unknown

http://google.com/chrome

unknown

https://contextual.media.net/__media__/js/util/nrrV9140.js

unknown

https://www.google.com/chrome/static/images/chrome-logo.svg

unknown

https://www.google.com/chrome/static/images/homepage/homepage_features.png

unknown

https://mem.gfx.ms/me/MeControl/10.19168.0/en-US/meCore.min.js

unknown

https://www.google.com/chrome/static/images/download-browser/big_pixel_phone.png

unknown

https://www.google.com/chrome/

unknown

https://www.google.com

unknown

http://images.outbrainimg.com/transform/v3/eyJpdSI6Ijk4OGQ1ZDgwMWE2ODQ2NDNkM2ZkMmYyMGEwOTgwMWQ3MDE2Z

unknown

https://assets.adobedtm.com/5ef092d1efb5/4d1d9f749fd3/434d91f2e635/RCc13122162a9a46c3b4cbf05ffccde0f

unknown

https://www.google.com/chrome/static/images/homepage/hero-anim-bottom-left.png

unknown