Malware Analysis Report

2024-11-30 15:59

Sample ID 220626-219avafhd6
Target 35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27
SHA256 35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27
Tags
imminent persistence spyware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27

Threat Level: Known bad

The file 35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27 was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-06-26 23:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-26 23:04

Reported

2022-06-26 23:17

Platform

win7-20220414-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\winstarted = "C:\\Users\\Admin\\AppData\\Roaming\\defendersts\\winlogimdesa.exe"
Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of WriteProcessMemory

Indicator is N/A for every row; identical rows are given once with their count.

PID 960 wrote to memory of 1136 (9 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

PID 1136 wrote to memory of 1360 (4 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

PID 1136 wrote to memory of 680 (4 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Windows\SysWOW64\cmd.exe

PID 680 wrote to memory of 1092 (4 events)
  Process: C:\Windows\SysWOW64\cmd.exe
  Target: C:\Windows\SysWOW64\PING.EXE

PID 1360 wrote to memory of 980 (9 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

Processes

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ceosas.linkpc.net udp
US 192.254.74.210:1060 ceosas.linkpc.net tcp (4 connections)

Files

memory/960-54-0x0000000000EF0000-0x0000000000FA0000-memory.dmp

memory/960-55-0x00000000007D0000-0x0000000000880000-memory.dmp

memory/960-56-0x00000000001C0000-0x00000000001DE000-memory.dmp

memory/960-57-0x0000000075801000-0x0000000075803000-memory.dmp

memory/1136-58-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1136-59-0x0000000000451C4E-mapping.dmp

memory/1136-61-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1136-63-0x0000000000400000-0x0000000000456000-memory.dmp

memory/1136-64-0x0000000000270000-0x0000000000280000-memory.dmp

memory/1136-65-0x0000000000C30000-0x0000000000CDE000-memory.dmp

memory/1136-66-0x00000000003A0000-0x00000000003C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
(listed five times in this run's file list, twice in the drive-less form \Users\Admin\AppData\Local\Temp\..., always with the hashes below; they are the hashes of the submitted sample, so the dropped file is a byte-identical copy of it)

MD5 e1e39270be98466c91a550cf28d7d369
SHA1 f3ccfd4abb007504a1da42b360a89279577d0e7d
SHA256 35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27
SHA512 2e23cabab334f3ff276d4bc62f986ec77cca0cf9b00d6ddaff02f629cf173c76f61bd57669638a78195a7ac4ca55dcc9a3b79f853e0f8df5ab67d4b0d6d59719

memory/1360-69-0x0000000000000000-mapping.dmp

memory/1360-72-0x0000000000E90000-0x0000000000F40000-memory.dmp

memory/680-73-0x0000000000000000-mapping.dmp

memory/1092-74-0x0000000000000000-mapping.dmp

memory/980-78-0x0000000000451C4E-mapping.dmp

memory/980-85-0x00000000006F0000-0x0000000000706000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-06-26 23:04

Reported

2022-06-26 23:18

Platform

win10v2004-20220414-en

Max time kernel

151s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

Signatures

Imminent RAT

trojan spyware imminent

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
Target: N/A

Adds Run key to start application

persistence

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstarted = "\\defendersts\\winlogimdesa.exe"
Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winstarted = "C:\\Users\\Admin\\AppData\\Roaming\\defendersts\\winlogimdesa.exe"
Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
Target: N/A
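The two rows above are the sample's persistence, and the same value is written in behavioral1: a Run value named winstarted under the current user's hive (no elevation needed), written first with a relative path and then with the absolute path under the user's AppData\Roaming\defendersts directory. Two checks an analyst wants here: the value points into a user-writable directory, and neither behavioral run lists C:\Users\Admin\AppData\Roaming\defendersts\winlogimdesa.exe among the files written, so this report does not show the persistence target actually being created. The Python below is an added example, not part of the report or of the sandbox's code; it triages Run values as the report renders them (string value quoted, backslashes doubled). The list of user-writable path markers and the benign "ExampleTray" entry are made up for the example.

```python
import re

# Added example (not from the report): triage Run-key values the way this report shows
# them. Flags a value whose executable is not an absolute path or lives in a
# user-writable directory. The marker list is an assumption; extend it for your estate.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\downloads\\", "\\users\\public\\",
)


def from_report_rendering(value):
    """The report prints string values with doubled backslashes; undo that escaping."""
    return value.replace("\\\\", "\\")


def exe_from_run_value(data):
    """Executable path from a Run value: the quoted path, or the first token ending in .exe."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    m = re.match(r"(?i)(\S+?\.exe)", data)
    return m.group(1) if m else data.split()[0]


def assess_run_value(name, data):
    """Return the extracted executable plus the reasons (if any) the entry looks suspicious."""
    exe = exe_from_run_value(data)
    reasons = []
    # Rooted = drive letter or UNC path; anything else depends on the loader's working directory
    rooted = re.match(r"(?i)^[a-z]:\\", exe) is not None or exe.startswith("\\\\")
    if not rooted:
        reasons.append("not an absolute path")
    low = exe.lower()
    for marker in USER_WRITABLE_MARKERS:
        if marker in low:
            reasons.append("executable under a user-writable directory: " + marker)
            break
    return {"name": name, "exe": exe, "suspicious": bool(reasons), "reasons": reasons}


# Constructed input: the two writes to HKCU\...\Run\winstarted in this report, as the
# report renders them, plus one made-up benign entry for contrast.
SAMPLE_VALUES = [
    ("winstarted", r'"\\defendersts\\winlogimdesa.exe"'),
    ("winstarted", r'"C:\\Users\\Admin\\AppData\\Roaming\\defendersts\\winlogimdesa.exe"'),
    ("ExampleTray", r'"C:\Program Files\ExampleVendor\tray.exe" /background'),  # made up
]


def assess_samples():
    return [assess_run_value(n, from_report_rendering(d)) for n, d in SAMPLE_VALUES]


if __name__ == "__main__":
    for r in assess_samples():
        print(r["name"], r["exe"], "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

On a live host the same assess_run_value can be fed the values from reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run directly, without the from_report_rendering step, since real registry data is not escaped. Both winstarted writes are flagged: the first because it is relative, the second because it lands under AppData\Roaming.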

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of WriteProcessMemory

Indicator is N/A for every row; identical rows are given once with their count.

PID 3908 wrote to memory of 5096 (8 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

PID 5096 wrote to memory of 608 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

PID 5096 wrote to memory of 4756 (3 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Windows\SysWOW64\cmd.exe

PID 4756 wrote to memory of 3056 (3 events)
  Process: C:\Windows\SysWOW64\cmd.exe
  Target: C:\Windows\SysWOW64\PING.EXE

PID 608 wrote to memory of 3360 (8 events)
  Process: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
  Target: C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
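Read together with the summary's "Suspicious use of SetThreadContext", the rows above (and the identical chain in behavioral1 with PIDs 960, 1136, 1360, 680, 1092 and 980) describe a process-injection chain rather than ordinary child creation: the submitted executable writes into a second instance of its own image, that instance writes into the dropped copy's process and into the cmd.exe self-delete helper, and the dropped copy in turn writes into another instance of itself. Writing into a freshly created instance of the same image and then setting its thread context is the process-hollowing (RunPE) pattern; the CLR usage log in this run's file list shows the sample runs under the 32-bit .NET 4 runtime. The report records only the API calls, so the hollowing reading is an inference from them. The Python below is an added example, not from the report or from any sandbox: it parses rows in this report's layout, collapses repeats into a count, and flags hops whose source and target image are the same file. The sample rows are rebuilt from the behavioral2 table.

```python
import re

# Added example (not from the report): turn the "Suspicious use of WriteProcessMemory"
# rows into an injection chain. Row layout in the report:
#   PID <src> wrote to memory of <dst> N/A <source image> <target image>
ROW_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<rest>.+)$")


def parse_rows(rows):
    """Collapse repeated rows into an ordered list of hops, one per (src, dst) pair."""
    hops, index = [], {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m is None:
            continue  # header line or a row in another layout
        rest = m.group("rest")
        cut = rest.rfind(" C:\\")  # the target image is the last absolute path on the row
        if cut < 0:
            continue
        src_img, dst_img = rest[:cut], rest[cut + 1:]
        key = (int(m.group("src")), int(m.group("dst")), src_img, dst_img)
        if key not in index:
            index[key] = len(hops)
            hops.append({
                "src": key[0], "dst": key[1], "src_image": src_img, "dst_image": dst_img,
                "writes": 0,
                # same on-disk image on both sides: the self-injection seen in hollowing/RunPE
                "self_injection": src_img.lower() == dst_img.lower(),
            })
        hops[index[key]]["writes"] += 1
    return hops


def roots(hops):
    """PIDs that write into others but were never written into: where the chain starts."""
    return sorted({h["src"] for h in hops} - {h["dst"] for h in hops})


def chain_from(hops, pid, seen=None):
    """Depth-first walk of the write graph from pid, as 'src->dst' strings."""
    seen = set() if seen is None else seen
    out = []
    for h in hops:
        edge = (h["src"], h["dst"])
        if h["src"] == pid and edge not in seen:
            seen.add(edge)
            out.append(f"{edge[0]}->{edge[1]}")
            out.extend(chain_from(hops, h["dst"], seen))
    return out


# Constructed sample input: the behavioral2 rows of this report, rebuilt from
# (src pid, dst pid, source image, target image, number of identical rows).
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe")
DROPPED_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27"
               r"\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe")
CMD_EXE = r"C:\Windows\SysWOW64\cmd.exe"
PING_EXE = r"C:\Windows\SysWOW64\PING.EXE"
_EVENTS = [
    (3908, 5096, SAMPLE_EXE, SAMPLE_EXE, 8),
    (5096, 608, SAMPLE_EXE, DROPPED_EXE, 3),
    (5096, 4756, SAMPLE_EXE, CMD_EXE, 3),
    (4756, 3056, CMD_EXE, PING_EXE, 3),
    (608, 3360, DROPPED_EXE, DROPPED_EXE, 8),
]
SAMPLE_ROWS = ["Description Indicator Process Target"] + [
    f"PID {s} wrote to memory of {d} N/A {si} {di}"
    for s, d, si, di, n in _EVENTS for _ in range(n)
]

if __name__ == "__main__":
    hops = parse_rows(SAMPLE_ROWS)
    for h in hops:
        flag = "  <- self-injection" if h["self_injection"] else ""
        print(f"{h['src']} -> {h['dst']} ({h['writes']} writes){flag}")
    print("chain:", " ".join(chain_from(hops, roots(hops)[0])))
```

The two self-injection hops (3908 into 5096, 608 into 3360) are the ones to correlate with SetThreadContext and with the 0x400000 image-base memory regions in the file list; the writes into cmd.exe and PING.EXE are ordinary CreateProcess-time writes by a parent and carry no such meaning on their own.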

Processes

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe

"C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe
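The cmd.exe line in the list above (identical in behavioral1) is the self-deletion the report flags as "Deletes itself": ping 1.1.1.1 with one request and a 1000 ms timeout acts as a short sleep, long enough for the parent to exit and release its image file, after which Del removes the original executable; the dropped copy under the hash-named subdirectory stays on disk. Two things to check in endpoint telemetry: a cmd.exe /C whose first command is ping and whose last is del, and whether the deleted path is the image of cmd.exe's parent. The Python below is an added example, not from the report or any sandbox; it parses such command lines and recovers the host, request count, timeout and deleted path, using the report's own cmd.exe line as constructed input.

```python
import re

# Added example (not from the report): recognise the "ping as a sleep, then delete" chain
# the sample uses to remove its own executable, and recover its parameters.


def _cmd_body(cmdline):
    """Strip a leading cmd.exe invocation and its /C or /K switch, if present."""
    m = re.match(r'\s*"?[^"]*?cmd(?:\.exe)?"?\s+/[cCkK]\s+(.*)$', cmdline)
    return m.group(1) if m else cmdline


def parse_self_delete(cmdline, parent_image=None):
    """Return the ping/del parameters if cmdline is a ping-sleep-then-delete chain, else None."""
    body = _cmd_body(cmdline)
    parts = [p.strip() for p in re.split(r"\s*&&?\s*", body) if p.strip()]
    if len(parts) < 2:
        return None
    ping = re.match(r"(?i)ping(?:\.exe)?\s+(.*)$", parts[0])
    dele = re.match(r"(?i)(?:del|erase)\s+(.*)$", parts[-1])
    if ping is None or dele is None:
        return None
    # Drop output redirections such as "> Nul" or "2>nul" before reading ping's switches.
    tokens = re.sub(r"(?:\b\d)?[>|]\s*\S+", "", ping.group(1)).split()
    host, count, timeout_ms = None, 4, 4000  # Windows ping defaults: 4 requests, 4000 ms wait
    i = 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "-n" and i + 1 < len(tokens):
            count, i = int(tokens[i + 1]), i + 2
        elif tok == "-w" and i + 1 < len(tokens):
            timeout_ms, i = int(tokens[i + 1]), i + 2
        elif tok.startswith("-"):
            i += 1  # switch without an argument (-t, -a, -4, ...)
        else:
            host, i = tokens[i], i + 1
    # The deleted path: drop del's switches (/f /q /a ...) and the surrounding quotes.
    target = re.sub(r"(?i)^(?:/[a-z]+\s+)+", "", dele.group(1)).strip().strip('"')
    return {
        "host": host,
        "count": count,
        "timeout_ms": timeout_ms,
        "max_wait_ms": count * timeout_ms,  # upper bound on the sleep the chain buys
        "deleted_path": target,
        "deletes_parent_image": parent_image is not None and target.lower() == parent_image.lower(),
    }


# Constructed from the cmd.exe line in this report's process list; the parent is the
# sample process (PID 5096 in behavioral2) that spawned cmd.exe.
SAMPLE_PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
                 r"\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe")
SAMPLE_CMDLINE = ('"C:\\Windows\\System32\\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "'
                  + SAMPLE_PARENT + '"')

if __name__ == "__main__":
    print(parse_self_delete(SAMPLE_CMDLINE, SAMPLE_PARENT))
```

A process-creation event for cmd.exe gives both the command line and the parent image, so the deletes_parent_image flag can be computed at detection time; matching on ping alone is too noisy, and matching on del of a path under Temp catches installers, so the combination of the two commands plus the parent check is what makes the rule precise.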

Network

Country Destination Domain Proto
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
IE 13.69.239.73:443 tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.238.111.254:80 tcp (2 connections)
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 ceosas.linkpc.net udp
US 192.254.74.210:1060 ceosas.linkpc.net tcp (12 connections)
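Only one destination in the table above is tied to a hostname the sample resolved: ceosas.linkpc.net, looked up via 8.8.8.8 and then contacted twelve times on TCP/1060 within the run (four times in behavioral1), a dynamic-DNS name on a non-standard port, consistent with the RAT's C2 channel. The port-80/443 rows and the reverse lookups carry no hostname and the report does not attribute them to the sample's processes, so treat them as unattributed background traffic rather than as indicators. The Python below is an added example, not from the report; it groups rows in this layout by destination, counts repeats, flags dynamic-DNS names and ports outside a small expected set, and emits the block-list entries. The suffix list (linkpc.net, treated here as a dynamic-DNS provider) and the expected-port set are assumptions to extend from your own intelligence; the sample rows are the behavioral2 table.

```python
import re

# Added example (not from the report): summarise a network table in this report's layout
# and pull out the indicators worth blocking. DDNS_SUFFIXES and EXPECTED_PORTS are
# assumptions; linkpc.net is listed because the C2 name in this report sits under it.
DDNS_SUFFIXES = ("linkpc.net",)
EXPECTED_PORTS = {53, 80, 443}

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$"
)


def is_ddns(name):
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in DDNS_SUFFIXES)


def parse_network_rows(rows):
    """Rows look like 'US 192.254.74.210:1060 ceosas.linkpc.net tcp'; the domain is optional."""
    conns = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            conns.append({"cc": m.group("cc"), "ip": m.group("ip"), "port": int(m.group("port")),
                          "domain": m.group("domain"), "proto": m.group("proto")})
    return conns


def summarize(conns):
    """Group by destination, count repeats, and flag DDNS names and unexpected ports."""
    groups, order = {}, []
    for c in conns:
        key = (c["ip"], c["port"], c["proto"])
        if key not in groups:
            groups[key] = {"count": 0, "domains": set()}
            order.append(key)
        groups[key]["count"] += 1
        if c["domain"]:
            groups[key]["domains"].add(c["domain"])
    summary = []
    for ip, port, proto in order:
        g = groups[(ip, port, proto)]
        flags = []
        if any(is_ddns(d) for d in g["domains"]):
            flags.append("dynamic-dns")
        if port not in EXPECTED_PORTS:
            flags.append("unexpected-port")
        summary.append({"dst": f"{ip}:{port}/{proto}", "count": g["count"],
                        "domains": sorted(g["domains"]), "flags": flags,
                        # port-53 rows are resolver queries: the name is what was looked up,
                        # not a peer the sample talked to, so the resolver is never an IOC
                        "is_dns": port == 53})
    return summary


def iocs(summary):
    """Hostnames under a DDNS suffix, plus flagged destinations that are not resolver traffic."""
    domains, dsts = set(), set()
    for s in summary:
        domains.update(d for d in s["domains"] if is_ddns(d))
        if s["flags"] and not s["is_dns"]:
            dsts.add(s["dst"])
    return {"domains": sorted(domains), "destinations": sorted(dsts)}


# Constructed input: the behavioral2 network table of this report (22 rows).
SAMPLE_ROWS = """Country Destination Domain Proto
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
IE 13.69.239.73:443 tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.238.111.254:80 tcp
US 8.238.111.254:80 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa udp
US 8.8.8.8:53 ceosas.linkpc.net udp""".splitlines() + ["US 192.254.74.210:1060 ceosas.linkpc.net tcp"] * 12

if __name__ == "__main__":
    summary = summarize(parse_network_rows(SAMPLE_ROWS))
    for s in summary:
        print(f"{s['dst']:<28} x{s['count']:<3} {','.join(s['domains'])} {s['flags']}")
    print(iocs(summary))
```

Run over behavioral1's table the same code returns the same two indicators with a count of 4. The 8.8.8.8 group is flagged dynamic-dns because one of its queries was for the C2 name, but it is excluded from the destination list; blocking the resolver would be the wrong takeaway.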

Files

memory/3908-130-0x00000000003A0000-0x0000000000450000-memory.dmp

memory/3908-131-0x0000000007800000-0x0000000007DA4000-memory.dmp

memory/3908-132-0x00000000072F0000-0x0000000007382000-memory.dmp

memory/3908-133-0x00000000072D0000-0x00000000072DA000-memory.dmp

memory/3908-134-0x0000000005060000-0x00000000050FC000-memory.dmp

memory/5096-135-0x0000000000000000-mapping.dmp

memory/5096-136-0x0000000000400000-0x0000000000456000-memory.dmp

memory/5096-137-0x0000000005A10000-0x0000000005A76000-memory.dmp

memory/608-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe
(listed three times in this run's file list, always with the hashes below; they are the hashes of the submitted sample, so the dropped file is a byte-identical copy of it)

MD5 e1e39270be98466c91a550cf28d7d369
SHA1 f3ccfd4abb007504a1da42b360a89279577d0e7d
SHA256 35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27
SHA512 2e23cabab334f3ff276d4bc62f986ec77cca0cf9b00d6ddaff02f629cf173c76f61bd57669638a78195a7ac4ca55dcc9a3b79f853e0f8df5ab67d4b0d6d59719

memory/4756-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\35ca4a96e28439a4e7fbacf48599f7008213b9bcea4e30c22546be8c6b53ef27.exe.log

MD5 1191fafc0def1cf027ca380d326d5e50
SHA1 6d11938c77d51d5009a1258f9f35892866c44acf
SHA256 59e94d52aa2b2684225c35720dae5b1d76d67ce4d9e84714bf84c6b9b11d6b86
SHA512 10b375820b5e3a28f2a8ac329835af40a20aec377e94bc771863d69e834515db0b8197274d17aa0d06e96ec292a9429e122ffb87fe9dfd6a42559309fa27f088

memory/3056-143-0x0000000000000000-mapping.dmp

memory/3360-144-0x0000000000000000-mapping.dmp
