Analysis Overview
SHA256: 04d31c61d53359359e896db066a150f94321c1fd788a9ef7cb6a3e08ab963761
Threat Level: Known bad
The file anon1.c.exe was found to be: Known bad.
Malicious Activity Summary
Raccoon
RedLine payload
SystemBC
RedLine
Downloads MZ/PE file
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Loads dropped DLL
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
GoLang User-Agent
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2022-11-08 12:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2022-11-08 12:19
Reported: 2022-11-08 12:24
Platform: win7-20220812-en
Max time kernel: 292s
Max time network: 304s
Signatures
Raccoon
RedLine
RedLine payload
SystemBC
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\c6dvZEah.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\ksUM43uw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1404 set thread context of 1876 | N/A | C:\Users\Admin\AppData\Roaming\ksUM43uw.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | "C:\Users\Admin\AppData\Local\Temp\anon1.c.exe" |
| C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe | "C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe" |
| C:\Users\Admin\AppData\Roaming\c6dvZEah.exe | "C:\Users\Admin\AppData\Roaming\c6dvZEah.exe" |
| C:\Windows\system32\cmd.exe | cmd.exe /C schtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f |
| C:\Users\Admin\AppData\Roaming\ksUM43uw.exe | "C:\Users\Admin\AppData\Roaming\ksUM43uw.exe" |
| C:\Windows\system32\schtasks.exe | schtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {A3B4FD51-C93F-4A01-8B93-861222ECF246} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe | C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe start |
| C:\Windows\system32\taskeng.exe | taskeng.exe {11097B21-E440-4B64-8A1B-12C9B30BF8B1} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe | C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 194.37.80.221:80 | 194.37.80.221 | tcp |
| RU | 45.15.156.48:80 | 45.15.156.48 | tcp |
| US | 8.8.8.8:53 | clipper.guru | udp |
| NL | 45.159.189.115:80 | clipper.guru | tcp |
| RU | 45.15.156.48:4254 | N/A | tcp |
| RU | 45.15.156.48:8285 | N/A | tcp |
| NL | 45.159.189.115:80 | clipper.guru | tcp |
| NL | 45.159.189.115:80 | clipper.guru | tcp |
| NL | 45.159.189.115:80 | clipper.guru | tcp |
Files
| File | MD5 | SHA1 | SHA256 | SHA512 |
| \Users\Admin\AppData\LocalLow\sqlite3.dll | dbf4f8dcefb8056dc6bae4b67ff810ce | bbac1dd8a07c6069415c04b62747d794736d0689 | 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68 | b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1 |
| \Users\Admin\AppData\LocalLow\nss3.dll | f67d08e8c02574cbc2f1122c53bfb976 | 6522992957e7e4d074947cad63189f308a80fcf2 | c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e | 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5 |
| \Users\Admin\AppData\LocalLow\mozglue.dll | f07d9977430e762b563eaadc2b94bbfa | da0a05b2b8d269fb73558dfcf0ed5c167f6d3877 | 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862 | 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf |
| C:\Users\Admin\AppData\Roaming\14dsT2Dg.exe | 8850b7c96abf365df3fd542cb17755c5 | 90e77265727ab091e9ee48e82df170b8929998b4 | cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5 | d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933 |
| C:\Users\Admin\AppData\Roaming\c6dvZEah.exe | 27d2a70c1f2a5a6cdb5b5e87e976014d | 9b68a92a1e305f44ad040cc7ab5f4eb63ea58907 | d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a | c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5 |
| C:\Users\Admin\AppData\Roaming\ksUM43uw.exe | 25b80f714520a949e5ae6b95b0585ce8 | 9265fb3f52d272fe4a034f45b5e9b49eefd28e09 | b6fb44538c3a5ac766e0b3c2a51ca7e99f295adb761ff99a3ce11a45151277ba | 0b1281cc3224f8bb10e3ea9306e96ef7dee1e17b2dd0e55b21602c5410a5bb98b17a309f9318d4b250f6db2897c6552fe0027969266c884447e2ba14cb80ff98 |
| C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe | 27d2a70c1f2a5a6cdb5b5e87e976014d | 9b68a92a1e305f44ad040cc7ab5f4eb63ea58907 | d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a | c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5 |
Analysis: behavioral2
Detonation Overview
Submitted: 2022-11-08 12:19
Reported: 2022-11-08 12:24
Platform: win10v2004-20220812-en
Max time kernel: 268s
Max time network: 302s
Signatures
Raccoon
RedLine
RedLine payload
SystemBC
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\537MXN29.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\4etPA1W6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\zLlhcrne.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\537MXN29.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1560 set thread context of 3028 | N/A | C:\Users\Admin\AppData\Roaming\zLlhcrne.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Roaming\537MXN29.exe | N/A |
| File opened for modification | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Roaming\537MXN29.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\537MXN29.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\anon1.c.exe | "C:\Users\Admin\AppData\Local\Temp\anon1.c.exe" |
| C:\Users\Admin\AppData\Roaming\537MXN29.exe | "C:\Users\Admin\AppData\Roaming\537MXN29.exe" |
| C:\Users\Admin\AppData\Roaming\4etPA1W6.exe | "C:\Users\Admin\AppData\Roaming\4etPA1W6.exe" |
| C:\Windows\system32\cmd.exe | cmd.exe /C schtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f |
| C:\Windows\system32\schtasks.exe | schtasks /create /tn tfmMOxFVCU /tr C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f |
| C:\Users\Admin\AppData\Roaming\zLlhcrne.exe | "C:\Users\Admin\AppData\Roaming\zLlhcrne.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Users\Admin\AppData\Roaming\537MXN29.exe | C:\Users\Admin\AppData\Roaming\537MXN29.exe start |
| C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe | C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4200 -ip 4200 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 756 |
Network
| Country | Destination | Domain | Proto |
| DE | 194.37.80.221:80 | 194.37.80.221 | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| US | 20.189.173.4:443 | N/A | tcp |
| DE | 194.37.80.221:80 | 194.37.80.221 | tcp |
| RU | 45.15.156.48:80 | 45.15.156.48 | tcp |
| RU | 45.15.156.48:8285 | N/A | tcp |
| RU | 45.15.156.48:4254 | N/A | tcp |
| US | 8.8.8.8:53 | clipper.guru | udp |
| NL | 45.159.189.115:80 | clipper.guru | tcp |
| NL | 45.159.189.115:80 | clipper.guru | tcp |
| NL | 45.159.189.115:80 | clipper.guru | tcp |
Files
| File | MD5 | SHA1 | SHA256 | SHA512 |
| C:\Users\Admin\AppData\LocalLow\sqlite3.dll | dbf4f8dcefb8056dc6bae4b67ff810ce | bbac1dd8a07c6069415c04b62747d794736d0689 | 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68 | b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1 |
| C:\Users\Admin\AppData\LocalLow\nss3.dll | f67d08e8c02574cbc2f1122c53bfb976 | 6522992957e7e4d074947cad63189f308a80fcf2 | c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e | 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5 |
| C:\Users\Admin\AppData\LocalLow\mozglue.dll | f07d9977430e762b563eaadc2b94bbfa | da0a05b2b8d269fb73558dfcf0ed5c167f6d3877 | 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862 | 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf |
| C:\Users\Admin\AppData\Roaming\537MXN29.exe | 8850b7c96abf365df3fd542cb17755c5 | 90e77265727ab091e9ee48e82df170b8929998b4 | cf93000b1ae58e02666a9c6e29002bdddd0d8c7e03a1a14ae1f3a1b8f62b14c5 | d9645e871ba53be9617fb591cbd2dd7cb1c67b5a6ac4a4c2872e48a114808d55ec98fdfbdeee38fb1aad72138b690ccca8fcf03143f24b7054d6581cd8b5f933 |
| C:\Users\Admin\AppData\Roaming\4etPA1W6.exe | 27d2a70c1f2a5a6cdb5b5e87e976014d | 9b68a92a1e305f44ad040cc7ab5f4eb63ea58907 | d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a | c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5 |
| C:\Users\Admin\AppData\Roaming\zLlhcrne.exe | 25b80f714520a949e5ae6b95b0585ce8 | 9265fb3f52d272fe4a034f45b5e9b49eefd28e09 | b6fb44538c3a5ac766e0b3c2a51ca7e99f295adb761ff99a3ce11a45151277ba | 0b1281cc3224f8bb10e3ea9306e96ef7dee1e17b2dd0e55b21602c5410a5bb98b17a309f9318d4b250f6db2897c6552fe0027969266c884447e2ba14cb80ff98 |
| C:\Users\Admin\AppData\Roaming\tfmMOxFVCU\svcupdater.exe | 27d2a70c1f2a5a6cdb5b5e87e976014d | 9b68a92a1e305f44ad040cc7ab5f4eb63ea58907 | d062bf90cc1a1fb3b510a8aca6bc05bdf475e6a98c7a1b83fc13558ed70f134a | c1af2cbef681159e451cc5ce7ba3940b49726efb2aa49a10aa2a3ab5d14264ead7bedc93a2225cad5868438fea05f369c4b41466641568f34c324144aafca4f5 |