Analysis Overview
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Threat Level: Known bad
The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.
Malicious Activity Summary
Detect PureCrypter injector
PureCrypter
Aurora
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-05 13:23
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-05 13:23
Reported
2023-02-05 13:26
Platform
win7-20220812-en
Max time kernel
97s
Max time network
102s
Command Line
Signatures
Aurora
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1752 set thread context of 1616 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| DE | 45.9.74.11:8081 | tcp |
Files
memory/2028-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | ba50f2bca86ba947a8d2035bb9b35123 |
| SHA1 | a542b5c5d41174dc2475a219978123b7d14f958f |
| SHA256 | 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5 |
| SHA512 | 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379 |
memory/2028-56-0x0000000075811000-0x0000000075813000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | ba50f2bca86ba947a8d2035bb9b35123 |
| SHA1 | a542b5c5d41174dc2475a219978123b7d14f958f |
| SHA256 | 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5 |
| SHA512 | 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 59b596bf09f3ae0a0a79834d4cc5277b |
| SHA1 | d21bd330e29bff58e29515b36d88728e8e855eb4 |
| SHA256 | 54b216b3d8e336b04664f77db9faf5b62d5e15b49b94583b4e971f4e220b2f11 |
| SHA512 | 4c1fc8606f4074f84b4d3161aab76ee481ab363d07523489699a8d8333ba16ae3a26d0680c7430a12f4febfe0143b36f7be8f0638109354fdb693b654bf1bd56 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c08c12cc0ea770f1242723ed94f8de1e |
| SHA1 | 678e1b6cf8b521c3fcd6fb3ac59d562299bb9d63 |
| SHA256 | 6512e71dd3ebe2a92a6578ff90c126b27872fbc23313f7ee8c8b21624f646720 |
| SHA512 | 1f43a9118249833766ff697023795010acb5e406f0a11a0b8a20c8144c706092d8b155c37a52d5285e6d411345531d29045724b9b1eedd9441472ea5e5ebd222 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 019e6ce55e3522204e1c3ab4dc65add8 |
| SHA1 | 4f366e1341df8f2e2e1083c848c7cc9a6ec06920 |
| SHA256 | 03d99fa1dc2fe81d09ef92450e0fcbb55aef86f7bba0b34b95eee7c314275e17 |
| SHA512 | fccaafc225781e88567d42f99bd40acd1dc6a911fcbb3bbf9ea2fee70c6d7f96c540a419d34d31c43c4e2d61aa7a4fb13afac11bdfdc89eb67c011aa87106a0d |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 615a0b521ef5882a3089da98f8420dea |
| SHA1 | 9bf4dee8f990674cfcf2bc693113ba47ddf4f66a |
| SHA256 | b80d81e9b1e41e0257b357ff475b26e3b3eb642954112e43631b941d5e1be896 |
| SHA512 | bc52f3edd5b070b20c5d68c202d58dff0a877ff5d7f82fc8bf37b21d4aa2c6281eb6dfed2995b560bcbeb0b8c54b6400d2108b3534b9502235f085ba05549cd8 |
memory/1752-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 0589744e604dab45cffdf069f9dddfde |
| SHA1 | 6accbe590a5ed0bf2533df97e454660d1d5bc6ab |
| SHA256 | 9f4189ebb408e1b8000c1708176c5af80bbc2cd958d5e6b66968390973f5903a |
| SHA512 | d6bb588ca4fc07ffa8fb8a7bb975958c3484e2a86b2f999243674e66dd94cc89281c60eca1918aa42a6f9f32508c483aad16af6112054c44c288c0d470dbad40 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | af5700b9d67adf5b23c173a43e047eaa |
| SHA1 | bda403b54a84b931603d2f4acd45fb0f307badf7 |
| SHA256 | efedadf5dddacb6eb4e4d31100213f9fea3a6ca959c4854778381235dafb359a |
| SHA512 | f187b3bfbdcbe77a54d3b80f7141f0fbacfb35d06eb8d0e3bc39695ded83e02d220f67685e4c06d572fa617e8d92247ee45aad38cfffd16050a8ebe5e9402bea |
memory/1752-65-0x0000000001200000-0x0000000001974000-memory.dmp
memory/1752-66-0x0000000006460000-0x0000000006800000-memory.dmp
memory/1056-67-0x0000000000000000-mapping.dmp
memory/1056-69-0x000000006F750000-0x000000006FCFB000-memory.dmp
memory/1056-70-0x000000006F750000-0x000000006FCFB000-memory.dmp
memory/1056-71-0x000000006F750000-0x000000006FCFB000-memory.dmp
memory/880-72-0x0000000000000000-mapping.dmp
memory/1752-73-0x0000000005330000-0x00000000054A2000-memory.dmp
memory/1548-74-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | cc1f3ca48a90a45d09ca6d64da3ee160 |
| SHA1 | bf2eb1a830bd830ae4a83ed3df2662342c4faf90 |
| SHA256 | d39797cd724022506123c334525a29cda727deb5e512be2815834aa4e3ae2509 |
| SHA512 | 14ea7c60259ebeeea0b5670edf15f7de1c6415feeb0bce6ab86775b0d15d9b35c67206c69b7eae63d8f7442faa47d37a666caf60ceebb1b28d6eb3235ac344d4 |
memory/1616-78-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1616-80-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1616-76-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1616-82-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1548-83-0x000000006F1A0000-0x000000006F74B000-memory.dmp
memory/1616-85-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1616-86-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1616-88-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1616-89-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e0cbbf3cef6a47c4c4d004eb986a4589 |
| SHA1 | 7a220e8a2c2e0261e97178fc25c2b8bf97bda574 |
| SHA256 | 9916db0ceac052be2a84763eae443e4d67cff4d138c51e9dcfaae69e92a2304c |
| SHA512 | e7a56b15029f4735522c095648d084aa9fe2ece783b1043f1003946f705f67077c6a58e55d518cd5b4488e8491d63be1b0661000802511f7fa16f02608b4af29 |
memory/1616-90-0x0000000000464C20-mapping.dmp
memory/1616-93-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1616-94-0x0000000000400000-0x0000000000731000-memory.dmp
memory/1548-95-0x000000006F1A0000-0x000000006F74B000-memory.dmp
memory/1824-96-0x0000000000000000-mapping.dmp
memory/1964-97-0x0000000000000000-mapping.dmp
memory/1712-98-0x0000000000000000-mapping.dmp
memory/2004-99-0x0000000000000000-mapping.dmp
memory/1364-100-0x0000000000000000-mapping.dmp
memory/1616-101-0x0000000000400000-0x0000000000731000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-05 13:23
Reported
2023-02-05 13:26
Platform
win10v2004-20220812-en
Max time kernel
93s
Max time network
154s
Command Line
Signatures
Aurora
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 620 set thread context of 3348 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| IE | 13.69.239.72:443 | tcp | |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| DE | 45.9.74.11:8081 | tcp |
Files
memory/1364-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | ba50f2bca86ba947a8d2035bb9b35123 |
| SHA1 | a542b5c5d41174dc2475a219978123b7d14f958f |
| SHA256 | 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5 |
| SHA512 | 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | ba50f2bca86ba947a8d2035bb9b35123 |
| SHA1 | a542b5c5d41174dc2475a219978123b7d14f958f |
| SHA256 | 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5 |
| SHA512 | 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379 |
memory/620-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 14a9737eb666769fee7c28a00eb14e82 |
| SHA1 | ab8f2279f13a546fc32233a4da0855660fb07ec0 |
| SHA256 | a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a |
| SHA512 | 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 14a9737eb666769fee7c28a00eb14e82 |
| SHA1 | ab8f2279f13a546fc32233a4da0855660fb07ec0 |
| SHA256 | a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a |
| SHA512 | 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7 |
memory/620-138-0x0000000000700000-0x0000000000E74000-memory.dmp
memory/620-139-0x0000000006C80000-0x0000000006CA2000-memory.dmp
memory/4580-140-0x0000000000000000-mapping.dmp
memory/4580-141-0x0000000004BF0000-0x0000000004C26000-memory.dmp
memory/4580-142-0x0000000005260000-0x0000000005888000-memory.dmp
memory/4580-143-0x0000000005A80000-0x0000000005AE6000-memory.dmp
memory/4580-144-0x0000000005AF0000-0x0000000005B56000-memory.dmp
memory/4580-145-0x0000000006180000-0x000000000619E000-memory.dmp
memory/4580-146-0x00000000079A0000-0x000000000801A000-memory.dmp
memory/4580-147-0x0000000006670000-0x000000000668A000-memory.dmp
memory/2360-148-0x0000000000000000-mapping.dmp
memory/5020-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
memory/3348-151-0x0000000000000000-mapping.dmp
memory/3348-152-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | a079cf4f0e16b486ccc043f74d6272e3 |
| SHA1 | de1f8b989bc5bca3006e1264501409eae50e2e27 |
| SHA256 | 57a72ea2e0cba13176e4a6fa3ef5afa7ccd2223d814c4b1a535c2a75b2a965b3 |
| SHA512 | 2d8a103e21444c358d667e418b0550eb90c739c288e4c26ad3c1fd2ebf9d16d4523e9e5f6d9757a296c67251e72deba442b02dd5a6b664b9aa1b61e36093ba6a |
memory/3348-155-0x0000000000400000-0x0000000000731000-memory.dmp
memory/3348-156-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 81990a6177c169653f6c00cf55d149e7 |
| SHA1 | 126a4d14e3ba241c037798a242470249ffbec30c |
| SHA256 | 7195f4858c5f303eb3f14186ba6ccd4406d518c1a850c25508b372df1fe6626f |
| SHA512 | 6314f388fb1025f3cb3ba53cc47613342ead2cad2842a685a52dd0c1b725201d0c7a7a25c6761c1bfb7f02d3ea8eb4aeea804d166289210978d402161069f547 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/5020-159-0x0000000007920000-0x0000000007952000-memory.dmp
memory/5020-160-0x0000000074670000-0x00000000746BC000-memory.dmp
memory/5020-161-0x0000000006F20000-0x0000000006F3E000-memory.dmp
memory/5020-162-0x0000000007CF0000-0x0000000007CFA000-memory.dmp
memory/3360-163-0x0000000000000000-mapping.dmp
memory/5020-164-0x0000000007F40000-0x0000000007FD6000-memory.dmp
memory/1864-165-0x0000000000000000-mapping.dmp
memory/3104-166-0x0000000000000000-mapping.dmp
memory/5020-167-0x00000000067D0000-0x00000000067DE000-memory.dmp
memory/5020-168-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
memory/5020-169-0x0000000007E80000-0x0000000007E88000-memory.dmp
memory/2900-170-0x0000000000000000-mapping.dmp
memory/1184-171-0x0000000000000000-mapping.dmp
memory/3348-172-0x0000000000400000-0x0000000000731000-memory.dmp