Malware Analysis Report

2024-11-30 16:00

Sample ID 220624-2hezaaffdk
Target 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
SHA256 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
Tags
imminent persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae

Threat Level: Known bad

The file 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-24 22:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-24 22:34

Reported

2022-06-24 22:42

Platform

win7-20220414-en

Max time kernel

153s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchosl = "C:\\Users\\Admin\\AppData\\Roaming\\svchosl\\svchosl.exe" | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |

Enumerates physical storage devices

Runs ping.exe

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1756 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe |
| PID 1756 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe |
| PID 1756 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe |
| PID 1756 wrote to memory of 1548 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe |
| PID 1756 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1756 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1756 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1756 wrote to memory of 704 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 704 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 704 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 704 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 704 wrote to memory of 1204 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |

Processes

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

"C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

"C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | maxibrainz.linkpc.net | udp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |

Files

memory/1756-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

memory/1756-55-0x00000000748C0000-0x0000000074E6B000-memory.dmp

\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

MD5 7a76310e8ed433e10ddba6b898340240
SHA1 c2e1790dd0ccdb180f43a9cecfd2609883b0b98d
SHA256 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
SHA512 b0803a82e520fe27286f550d102c26dba1e84fce450577ea54b4c7e76a5dabf7ff48863a26bdd45f14bc0021c8602272b3f4d6887028b07fdb848fa61fcb749a

memory/1548-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

MD5 7a76310e8ed433e10ddba6b898340240
SHA1 c2e1790dd0ccdb180f43a9cecfd2609883b0b98d
SHA256 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
SHA512 b0803a82e520fe27286f550d102c26dba1e84fce450577ea54b4c7e76a5dabf7ff48863a26bdd45f14bc0021c8602272b3f4d6887028b07fdb848fa61fcb749a

\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

MD5 7a76310e8ed433e10ddba6b898340240
SHA1 c2e1790dd0ccdb180f43a9cecfd2609883b0b98d
SHA256 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
SHA512 b0803a82e520fe27286f550d102c26dba1e84fce450577ea54b4c7e76a5dabf7ff48863a26bdd45f14bc0021c8602272b3f4d6887028b07fdb848fa61fcb749a

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

MD5 7a76310e8ed433e10ddba6b898340240
SHA1 c2e1790dd0ccdb180f43a9cecfd2609883b0b98d
SHA256 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
SHA512 b0803a82e520fe27286f550d102c26dba1e84fce450577ea54b4c7e76a5dabf7ff48863a26bdd45f14bc0021c8602272b3f4d6887028b07fdb848fa61fcb749a

memory/704-62-0x0000000000000000-mapping.dmp

memory/1756-64-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/1204-63-0x0000000000000000-mapping.dmp

memory/1548-65-0x00000000748C0000-0x0000000074E6B000-memory.dmp

memory/1548-66-0x00000000748C0000-0x0000000074E6B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-24 22:34

Reported

2022-06-24 22:42

Platform

win10v2004-20220414-en

Max time kernel

189s

Max time network

193s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchosl = "\\svchosl\\svchosl.exe" | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchosl = "C:\\Users\\Admin\\AppData\\Roaming\\svchosl\\svchosl.exe" | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |

Enumerates physical storage devices

Runs ping.exe

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3624 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe |
| PID 3624 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe |
| PID 3624 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe |
| PID 3624 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3624 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3624 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2556 wrote to memory of 4260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2556 wrote to memory of 4260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |
| PID 2556 wrote to memory of 4260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE |

Processes

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

"C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

"C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 8.8.8.8:53 | maxibrainz.linkpc.net | udp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |
| US | 67.214.175.69:2580 | maxibrainz.linkpc.net | tcp |

Files

memory/3624-130-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/3624-131-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/4308-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

MD5 7a76310e8ed433e10ddba6b898340240
SHA1 c2e1790dd0ccdb180f43a9cecfd2609883b0b98d
SHA256 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
SHA512 b0803a82e520fe27286f550d102c26dba1e84fce450577ea54b4c7e76a5dabf7ff48863a26bdd45f14bc0021c8602272b3f4d6887028b07fdb848fa61fcb749a

C:\Users\Admin\AppData\Local\Temp\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae\9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae.exe

MD5 7a76310e8ed433e10ddba6b898340240
SHA1 c2e1790dd0ccdb180f43a9cecfd2609883b0b98d
SHA256 9560685c75f98ab9a01e5f272208db8816e88da4218ee87ca8a0b678f8e385ae
SHA512 b0803a82e520fe27286f550d102c26dba1e84fce450577ea54b4c7e76a5dabf7ff48863a26bdd45f14bc0021c8602272b3f4d6887028b07fdb848fa61fcb749a

memory/2556-135-0x0000000000000000-mapping.dmp

memory/4260-136-0x0000000000000000-mapping.dmp

memory/3624-137-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/4308-138-0x0000000075400000-0x00000000759B1000-memory.dmp

memory/4308-139-0x0000000075400000-0x00000000759B1000-memory.dmp