Analysis Overview
SHA256
d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125
Threat Level: Known bad
The file d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125 was found to be: Known bad.
Malicious Activity Summary
BitRAT
BitRAT Payload
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Modifies WinLogon for persistence
Turns off Windows Defender SpyNet reporting
Drops startup file
Windows security modification
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-08 06:13
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-08 06:13
Reported
2022-05-08 09:10
Platform
win10v2004-20220414-en
Max time kernel
143s
Max time network
144s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe\"" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5068 set thread context of 900 | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe |
Enumerates physical storage devices
Program crash
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
"C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
"C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5068 -ip 5068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2036
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 2036
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | tcp | |
| US | 52.168.117.170:443 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
Files
memory/5068-130-0x0000000000880000-0x0000000000CC0000-memory.dmp
memory/5068-131-0x00000000055F0000-0x000000000568C000-memory.dmp
memory/5060-132-0x0000000000000000-mapping.dmp
memory/5068-133-0x0000000006420000-0x00000000069C4000-memory.dmp
memory/2728-134-0x0000000000000000-mapping.dmp
memory/1348-135-0x0000000000000000-mapping.dmp
memory/4404-136-0x0000000000000000-mapping.dmp
memory/4000-137-0x0000000000000000-mapping.dmp
memory/2728-138-0x0000000002F70000-0x0000000002FA6000-memory.dmp
memory/1348-139-0x00000000059C0000-0x0000000005FE8000-memory.dmp
memory/2728-140-0x00000000057C0000-0x00000000057E2000-memory.dmp
memory/2728-142-0x0000000006130000-0x0000000006196000-memory.dmp
memory/1348-141-0x0000000005730000-0x0000000005796000-memory.dmp
memory/1348-143-0x0000000006680000-0x000000000669E000-memory.dmp
memory/4404-144-0x00000000060E0000-0x0000000006112000-memory.dmp
memory/4000-148-0x0000000070370000-0x00000000703BC000-memory.dmp
memory/4404-149-0x00000000060C0000-0x00000000060DE000-memory.dmp
memory/1348-147-0x0000000070370000-0x00000000703BC000-memory.dmp
memory/4404-146-0x0000000070370000-0x00000000703BC000-memory.dmp
memory/2728-145-0x0000000070370000-0x00000000703BC000-memory.dmp
memory/4404-150-0x0000000007460000-0x0000000007ADA000-memory.dmp
memory/4000-151-0x0000000007830000-0x000000000784A000-memory.dmp
memory/4404-152-0x0000000006E90000-0x0000000006E9A000-memory.dmp
memory/2728-153-0x0000000007E20000-0x0000000007EB6000-memory.dmp
memory/4404-154-0x0000000007050000-0x000000000705E000-memory.dmp
memory/4000-155-0x0000000007B70000-0x0000000007B8A000-memory.dmp
memory/4000-156-0x0000000007B50000-0x0000000007B58000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ed25c55987b96515e185ba5be6bc0db6 |
| SHA1 | fd4a4ac80ecad033ca0f07cccf782e29c0474e4a |
| SHA256 | 120d186fc14d99fcdb074049a0f2ebcdd02720f14598bc3a03d8e24bbbebd8c1 |
| SHA512 | a0a671cbb42f597513cccff57cfe38e2d78ef5c8d7e85f1e087a776304a46727e86efec8ad5e3f487e778fdb479c8413fadfb80218c9455e87a3968cbe31a2b4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e0c5b1ab9d2fadf3525874b62e5efcb5 |
| SHA1 | 74ab0f49febfa7a828844ae802232f2c862289d2 |
| SHA256 | f7a6fdceabe9aa6697f08ebed8c89e97f072512b8cc3a1a8445c058c3241c556 |
| SHA512 | 89cadac46bbcb90ddef664535457f146092e88bb5329c00fed574bcbfa0c4cedd070b272cd372a01e7ab2cd0674b03ee43949377a0289e8658b24d9c66f0acb0 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 39f78f240ee7326700553ae5ce89683b |
| SHA1 | 988cff637774b2255d584b2fdc248a34bc5b04af |
| SHA256 | d2003f5480c04de65fba62d583aa9687ade6048025aeb2fca92d8cb66c3a9f08 |
| SHA512 | 4b7489132933af803338533929e01c9efd13cb6462bcc2608b1bf59f1912375db576ce2b578b43b081e4e41f3e8ba0808072bd77744e9c3082d082d239fe4e69 |
memory/900-162-0x0000000000000000-mapping.dmp
memory/900-163-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/900-164-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/900-165-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/900-166-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1448-167-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-08 06:13
Reported
2022-05-08 09:10
Platform
win7-20220414-en
Max time kernel
147s
Max time network
158s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe\"" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 780 set thread context of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
"C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe" -Force
C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe
"C:\Users\Admin\AppData\Local\Temp\d7c23da50a0ae8ebcdf3bc384e6498d09264bb051877e44840903f9039e45125.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 1840
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | omglunie.hopto.org | udp |
| MA | 41.143.20.233:4777 | omglunie.hopto.org | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | omglunie.hopto.org | udp |
| MA | 41.143.20.233:4777 | omglunie.hopto.org | tcp |
Files
memory/780-54-0x000000000F270000-0x000000000F6B0000-memory.dmp
memory/780-55-0x0000000076531000-0x0000000076533000-memory.dmp
memory/968-56-0x0000000000000000-mapping.dmp
memory/780-57-0x0000000004B60000-0x0000000004F70000-memory.dmp
memory/1840-61-0x0000000000000000-mapping.dmp
memory/524-63-0x0000000000000000-mapping.dmp
memory/1588-59-0x0000000000000000-mapping.dmp
memory/1728-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 3533292edb8d69a6cb99b664126761f9 |
| SHA1 | a1e39a951fb8c856bb305277c5ffbce6f0876892 |
| SHA256 | a8a0eb5bb2d52ca08a23b8f712b0063e4a3598ad5b4e9529d657242b8e06f646 |
| SHA512 | 1e4654ad4716b82546efdf76d77610e30cf07cbdffa8dc23de95e574ef904eed7a71988d32a92e7a4422b737373441125328d6fa74e2831dee8a241b8ce6dec8 |
memory/1588-67-0x000000006F5D0000-0x000000006FB7B000-memory.dmp
memory/524-68-0x000000006F5D0000-0x000000006FB7B000-memory.dmp
memory/1728-69-0x000000006F5D0000-0x000000006FB7B000-memory.dmp
memory/1840-70-0x000000006F5D0000-0x000000006FB7B000-memory.dmp
memory/1960-71-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-72-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-74-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-76-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-78-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-80-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-81-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-83-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-85-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1960-86-0x0000000000620E0E-mapping.dmp
memory/1960-88-0x0000000000400000-0x00000000007FF000-memory.dmp
memory/1664-89-0x0000000000000000-mapping.dmp
memory/1960-90-0x0000000000400000-0x00000000007FF000-memory.dmp