Analysis Overview
SHA256: a8f36e203ba22b243837f95a371fbad43ef4162e2cf6f01ab78714fed88e7bb3
Threat Level: Known bad
The file d091285362e6cfcf60690c8a4dcd695e was found to be: Known bad.
Malicious Activity Summary
Echelon
Executes dropped EXE
Modifies Windows Firewall
Downloads MZ/PE file
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Adds Run key to start application
Looks up external IP address via web service
Drops autorun.inf file
Enumerates physical storage devices
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2021-06-24 02:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2021-06-24 02:02
Reported: 2021-06-24 02:05
Platform: win7v20210410
Max time kernel: 150s
Max time network: 197s
Command Line
Signatures
Echelon
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
Modifies Windows Firewall
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Drops autorun.inf file
Enumerates physical storage devices
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary data omitted) | C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe
"C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"
C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe
"C:\Users\Admin\AppData\Local\Temp\pbdtnrkk.cav.exe"
C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe
"C:\Users\Admin\AppData\Local\Temp\h1uqkhud.0py.exe"
C:\Users\Admin\AppData\Roaming\Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft.exe"
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft.exe" "Microsoft.exe" ENABLE
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2021-06-24 02:02
Reported: 2021-06-24 02:04
Platform: win10v20210408
Max time kernel: 151s
Max time network: 152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
| N/A | N/A | C:\ProgramData\Decoder.exe | N/A |
Modifies Windows Firewall
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\59634f1056072fe0355f6437f8fc6428.exe | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\59634f1056072fe0355f6437f8fc6428 = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft.exe\" .." | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Drops autorun.inf file
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\ProgramData\Decoder.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\ProgramData\Decoder.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe
"C:\Users\Admin\AppData\Local\Temp\d091285362e6cfcf60690c8a4dcd695e.exe"
C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe
"C:\Users\Admin\AppData\Local\Temp\kd4ka2tc.5oq.exe"
C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe
"C:\Users\Admin\AppData\Local\Temp\a2w304xa.nbb.exe"
C:\Users\Admin\AppData\Roaming\Microsoft.exe
"C:\Users\Admin\AppData\Roaming\Microsoft.exe"
C:\ProgramData\Decoder.exe
"C:\ProgramData\Decoder.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
C:\Windows\system32\timeout.exe
timeout 4
C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\Microsoft.exe" "Microsoft.exe" ENABLE
Network
Files