Analysis Overview
SHA256
f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e
Threat Level: Known bad
The file f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Turns off Windows Defender SpyNet reporting
BitRAT
Modifies Windows Defender Real-time Protection settings
BitRAT Payload
Windows security bypass
UPX packed file
Windows security modification
Drops startup file
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-08 07:30
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-08 07:30
Reported
2022-05-08 10:31
Platform
win7-20220414-en
Max time kernel
170s
Max time network
198s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe\"" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Windows security bypass
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2024 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
"C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
"C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 1352
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | omglunie.hopto.org | udp |
| MA | 41.143.20.233:4777 | omglunie.hopto.org | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
Files
memory/2024-54-0x000000000F8C0000-0x000000000FADA000-memory.dmp
memory/2024-55-0x00000000765F1000-0x00000000765F3000-memory.dmp
memory/1744-56-0x0000000000000000-mapping.dmp
memory/2024-57-0x0000000004DB0000-0x0000000004F9C000-memory.dmp
memory/1288-58-0x0000000000000000-mapping.dmp
memory/1096-59-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c0fb8fdae68d5c81d305b649333a84e5 |
| SHA1 | e7a77ef57e1d8ec42f4bcc48436d08f4dcfaa85e |
| SHA256 | 0dacd23f0a9494d130852841b7ed8cdd0b8b3a33f8f52f695db807bbe5e876f7 |
| SHA512 | 05878de9298ff97fed97a9d394cbb5f53576518461249a50c48f24d6615d0c3a9c7668d132e4d7a1433be9534d47e6503acac0eb32e003a77c06430280b023ef |
memory/1480-63-0x0000000000000000-mapping.dmp
memory/872-64-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c0fb8fdae68d5c81d305b649333a84e5 |
| SHA1 | e7a77ef57e1d8ec42f4bcc48436d08f4dcfaa85e |
| SHA256 | 0dacd23f0a9494d130852841b7ed8cdd0b8b3a33f8f52f695db807bbe5e876f7 |
| SHA512 | 05878de9298ff97fed97a9d394cbb5f53576518461249a50c48f24d6615d0c3a9c7668d132e4d7a1433be9534d47e6503acac0eb32e003a77c06430280b023ef |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c0fb8fdae68d5c81d305b649333a84e5 |
| SHA1 | e7a77ef57e1d8ec42f4bcc48436d08f4dcfaa85e |
| SHA256 | 0dacd23f0a9494d130852841b7ed8cdd0b8b3a33f8f52f695db807bbe5e876f7 |
| SHA512 | 05878de9298ff97fed97a9d394cbb5f53576518461249a50c48f24d6615d0c3a9c7668d132e4d7a1433be9534d47e6503acac0eb32e003a77c06430280b023ef |
memory/1288-69-0x000000006FCC0000-0x000000007026B000-memory.dmp
memory/1096-70-0x000000006FCC0000-0x000000007026B000-memory.dmp
memory/1480-71-0x000000006FCC0000-0x000000007026B000-memory.dmp
memory/872-72-0x000000006FCC0000-0x000000007026B000-memory.dmp
memory/1668-73-0x0000000000400000-0x000000000081E000-memory.dmp
memory/1668-74-0x0000000000400000-0x000000000081E000-memory.dmp
memory/1668-76-0x0000000000400000-0x000000000081E000-memory.dmp
memory/1668-77-0x0000000000400000-0x000000000081E000-memory.dmp
memory/1668-79-0x0000000000400000-0x000000000081E000-memory.dmp
memory/1668-80-0x0000000000805D30-mapping.dmp
memory/1668-81-0x0000000000400000-0x000000000081E000-memory.dmp
memory/1668-82-0x0000000000400000-0x000000000081E000-memory.dmp
memory/1668-83-0x0000000000400000-0x000000000081E000-memory.dmp
memory/980-84-0x0000000000000000-mapping.dmp
memory/1668-86-0x0000000000400000-0x000000000081E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-08 07:30
Reported
2022-05-08 10:29
Platform
win10v2004-20220414-en
Max time kernel
163s
Max time network
170s
Command Line
Signatures
BitRAT
BitRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe\"" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "0" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4180 set thread context of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
"C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe" -Force
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
"C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
"C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
"C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe
"C:\Users\Admin\AppData\Local\Temp\f993f006b0712bbfd2fa2ea4d0d56acc1c28563ff6146101406562fe1e2bb97e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4180 -ip 4180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 1580
Network
| Country | Destination | Domain | Proto |
| US | 8.253.135.241:80 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 20.189.173.12:443 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 104.110.191.140:80 | tcp | |
| NL | 178.79.208.1:80 | tcp | |
| US | 8.8.8.8:53 | omglunie.hopto.org | udp |
| MA | 41.143.20.233:4777 | omglunie.hopto.org | tcp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | omglunie.hopto.org | udp |
| MA | 41.143.20.233:4777 | omglunie.hopto.org | tcp |
| US | 34.117.59.81:443 | myexternalip.com | tcp |
Files
memory/4180-130-0x0000000000370000-0x000000000058A000-memory.dmp
memory/4180-131-0x0000000004EE0000-0x0000000004F7C000-memory.dmp
memory/3084-132-0x0000000000000000-mapping.dmp
memory/4180-133-0x0000000005A90000-0x0000000006034000-memory.dmp
memory/4344-134-0x0000000000000000-mapping.dmp
memory/3516-135-0x0000000000000000-mapping.dmp
memory/2116-137-0x0000000000000000-mapping.dmp
memory/4344-136-0x00000000022B0000-0x00000000022E6000-memory.dmp
memory/4344-139-0x0000000004E80000-0x00000000054A8000-memory.dmp
memory/2088-138-0x0000000000000000-mapping.dmp
memory/4344-140-0x0000000004BE0000-0x0000000004C02000-memory.dmp
memory/3516-141-0x0000000005340000-0x00000000053A6000-memory.dmp
memory/4344-142-0x0000000005520000-0x0000000005586000-memory.dmp
memory/4344-143-0x0000000005B90000-0x0000000005BAE000-memory.dmp
memory/4560-144-0x0000000000000000-mapping.dmp
memory/4748-145-0x0000000000000000-mapping.dmp
memory/2756-146-0x0000000000000000-mapping.dmp
memory/2032-147-0x0000000000000000-mapping.dmp
memory/2032-148-0x0000000000400000-0x000000000081E000-memory.dmp
memory/2032-149-0x0000000000400000-0x000000000081E000-memory.dmp
memory/2116-151-0x00000000065E0000-0x0000000006612000-memory.dmp
memory/2116-155-0x000000006F4F0000-0x000000006F53C000-memory.dmp
memory/2032-154-0x0000000000400000-0x000000000081E000-memory.dmp
memory/4344-156-0x0000000006130000-0x000000000614E000-memory.dmp
memory/2088-157-0x000000006F4F0000-0x000000006F53C000-memory.dmp
memory/3516-153-0x000000006F4F0000-0x000000006F53C000-memory.dmp
memory/4344-152-0x000000006F4F0000-0x000000006F53C000-memory.dmp
memory/2032-150-0x0000000000400000-0x000000000081E000-memory.dmp
memory/3516-158-0x0000000007B60000-0x00000000081DA000-memory.dmp
memory/3516-159-0x0000000007510000-0x000000000752A000-memory.dmp
memory/2032-160-0x0000000000400000-0x000000000081E000-memory.dmp
memory/4344-161-0x0000000005FA0000-0x0000000005FAA000-memory.dmp
memory/2116-162-0x00000000075B0000-0x0000000007646000-memory.dmp
memory/2088-163-0x0000000007540000-0x000000000754E000-memory.dmp
memory/4344-164-0x00000000071F0000-0x000000000720A000-memory.dmp
memory/2088-165-0x0000000007630000-0x0000000007638000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 4a38d5b0b02b758b2880578f7b5f9f7b |
| SHA1 | 08219944009c483e3674240ebe75555c6d0f6e8c |
| SHA256 | b211519273748838dcc66e92727385a9f91c270987e014348511fd28f61669d9 |
| SHA512 | 8218cbe01f72ac490264fbf6ec030450f6b20c88e7eb3d0d3f27333bbd04059d4962393d20a76a9b1324c57dd21ca427c632010c83804a6844b09e9082de72a9 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d51ca9e06574c673490e81c52ff7a38f |
| SHA1 | 43bb7f11f917ca94c75f785fd8abfc078c7d795b |
| SHA256 | 287f0cd71a4dcde2cd52bb3629f2f1ef6203cfd04929d2f5694486b1e435b471 |
| SHA512 | a260768d2078fbd648e2c4faa18a66a020ee33d5e3f2d28e5b66d954c61d3dded6b05ff9c91bb40f7a2f739a2d626638d98b3c00caa7bb2475138f3e20790868 |