Malware Analysis Report

2024-10-24 17:03

Sample ID 221126-wm4kjsgb71
Target cb5892e66ce5c2e7b5ab9946e77e1e634fdc5588a729ad6fdaaa4fd822f27051
SHA256 cb5892e66ce5c2e7b5ab9946e77e1e634fdc5588a729ad6fdaaa4fd822f27051
Tags
persistence runningrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cb5892e66ce5c2e7b5ab9946e77e1e634fdc5588a729ad6fdaaa4fd822f27051

Threat Level: Known bad

The file cb5892e66ce5c2e7b5ab9946e77e1e634fdc5588a729ad6fdaaa4fd822f27051 was found to be: Known bad.

Malicious Activity Summary

persistence runningrat

RunningRat payload

Runningrat family

Executes dropped EXE

Sets DLL path for service in the registry

Loads dropped DLL

Checks computer location settings

Deletes itself

Creates a Windows Service

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-26 18:03

Signatures

RunningRat payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Runningrat family

runningrat

Analysis: behavioral4

Detonation Overview

Submitted

2022-11-26 18:03

Reported

2022-11-27 09:44

Platform

win10v2004-20221111-en

Max time kernel

150s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1328 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 616 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 616 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1

Network

Country Destination Domain Proto
N/A 8.238.21.126:80 tcp
N/A 104.46.162.226:443 tcp
N/A 104.80.225.205:443 tcp
N/A 8.238.21.126:80 tcp
N/A 8.238.21.126:80 tcp
N/A 8.238.21.126:80 tcp
N/A 8.238.21.126:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\240622734.dll

MD5 d577f66de7124b80ef14b558be6a90f9
SHA1 688c3cab5c53f1708adbf7f5e548deec69a316e2
SHA256 4f14d7c1b36f30f3965cd3610538e3246cb6df8bf6472cf48eece6d9d516179c
SHA512 16427d1eeab8ea8cdef25983ee14e12c783afbee1ccd7b0996a1481b1070267f0db61a9e3d76c69eec46379ed45c0da36e8cae167ecc2e8841c7fd7fc533ebbe

memory/616-133-0x0000000000000000-mapping.dmp

memory/4424-134-0x0000000000000000-mapping.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2022-11-26 18:03

Reported

2022-11-27 09:43

Platform

win7-20220812-en

Max time kernel

171s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\123.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\7109074.dll" C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Creates a Windows Service

persistence

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\7109074.dll C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1

C:\Windows\SysWOW64\123.exe

C:\Windows\system32\123.exe "c:\program files (x86)\google\7109074.dll",MainThread

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 ip.cn udp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp
N/A 172.67.135.10:80 ip.cn tcp

Files

memory/1056-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

\Program Files (x86)\Google\7109074.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\Program Files (x86)\Google\7109074.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\??\c:\program files (x86)\google\7109074.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

memory/2044-58-0x0000000000000000-mapping.dmp

memory/1984-59-0x0000000000000000-mapping.dmp

memory/1176-61-0x0000000000000000-mapping.dmp

\Windows\SysWOW64\123.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Windows\SysWOW64\123.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

C:\Windows\SysWOW64\123.exe

MD5 51138beea3e2c21ec44d0932c71762a8
SHA1 8939cf35447b22dd2c6e6f443446acc1bf986d58
SHA256 5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124
SHA512 794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

\Program Files (x86)\Google\7109074.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\Program Files (x86)\Google\7109074.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\Program Files (x86)\Google\7109074.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\Program Files (x86)\Google\7109074.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

Analysis: behavioral6

Detonation Overview

Submitted

2022-11-26 18:03

Reported

2022-11-27 09:44

Platform

win10v2004-20221111-en

Max time kernel

156s

Max time network

176s

Command Line

"C:\Users\Admin\AppData\Local\Temp\server.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\123.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\123\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\240607953.dll" C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\123.exe N/A

Creates a Windows Service

persistence

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\123.exe C:\Windows\SysWOW64\svchost.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google\240607953.dll C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k "123"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1

C:\Windows\SysWOW64\123.exe

C:\Windows\system32\123.exe "c:\program files (x86)\google\240607953.dll",MainThread

Network

Country Destination Domain Proto
N/A 13.78.111.199:443 tcp
N/A 104.80.225.205:443 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 8.8.8.8:53 ip.cn udp
N/A 104.21.6.167:80 ip.cn tcp
N/A 8.8.8.8:53 106.89.54.20.in-addr.arpa udp
N/A 104.21.6.167:80 ip.cn tcp
N/A 8.8.8.8:53 a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 104.21.6.167:80 ip.cn tcp

Files

C:\Program Files (x86)\Google\240607953.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

C:\Program Files (x86)\Google\240607953.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

\??\c:\program files (x86)\google\240607953.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

memory/2328-135-0x0000000000000000-mapping.dmp

memory/4412-136-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\123.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

memory/3388-137-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\123.exe

MD5 889b99c52a60dd49227c5e485a016679
SHA1 8fa889e456aa646a4d0a4349977430ce5fa5e2d7
SHA256 6cbe0e1f046b13b29bfa26f8b368281d2dda7eb9b718651d5856f22cc3e02910
SHA512 08933106eaf338dd119c45cbf1f83e723aff77cc0f8d3fc84e36253b1eb31557a54211d1d5d1cb58958188e32064d451f6c66a24b3963cccd3de07299ab90641

C:\Program Files (x86)\Google\240607953.dll

MD5 7584e503fa363f192940905470467f87
SHA1 212df83d88300008faef1730d14f7945930c6836
SHA256 b041bd2a32989f79b513e54bec057e6f5769eb00f95011ae1e7e487df407a913
SHA512 c4835b299d62a821cff5eae30809d26011838443e7fab554ab2884d7cf9e17a720ceb38086ccac09ee5f99ce1bc7ebdf1e11114960101fb56e010a97168568e5

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-26 18:03

Reported

2022-11-27 09:47

Platform

win7-20221111-en

Max time kernel

227s

Max time network

336s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gh0st.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Gh0st.exe

"C:\Users\Admin\AppData\Local\Temp\Gh0st.exe"

Network

N/A

Files

memory/1768-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-26 18:03

Reported

2022-11-27 09:43

Platform

win10v2004-20220812-en

Max time kernel

172s

Max time network

191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Gh0st.exe"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Gh0st.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Gh0st.exe

"C:\Users\Admin\AppData\Local\Temp\Gh0st.exe"

Network

Country Destination Domain Proto
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 13.69.109.130:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2022-11-26 18:03

Reported

2022-11-27 09:43

Platform

win7-20220812-en

Max time kernel

45s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 1 && del /f/q "C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 1

Network

N/A

Files

memory/1996-54-0x0000000075281000-0x0000000075283000-memory.dmp

\Users\Admin\AppData\Local\Temp\7072118.dll

MD5 d577f66de7124b80ef14b558be6a90f9
SHA1 688c3cab5c53f1708adbf7f5e548deec69a316e2
SHA256 4f14d7c1b36f30f3965cd3610538e3246cb6df8bf6472cf48eece6d9d516179c
SHA512 16427d1eeab8ea8cdef25983ee14e12c783afbee1ccd7b0996a1481b1070267f0db61a9e3d76c69eec46379ed45c0da36e8cae167ecc2e8841c7fd7fc533ebbe

memory/904-56-0x0000000000000000-mapping.dmp

memory/948-58-0x0000000000000000-mapping.dmp