Malware Analysis Report

2024-11-13 15:44

Sample ID 221029-a2a1wsdhe6
Target 535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186
SHA256 535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186
Tags imminent persistence spyware trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186

Threat Level: Known bad

The file 535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186 was found to be: Known bad.

Malicious Activity Summary

imminent persistence spyware trojan

Imminent RAT

Executes dropped EXE

Loads dropped DLL

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2022-10-29 00:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2022-10-29 00:41

Reported 2022-10-29 03:59

Platform win7-20220812-en

Max time kernel 152s

Max time network 47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe"

Signatures

Imminent RAT

trojan spyware imminent

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Users\\Admin\\AppData\\Local\\Windows\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe | N/A

Enumerates physical storage devices

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskmgr.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1184 wrote to memory of 1956 | N/A | C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe | C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe
PID 1184 wrote to memory of 1312 | N/A | C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe | C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe | C:\Windows\SysWOW64\taskmgr.exe
PID 1312 wrote to memory of 520 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe

"C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe"

C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe

"C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe"

C:\Windows\SysWOW64\taskmgr.exe

"C:\Windows\System32\taskmgr.exe"

C:\Windows\SysWOW64\PING.EXE

ping 1.1.1.1 -n 1 -w 1000

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | kluxmodsftp.no-ip.info | udp

Files

memory/1184-54-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

memory/1184-55-0x0000000074300000-0x00000000748AB000-memory.dmp

\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe

MD5 6e991b3a1fece5eca1245671278fe7b3
SHA1 59488e5bb50f50de0918ed6502dde596d8d14b63
SHA256 535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186
SHA512 6fda298d1abf38aca349c9ed304bf93548727135d6d47e14bef0d8b6aac584f3efdd368f44d081411b7f5710c9587776c92a49772e49e542f8820bd1a32f8489

C:\Users\Admin\AppData\Local\Temp\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186\535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186.exe

MD5 6e991b3a1fece5eca1245671278fe7b3
SHA1 59488e5bb50f50de0918ed6502dde596d8d14b63
SHA256 535297fa7ca0a25bae29a97591892b19f6501300d04fb791f4cdf1e68443e186
SHA512 6fda298d1abf38aca349c9ed304bf93548727135d6d47e14bef0d8b6aac584f3efdd368f44d081411b7f5710c9587776c92a49772e49e542f8820bd1a32f8489

memory/1956-58-0x0000000000000000-mapping.dmp

memory/1956-62-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/1312-63-0x0000000000000000-mapping.dmp

memory/1184-64-0x0000000074300000-0x00000000748AB000-memory.dmp

memory/1960-65-0x0000000000000000-mapping.dmp

memory/520-67-0x0000000000000000-mapping.dmp

memory/1956-70-0x0000000074300000-0x00000000748AB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2022-10-29 00:41

Reported 2022-10-29 04:00

Platform win10v2004-20220812-en

Max time network 124s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country | Destination | Domain | Proto
US | 93.184.221.240:80 | N/A | tcp
US | 72.21.91.29:80 | N/A | tcp
US | 8.238.21.126:80 | N/A | tcp
US | 20.42.65.90:443 | N/A | tcp
US | 8.8.8.8:53 | kluxmodsftp.no-ip.info | udp

Files

N/A