Analysis Overview
SHA256
b2784bbe213a75389177773a1e0932c0e70721d3e61f94fc64767ec146442cc2
Threat Level: Known bad
The file b2784bbe213a75389177773a1e0932c0e70721d3e61f94fc64767ec146442cc2 was found to be: Known bad.
Malicious Activity Summary
ISR Stealer Payload
suricata: ET MALWARE ISRStealer Checkin
Darkcomet
ISR Stealer
Modifies WinLogon for persistence
Nirsoft
NirSoft MailPassView
Executes dropped EXE
UPX packed file
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Accesses Microsoft Outlook accounts
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-03-11 22:09
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2022-03-11 22:09
Reported
2022-03-11 22:13
Platform
win10v2004-20220310-en
Max time kernel
161s
Max time network
167s
Command Line
Signatures
Darkcomet
ISR Stealer
ISR Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\sysdate.exe" | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
suricata: ET MALWARE ISRStealer Checkin
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\beta.exe | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysdate.exe = "C:\\Windows\\system32\\MSDCSC\\sysdate.exe" | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| File created | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3216 set thread context of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | C:\Users\Admin\AppData\Local\Temp\111.EXE |
| PID 3216 set thread context of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | C:\Users\Admin\AppData\Local\Temp\111.EXE |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2784bbe213a75389177773a1e0932c0e70721d3e61f94fc64767ec146442cc2.exe
"C:\Users\Admin\AppData\Local\Temp\b2784bbe213a75389177773a1e0932c0e70721d3e61f94fc64767ec146442cc2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63F7.tmp\abc2.bat""
C:\Users\Admin\AppData\Local\Temp\abc.exe
abc.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6D4E.tmp\abc.bat""
C:\Users\Admin\AppData\Local\Temp\beta.exe
beta.exe
C:\Users\Admin\AppData\Local\Temp\111.EXE
"C:\Users\Admin\AppData\Local\Temp\111.EXE"
C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE"
C:\Users\Admin\AppData\Local\Temp\111.EXE
/scomma "C:\Users\Admin\AppData\Local\Temp\BlVJSCb2Ry.ini"
C:\Windows\SysWOW64\MSDCSC\sysdate.exe
"C:\Windows\system32\MSDCSC\sysdate.exe"
C:\Users\Admin\AppData\Local\Temp\111.EXE
/scomma "C:\Users\Admin\AppData\Local\Temp\u8OlOilOLT.ini"
Network
| Country | Destination | Domain | Proto |
| NL | 104.80.225.205:443 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| NL | 104.110.191.133:80 | tcp | |
| US | 8.238.20.254:80 | tcp | |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | www.fujian.bplaced.net | udp |
| DE | 162.55.0.137:80 | www.fujian.bplaced.net | tcp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\63F7.tmp\abc2.bat
| MD5 | 820b1c4f6becd0e81c876b4167fc3368 |
| SHA1 | 1e0d0f1593a3c3681e54c883398f5d01827934fa |
| SHA256 | 6a36893b1172bf259a163b34d7472da99010dc414a35a521281b85825922c8ff |
| SHA512 | e3e3a66eaf64e73f99045b54f22a10abf9a4171e95884332bcbf3391b7b70f58fcd2df0bab9dd2ff11a2bd32e30589106815f91db511e5016dd5972574b2fb58 |
C:\Users\Admin\AppData\Local\Temp\abc.exe
| MD5 | 7133b5fd74dfb78f63bcb62e7537627b |
| SHA1 | 3a5f6133bb7d5cb160270eff670a218d7c2d9572 |
| SHA256 | a07ad8b4d73d4304d12207efa427bcc68424f902361dca576a186c71e6b8cc0c |
| SHA512 | ccb0ec630366efec4f1cc1c18d5f524432a64285d5e61c3b6b193944b68ee3ac0a0b88907a77739af325361c80c9384f15932a7c775770f3c7251a4f5664b25e |
C:\Users\Admin\AppData\Local\Temp\abc.exe
| MD5 | 7133b5fd74dfb78f63bcb62e7537627b |
| SHA1 | 3a5f6133bb7d5cb160270eff670a218d7c2d9572 |
| SHA256 | a07ad8b4d73d4304d12207efa427bcc68424f902361dca576a186c71e6b8cc0c |
| SHA512 | ccb0ec630366efec4f1cc1c18d5f524432a64285d5e61c3b6b193944b68ee3ac0a0b88907a77739af325361c80c9384f15932a7c775770f3c7251a4f5664b25e |
C:\Users\Admin\AppData\Local\Temp\6D4E.tmp\abc.bat
| MD5 | e5a087855671c5ff97151b046c321878 |
| SHA1 | 8e3e899a1be7fcb1d44f3316b0174c14c446db96 |
| SHA256 | c3c00a71640762c6356066d788b51d505291ecd5874d7b5e7590e4377810c471 |
| SHA512 | 818361002cb536b1c49dfe6a4c23886f799c8a2bbc2352a2b8b944b0147360f848543786ab6e273ae5f2b09afb176713758bc9c8852b8a9bdbdb2ced39048188 |
C:\Users\Admin\AppData\Local\Temp\beta.exe
| MD5 | 3103d7f4452703474c292d65525280dd |
| SHA1 | ef7003b4a9b0d8f50b5011be1ba7c03139534648 |
| SHA256 | f0bb6141ea6655f4eb0b17a870fe81935df7aeb978a9db8e0a841d7761e825a4 |
| SHA512 | 33b8c157c8023deb9b58d020f291f5fb0f7c7e559a33e6f5ff921eeccd064530d5569fb557e03ac497ac7dd8a1947b15ac8837dc740d1e1edeea448b56553e39 |
C:\Users\Admin\AppData\Local\Temp\beta.exe
| MD5 | 3103d7f4452703474c292d65525280dd |
| SHA1 | ef7003b4a9b0d8f50b5011be1ba7c03139534648 |
| SHA256 | f0bb6141ea6655f4eb0b17a870fe81935df7aeb978a9db8e0a841d7761e825a4 |
| SHA512 | 33b8c157c8023deb9b58d020f291f5fb0f7c7e559a33e6f5ff921eeccd064530d5569fb557e03ac497ac7dd8a1947b15ac8837dc740d1e1edeea448b56553e39 |
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
memory/1512-146-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
memory/1512-149-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1512-150-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1200-151-0x0000000002260000-0x0000000002261000-memory.dmp
C:\Windows\SysWOW64\MSDCSC\sysdate.exe
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
C:\Windows\SysWOW64\MSDCSC\sysdate.exe
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
memory/4840-154-0x0000000002030000-0x0000000002031000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BlVJSCb2Ry.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
memory/4164-156-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
memory/4164-159-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4164-160-0x0000000000400000-0x000000000041F000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-03-11 22:09
Reported
2022-03-11 22:12
Platform
win7-20220311-en
Max time kernel
4294211s
Max time network
124s
Command Line
Signatures
Darkcomet
ISR Stealer
ISR Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\sysdate.exe" | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
suricata: ET MALWARE ISRStealer Checkin
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\abc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysdate.exe = "C:\\Windows\\system32\\MSDCSC\\sysdate.exe" | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 512 set thread context of 1128 | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | C:\Users\Admin\AppData\Local\Temp\111.EXE |
| PID 512 set thread context of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | C:\Users\Admin\AppData\Local\Temp\111.EXE |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\MSDCSC\sysdate.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b2784bbe213a75389177773a1e0932c0e70721d3e61f94fc64767ec146442cc2.exe
"C:\Users\Admin\AppData\Local\Temp\b2784bbe213a75389177773a1e0932c0e70721d3e61f94fc64767ec146442cc2.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\2A2C.tmp\abc2.bat""
C:\Users\Admin\AppData\Local\Temp\abc.exe
abc.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\43D4.tmp\abc.bat""
C:\Users\Admin\AppData\Local\Temp\beta.exe
beta.exe
C:\Users\Admin\AppData\Local\Temp\111.EXE
"C:\Users\Admin\AppData\Local\Temp\111.EXE"
C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE"
C:\Users\Admin\AppData\Local\Temp\111.EXE
/scomma "C:\Users\Admin\AppData\Local\Temp\Kw59260RLs.ini"
C:\Windows\SysWOW64\MSDCSC\sysdate.exe
"C:\Windows\system32\MSDCSC\sysdate.exe"
C:\Users\Admin\AppData\Local\Temp\111.EXE
/scomma "C:\Users\Admin\AppData\Local\Temp\4pkORk80SK.ini"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | panzaknacka.hopto.org | udp |
| US | 8.8.8.8:53 | www.fujian.bplaced.net | udp |
| DE | 162.55.0.137:80 | www.fujian.bplaced.net | tcp |
Files
memory/1168-54-0x0000000075BB1000-0x0000000075BB3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2A2C.tmp\abc2.bat
| MD5 | 820b1c4f6becd0e81c876b4167fc3368 |
| SHA1 | 1e0d0f1593a3c3681e54c883398f5d01827934fa |
| SHA256 | 6a36893b1172bf259a163b34d7472da99010dc414a35a521281b85825922c8ff |
| SHA512 | e3e3a66eaf64e73f99045b54f22a10abf9a4171e95884332bcbf3391b7b70f58fcd2df0bab9dd2ff11a2bd32e30589106815f91db511e5016dd5972574b2fb58 |
C:\Users\Admin\AppData\Local\Temp\abc.exe
| MD5 | 7133b5fd74dfb78f63bcb62e7537627b |
| SHA1 | 3a5f6133bb7d5cb160270eff670a218d7c2d9572 |
| SHA256 | a07ad8b4d73d4304d12207efa427bcc68424f902361dca576a186c71e6b8cc0c |
| SHA512 | ccb0ec630366efec4f1cc1c18d5f524432a64285d5e61c3b6b193944b68ee3ac0a0b88907a77739af325361c80c9384f15932a7c775770f3c7251a4f5664b25e |
\Users\Admin\AppData\Local\Temp\abc.exe
| MD5 | 7133b5fd74dfb78f63bcb62e7537627b |
| SHA1 | 3a5f6133bb7d5cb160270eff670a218d7c2d9572 |
| SHA256 | a07ad8b4d73d4304d12207efa427bcc68424f902361dca576a186c71e6b8cc0c |
| SHA512 | ccb0ec630366efec4f1cc1c18d5f524432a64285d5e61c3b6b193944b68ee3ac0a0b88907a77739af325361c80c9384f15932a7c775770f3c7251a4f5664b25e |
\Users\Admin\AppData\Local\Temp\abc.exe
| MD5 | 7133b5fd74dfb78f63bcb62e7537627b |
| SHA1 | 3a5f6133bb7d5cb160270eff670a218d7c2d9572 |
| SHA256 | a07ad8b4d73d4304d12207efa427bcc68424f902361dca576a186c71e6b8cc0c |
| SHA512 | ccb0ec630366efec4f1cc1c18d5f524432a64285d5e61c3b6b193944b68ee3ac0a0b88907a77739af325361c80c9384f15932a7c775770f3c7251a4f5664b25e |
C:\Users\Admin\AppData\Local\Temp\abc.exe
| MD5 | 7133b5fd74dfb78f63bcb62e7537627b |
| SHA1 | 3a5f6133bb7d5cb160270eff670a218d7c2d9572 |
| SHA256 | a07ad8b4d73d4304d12207efa427bcc68424f902361dca576a186c71e6b8cc0c |
| SHA512 | ccb0ec630366efec4f1cc1c18d5f524432a64285d5e61c3b6b193944b68ee3ac0a0b88907a77739af325361c80c9384f15932a7c775770f3c7251a4f5664b25e |
C:\Users\Admin\AppData\Local\Temp\43D4.tmp\abc.bat
| MD5 | e5a087855671c5ff97151b046c321878 |
| SHA1 | 8e3e899a1be7fcb1d44f3316b0174c14c446db96 |
| SHA256 | c3c00a71640762c6356066d788b51d505291ecd5874d7b5e7590e4377810c471 |
| SHA512 | 818361002cb536b1c49dfe6a4c23886f799c8a2bbc2352a2b8b944b0147360f848543786ab6e273ae5f2b09afb176713758bc9c8852b8a9bdbdb2ced39048188 |
\Users\Admin\AppData\Local\Temp\beta.exe
| MD5 | 3103d7f4452703474c292d65525280dd |
| SHA1 | ef7003b4a9b0d8f50b5011be1ba7c03139534648 |
| SHA256 | f0bb6141ea6655f4eb0b17a870fe81935df7aeb978a9db8e0a841d7761e825a4 |
| SHA512 | 33b8c157c8023deb9b58d020f291f5fb0f7c7e559a33e6f5ff921eeccd064530d5569fb557e03ac497ac7dd8a1947b15ac8837dc740d1e1edeea448b56553e39 |
C:\Users\Admin\AppData\Local\Temp\beta.exe
| MD5 | 3103d7f4452703474c292d65525280dd |
| SHA1 | ef7003b4a9b0d8f50b5011be1ba7c03139534648 |
| SHA256 | f0bb6141ea6655f4eb0b17a870fe81935df7aeb978a9db8e0a841d7761e825a4 |
| SHA512 | 33b8c157c8023deb9b58d020f291f5fb0f7c7e559a33e6f5ff921eeccd064530d5569fb557e03ac497ac7dd8a1947b15ac8837dc740d1e1edeea448b56553e39 |
\Users\Admin\AppData\Local\Temp\beta.exe
| MD5 | 3103d7f4452703474c292d65525280dd |
| SHA1 | ef7003b4a9b0d8f50b5011be1ba7c03139534648 |
| SHA256 | f0bb6141ea6655f4eb0b17a870fe81935df7aeb978a9db8e0a841d7761e825a4 |
| SHA512 | 33b8c157c8023deb9b58d020f291f5fb0f7c7e559a33e6f5ff921eeccd064530d5569fb557e03ac497ac7dd8a1947b15ac8837dc740d1e1edeea448b56553e39 |
C:\Users\Admin\AppData\Local\Temp\beta.exe
| MD5 | 3103d7f4452703474c292d65525280dd |
| SHA1 | ef7003b4a9b0d8f50b5011be1ba7c03139534648 |
| SHA256 | f0bb6141ea6655f4eb0b17a870fe81935df7aeb978a9db8e0a841d7761e825a4 |
| SHA512 | 33b8c157c8023deb9b58d020f291f5fb0f7c7e559a33e6f5ff921eeccd064530d5569fb557e03ac497ac7dd8a1947b15ac8837dc740d1e1edeea448b56553e39 |
\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
memory/1128-78-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1128-82-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1128-83-0x0000000000400000-0x0000000000453000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\WINDOWS RUNNER.EXE
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
\Windows\SysWOW64\MSDCSC\sysdate.exe
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
\Windows\SysWOW64\MSDCSC\sysdate.exe
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
C:\Windows\SysWOW64\MSDCSC\sysdate.exe
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
C:\Windows\SysWOW64\MSDCSC\sysdate.exe
| MD5 | e5560c1f0c9f01f54245792a481513e1 |
| SHA1 | f45c179c90da5e745da58497ba71b48e71ba5aa8 |
| SHA256 | 01502d9f44862f570d449cd18109aaf56138e6346765504e1ea7fafa98a54cfa |
| SHA512 | be9508bf79450315a1032f2376cd03c81b3d86228cc0e90b26107a5daced151bde34402a48498b22864158999e4abbd7cb0ad8c6726134d6c92ec06f147b54df |
memory/1568-90-0x0000000000240000-0x0000000000241000-memory.dmp
memory/880-91-0x00000000001D0000-0x00000000001D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Kw59260RLs.ini
| MD5 | d1ea279fb5559c020a1b4137dc4de237 |
| SHA1 | db6f8988af46b56216a6f0daf95ab8c9bdb57400 |
| SHA256 | fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba |
| SHA512 | 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3 |
\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
memory/1364-95-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\111.EXE
| MD5 | 4ec3a61c143a4c5e3971b6c8e9f0f4fb |
| SHA1 | cf847aef12230444c9e877909b5e77d4b0348def |
| SHA256 | 61bb703efbb4dec300ab8454483b3e543fe884a080bee473df8900480c3ba098 |
| SHA512 | 9f6c42d920b050c6d3062e2a9b06a8ae6d3166bffe5fa7b953315a2c23770d651104544548bf330728592f03d89eda0af8162a41a37aa8a40a3cac48a82242f5 |
memory/1364-99-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1364-100-0x0000000000400000-0x000000000041F000-memory.dmp