Malware Analysis Report

2024-10-19 08:46

Sample ID 220520-3w5brscecp
Target bcb30c2233345ccc3769c21dbfdecb20ec43339517204720f310ccfec29fe49a
SHA256 bcb30c2233345ccc3769c21dbfdecb20ec43339517204720f310ccfec29fe49a
Tags: masslogger, spyware, stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: bcb30c2233345ccc3769c21dbfdecb20ec43339517204720f310ccfec29fe49a

Threat Level: Known bad

The file bcb30c2233345ccc3769c21dbfdecb20ec43339517204720f310ccfec29fe49a was found to be: Known bad.

Malicious Activity Summary

masslogger spyware stealer

MassLogger

MassLogger Main Payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-05-20 23:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-05-20 23:52
Reported: 2022-05-21 06:05
Platform: win7-20220414-en
Max time kernel: 110s
Max time network: 65s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target | Occurrences
N/A | N/A | N/A | N/A | 6

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1100 set thread context of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\VideoLAN\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 1100 wrote to memory of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | 9
PID 2028 wrote to memory of 1944 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2028 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1944 wrote to memory of 1888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 4
PID 1924 wrote to memory of 1680 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 1924 wrote to memory of 1096 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\VideoLAN\vlc.exe | 4
PID 1096 wrote to memory of 1212 | N/A | C:\Users\Admin\VideoLAN\vlc.exe | C:\Users\Admin\VideoLAN\vlc.exe | 4
PID 1096 wrote to memory of 472 | N/A | C:\Users\Admin\VideoLAN\vlc.exe | C:\Users\Admin\VideoLAN\vlc.exe | 4
PID 1096 wrote to memory of 456 | N/A | C:\Users\Admin\VideoLAN\vlc.exe | C:\Users\Admin\VideoLAN\vlc.exe | 4
PID 1096 wrote to memory of 544 | N/A | C:\Users\Admin\VideoLAN\vlc.exe | C:\Users\Admin\VideoLAN\vlc.exe | 4
PID 1096 wrote to memory of 316 | N/A | C:\Users\Admin\VideoLAN\vlc.exe | C:\Users\Admin\VideoLAN\vlc.exe | 4

Every ordinary parent/child pair in this run shows the same small count (4 writes). The 1100 to 2028 pair is the one to focus on: it has more writes, the parent and child are the same image, and it is the only pair that also appears under "Suspicious use of SetThreadContext", which together is the write-then-redirect-thread pattern of injecting a payload into a fresh copy of the sample's own process.

Processes

Tree reconstructed from the parent/child pairs in the WriteProcessMemory table above (the report lists command lines without PIDs; the PIDs are matched through those pairs). "{path}" is the literal command line the sandbox recorded for that child. cmd.exe, schtasks.exe and timeout.exe run from SysWOW64 although System32 was requested, because the sample is 32-bit and subject to WoW64 file-system redirection.

PID 1100  C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
          "C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"
  PID 2028  C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
            "{path}"
    PID 1944  C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
      PID 1888  C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
    PID 1924  C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.bat""
      PID 1680  C:\Windows\SysWOW64\timeout.exe
                timeout 3
      PID 1096  C:\Users\Admin\VideoLAN\vlc.exe
                "C:\Users\Admin\VideoLAN\vlc.exe"
        PID 1212  C:\Users\Admin\VideoLAN\vlc.exe
                  "{path}"
        PID 472   C:\Users\Admin\VideoLAN\vlc.exe
                  "{path}"
        PID 456   C:\Users\Admin\VideoLAN\vlc.exe
                  "{path}"
        PID 544   C:\Users\Admin\VideoLAN\vlc.exe
                  "{path}"
        PID 316   C:\Users\Admin\VideoLAN\vlc.exe
                  "{path}"

The scheduled task is named vlc.exe, runs at logon with the highest available run level, and points at a copy of the sample in the user's profile rather than a VideoLAN install directory. The contents of tmpF613.tmp.bat are not included in this report; its effect (a 3-second timeout, then launching the persisted copy) is inferred from the children of PID 1924.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.ipify.org | udp
US | 3.232.242.170:80 | api.ipify.org | tcp

Files

memory/1100-54-0x00000000010C0000-0x00000000011DC000-memory.dmp

memory/1100-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

memory/1100-56-0x00000000004D0000-0x00000000004E0000-memory.dmp

memory/1100-57-0x0000000005970000-0x0000000005A26000-memory.dmp

memory/1100-58-0x0000000005BD0000-0x0000000005C94000-memory.dmp

memory/2028-59-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/2028-62-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/2028-60-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/2028-65-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/2028-64-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/2028-66-0x00000000004B318E-mapping.dmp

memory/2028-70-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/2028-68-0x0000000000400000-0x00000000004C4000-memory.dmp

memory/2028-71-0x0000000000E40000-0x0000000000EB8000-memory.dmp

memory/1944-73-0x0000000000000000-mapping.dmp

memory/1924-74-0x0000000000000000-mapping.dmp

memory/2028-75-0x0000000004EF5000-0x0000000004F06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.bat

MD5 e53585d93bf0fd9bd247231372ad1daa
SHA1 bdf2455a73e4d9f6f4545c64469962a11b0416b9
SHA256 2f1f1a6ff5b37da166d6afb8b0c07c9f4bc95fd8d7b325ffa91b587fdf077409
SHA512 39e2689ec48eecf0a423ef975c826281a1bd6294889a08aa6dd0972ee6f7b1c96d6753c379c648ee50e25b7b7207de9cc62a19f624dd4e2689b9670c19e944de

memory/1680-78-0x0000000000000000-mapping.dmp

memory/1888-77-0x0000000000000000-mapping.dmp

\Users\Admin\VideoLAN\vlc.exe

MD5 9d1676055eebd75eb7abd7a09528776f
SHA1 da284df615ccefcf583175ec88ea887fc1d769b2
SHA256 b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4
SHA512 74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

C:\Users\Admin\VideoLAN\vlc.exe (7 identical entries in this run, same hashes each time)

MD5 9d1676055eebd75eb7abd7a09528776f
SHA1 da284df615ccefcf583175ec88ea887fc1d769b2
SHA256 b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4
SHA512 74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

memory/1096-81-0x0000000000000000-mapping.dmp

memory/1096-83-0x0000000000340000-0x000000000045C000-memory.dmp

The persisted copy's SHA256 (b045f558...) is not the submitted sample's (bcb30c22...), so an indicator list built from the submitted hash alone would miss the file the scheduled task actually runs; hunt on the VideoLAN path under the user profile and on the task name as well as on both hashes.

Analysis: behavioral2

Detonation Overview

Submitted: 2022-05-20 23:52
Reported: 2022-05-21 06:05
Platform: win10v2004-20220414-en
Max time kernel: 131s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\VideoLAN\vlc.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3420 set thread context of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Occurrences
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | N/A | 29
N/A | N/A | C:\Users\Admin\VideoLAN\vlc.exe | N/A | 3

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\VideoLAN\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Occurrences
PID 3420 wrote to memory of 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | 8
PID 2876 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2876 wrote to memory of 3744 | N/A | C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 2776 wrote to memory of 4600 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe | 3
PID 3744 wrote to memory of 3232 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 3
PID 3744 wrote to memory of 1460 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\VideoLAN\vlc.exe | 3

Processes

Tree reconstructed from the parent/child pairs in the WriteProcessMemory table above; PIDs are matched to the report's command lines through those pairs, and "{path}" is the literal command line recorded for the injected child. On Windows 10 the persisted vlc.exe (PID 1460) has no same-image children within the 131 s kernel window, unlike the win7 run.

PID 3420  C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
          "C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"
  PID 2876  C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
            "{path}"
    PID 2776  C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"' & exit
      PID 4600  C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'
    PID 3744  C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEFFD.tmp.bat""
      PID 3232  C:\Windows\SysWOW64\timeout.exe
                timeout 3
      PID 1460  C:\Users\Admin\VideoLAN\vlc.exe
                "C:\Users\Admin\VideoLAN\vlc.exe"
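The process trees of both behavioral runs (win7 above under behavioral1, win10 here) have the same shape: the sample writes into a fresh copy of itself and redirects its thread, the copy uses cmd.exe to register a logon task pointing into the user profile, and a temp .bat delays and relaunches the persisted copy. The script below is an added example, not part of the sandbox report or the vendor's tooling. It rebuilds the tree from the distinct rows of the win7 run's WriteProcessMemory and SetThreadContext tables (constructed input copied from this page) and flags those three behaviours from the same evidence an EDR would have (parent/child links, thread-context changes, command lines). Assumptions, all mine: the command lines are matched to PIDs through the parent/child links rather than read from the report, which prints them without PIDs; the USER_WRITABLE prefixes define what counts as a user-controlled task target; and the row regex matches this report's row format only.

```python
"""Process-tree reconstruction and three detections over the rows of this report
(constructed input: one row per distinct edge of the win7/behavioral1 tables)."""
import re
from collections import defaultdict

WPM_ROWS = r"""
PID 1100 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe
PID 2028 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe C:\Windows\SysWOW64\cmd.exe
PID 2028 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe C:\Windows\SysWOW64\cmd.exe
PID 1944 wrote to memory of 1888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 1924 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1924 wrote to memory of 1096 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 1096 wrote to memory of 1212 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 1096 wrote to memory of 472 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 1096 wrote to memory of 456 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 1096 wrote to memory of 544 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
PID 1096 wrote to memory of 316 N/A C:\Users\Admin\VideoLAN\vlc.exe C:\Users\Admin\VideoLAN\vlc.exe
"""
CTX_ROWS = r"""PID 1100 set thread context of 2028 N/A C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"""
TASK = r"""schtasks /create /f /sc onlogon /rl highest /tn vlc.exe /tr '"C:\Users\Admin\VideoLAN\vlc.exe"'"""
# Assumption: command lines are matched to PIDs through the parent/child links in WPM_ROWS.
CMDLINES = {
    1100: r'"C:\Users\Admin\AppData\Local\Temp\AUG10TH_.exe"',
    2028: '"{path}"',  # command line the sandbox recorded for the injected child
    1944: r'"C:\Windows\System32\cmd.exe" /c ' + TASK + " & exit",
    1924: r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF613.tmp.bat""',
    1888: TASK,
    1680: "timeout 3",
    1096: r'"C:\Users\Admin\VideoLAN\vlc.exe"',
    1212: '"{path}"', 472: '"{path}"', 456: '"{path}"', 544: '"{path}"', 316: '"{path}"',
}
ROW_RE = re.compile(r"PID (\d+) (?:wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)")
# Assumption: a task whose binary lives under one of these prefixes can be replaced by the user.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")

def parse_rows(text):
    """Ordered, de-duplicated (src_pid, dst_pid, src_image, dst_image) tuples."""
    rows = []
    for m in ROW_RE.finditer(text):
        row = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if row not in rows:
            rows.append(row)
    return rows

def build_tree(rows):
    """children[pid] -> child pids in first-seen order; images[pid] -> image path."""
    children, images = defaultdict(list), {}
    for src, dst, src_img, dst_img in rows:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
    return children, images

def render_tree(children, images, cmdlines, root, depth=0):
    lines = [f"{'  ' * depth}{root} {images[root]}  {cmdlines.get(root, '')}"]
    for child in children.get(root, []):
        lines += render_tree(children, images, cmdlines, child, depth + 1)
    return lines

def find_self_injection(wpm, ctx):
    """Parent writes into a same-image child and also sets its thread context."""
    ctx_pairs = {(s, d) for s, d, _, _ in ctx}
    return [(s, d, si) for s, d, si, di in wpm if si.lower() == di.lower() and (s, d) in ctx_pairs]

def find_logon_persistence(cmdlines):
    """schtasks /create with an onlogon trigger, highest run level and a user-writable /tr target."""
    hits = []
    for pid, cmd in cmdlines.items():
        low = cmd.lower()
        if "schtasks" not in low or "/create" not in low:
            continue
        m = re.search(r"/tr\s+['\"]*([^'\"]+)", cmd, re.I)
        target = m.group(1).strip() if m else ""
        if "/sc onlogon" in low and "/rl highest" in low and target.lower().startswith(USER_WRITABLE):
            hits.append((pid, target))
    return hits

def find_delayed_relaunch(children, images, cmdlines):
    """cmd.exe running a temp .bat whose children are timeout.exe plus a binary outside the Windows directory."""
    hits = []
    for pid, cmd in cmdlines.items():
        kids = [images[c].lower() for c in children.get(pid, [])]
        if ".tmp.bat" in cmd.lower() and any(k.endswith("\\timeout.exe") for k in kids):
            payloads = [k for k in kids if not k.startswith("c:\\windows\\")]
            if payloads:
                hits.append((pid, payloads))
    return hits

def analyze(wpm_text=WPM_ROWS, ctx_text=CTX_ROWS, cmdlines=CMDLINES):
    wpm, ctx = parse_rows(wpm_text), parse_rows(ctx_text)
    children, images = build_tree(wpm)
    targets = {d for _, d, _, _ in wpm}
    roots = list(dict.fromkeys(s for s, _, _, _ in wpm if s not in targets))
    tree = [line for root in roots for line in render_tree(children, images, cmdlines, root)]
    return {"tree": tree, "self_injection": find_self_injection(wpm, ctx),
            "persistence": find_logon_persistence(cmdlines),
            "delayed_relaunch": find_delayed_relaunch(children, images, cmdlines)}
```

Calling analyze() with no arguments uses the embedded win7 rows and prints nothing; join result["tree"] with newlines to see the tree. For the win10 run, pass its rows and a cmdlines dict keyed by 3420, 2876, 2776, 4600, 3744, 3232 and 1460. The win7 data yields exactly one SetThreadContext-backed pair (1100 into 2028) even though vlc.exe (1096) also writes into five same-image children; without a SetThreadContext row those show up only in the tree, which is why the two signals are kept separate rather than alerting on WriteProcessMemory alone.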

Network

Country | Destination | Domain | Proto
US | 104.208.16.90:443 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 93.184.220.29:80 | - | tcp
US | 93.184.221.240:80 | - | tcp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 52.20.78.240:80 | api.ipify.org | tcp

Only the api.ipify.org connections are tied to the sample by a signature (Looks up external IP address via web service); the rows with no recorded domain are not attributed to any process on this page. The ipify address differs from the win7 run (3.232.242.170 there, 52.20.78.240 here), so pivot on the hostname rather than the IP.

Files

memory/3420-130-0x0000000000460000-0x000000000057C000-memory.dmp

memory/3420-131-0x0000000005790000-0x0000000005D34000-memory.dmp

memory/3420-132-0x0000000005380000-0x0000000005412000-memory.dmp

memory/3420-133-0x00000000050B0000-0x00000000050BA000-memory.dmp

memory/3420-134-0x000000000D750000-0x000000000D7EC000-memory.dmp

memory/2876-135-0x0000000000000000-mapping.dmp

memory/2876-136-0x0000000000400000-0x00000000004C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AUG10TH_.exe.log

MD5 400f1cc1a0a0ce1cdabda365ab3368ce
SHA1 1ecf683f14271d84f3b6063493dce00ff5f42075
SHA256 c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA512 14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

memory/2876-138-0x0000000005880000-0x00000000058E6000-memory.dmp

memory/2776-139-0x0000000000000000-mapping.dmp

memory/3744-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEFFD.tmp.bat

MD5 f70f5da3d2b5978d5567881265efe045
SHA1 d8680f7f8a9f4d1264c9290a917a8b75846a63a0
SHA256 718c49ac5e7d45a04777194d58361e19710c9f6bb4e2ee0fde573b23e098015f
SHA512 9afde5aefa6c1555c56631a433467840b3dac52d9940b6589a71a1fd9aa8f8e65f79cfcf29c3a966097b0f89dd206aa46d144f5efa0f43a6eb05b9143e4c26f8

memory/4600-142-0x0000000000000000-mapping.dmp

memory/3232-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\VideoLAN\vlc.exe

MD5 9d1676055eebd75eb7abd7a09528776f
SHA1 da284df615ccefcf583175ec88ea887fc1d769b2
SHA256 b045f558a43c37201a204a240bd09b7da12735958ad5c8d317feff0044d132c4
SHA512 74197863ee985f7e974d794f3038dfe8bb4e1973107e424a06ed801c63b32a4e1fd2dd9be172343b8040bb663eaf5cb04a1b6659fa36b734d07a2e30547fb8fc

memory/1460-144-0x0000000000000000-mapping.dmp