Malware Analysis Report

2024-11-16 13:09

Sample ID 220527-yn9jasegaj
Target 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5
SHA256 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5
Tags
limerat rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5

Threat Level: Known bad

The file 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5 was found to be: Known bad.

Malicious Activity Summary

limerat rat

LimeRAT

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

NTFS ADS

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-27 19:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-27 19:57

Reported

2022-05-27 21:03

Platform

win7-20220414-en

Max time kernel

147s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erttry.exe.lnk C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 960 set thread context of 320 N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 960 wrote to memory of 1952 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1732 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 1156 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 960 wrote to memory of 320 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 960 wrote to memory of 432 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 432 wrote to memory of 2040 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe

"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe" "%appdata%\ertyrtr\erttry.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\ertyrtr\erttry.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "%appdata%\ertyrtr\erttry.exe.jpg" erttry.exe

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300
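The seven command lines above are the entire dropper routine: copy itself into %appdata%\ertyrtr, stamp the copy's Zone.Identifier stream, rename the .jpg-disguised copy to .exe, start a lookalike svhost.exe (which PID 960 then targets with SetThreadContext and repeated WriteProcessMemory, the classic hollowing pattern), run a .bat from Roaming, and sleep 300 s. Two details matter for detection: the ADS write and the file operations are done by cmd.exe children, so a rule keyed on the dropper's image name misses them and has to look at cmd.exe command lines instead; and the dropped svhost.exe has a different hash in each run (9af17c83... in behavioral1, 8fdf47e0... in behavioral2), so only erttry.exe, a byte-identical copy of the sample, is a stable file-hash IOC. The Python below is an added example, not sandbox code: it re-implements those checks over the command lines copied from this section. The rule names, the 60 s delay threshold and the list of system binary names used for the lookalike check are assumptions. Note that the sample writes the stream as one line ("[zoneTransfer]ZoneID = 2 ") rather than the usual section line followed by a key line; the parser accepts both, and this report does not show whether Windows honours the one-line form.

```python
"""Detection logic for the dropper's command lines recorded above.

Added example for this report, not the sandbox's own code.  CMDLINES is
copied from the behavioral1 Processes section; DELAY_THRESHOLD, the rule
names and SYSTEM_NAMES are assumptions chosen for illustration.
"""
import re

# Constructed input: the seven command lines from the Processes section, in order.
CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"',
    r'"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe" "%appdata%\ertyrtr\erttry.exe" /Y',
    r'"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\ertyrtr\erttry.exe:Zone.Identifier',
    r'"C:\Windows\System32\cmd.exe" /c ren "%appdata%\ertyrtr\erttry.exe.jpg" erttry.exe',
    r'"C:\Users\Admin\AppData\Local\Temp\svhost.exe"',
    r'cmd /c C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat',
    r'timeout /t 300',
]

# URLZONE values as stored in a Zone.Identifier stream.
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
# Assumed list of system binaries whose names malware imitates (svhost vs svchost).
SYSTEM_NAMES = ["svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"]
DELAY_THRESHOLD = 60  # seconds; assumed cut-off for "sleep to outlast the sandbox"

ADS_ECHO = re.compile(r'echo\s+(?P<body>.*?)\s*>\s*(?P<path>\S+):Zone\.Identifier', re.I)
SELF_COPY = re.compile(r'\bcopy\s+"(?P<src>[^"]+)"\s+"(?P<dst>%appdata%[^"]+)"', re.I)
UNMASK = re.compile(r'\bren\s+"(?P<src>[^"]+\.(?:jpg|png|txt|dat))"\s+(?P<dst>\S+\.exe)', re.I)
DELAY = re.compile(r'\btimeout(?:\.exe)?\s+/t\s+(?P<secs>\d+)', re.I)
BAT_RUN = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+(?P<bat>\S+\\AppData\\Roaming\\\S+\.bat)', re.I)
EXE_IMAGE = re.compile(r'^"?(?P<image>[A-Za-z]:\\[^"\s]+\.exe)"?', re.I)


def parse_zone_id(stream_text):
    """ZoneId from a Zone.Identifier stream, or None.  Accepts the normal
    two-line "[ZoneTransfer]\\r\\nZoneId=N" layout and the one-line variant
    this sample writes with a single echo."""
    m = re.search(r'\[ZoneTransfer\]\s*ZoneId\s*=\s*(\d)', stream_text, re.I)
    return int(m.group(1)) if m else None


def levenshtein(a, b):
    """Plain edit distance; enough for one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_name(image):
    """Flag an image whose file name is, or is one edit away from, a system
    binary name; an exact match only counts when it runs outside \\Windows\\."""
    name = image.rsplit("\\", 1)[-1].lower()
    in_windows = "\\windows\\" in image.lower()
    for legit in SYSTEM_NAMES:
        dist = levenshtein(name, legit)
        if dist == 0 and not in_windows:
            return f"{name} running outside a Windows directory: {image}"
        if dist == 1:
            return f"{name} is one edit from {legit}: {image}"
    return None


def analyze(cmdlines):
    """Return (rule, detail) pairs, in the order the command lines appear."""
    findings = []
    for line in cmdlines:
        if m := ADS_ECHO.search(line):
            zone = parse_zone_id(m.group("body"))
            findings.append(("motw_tamper",
                             f"{m.group('path')} ZoneId={zone} ({ZONE_NAMES.get(zone, 'unparsed')})"))
        if m := SELF_COPY.search(line):
            findings.append(("copy_to_appdata", f"{m.group('src')} -> {m.group('dst')}"))
        if m := UNMASK.search(line):
            findings.append(("rename_to_exe", f"{m.group('src')} -> {m.group('dst')}"))
        if (m := DELAY.search(line)) and int(m.group("secs")) >= DELAY_THRESHOLD:
            findings.append(("sandbox_delay", f"timeout /t {m.group('secs')}"))
        if m := BAT_RUN.search(line):
            findings.append(("bat_from_roaming", m.group("bat")))
        if (m := EXE_IMAGE.match(line)) and (note := lookalike_name(m.group("image"))):
            findings.append(("lookalike_image", note))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(CMDLINES):
        print(f"{rule:18s} {detail}")
```

Run against the seven lines it yields six findings, one per cmd.exe/timeout/svhost line and none for the dropper's own launch, which is the point: the dropper keeps its own command line clean and pushes every noisy action into short-lived children.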

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
DE 193.161.193.99:44611 tcp (22 connections)
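The table records one row per connection, so the repeated 193.161.193.99:44611 entries are 22 separate TCP connects to a bare IP on a high port with no name ever resolved for it, and they start only after the pastebin.com lookup and TLS contact that the "Legitimate hosting services abused for malware hosting/C2" signature refers to; the report shows the contact, not what was fetched, so the paste's role as a dead-drop for the C2 address is an inference from the ordering. The script below is an added example, not sandbox code: it collapses the rows by endpoint, raises the two findings a triage analyst would want from this table, and decodes the in-addr.arpa query that behavioral2 logged (its target, 52.242.101.226, does not appear among the connections). The rows are copied from this table; the dead-drop domain list, the well-known-port set and the 10-connection threshold are assumptions.

```python
"""Collapse the per-connection rows of the Network table into endpoint summaries.

Added example for this report, not sandbox code.  BEHAVIORAL1_ROWS is the
Network table above (one tuple per printed row); DEAD_DROP_DOMAINS,
WELL_KNOWN_PORTS and BEACON_THRESHOLD are assumptions.
"""
from collections import defaultdict

# Constructed: (country, "ip:port", domain, proto), exactly as the table prints them.
BEHAVIORAL1_ROWS = [
    ("US", "8.8.8.8:53", "pastebin.com", "udp"),
    ("US", "172.67.34.170:443", "pastebin.com", "tcp"),
] + [("DE", "193.161.193.99:44611", "", "tcp")] * 22

DEAD_DROP_DOMAINS = {"pastebin.com"}   # assumed list; extend with other paste/hosting sites
WELL_KNOWN_PORTS = {53, 80, 443}       # assumed: ports where a bare IP is still plausible
BEACON_THRESHOLD = 10                  # assumed: repeated connects to one endpoint


def aggregate(rows):
    """Group rows by (ip, port, proto) -> {"count", "domains", "country"}."""
    agg = {}
    for country, dest, domain, proto in rows:
        ip, port = dest.rsplit(":", 1)
        entry = agg.setdefault((ip, int(port), proto),
                               {"count": 0, "domains": set(), "country": country})
        entry["count"] += 1
        if domain:
            entry["domains"].add(domain)
    return agg


def summarize(agg):
    """Collapsed table rows, busiest endpoint first, e.g. 'DE 193.161.193.99:44611 - tcp x22'."""
    lines = []
    for (ip, port, proto), e in sorted(agg.items(), key=lambda kv: -kv[1]["count"]):
        domains = ",".join(sorted(e["domains"])) or "-"
        lines.append(f"{e['country']} {ip}:{port} {domains} {proto} x{e['count']}")
    return lines


def classify(agg):
    """Two findings worth a second look: a paste-site contact, and many TCP
    connects to one bare IP on an unusual port with no name resolved for it."""
    findings = []
    by_domain = defaultdict(list)
    for key, e in agg.items():
        for d in e["domains"]:
            by_domain[d].append(key)
    for d in sorted(by_domain):
        if d in DEAD_DROP_DOMAINS:
            endpoints = ", ".join(f"{ip}:{port}/{proto}" for ip, port, proto in sorted(by_domain[d]))
            findings.append(("dead_drop_resolver", f"{d} via {endpoints}"))
    for (ip, port, proto), e in sorted(agg.items(), key=lambda kv: -kv[1]["count"]):
        if (proto == "tcp" and port not in WELL_KNOWN_PORTS
                and not e["domains"] and e["count"] >= BEACON_THRESHOLD):
            findings.append(("repeated_c2_connect",
                             f"{ip}:{port} {e['count']} connections, no DNS name resolved"))
    return findings


def ptr_target(qname):
    """IP behind a reverse-DNS query name (behavioral2 logged one such lookup)."""
    suffix = ".in-addr.arpa"
    if not qname.endswith(suffix):
        return None
    return ".".join(reversed(qname[: -len(suffix)].split(".")))


if __name__ == "__main__":
    agg = aggregate(BEHAVIORAL1_ROWS)
    print("\n".join(summarize(agg)))
    for rule, detail in classify(agg):
        print(f"{rule:22s} {detail}")
    print("reverse lookup target:", ptr_target("226.101.242.52.in-addr.arpa"))
```

The "no DNS name" condition is what separates this from ordinary HTTPS noise: a host that connects 22 times to an IP it never resolved has the address baked in or fetched out of band, which is exactly what the preceding paste-site contact would supply.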

Files

memory/960-54-0x0000000000ED0000-0x000000000100C000-memory.dmp

memory/960-55-0x0000000000210000-0x0000000000224000-memory.dmp

memory/960-56-0x0000000076571000-0x0000000076573000-memory.dmp

memory/1952-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe

MD5 e936a9268db132fc3b8ed65344ebf65b
SHA1 d08422c2de8389397020ef04941a30ec5d6d4afa
SHA256 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5
SHA512 fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa

memory/960-59-0x0000000072960000-0x0000000073CEF000-memory.dmp

memory/1732-60-0x0000000000000000-mapping.dmp

memory/1156-61-0x0000000000000000-mapping.dmp

memory/960-62-0x0000000071F50000-0x0000000072960000-memory.dmp

memory/960-63-0x0000000074560000-0x00000000746F4000-memory.dmp

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/320-65-0x0000000000400000-0x000000000040C000-memory.dmp

memory/320-66-0x0000000000400000-0x000000000040C000-memory.dmp

memory/320-68-0x0000000000400000-0x000000000040C000-memory.dmp

memory/320-73-0x0000000000400000-0x000000000040C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 9af17c8393f0970ee5136bd3ffa27001
SHA1 4b285b72c1a11285a25f31f2597e090da6bbc049
SHA256 71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019
SHA512 b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

memory/320-69-0x0000000000400000-0x000000000040C000-memory.dmp

memory/320-70-0x00000000004080CE-mapping.dmp

memory/320-75-0x0000000000400000-0x000000000040C000-memory.dmp

memory/960-77-0x0000000071230000-0x0000000071F4D000-memory.dmp

memory/432-78-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat

MD5 89fd02ba358befbfc6a5974bf4e73d37
SHA1 b337542e6424054be1f4497fafed0123a1883483
SHA256 28bc0f5cf086b8646094fe7b81276f1dd13e9cf6a474dc6737261faaf2430278
SHA512 d8524477ff1b831a5b1c8599094b6e74270af44a6aac64c91d5a6d07fce85580b41c9a33097fe19a7d01b067b0cabee2efb6fc1f3e6e2d85da3493dabacf1f21

memory/2040-80-0x0000000000000000-mapping.dmp

memory/960-81-0x0000000070A50000-0x0000000071230000-memory.dmp

memory/960-82-0x0000000074380000-0x0000000074551000-memory.dmp

memory/320-83-0x0000000071F50000-0x0000000072960000-memory.dmp

memory/320-84-0x0000000070A50000-0x0000000071230000-memory.dmp

memory/320-85-0x0000000074380000-0x0000000074551000-memory.dmp

memory/320-86-0x0000000072960000-0x0000000073CEF000-memory.dmp

memory/320-87-0x0000000070880000-0x00000000709A3000-memory.dmp

memory/960-88-0x0000000072960000-0x0000000073CEF000-memory.dmp

memory/960-90-0x0000000071F50000-0x0000000072960000-memory.dmp

memory/320-89-0x0000000074560000-0x00000000746F4000-memory.dmp

memory/960-91-0x0000000074380000-0x0000000074551000-memory.dmp

memory/320-92-0x0000000071230000-0x0000000071F4D000-memory.dmp

memory/960-93-0x0000000071230000-0x0000000071F4D000-memory.dmp

memory/320-95-0x0000000074240000-0x000000007433C000-memory.dmp

memory/320-96-0x000000006FFA0000-0x00000000706DE000-memory.dmp

memory/320-97-0x0000000071F50000-0x0000000072960000-memory.dmp

memory/320-98-0x0000000074380000-0x0000000074551000-memory.dmp

memory/320-99-0x0000000072960000-0x0000000073CEF000-memory.dmp

memory/320-100-0x0000000070880000-0x00000000709A3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-27 19:57

Reported

2022-05-27 21:04

Platform

win10v2004-20220414-en

Max time kernel

183s

Max time network

190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"

Signatures

LimeRAT

rat limerat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\erttry.exe.lnk C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4712 set thread context of 4152 N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

NTFS ADS

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe:Zone.Identifier C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4712 wrote to memory of 4220 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 3532 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 2688 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 4712 wrote to memory of 4152 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 4712 wrote to memory of 5076 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe C:\Windows\SysWOW64\cmd.exe
PID 5076 wrote to memory of 5072 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe

"C:\Users\Admin\AppData\Local\Temp\04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c copy "C:/Users/Admin/AppData/Local/Temp/04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5.exe" "%appdata%\ertyrtr\erttry.exe" /Y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %appdata%\ertyrtr\erttry.exe:Zone.Identifier

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ren "%appdata%\ertyrtr\erttry.exe.jpg" erttry.exe

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat

C:\Windows\SysWOW64\timeout.exe

timeout /t 300

Network

Country Destination Domain Proto
US 20.189.173.14:443 tcp
NL 104.110.191.140:80 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
DE 193.161.193.99:44611 tcp (4 connections)
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
DE 193.161.193.99:44611 tcp (13 connections)

Files

memory/4712-130-0x0000000000780000-0x00000000008BC000-memory.dmp

memory/4712-131-0x00000000059F0000-0x0000000005F94000-memory.dmp

memory/4712-132-0x0000000005300000-0x0000000005392000-memory.dmp

memory/4712-133-0x0000000005440000-0x00000000054DC000-memory.dmp

memory/4220-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe

MD5 e936a9268db132fc3b8ed65344ebf65b
SHA1 d08422c2de8389397020ef04941a30ec5d6d4afa
SHA256 04cbed17b97c910331c995a4bdce33616d9fc4ec88527b587a2682240d7fd1b5
SHA512 fb8b1607c06e852acf4efe0f64e53eee6034a508abadfd32f1c0b86f03a4b6296ef97f932191488eceeaeb4f2ac5ef7f16942eb8091b8d99f66102bb345144fa

memory/3532-136-0x0000000000000000-mapping.dmp

memory/2688-137-0x0000000000000000-mapping.dmp

memory/4152-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 8fdf47e0ff70c40ed3a17014aeea4232
SHA1 e6256a0159688f0560b015da4d967f41cbf8c9bd
SHA256 ed9884bac608c06b7057037cc91d90e4ae5f74dd2dbce2af476699c6d4492d82
SHA512 bd69d092ed4f9c5e1f24eaf5ec79fb316469d53849dc798fae0fcba5e90869b77ee924c23cc6f692198ff25827ab60ad47bb46cadd6e0aadde7731cbafb013be

memory/4152-142-0x0000000000370000-0x000000000037C000-memory.dmp

memory/5076-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\ertyrtr\erttry.exe.bat

MD5 89fd02ba358befbfc6a5974bf4e73d37
SHA1 b337542e6424054be1f4497fafed0123a1883483
SHA256 28bc0f5cf086b8646094fe7b81276f1dd13e9cf6a474dc6737261faaf2430278
SHA512 d8524477ff1b831a5b1c8599094b6e74270af44a6aac64c91d5a6d07fce85580b41c9a33097fe19a7d01b067b0cabee2efb6fc1f3e6e2d85da3493dabacf1f21

memory/5072-145-0x0000000000000000-mapping.dmp

memory/4152-146-0x0000000004C10000-0x0000000004C76000-memory.dmp