Malware Analysis Report

2025-04-14 08:31

Sample ID 220205-m4n2raafg2
Target b6af270fde44e8fe7757806eafa906fe59418d54e8d3c6a87c8d0242ced2a371
SHA256 b6af270fde44e8fe7757806eafa906fe59418d54e8d3c6a87c8d0242ced2a371
Tags
collection spyware stealer upx nanocore wshrat evasion keylogger persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b6af270fde44e8fe7757806eafa906fe59418d54e8d3c6a87c8d0242ced2a371

Threat Level: Known bad

The file b6af270fde44e8fe7757806eafa906fe59418d54e8d3c6a87c8d0242ced2a371 was found to be: Known bad.

Malicious Activity Summary

collection spyware stealer upx nanocore wshrat evasion keylogger persistence trojan

WSHRAT Payload

WSHRAT

NanoCore

Executes dropped EXE

UPX packed file

Blocklisted process makes network request

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

outlook_office_path

outlook_win_path

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-05 11:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-05 11:01

Reported

2022-02-05 11:03

Platform

win7-en-20211208

Max time kernel

144s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1048 set thread context of 2016 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"

Network

N/A

Files

memory/1048-54-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1048-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

memory/1048-56-0x0000000000260000-0x0000000000266000-memory.dmp

memory/2016-57-0x0000000000400000-0x00000000004AD000-memory.dmp

memory/2016-60-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-59-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-61-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-62-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-63-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-64-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-65-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-66-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-67-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-68-0x0000000000380000-0x0000000000383000-memory.dmp

memory/2016-69-0x0000000002010000-0x0000000002011000-memory.dmp

memory/2016-70-0x0000000002011000-0x0000000002012000-memory.dmp

memory/2016-71-0x0000000002012000-0x0000000002013000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-05 11:01

Reported

2022-02-05 11:04

Platform

win10v2004-en-20220112

Max time kernel

142s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1892 set thread context of 2292 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\MusNotifyIcon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\MusNotifyIcon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\GeoVersion_EndpointFullUri = "https://geover.prod.do.dsp.mp.microsoft.com/geoversion" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CacheSizeBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LANConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\FrDownloadRatePct = "90" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadRatePct = "100" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLinkLocalBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCacheHostBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthID = "2" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\KVFileExpirationTime = "132887089248311711" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\SwarmCount = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyCdnBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkCnt = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PeerInfoCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MemoryUsageKB = "4012" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyLanBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\BkDownloadRatePct = "45" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DownloadMode_BackCompat = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UploadMonthlyInternetBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateFrBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyRateBkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\LinkLocalConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\PriorityDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\NormalDownloadPendingCount = "0" C:\Windows\System32\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Settings C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\DODownloadMode = "1" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownloadMonthlyGroupBytes = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Config\Geo_EndpointFullUri = "https://geo.prod.do.dsp.mp.microsoft.com/geo" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CDNConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\GroupConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\InternetConnectionCount = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\DownlinkUsageBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\UplinkBps = "0" C:\Windows\System32\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\MonthlyUploadRestriction = "0" C:\Windows\System32\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\DeliveryOptimization\Usage\CPUpct = "5.263206" C:\Windows\System32\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\img-Z27093627.pdf.exe"

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 209.197.3.8:80 tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 104.80.224.57:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.184.216.226:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
NL 20.73.194.208:443 settings-win.data.microsoft.com tcp

Files

memory/1892-130-0x0000000002350000-0x0000000002550000-memory.dmp

memory/1892-131-0x0000000002350000-0x0000000002550000-memory.dmp

memory/1892-132-0x0000000002350000-0x0000000002550000-memory.dmp

memory/2292-133-0x0000000000400000-0x00000000004AD000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2022-02-05 11:01

Reported

2022-02-05 11:03

Platform

win7-en-20211208

Max time kernel

149s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

WSHRAT

trojan wshrat

WSHRAT Payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\opxTE.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\opxTE.vbs C:\Windows\SysWOW64\WScript.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\opxTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\opxTE.vbs\"" C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\opxTE = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\opxTE.vbs\"" C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start" C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2024 set thread context of 1600 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe
PID 2024 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe
PID 2024 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe
PID 2024 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe
PID 1600 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1600 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1600 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1600 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 1600 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server1.exe
PID 1600 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server1.exe
PID 1600 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server1.exe
PID 1600 wrote to memory of 268 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\server1.exe
PID 1600 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1600 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1600 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 1600 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\server1.exe C:\Windows\SysWOW64\WScript.exe
PID 268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\server1.exe C:\Windows\SysWOW64\WScript.exe
PID 268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\server1.exe C:\Windows\SysWOW64\WScript.exe
PID 268 wrote to memory of 1424 N/A C:\Users\Admin\AppData\Local\Temp\server1.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Users\Admin\AppData\Local\Temp\server1.exe

"C:\Users\Admin\AppData\Local\Temp\server1.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\opxTE.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:1334 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 rajas.com.my udp
MY 103.6.196.76:80 rajas.com.my tcp
N/A 127.0.0.1:53896 tcp
MY 103.6.196.76:80 rajas.com.my tcp
N/A 127.0.0.1:53896 tcp
N/A 127.0.0.1:53896 tcp
MY 103.6.196.76:80 rajas.com.my tcp
US 184.105.237.199:1334 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
MY 103.6.196.76:80 rajas.com.my tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
N/A 127.0.0.1:53896 tcp
N/A 127.0.0.1:53896 tcp
US 184.105.237.199:1334 blackhil.ddns.net tcp
N/A 127.0.0.1:53896 tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
MY 103.6.196.76:80 rajas.com.my tcp
N/A 127.0.0.1:53896 tcp
US 184.105.237.199:1334 blackhil.ddns.net tcp
N/A 127.0.0.1:53896 tcp
N/A 127.0.0.1:53896 tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 184.105.237.199:1334 blackhil.ddns.net tcp
N/A 127.0.0.1:53896 tcp
N/A 127.0.0.1:53896 tcp
N/A 127.0.0.1:53896 tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
US 184.105.237.199:1334 blackhil.ddns.net tcp
NL 8.248.3.254:80 tcp
US 8.8.8.8:53 blackhil.ddns.net udp
US 184.105.237.199:53896 blackhil.ddns.net tcp
N/A 127.0.0.1:53896 tcp

Files

memory/2024-53-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2024-54-0x00000000751B1000-0x00000000751B3000-memory.dmp

memory/2024-55-0x00000000003E0000-0x00000000003E6000-memory.dmp

memory/1600-57-0x0000000000400000-0x00000000005C0000-memory.dmp

memory/1600-59-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-58-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-60-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-62-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-63-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-61-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-65-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-66-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-67-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-64-0x0000000001E90000-0x0000000001E93000-memory.dmp

memory/1600-68-0x0000000002350000-0x0000000002351000-memory.dmp

\Users\Admin\AppData\Local\Temp\server.exe

MD5 0e8b49b3d9227a40be1266063b013371
SHA1 d1665de48fc77fa70099dacbe9321d5cee170fae
SHA256 a79d6ed879410a1193774ac6a64b51043e568eef40076df0057c152cabc58f61
SHA512 c9fadda7f02780b71561ff416ed8d2487dfa6245c431385af481b1ac1df6b504e006d7e7b99c117ce6cf1aa86eb9f5eb2f724529b3da978806af01c92abc6efc

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 0e8b49b3d9227a40be1266063b013371
SHA1 d1665de48fc77fa70099dacbe9321d5cee170fae
SHA256 a79d6ed879410a1193774ac6a64b51043e568eef40076df0057c152cabc58f61
SHA512 c9fadda7f02780b71561ff416ed8d2487dfa6245c431385af481b1ac1df6b504e006d7e7b99c117ce6cf1aa86eb9f5eb2f724529b3da978806af01c92abc6efc

C:\Users\Admin\AppData\Local\Temp\server.exe

MD5 0e8b49b3d9227a40be1266063b013371
SHA1 d1665de48fc77fa70099dacbe9321d5cee170fae
SHA256 a79d6ed879410a1193774ac6a64b51043e568eef40076df0057c152cabc58f61
SHA512 c9fadda7f02780b71561ff416ed8d2487dfa6245c431385af481b1ac1df6b504e006d7e7b99c117ce6cf1aa86eb9f5eb2f724529b3da978806af01c92abc6efc

memory/1504-72-0x0000000000380000-0x000000000039A000-memory.dmp

\Users\Admin\AppData\Local\Temp\server1.exe

MD5 82f7e10ddeb06d7ac706f8053f7be9ab
SHA1 c0aa068d29b7812a4097f024f717fbb75d006ecb
SHA256 7bdf4741a02e5879afa0b5c4248b9d12d8f5aff1b82a0113d8b8e9a63c7ce9ab
SHA512 44577b1002a4b430700150bdaba1f70245d153d8a5c5cda456df4a292ce65238a7531a126d13e17accefb1d499ca5e24753f3625ed586110d55c8d65558fc290

C:\Users\Admin\AppData\Local\Temp\server1.exe

MD5 82f7e10ddeb06d7ac706f8053f7be9ab
SHA1 c0aa068d29b7812a4097f024f717fbb75d006ecb
SHA256 7bdf4741a02e5879afa0b5c4248b9d12d8f5aff1b82a0113d8b8e9a63c7ce9ab
SHA512 44577b1002a4b430700150bdaba1f70245d153d8a5c5cda456df4a292ce65238a7531a126d13e17accefb1d499ca5e24753f3625ed586110d55c8d65558fc290

\Users\Admin\AppData\Local\Temp\server1.exe

MD5 82f7e10ddeb06d7ac706f8053f7be9ab
SHA1 c0aa068d29b7812a4097f024f717fbb75d006ecb
SHA256 7bdf4741a02e5879afa0b5c4248b9d12d8f5aff1b82a0113d8b8e9a63c7ce9ab
SHA512 44577b1002a4b430700150bdaba1f70245d153d8a5c5cda456df4a292ce65238a7531a126d13e17accefb1d499ca5e24753f3625ed586110d55c8d65558fc290

C:\Users\Admin\AppData\Local\Temp\server1.exe

MD5 82f7e10ddeb06d7ac706f8053f7be9ab
SHA1 c0aa068d29b7812a4097f024f717fbb75d006ecb
SHA256 7bdf4741a02e5879afa0b5c4248b9d12d8f5aff1b82a0113d8b8e9a63c7ce9ab
SHA512 44577b1002a4b430700150bdaba1f70245d153d8a5c5cda456df4a292ce65238a7531a126d13e17accefb1d499ca5e24753f3625ed586110d55c8d65558fc290

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a436e690055e9a46e93d529afb1d5095
SHA1 095610080d02e5de31c3f7c56b55577b8a795250
SHA256 fb7636c9233719102f95dce7009b2ede5e9ff7d3a15d6e9b2fde8d3152f72f60
SHA512 22195596e74e83cef0977fccbecf3cffd89b72d266112416216c3fe6bfa358b4868bb324fd37d29c5148562c03bc8e05bb76407b5b7b48acd4b16aec273a1b54

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a436e690055e9a46e93d529afb1d5095
SHA1 095610080d02e5de31c3f7c56b55577b8a795250
SHA256 fb7636c9233719102f95dce7009b2ede5e9ff7d3a15d6e9b2fde8d3152f72f60
SHA512 22195596e74e83cef0977fccbecf3cffd89b72d266112416216c3fe6bfa358b4868bb324fd37d29c5148562c03bc8e05bb76407b5b7b48acd4b16aec273a1b54

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a436e690055e9a46e93d529afb1d5095
SHA1 095610080d02e5de31c3f7c56b55577b8a795250
SHA256 fb7636c9233719102f95dce7009b2ede5e9ff7d3a15d6e9b2fde8d3152f72f60
SHA512 22195596e74e83cef0977fccbecf3cffd89b72d266112416216c3fe6bfa358b4868bb324fd37d29c5148562c03bc8e05bb76407b5b7b48acd4b16aec273a1b54

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 a436e690055e9a46e93d529afb1d5095
SHA1 095610080d02e5de31c3f7c56b55577b8a795250
SHA256 fb7636c9233719102f95dce7009b2ede5e9ff7d3a15d6e9b2fde8d3152f72f60
SHA512 22195596e74e83cef0977fccbecf3cffd89b72d266112416216c3fe6bfa358b4868bb324fd37d29c5148562c03bc8e05bb76407b5b7b48acd4b16aec273a1b54

memory/268-83-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/464-85-0x0000000000130000-0x0000000000131000-memory.dmp

C:\Users\Admin\AppData\Roaming\opxTE.vbs

MD5 358d63d1074cc5c25a3893a744d2c63f
SHA1 aef18c3ad7190795e05d0ddbc9eecf0faac365a5
SHA256 6a92b629a1ca59b6fc91d09c01e1afbd0588ef0e699475bc096eb0f13c396e45
SHA512 9db134036de548723d5ddf0cdc6de8b1125fb3bffa31a5d412892a18bcfe501bca66157289a0ec61f4cc5ac9ea840404ff87e9d05b5ae1e4fc027d41ed1c3cdc

memory/1504-88-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/1504-89-0x00000000009B5000-0x00000000009C6000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2022-02-05 11:01

Reported

2022-02-05 11:03

Platform

win10v2004-en-20220113

Max time kernel

2s

Max time network

8s

Command Line

"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\img-Z27093628.pdf.exe"

Network

Files

N/A