Malware Analysis Report

2025-01-18 12:23

Sample ID: 221125-dz7hvsha39
Target: 2da9543a96dc5ca68af4c2e095e21f49
SHA256: e7be55c53cc03e17484068b1f69f6b2091f9cfe105480b9595f30bb557112f14
Tags: agenttesla wshrat collection keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: e7be55c53cc03e17484068b1f69f6b2091f9cfe105480b9595f30bb557112f14
Threat Level: Known bad

The file 2da9543a96dc5ca68af4c2e095e21f49 was found to be: Known bad.

Malicious Activity Summary

Tags: agenttesla wshrat collection keylogger persistence spyware stealer trojan

Signatures triggered (across all detonations):
WSHRAT payload
WSHRAT
AgentTesla
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
Script User-Agent
outlook_win_path
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-25 03:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-25 03:27
Reported: 2022-11-25 03:30
Platform: win7-20220901-en
Max time kernel: 143s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe"

Signatures

AgentTesla (tags: keylogger trojan stealer spyware agenttesla)

WSHRAT (tags: trojan wshrat)

WSHRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eHmrw.vbs | C:\Windows\SysWOW64\wscript.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eHmrw.vbs | C:\Windows\SysWOW64\wscript.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Reads data files stored by FTP clients (tags: spyware stealer)

Reads user/profile data of local email clients (tags: spyware stealer)

Reads user/profile data of web browsers (tags: spyware stealer)

Accesses Microsoft Outlook profiles (tags: collection)

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Adds Run key to start application (tags: persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Euksrjermc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dszfa\\Euksrjermc.exe\"" | C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\eHmrw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\eHmrw.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A
Key created | \REGISTRY\MACHINE\software\Wow6432Node\microsoft\windows\currentversion\run | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eHmrw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\eHmrw.vbs\"" | C:\Windows\SysWOW64\wscript.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ethjtred = "C:\\Users\\Admin\\AppData\\Roaming\\ethjtred\\ethjtred.exe" | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A
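The Run-key rows above are the persistence IoCs a responder needs, but the value data is escaped JSON-style and in two cases wraps the real payload in a wscript.exe launcher. The following is an added example (not code from the sandbox vendor or this report) that parses those rows into structured entries: it normalises the kernel-style \REGISTRY\USER\<SID> and \REGISTRY\MACHINE paths to HKU/HKLM, unescapes the value data, unwraps script-host launchers, and flags keys that landed under Wow6432Node because a 32-bit process wrote them. The SCRIPT_HOSTS set and the row format (copied from this page) are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the "Adds Run key" rows from the behavioral1 report above,
# in the sandbox's flattened row format
#   <Description> <key>\<ValueName> = "<escaped data>" <writing process> <target>
SAMPLE_ROWS: List[str] = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Euksrjermc = "\"C:\\Users\\Admin\\AppData\\Roaming\\Dszfa\\Euksrjermc.exe\"" C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\software\microsoft\windows\currentversion\run C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\eHmrw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\eHmrw.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\eHmrw = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\eHmrw.vbs\"" C:\Windows\SysWOW64\wscript.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ethjtred = "C:\\Users\\Admin\\AppData\\Roaming\\ethjtred\\ethjtred.exe" C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe N/A',
]

# Only "Set value" rows carry data; the key path may contain spaces, the value name may not contain a backslash.
ROW_RE = re.compile(
    r'^Set value \(\w+\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+?) = "(?P<data>.*)" (?P<proc>\S+) \S+$'
)

# Script hosts seen on this page (assumption: extend for cmd.exe, mshta.exe, ... as needed).
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}


@dataclass
class RunKeyEntry:
    key: str                  # hive-prefixed key path (HKU\<SID>\... or HKLM\...)
    value_name: str
    launcher: Optional[str]   # script host named in the value data, if any
    payload: str              # the file that actually runs at logon
    writer: str               # process that wrote the value

    @property
    def wow64_redirected(self) -> bool:
        # A 32-bit writer targeting HKLM\SOFTWARE lands under Wow6432Node.
        return 'wow6432node' in self.key.lower()


def normalize_key(key: str) -> str:
    """Turn the kernel-style \\REGISTRY\\... path into the hive notation reg.exe uses."""
    upper = key.upper()
    if upper.startswith('\\REGISTRY\\MACHINE\\'):
        return 'HKLM\\' + key[len('\\REGISTRY\\MACHINE\\'):]
    if upper.startswith('\\REGISTRY\\USER\\'):
        return 'HKU\\' + key[len('\\REGISTRY\\USER\\'):]
    return key


def parse_run_keys(rows: List[str]) -> List[RunKeyEntry]:
    entries: List[RunKeyEntry] = []
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            continue  # "Key created" rows carry no value data
        # The sandbox escapes the value data like a JSON string: \" and \\ .
        cmd = re.sub(r'\\(.)', r'\1', m['data'])
        # Split into arguments, keeping double-quoted paths whole.
        tokens = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', cmd)]
        if not tokens:
            continue
        launcher, payload = None, tokens[0]
        if tokens[0].rsplit('\\', 1)[-1].lower() in SCRIPT_HOSTS:
            # e.g. wscript.exe //B "C:\...\eHmrw.vbs": skip switches, take the script path
            launcher = tokens[0]
            args = [t for t in tokens[1:] if not t.startswith(('/', '-'))]
            payload = args[0] if args else ''
        entries.append(RunKeyEntry(normalize_key(m['key']), m['name'], launcher, payload, m['proc']))
    return entries


def unique_payloads(entries: List[RunKeyEntry]) -> List[str]:
    """Distinct files the Run keys will launch at logon: the cleanup / hunt list."""
    return sorted({e.payload for e in entries if e.payload})


if __name__ == '__main__':
    for e in parse_run_keys(SAMPLE_ROWS):
        print(f"{e.key}\\{e.value_name} -> {e.payload} (via {e.launcher or 'direct'}, wow64={e.wow64_redirected})")
```

On the page's rows this yields three distinct payloads (Euksrjermc.exe, eHmrw.vbs, ethjtred.exe) behind four Run values; the HKLM copy of eHmrw sits under Wow6432Node, so a hunt that only queries the native HKLM\SOFTWARE\...\Run view from a 64-bit shell would miss it.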

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Enumerates physical storage devices

NSIS installer (tags: installer)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (6 matches, no details recorded)

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1760 wrote to memory of 1668 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1760 wrote to memory of 976 (9 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe | C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe
PID 976 wrote to memory of 1436 (4 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe | C:\Windows\SysWOW64\wscript.exe
PID 1436 wrote to memory of 1308 (4 rows) | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Users\Admin\AppData\Roaming\hat.exe
PID 1308 wrote to memory of 944 (4 rows) | N/A | C:\Users\Admin\AppData\Roaming\hat.exe | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe
PID 944 wrote to memory of 1316 (5 rows) | N/A | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe

(The sandbox emits one row per WriteProcessMemory call; identical rows are collapsed here with their count.)
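The WriteProcessMemory rows are the only place this report records who spawned whom, and two of the pairs (1760 to 976, 944 to 1316) have the writer and the target running the same image, with more writes than the plain spawns. Together with the SetThreadContext signature and the mapping.dmp entries for PIDs 976 and 1316, that is the shape of process hollowing / RunPE. The following is an added example (not code from the sandbox vendor or this report) that rebuilds the process tree from those rows, collapses the duplicate rows into counts, and flags the same-image writes. The row format and the repetition counts are copied from this page; the reconstruction of parentage from write events is the example's assumption.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Image paths as they appear in the behavioral1 process list.
DROPPER = r'C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe'
POWERSHELL = r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
WSCRIPT = r'C:\Windows\SysWOW64\wscript.exe'
HAT = r'C:\Users\Admin\AppData\Roaming\hat.exe'
KBD = r'C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe'


def _row(src: int, dst: int, src_img: str, dst_img: str) -> str:
    # One sandbox row: "PID <src> wrote to memory of <dst> N/A <src image> <target image>"
    return f'PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}'


# Constructed input: the WriteProcessMemory rows from this report, with the
# same repetition counts the sandbox recorded (one row per call).
SAMPLE_ROWS: List[str] = (
    [_row(1760, 1668, DROPPER, POWERSHELL)] * 4
    + [_row(1760, 976, DROPPER, DROPPER)] * 9
    + [_row(976, 1436, DROPPER, WSCRIPT)] * 4
    + [_row(1436, 1308, WSCRIPT, HAT)] * 4
    + [_row(1308, 944, HAT, KBD)] * 4
    + [_row(944, 1316, KBD, KBD)] * 5
)

ROW_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$'
)


def parse_write_events(rows: List[str]) -> Dict[Tuple[int, int], dict]:
    """Collapse duplicate rows into one record per (writer, target) pair with a call count."""
    events: Dict[Tuple[int, int], dict] = {}
    for line in rows:
        m = ROW_RE.match(line)
        if not m:
            continue
        key = (int(m['src']), int(m['dst']))
        ev = events.setdefault(key, {'count': 0, 'src_image': m['src_img'], 'dst_image': m['dst_img']})
        ev['count'] += 1
    return events


def build_tree(events: Dict[Tuple[int, int], dict]):
    """Writer -> targets map (insertion order kept) and the PIDs nobody wrote into (roots)."""
    children: Dict[int, List[int]] = defaultdict(list)
    written_to = set()
    for (src, dst) in events:
        if dst not in children[src]:
            children[src].append(dst)
        written_to.add(dst)
    roots = [pid for pid in children if pid not in written_to]
    return dict(children), roots


def self_injections(events: Dict[Tuple[int, int], dict]) -> List[Tuple[int, int, str]]:
    """(writer, target, image) pairs where the target runs the writer's own image:
    the pattern of process hollowing / RunPE (a fresh instance of self, overwritten)."""
    return sorted(
        (src, dst, ev['dst_image'])
        for (src, dst), ev in events.items()
        if ev['src_image'].lower() == ev['dst_image'].lower()
    )


def image_of(events: Dict[Tuple[int, int], dict], pid: int) -> str:
    for (src, dst), ev in events.items():
        if src == pid:
            return ev['src_image']
        if dst == pid:
            return ev['dst_image']
    return '?'


def render_tree(events: Dict[Tuple[int, int], dict]) -> List[str]:
    """Indented tree, one line per PID, annotated with the write count from its parent."""
    children, roots = build_tree(events)
    hollowed = {dst for _, dst, _ in self_injections(events)}
    lines: List[str] = []

    def walk(pid: int, depth: int, writes: int) -> None:
        flag = '  [target of a same-image write]' if pid in hollowed else ''
        lines.append(f"{'  ' * depth}{pid} {image_of(events, pid)} (writes from parent: {writes}){flag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, events[(pid, child)]['count'])

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == '__main__':
    print('\n'.join(render_tree(parse_write_events(SAMPLE_ROWS))))
```

The rendered tree is a single chain: 1760 (sample) writes to 1668 (powershell.exe) and to 976 (a second copy of itself); 976 starts 1436 (wscript.exe), which starts 1308 (hat.exe), which starts 944 (kbddodhxh.exe), which in turn writes into 1316, another copy of itself. When triaging similar reports, the same-image pairs are the processes whose memory dumps (the mapping.dmp and 0x400000 region dumps above) are worth unpacking first.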

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe | N/A

Processes (image path, then command line; PIDs taken from the WriteProcessMemory table above)

C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe (PID 1760)
    "C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1668, written to by 1760)
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    The -enc argument is base64 of UTF-16LE text and decodes to: Start-Sleep -Seconds 50 (a 50-second delay, not a payload).

C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe (PID 976, a second instance of the sample, written to by 1760)
    C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe

C:\Windows\SysWOW64\wscript.exe (PID 1436, written to by 976)
    "C:\Windows\System32\wscript.exe" "C:\Users\Admin\AppData\Roaming\eHmrw.vbs"

C:\Users\Admin\AppData\Roaming\hat.exe (PID 1308, written to by 1436)
    "C:\Users\Admin\AppData\Roaming\hat.exe"

C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe (PID 944, written to by 1308)
    "C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe" C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa

C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe (PID 1316, a second instance with the same argument, written to by 944)
    "C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe" C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa

Note: the command lines name C:\Windows\System32\ while the recorded image paths are under C:\Windows\SysWOW64\. These are 32-bit processes (their images live in SysWOW64 and the HKLM Run key above landed under Wow6432Node), so WOW64 file-system redirection maps their System32 references to SysWOW64; detection rules keyed on the image path must expect the SysWOW64 form.
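The PowerShell child above carries its script as a base64 -enc argument, so the command line alone says nothing until it is decoded. The following is an added example (not code from the sandbox vendor or this report) that pulls the encoded argument out of a recorded command line, decodes it as the UTF-16LE text powershell.exe expects, and separates a lone Start-Sleep delay from anything that actually does work. The first sample command line is the one on this page; the other command lines are constructed variants, and the set of accepted switch spellings (-EncodedCommand, its prefixes from -en upward, -e and -ec) reflects powershell.exe's parameter matching as the example assumes it.

```python
import base64
import re
from typing import List, Optional

# Constructed sample command lines. The first is the powershell.exe command line
# recorded in both detonations of this report; the rest are variants written here
# to exercise the switch aliases and the failure paths.
SAMPLE_CMDLINES: List[str] = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==',
    r'powershell.exe -NoP -W Hidden -EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==',
    r'powershell.exe -e UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==',
    r'powershell.exe -ExecutionPolicy Bypass -File C:\Temp\update.ps1',
]


def split_cmdline(cmdline: str) -> List[str]:
    """Split on whitespace while keeping double-quoted arguments together."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_encoded_switch(token: str) -> bool:
    """powershell.exe takes -EncodedCommand, any prefix of it from -en upward
    (-enc, -encoded, ...), and the short forms -e and -ec; switches may also use /."""
    if not token or token[0] not in '-/':
        return False
    name = token[1:].lower()
    return name in ('e', 'ec') or (len(name) >= 2 and 'encodedcommand'.startswith(name))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind the encoded-command switch, or None when the
    command line has no such switch or the payload is not valid base64 / UTF-16LE."""
    tokens = split_cmdline(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if not is_encoded_switch(tok):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
            if len(raw) % 2:
                return None  # UTF-16 needs an even byte count
            return raw.decode('utf-16-le')
        except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
            return None
    return None


# A script that is nothing but one Start-Sleep call (no ';', '|' or '&' chaining).
SLEEP_ONLY_RE = re.compile(r'^\s*start-sleep\b[^;|&\n]*$', re.IGNORECASE)


def is_pure_delay(script: str) -> bool:
    """True when the decoded script is a lone Start-Sleep: a timing delay, not a payload."""
    return bool(SLEEP_ONLY_RE.match(script))


if __name__ == '__main__':
    for cmd in SAMPLE_CMDLINES:
        decoded = decode_encoded_command(cmd)
        verdict = 'no encoded command' if decoded is None else ('delay only' if is_pure_delay(decoded) else 'script')
        print(f'{verdict:18} {decoded!r}')
```

For this sample the decoded script is Start-Sleep -Seconds 50, which is why the PowerShell child shows nothing beyond SeDebugPrivilege and process enumeration in either detonation: the delay runs while the parent's injected copy (PID 976) carries on. A decoder like this belongs in the command-line normalisation step of any PowerShell detection pipeline, since rules matching on -enc alone cannot tell a delay from a download cradle.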

Network

Country | Destination | Domain | Proto | Connections
N/A | 8.8.8.8:53 | ip-api.com | udp | 1
N/A | 208.95.112.1:80 | ip-api.com | tcp | 1
N/A | 8.8.8.8:53 | snkcyp.duckdns.org | udp | 1
N/A | 194.180.48.65:44147 | snkcyp.duckdns.org | tcp | 9
N/A | 45.85.219.227:80 | 45.85.219.227 | tcp | 1
N/A | 8.8.8.8:53 | api.ipify.org | udp | 1
N/A | 54.91.59.199:443 | api.ipify.org | tcp | 1

(Repeated connections to the same endpoint are collapsed with a count; the original list interleaves the nine snkcyp.duckdns.org connections with the other traffic.)

Files

Dropped files (each file listed once; the sandbox recorded hat.exe and kbddodhxh.exe several times, under both the C:\Users\... and \Users\... path forms, always with the hashes below)

C:\Users\Admin\AppData\Roaming\eHmrw.vbs
MD5 cd1f081335b6c49a40d51e090604a9ab
SHA1 5b645d1cf905f73cf7bd23af3dae0c3f381c8b2a
SHA256 efcde6d8aa951a087836a35b27d0db4f95b8c4886a1800c34ce58deab9aa5bdb
SHA512 47b786ea6414f1c7fffdac54b80b6e064dd9fde3adc8094ec1d6a08648b37be0d46b09bbe316da7d662c6ceaad24eb390332bedfd218ec8dd11d77b067fdfccc

C:\Users\Admin\AppData\Roaming\hat.exe
MD5 2a163403e00ba8afbe3c7a2e6df3e2e2
SHA1 404038a796396209580a64a537b57695bbd9b175
SHA256 4a8bba516cd171925cf36969b9e882c1029dbf88383463f9f646145f54fc35ef
SHA512 6a7fdae05a3f2945ef2a8b87c1495dc00a69daa66355cd1009e0b924919f25314b47e541aefd1465c0ca6f2db0dc2b9796b056c1357aa67721ee044446d91187

C:\Users\Admin\AppData\Local\Temp\kbddodhxh.exe
MD5 8a73408537089a2c75b20e5777a45a3c
SHA1 6743c59431668ff81f1c09e2c2820417dea10324
SHA256 6058cebe9c8ccfd2c4576dbfbaf254e18e0617d3a42e4b4e054b71105cbdb98b
SHA512 87955fcebd7dfe6c2b6517266a7525a6ef71bd215de8404622ff2ebf0145a95b44955f6fee33292a247e32fc2e5f3d0f9063cecff2e68d67b987195788917a06

C:\Users\Admin\AppData\Local\Temp\cajpktnk.qa
MD5 52d6c758e902d52f73d818e395df4afc
SHA1 e947d2b6392657226ca248014dc3933e8ed56007
SHA256 a38032f0d1f0dfc6eb4d3b0d898b8faefe486d63a84113ad8f856d130049f910
SHA512 2dd0ed8c70a8ace942f48763add368ce411e068ad40ab3524d09edb6a21c074c06404a9b7fd2228cb3253028e63a8885804c5a37b9d9ec3c5ea7a5e584fc2551

C:\Users\Admin\AppData\Local\Temp\ymnzmdjt.z
MD5 287ed1f3735b69389a9c35b08671168f
SHA1 7ceeaf5bc178a85b911d8415f220d82e1a347398
SHA256 64a65ddf80fa3ebedaa87d12c18366b83650b779f7af15696442f0725bd29d7f
SHA512 1d21132e401ef395fbb92bb669dbb0b10a3daaf60e3b09be68d3884ba10901ee9429cf73b4f6c4d1e5f52a0630c547a35be6a38ed480d977e904b99b55240c5a

Memory dumps (PID-sequence-region; "mapping" entries record the address a thread was pointed at)

memory/1760-54-0x00000000011A0000-0x0000000001352000-memory.dmp
memory/1760-55-0x0000000000DC0000-0x0000000000E9C000-memory.dmp
memory/1760-56-0x0000000000CF0000-0x0000000000D82000-memory.dmp
memory/1668-57-0x0000000000000000-mapping.dmp
memory/1668-58-0x0000000075931000-0x0000000075933000-memory.dmp
memory/1668-59-0x000000006F460000-0x000000006FA0B000-memory.dmp
memory/1668-60-0x000000006F460000-0x000000006FA0B000-memory.dmp
memory/1668-61-0x000000006F460000-0x000000006FA0B000-memory.dmp
memory/976-62-0x0000000000400000-0x000000000048A000-memory.dmp
memory/976-63-0x0000000000400000-0x000000000048A000-memory.dmp
memory/976-65-0x0000000000400000-0x000000000048A000-memory.dmp
memory/976-67-0x0000000000400000-0x000000000048A000-memory.dmp
memory/976-68-0x0000000000400000-0x000000000048A000-memory.dmp
memory/976-69-0x00000000004842AE-mapping.dmp
memory/976-71-0x0000000000400000-0x000000000048A000-memory.dmp
memory/976-73-0x0000000000400000-0x000000000048A000-memory.dmp
memory/1436-74-0x0000000000000000-mapping.dmp
memory/1308-78-0x0000000000000000-mapping.dmp
memory/944-83-0x0000000000000000-mapping.dmp
memory/1316-90-0x0000000000401896-mapping.dmp
memory/1316-93-0x00000000004E0000-0x000000000051C000-memory.dmp
memory/1316-94-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-25 03:27
Reported: 2022-11-25 03:31
Platform: win10v2004-20221111-en
Max time kernel: 150s
Max time network: 177s

Note: on this Windows 10 image only the sample and its PowerShell child were recorded. None of the dropped files, Run keys, Outlook/browser access or snkcyp.duckdns.org traffic seen in behavioral1 appear within the 177s window, so the behavioral1 run is the one to use for indicators.

Command Line

"C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe"

Signatures

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes (image path, then command line)

C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe
    "C:\Users\Admin\AppData\Local\Temp\2da9543a96dc5ca68af4c2e095e21f49.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
    The same encoded argument as in behavioral1; it decodes (base64, UTF-16LE) to: Start-Sleep -Seconds 50

Network

Country | Destination | Domain | Proto | Connections
N/A | 85.17.31.82:80 | (none recorded) | tcp | 1
N/A | 67.27.153.254:80 | (none recorded) | tcp | 2
N/A | 72.21.91.29:80 | (none recorded) | tcp | 1
N/A | 104.208.16.90:443 | (none recorded) | tcp | 1
N/A | 178.79.208.1:80 | (none recorded) | tcp | 3
N/A | 104.80.225.205:443 | (none recorded) | tcp | 1

(No domain was recorded for any of these connections; repeated connections are collapsed with a count.)

Files

No dropped files were recorded in this run. Memory dumps:

memory/4544-132-0x0000000000180000-0x0000000000332000-memory.dmp
memory/4544-133-0x0000000005380000-0x00000000053A2000-memory.dmp
memory/1504-134-0x0000000000000000-mapping.dmp
memory/1504-135-0x0000000002490000-0x00000000024C6000-memory.dmp
memory/1504-136-0x0000000004BD0000-0x00000000051F8000-memory.dmp
memory/1504-137-0x0000000005370000-0x00000000053D6000-memory.dmp
memory/1504-138-0x00000000053E0000-0x0000000005446000-memory.dmp
memory/1504-139-0x0000000005A50000-0x0000000005A6E000-memory.dmp
memory/1504-140-0x00000000070A0000-0x000000000771A000-memory.dmp
memory/1504-141-0x0000000005F80000-0x0000000005F9A000-memory.dmp