Analysis
- max time kernel: 136s
- max time network: 143s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 22-07-2021 06:32
Static task: static1
Behavioral task: behavioral1
Sample: 434c4d6383148ec2d1e98e455ff2629b.exe
Resource: win7v20210410
General
- Target: 434c4d6383148ec2d1e98e455ff2629b.exe
- Size: 1.1MB
- MD5: 434c4d6383148ec2d1e98e455ff2629b
- SHA1: 4fe3f1549a9ef0d6c1ff611a1a4f88cf17c8d8cb
- SHA256: 6fa6caea53a25606c7e2991d370927d98bf3df093e77a0cea8816c30194afda0
- SHA512: 3e83e7d70f3634418a8c1a950b43587104f6ba0213a2f49e95ab72f7e740030d3d1568b66a5938c47250daed961ea31c3a65094bc95db7d6de1c13ae36fe33ed
Malware Config
Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
Signatures
-
Blocklisted process makes network request 6 IoCs
Processes:
flow | pid | process
32 | 3168 | WScript.exe
34 | 3168 | WScript.exe
36 | 3168 | WScript.exe
38 | 3168 | WScript.exe
41 | 1848 | rundll32.exe
42 | 856 | RUNDLL32.EXE
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
Processes:
pid | process
3796 | 4.exe
3888 | vpn.exe
936 | Lucca.exe.com
648 | Lucca.exe.com
1164 | SmartClock.exe
3200 | qwvbaegb.exe
-
Drops startup file 1 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | 4.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
752 | 434c4d6383148ec2d1e98e455ff2629b.exe
1848 | rundll32.exe
856 | RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
16 | ip-api.com
-
Drops file in Program Files directory 4 IoCs
Processes:
description | ioc | process
File created | C:\Program Files (x86)\foler\olader\acppage.dll | 434c4d6383148ec2d1e98e455ff2629b.exe
File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 434c4d6383148ec2d1e98e455ff2629b.exe
File created | C:\Program Files (x86)\foler\olader\acledit.dll | 434c4d6383148ec2d1e98e455ff2629b.exe
File created | C:\PROGRA~3\Jvgzbfh.tmp | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 26 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Lucca.exe.com
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Lucca.exe.com
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
-
Modifies registry class 1 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | Lucca.exe.com
-
Modifies system certificate store
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | WScript.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | WScript.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C71EACF8AB7857F5F2DAC00ACB3E4659BDF1465D | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C71EACF8AB7857F5F2DAC00ACB3E4659BDF1465D\Blob = … | RUNDLL32.EXE
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid | process
1164 | SmartClock.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid | process
856 | RUNDLL32.EXE
856 | RUNDLL32.EXE
856 | RUNDLL32.EXE
856 | RUNDLL32.EXE
856 | RUNDLL32.EXE
856 | RUNDLL32.EXE
1756 | powershell.exe
1756 | powershell.exe
1756 | powershell.exe
856 | RUNDLL32.EXE
856 | RUNDLL32.EXE
1128 | powershell.exe
1128 | powershell.exe
1128 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 856 | RUNDLL32.EXE
Token: SeDebugPrivilege | 1756 | powershell.exe
Token: SeDebugPrivilege | 1128 | powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
pid | process
856 | RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
description | pid | process | target process
PID 752 wrote to memory of 3796 | 752 | 434c4d6383148ec2d1e98e455ff2629b.exe | 4.exe
PID 752 wrote to memory of 3796 | 752 | 434c4d6383148ec2d1e98e455ff2629b.exe | 4.exe
PID 752 wrote to memory of 3796 | 752 | 434c4d6383148ec2d1e98e455ff2629b.exe | 4.exe
PID 752 wrote to memory of 3888 | 752 | 434c4d6383148ec2d1e98e455ff2629b.exe | vpn.exe
PID 752 wrote to memory of 3888 | 752 | 434c4d6383148ec2d1e98e455ff2629b.exe | vpn.exe
PID 752 wrote to memory of 3888 | 752 | 434c4d6383148ec2d1e98e455ff2629b.exe | vpn.exe
PID 3888 wrote to memory of 2556 | 3888 | vpn.exe | cmd.exe
PID 3888 wrote to memory of 2556 | 3888 | vpn.exe | cmd.exe
PID 3888 wrote to memory of 2556 | 3888 | vpn.exe | cmd.exe
PID 2556 wrote to memory of 1904 | 2556 | cmd.exe | cmd.exe
PID 2556 wrote to memory of 1904 | 2556 | cmd.exe | cmd.exe
PID 2556 wrote to memory of 1904 | 2556 | cmd.exe | cmd.exe
PID 1904 wrote to memory of 2408 | 1904 | cmd.exe | findstr.exe
PID 1904 wrote to memory of 2408 | 1904 | cmd.exe | findstr.exe
PID 1904 wrote to memory of 2408 | 1904 | cmd.exe | findstr.exe
PID 1904 wrote to memory of 936 | 1904 | cmd.exe | Lucca.exe.com
PID 1904 wrote to memory of 936 | 1904 | cmd.exe | Lucca.exe.com
PID 1904 wrote to memory of 936 | 1904 | cmd.exe | Lucca.exe.com
PID 1904 wrote to memory of 3052 | 1904 | cmd.exe | PING.EXE
PID 1904 wrote to memory of 3052 | 1904 | cmd.exe | PING.EXE
PID 1904 wrote to memory of 3052 | 1904 | cmd.exe | PING.EXE
PID 936 wrote to memory of 648 | 936 | Lucca.exe.com | Lucca.exe.com
PID 936 wrote to memory of 648 | 936 | Lucca.exe.com | Lucca.exe.com
PID 936 wrote to memory of 648 | 936 | Lucca.exe.com | Lucca.exe.com
PID 3796 wrote to memory of 1164 | 3796 | 4.exe | SmartClock.exe
PID 3796 wrote to memory of 1164 | 3796 | 4.exe | SmartClock.exe
PID 3796 wrote to memory of 1164 | 3796 | 4.exe | SmartClock.exe
PID 648 wrote to memory of 3200 | 648 | Lucca.exe.com | qwvbaegb.exe
PID 648 wrote to memory of 3200 | 648 | Lucca.exe.com | qwvbaegb.exe
PID 648 wrote to memory of 3200 | 648 | Lucca.exe.com | qwvbaegb.exe
PID 648 wrote to memory of 4016 | 648 | Lucca.exe.com | WScript.exe
PID 648 wrote to memory of 4016 | 648 | Lucca.exe.com | WScript.exe
PID 648 wrote to memory of 4016 | 648 | Lucca.exe.com | WScript.exe
PID 3200 wrote to memory of 1848 | 3200 | qwvbaegb.exe | rundll32.exe
PID 3200 wrote to memory of 1848 | 3200 | qwvbaegb.exe | rundll32.exe
PID 3200 wrote to memory of 1848 | 3200 | qwvbaegb.exe | rundll32.exe
PID 648 wrote to memory of 3168 | 648 | Lucca.exe.com | WScript.exe
PID 648 wrote to memory of 3168 | 648 | Lucca.exe.com | WScript.exe
PID 648 wrote to memory of 3168 | 648 | Lucca.exe.com | WScript.exe
PID 1848 wrote to memory of 856 | 1848 | rundll32.exe | RUNDLL32.EXE
PID 1848 wrote to memory of 856 | 1848 | rundll32.exe | RUNDLL32.EXE
PID 1848 wrote to memory of 856 | 1848 | rundll32.exe | RUNDLL32.EXE
PID 856 wrote to memory of 1756 | 856 | RUNDLL32.EXE | powershell.exe
PID 856 wrote to memory of 1756 | 856 | RUNDLL32.EXE | powershell.exe
PID 856 wrote to memory of 1756 | 856 | RUNDLL32.EXE | powershell.exe
PID 856 wrote to memory of 1128 | 856 | RUNDLL32.EXE | powershell.exe
PID 856 wrote to memory of 1128 | 856 | RUNDLL32.EXE | powershell.exe
PID 856 wrote to memory of 1128 | 856 | RUNDLL32.EXE | powershell.exe
PID 1128 wrote to memory of 2452 | 1128 | powershell.exe | nslookup.exe
PID 1128 wrote to memory of 2452 | 1128 | powershell.exe | nslookup.exe
PID 1128 wrote to memory of 2452 | 1128 | powershell.exe | nslookup.exe
PID 856 wrote to memory of 3244 | 856 | RUNDLL32.EXE | schtasks.exe
PID 856 wrote to memory of 3244 | 856 | RUNDLL32.EXE | schtasks.exe
PID 856 wrote to memory of 3244 | 856 | RUNDLL32.EXE | schtasks.exe
PID 856 wrote to memory of 1220 | 856 | RUNDLL32.EXE | schtasks.exe
PID 856 wrote to memory of 1220 | 856 | RUNDLL32.EXE | schtasks.exe
PID 856 wrote to memory of 1220 | 856 | RUNDLL32.EXE | schtasks.exe
Processes
C:\Users\Admin\AppData\Local\Temp\434c4d6383148ec2d1e98e455ff2629b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\434c4d6383148ec2d1e98e455ff2629b.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
      command line: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
      - Executes dropped EXE
      - Suspicious behavior: AddClipboardFormatListener
  C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c cmd < Miele.mpeg
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        command line: cmd
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\findstr.exe
          command line: findstr /V /R "^nuJmDolyOEafNkCbidgtyicKjPeDQxxFworNyycSxwBitdTxqUhgYpwdKZhOuHfxlNgFoOseVcKtGhFWVICViyHRu$" Gioco.mpeg
        C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
          command line: Lucca.exe.com e
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
            command line: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com e
            - Executes dropped EXE
            - Checks processor information in registry
            - Modifies registry class
            - Suspicious use of WriteProcessMemory
            C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe
              command line: "C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe"
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              C:\Windows\SysWOW64\rundll32.exe
                command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Drops file in Program Files directory
                - Suspicious use of WriteProcessMemory
                C:\Windows\SysWOW64\RUNDLL32.EXE
                  command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP,RAg8
                  - Blocklisted process makes network request
                  - Loads dropped DLL
                  - Checks processor information in registry
                  - Modifies system certificate store
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of FindShellTrayWindow
                  - Suspicious use of WriteProcessMemory
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp7125.tmp.ps1"
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp9190.tmp.ps1"
                    - Suspicious behavior: EnumeratesProcesses
                    - Suspicious use of AdjustPrivilegeToken
                    - Suspicious use of WriteProcessMemory
                    C:\Windows\SysWOW64\nslookup.exe
                      command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
                  C:\Windows\SysWOW64\schtasks.exe
                    command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
                  C:\Windows\SysWOW64\schtasks.exe
                    command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
            C:\Windows\SysWOW64\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbadkyvtcpnv.vbs"
            C:\Windows\SysWOW64\WScript.exe
              command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\hougrlptmbk.vbs"
              - Blocklisted process makes network request
              - Modifies system certificate store
        C:\Windows\SysWOW64\PING.EXE
          command line: ping 127.0.0.1 -n 30
          - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\PROGRA~3\Jvgzbfh.tmp
MD5: 41c486d5eeef5e53f81e5e6f298d2e9b
SHA1: 2ca09f905be740d3289b41e11646e9450e50a330
SHA256: 070116928d1e038dfc77a2ddfc94390e705c1f9838a213773dbeba2f15276e50
SHA512: 4318876030b15e96823edc5af8e0633e0e6e50dd96d2b7a27421a55e140ac70af9a767afaf2a1d506515f3f0bcdc372cab9cdbac589e2b6461124bf344e7323b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: 47eebe401625bbc55e75dbfb72e9e89a
SHA1: db3b2135942d2532c59b9788253638eb77e5995e
SHA256: f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
SHA512: 590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: 245487229053fcb8956e9ec4f4e20225
SHA1: 5b47b30902569bca8c21a29ec5c3628c562ec604
SHA256: 0656856d7fd7a6904c730fbc5e422038047b398beda153a3e140c4b43f51b54f
SHA512: c19c913c358576845275adbd6354a14978c060de9b7982a4702aac7fcdf501d027c751b689de0a3c0b07459ef679db36bb25e3e751436d5a3f75ee14a7fe0563
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esitanza.mpeg
MD5: 427c6ebcc433964a24b02173f29f50a2
SHA1: 8d99cd9f94f102a174a153f002a48a202c9cf086
SHA256: 73ce8f59b6e5236e39d061984ad5d9dae9e30ce0f57947485852eff2510011e3
SHA512: e9cd8901cd47e006e271401e51cfcd4f8bc807a50685a6a1e632e2b7aa4dfe4936a2cdaf96798151229e24ca0b99c32ef9238793058ddc26af698524b7694d76
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gioco.mpeg
MD5: 3a0ff91c269582c1d565af0dc43bb90c
SHA1: 2e30abe0a8ce9d88d30970045699bbe60f21f1bc
SHA256: db2812a7b23090ba287410fae0afcbee1b8bb53dcd1ce7c342005093c8cfbb2f
SHA512: 9b14c7fb67fe331ca6dd0d445f9c449198c16939b08d53587005b70200db9f9d17d69ec65b18c84cfba4e51b1e53e72d72ddbd7c72db988cfffcffc3669ef1b8
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Lucca.exe.com
MD5: c56b5f0201a3b3de53e561fe76912bfd
SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Miele.mpeg
MD5: 2855e5e33ce8a671af83d926edc50ca5
SHA1: abaa3f3dbd2e7015a16c86061b5ed50e9d9fdfe6
SHA256: 4b47193fc4658debb1e8e9020ffc5242870c2d7a11fbf9dd401d5746baf390dd
SHA512: 6dcc5a75d4bc5bef801cc396eaaa66c6920aedec66a0b48d68d7382856f181043c2d0cbb11a560926160f1fdfa342c37b517f2faf5118601365efd61206cd6b1
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tue.mpeg
MD5: 35b7b68ab0c10c09e68774cde98bd3f8
SHA1: 4254c30bc7ca8972eb0889c62a114e9ae7db2242
SHA256: 683e8ee070649cf1bb12c9259b5d1f557ef8e465ddb91b7c5c53db00c6ecabbc
SHA512: 92fab930fcd0106644e09337995a019ab5f6df0bbe9fde2411714321c877df5fba331d40a4d55504c3bfba75fff041127755e7ef204bdd335bca96543c7368c8
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\e
MD5: 427c6ebcc433964a24b02173f29f50a2
SHA1: 8d99cd9f94f102a174a153f002a48a202c9cf086
SHA256: 73ce8f59b6e5236e39d061984ad5d9dae9e30ce0f57947485852eff2510011e3
SHA512: e9cd8901cd47e006e271401e51cfcd4f8bc807a50685a6a1e632e2b7aa4dfe4936a2cdaf96798151229e24ca0b99c32ef9238793058ddc26af698524b7694d76
-
C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
MD5: 31b5d8e5ed683cc81b9bc86bb0e52cbf
SHA1: 0e67c2ea30a6eea520ae7090103b40bf993912be
SHA256: 210cf285b5e19e67f752e3cc68ceaf6a46bee8d554af6882a03bbb4723472c55
SHA512: 4dbea8a629cad21b874a28d00061abff1a26cd4db4949cf0a7662a052a1270eab04b68eaf97e1bd724ead4a2722d27f933c0e6c8b57250a7e8f3cd5bd63be2fd
-
C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
MD5: 3e7e5920c63db4bb2e6ca27233a2dca2
SHA1: 09dbb68babcda244a6ce0e36943493e9666dc9e4
SHA256: 13b85b6a099f6744e182089650c5fd877331e8ca23c36f0df14587f8c05b48aa
SHA512: 4ff2ea42da2b4cc7d76a8a4035bdf704475397b2462cd3ab9b75fb01d567f9774570d0922510f9c200b57cdeb46217102ad81990253379ef82c43c64a401117c
-
C:\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP
MD5: 7386df2d975ef96ef522799851969ce6
SHA1: c8cf209f8ade0a9cbb2fb85d7c85249e72a414ae
SHA256: 329288495b2c02eca00ae8d1c3f60131332e68bcd5aedba63f3f60807fb23ed3
SHA512: 350221cb59e35c4e6c737d52dfb46c506dae0332f51763f371ac4ba5b064ec3d2f49b429aca6f492687aeb4aaa65a2b25885f4ec9f148e5e2ae235ab70262861
-
C:\Users\Admin\AppData\Local\Temp\bbadkyvtcpnv.vbs
MD5: b52338e634478d8e09589e5b9ab7ec1f
SHA1: 29efae32c06d74ff6f3e0bd0330c382034fca786
SHA256: 9a8c421ce86f8334480b94af8b447d2f9320584f76ce6126d8ae21d2fb7b5673
SHA512: 34e45cecc66282cfca08d79715c2dff0c25dbe630d66df6542b5f499f8d37f7ce39ad86a6c4583e64bb091ca89389c6cae032d91293f5d621c1f3a94c1aebcc8
-
C:\Users\Admin\AppData\Local\Temp\hougrlptmbk.vbs
MD5: 2343f0f56c9d4ee879a90d4bab68c28e
SHA1: 3ffcab229df5525f6472a1ddc7d097d018936127
SHA256: 63deb1c937deee9e4a4c0695c35061902e2a0f4085ff9117b93166b5174e312a
SHA512: e2a2133c7c09ee88c3a5e2b1ee8a64ecf8e1ea7858987d770966c2c81e0fea708b618af5780fba13068aac8f2eb7fbd45249ed9e09c067f79aa433090e81ef72
-
C:\Users\Admin\AppData\Local\Temp\qwvbaegb.exe
MD5: 52f6faca0532c27ff56d489fedfbe06f
SHA1: 484bef833639d33a190899d7d78e78bf47199ab1
SHA256: 7ede8f2954f1dd8de16087ee498117e51c1b7be094afaf879fe48f45dcab5c02
SHA512: 7da1b2a60de69dbf1fa3f42f5293dea9dcbd5ece2c1f0e02ee6b4bd8185cf3ac7d2e2c654da163650676acf83e02115c0fd9c1fce6bb8a30dc02517a9be62c3d
-
C:\Users\Admin\AppData\Local\Temp\tmp7125.tmp.ps1
MD5: 3c652f66e511abf49b9ee3b7edaf5b2f
SHA1: 5f74d6dd9efe737787f5fa3699197689877cea69
SHA256: 113198ed3bc656cfec1018e44a7812c01564c143212a0f27226908f6dd3c662c
SHA512: 568ea52248f733a745a092ec18cdae41b5356d7e468c02a595df746b2a9de5a76271f29c85e6978c70ce58b8d716d2f5228ce2e4950747db2cd22c3d47874fdd
-
C:\Users\Admin\AppData\Local\Temp\tmp7126.tmp
MD5: c416c12d1b2b1da8c8655e393b544362
SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Local\Temp\tmp9190.tmp.ps1
MD5: c05df059b13cec79179d2cee74ce8ee8
SHA1: aafb3f29583d6827c8d1e96393b10d08aa00605c
SHA256: f2d8beee55af53cffe14cc3c1a940a28a29bb9cc61b68a4dfe69feebb72d15e8
SHA512: f0c5f20bf95ab71b7e407d12f41a0656bfda22b9f2699cd7e0c51563cdb0a7e76686fdc68f40d98cb885e9f12f76617370f736e9b0f15c3e98e65c3552a91172
-
C:\Users\Admin\AppData\Local\Temp\tmp91A0.tmp
MD5: 1860260b2697808b80802352fe324782
SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
MD5: 31b5d8e5ed683cc81b9bc86bb0e52cbf
SHA1: 0e67c2ea30a6eea520ae7090103b40bf993912be
SHA256: 210cf285b5e19e67f752e3cc68ceaf6a46bee8d554af6882a03bbb4723472c55
SHA512: 4dbea8a629cad21b874a28d00061abff1a26cd4db4949cf0a7662a052a1270eab04b68eaf97e1bd724ead4a2722d27f933c0e6c8b57250a7e8f3cd5bd63be2fd
-
\Users\Admin\AppData\Local\Temp\QWVBAE~1.TMP
MD5: 7386df2d975ef96ef522799851969ce6
SHA1: c8cf209f8ade0a9cbb2fb85d7c85249e72a414ae
SHA256: 329288495b2c02eca00ae8d1c3f60131332e68bcd5aedba63f3f60807fb23ed3
SHA512: 350221cb59e35c4e6c737d52dfb46c506dae0332f51763f371ac4ba5b064ec3d2f49b429aca6f492687aeb4aaa65a2b25885f4ec9f148e5e2ae235ab70262861
-
\Users\Admin\AppData\Local\Temp\nse9CF2.tmp\UAC.dll
MD5: adb29e6b186daa765dc750128649b63d
SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/648-141-0x0000000001700000-0x000000000184A000-memory.dmp | Filesize 1.3MB
memory/648-131-0x0000000000000000-mapping.dmp
memory/856-161-0x0000000000000000-mapping.dmp
memory/856-169-0x0000000004D50000-0x0000000005FE6000-memory.dmp | Filesize 18.6MB
memory/936-127-0x0000000000000000-mapping.dmp
memory/1128-225-0x0000000004873000-0x0000000004874000-memory.dmp | Filesize 4KB
memory/1128-211-0x0000000004870000-0x0000000004871000-memory.dmp | Filesize 4KB
memory/1128-207-0x0000000007BC0000-0x0000000007BC1000-memory.dmp | Filesize 4KB
memory/1128-198-0x0000000000000000-mapping.dmp
memory/1128-210-0x0000000008080000-0x0000000008081000-memory.dmp | Filesize 4KB
memory/1128-212-0x0000000004872000-0x0000000004873000-memory.dmp | Filesize 4KB
memory/1164-135-0x0000000000000000-mapping.dmp
memory/1164-139-0x0000000002B80000-0x0000000002CCA000-memory.dmp | Filesize 1.3MB
memory/1164-140-0x0000000000400000-0x0000000002B7B000-memory.dmp | Filesize 39.5MB
memory/1220-226-0x0000000000000000-mapping.dmp
memory/1756-179-0x0000000007AD0000-0x0000000007AD1000-memory.dmp | Filesize 4KB
memory/1756-193-0x00000000090B0000-0x00000000090B1000-memory.dmp | Filesize 4KB
memory/1756-172-0x0000000000000000-mapping.dmp
memory/1756-175-0x0000000006BB0000-0x0000000006BB1000-memory.dmp | Filesize 4KB
memory/1756-176-0x00000000072C0000-0x00000000072C1000-memory.dmp | Filesize 4KB
memory/1756-177-0x0000000006C80000-0x0000000006C81000-memory.dmp | Filesize 4KB
memory/1756-178-0x0000000006C82000-0x0000000006C83000-memory.dmp | Filesize 4KB
memory/1756-197-0x0000000006C83000-0x0000000006C84000-memory.dmp | Filesize 4KB
memory/1756-180-0x0000000007960000-0x0000000007961000-memory.dmp | Filesize 4KB
memory/1756-181-0x0000000007B00000-0x0000000007B01000-memory.dmp | Filesize 4KB
memory/1756-182-0x0000000007C80000-0x0000000007C81000-memory.dmp | Filesize 4KB
memory/1756-183-0x0000000008050000-0x0000000008051000-memory.dmp | Filesize 4KB
memory/1756-184-0x0000000008570000-0x0000000008571000-memory.dmp | Filesize 4KB
memory/1756-185-0x0000000008370000-0x0000000008371000-memory.dmp | Filesize 4KB
memory/1756-194-0x0000000009350000-0x0000000009351000-memory.dmp | Filesize 4KB
memory/1756-187-0x0000000006EA0000-0x0000000006EA1000-memory.dmp | Filesize 4KB
memory/1756-192-0x0000000009B20000-0x0000000009B21000-memory.dmp | Filesize 4KB
memory/1848-164-0x00000000051B0000-0x0000000006446000-memory.dmp | Filesize 18.6MB
memory/1848-148-0x0000000000000000-mapping.dmp
memory/1904-123-0x0000000000000000-mapping.dmp
memory/2408-124-0x0000000000000000-mapping.dmp
memory/2452-221-0x0000000000000000-mapping.dmp
memory/2556-121-0x0000000000000000-mapping.dmp
memory/3052-129-0x0000000000000000-mapping.dmp
memory/3168-153-0x0000000000000000-mapping.dmp
memory/3200-149-0x0000000004B30000-0x0000000004C30000-memory.dmp | Filesize 1024KB
memory/3200-150-0x0000000000400000-0x0000000002C50000-memory.dmp | Filesize 40.3MB
memory/3200-143-0x0000000000000000-mapping.dmp
memory/3244-224-0x0000000000000000-mapping.dmp
memory/3796-134-0x0000000002C00000-0x0000000002CAE000-memory.dmp | Filesize 696KB
memory/3796-115-0x0000000000000000-mapping.dmp
memory/3796-138-0x0000000000400000-0x0000000002B7B000-memory.dmp | Filesize 39.5MB
memory/3888-118-0x0000000000000000-mapping.dmp
memory/4016-146-0x0000000000000000-mapping.dmp