Analysis Overview
SHA256
471d501162e2a5cb6aab3f4f5362ff843d05ef9f20d9fd7ea29733d3a9875747
Threat Level: Known bad
The file 5e243f79ecb539d0d1f75fce7ddfedeccee70a48 was found to be: Known bad.
Malicious Activity Summary
PureCrypter
Aurora
Detect PureCrypter injector
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-05 13:34
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-05 13:34
Reported
2023-02-05 13:37
Platform
win7-20220812-en
Max time kernel
85s
Max time network
89s
Command Line
Signatures
Aurora
Detect PureCrypter injector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1308 set thread context of 1648 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
Network
| Country | Destination | Domain | Proto |
| DE | 45.9.74.11:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | e444d74e90a591074fc8edb957525c97 |
| SHA1 | 88390d1a953d964a21e7adc24b58bc197c7ec7f3 |
| SHA256 | 55c6b9f8e91402ee6554194ebdd87deddab55be55a03ff1d4794499fd3efb93d |
| SHA512 | 63f0db5de81f7a84c1722cb695b920c4a3bb62c488c39138b618ba9d5fb431bf78e0837044ee5b5b86cc06b7aa2e710b6d22c6df7d09f7ab7cf331d1d4d3b3f6 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | 13115942e0b047cc2e32a26ff8ab1319 |
| SHA1 | 1af626f56b28329e467df12b6decc13a49705dab |
| SHA256 | 489a9148faca7f7772785c40e900fc3957073d18921cf1230b51d5cee6ce7e95 |
| SHA512 | 63fc4524d76eb893523806b9361409bfc7b640ef2f7c478e0540b5d772a1599e754bcca81fb1bce4ee5944eb0988e00e7229e8c7b117f9a0847fcbff5505c952 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c6be758319bf76f71c15e856b77b792f |
| SHA1 | 73b8051d270e484762392b803bdc149a2590892a |
| SHA256 | c7a4538659cdcabc3ccefe0505001c0337efca0abfd2ca623bfca5d5acb77739 |
| SHA512 | 36c3f22a81a8083998252f7a48a21b876c0c20f356065255c0f8deb03fba7f7606a1d821d9b1e3d6587b85c2909fe74585ce9efa34093abdd1da85a8b152ff27 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 6366d1f60f8658e3b5894eea61aa464e |
| SHA1 | da2f2763ca2b975fcfdda63b5eeda4301d2b6e8b |
| SHA256 | d1e66a8a722d2416534f69d8a655939bfbee206c6fb743f4423d15914b489893 |
| SHA512 | 1595b472298664c2b1ccbcec3d90e5d1aef3cd4624a8c46003b93482b41fd5aa0bfe159a0153211a85c33a09d0da140167f0f04d6397122443a5c375b97e44f8 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 65e77e7b6966bda0502eaec92b3fc880 |
| SHA1 | 8b8029c483e9a021c307df8437448e5d7ba2ea78 |
| SHA256 | 842b46eba4acc4653015f8c446ae11c325a3722712979be6e476c68faa9c5497 |
| SHA512 | 6d3fdd446f3ffe63a2ca93966ffda716d2441d9a338cc6578a35b43276fd8e71642211950a683c59d0d3daa9366e1fc117b5d861bc06606f17dd13d1ffe0cd49 |
\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | c61e8b33fb94cfefd73b4ac0b8907cbd |
| SHA1 | 2f4ff9dc4d2fb47329a2a344d1f993f301216d0f |
| SHA256 | 48b5f11faf08100d18f8a601e4abba38e0e99b5db6af0bc0874639d0618ffc13 |
| SHA512 | 457f35064efb99b3431012b8974c23b028ed02c257a3fe20442d5ff03d7f63ca4b2bfc7452f205f1dff1c5360330089f1535a679205137fd6e6b0c6cf6212f03 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 09eccf943a1bc7882adbf7f93530d210 |
| SHA1 | 3d5e7029ab21389acea861abe9a619b77fb48972 |
| SHA256 | 80e6c245d517c219a7212e1b52b106b721f2d68c6d773a4ba82e8b39d7d36826 |
| SHA512 | 759d552aeb82eae50f6b691753e0f6456100b9149ff6ee3438911ca3c85d5b1a07f4db2a23724f695adff8f317eadf49c7128e52fbbe78dbf988b32c15923be5 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 94dd6b60cd666dc1350b102380cc44fb |
| SHA1 | 66229a8965bcd37d186450c9180ef33792cc6953 |
| SHA256 | c0fed800e7490e98929d7882223ffe8eb1be6d1d37157623edcfc1d6f4676739 |
| SHA512 | 3c970cd9f672b2749f65a20bb73d5d9c00b7ea6449911fc2b95a6d378bb3d05b30d8c6e255fd89afae5c832ea0d1dda392f6534c2a7b5c1e0cd666fb7e44b5ed |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 67c396fdb8639cc8ba1e1e756fb31c06 |
| SHA1 | 71eadf6e0412e4f7d39e6b86ca58a44b78ef96a4 |
| SHA256 | 052960f31448f93c368b7d8afe06b4a6c9d65e09117c50365315ecbb744deb83 |
| SHA512 | 835bea56a1a65eed4b83176fca0538979df061cb8c4fdbc8501be2e18f28a3a0b6fee4d5fdb1fbaa85f7cfc190bf29bc0157f72b366c6ae53bf8a39813128080 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | e5bb75e1bf1e1ea607fa2eca9f71d44a |
| SHA1 | 3a4a14296042d215760826bf697e548ece01d256 |
| SHA256 | a0b8432c6d867721a5904e0f337c76c355249a0c37dd331c2ba6036050eb9c17 |
| SHA512 | 6957921917c94fa9c0fc4677755b1c246f465e924b5a084ac60c8bc517e3c9b5610e1b07c2149ededf5121ec5f2003bac97c24a430c8eeb318bc893f86c558eb |
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-05 13:34
Reported
2023-02-05 13:37
Platform
win10v2004-20220812-en
Max time kernel
75s
Max time network
154s
Command Line
Signatures
Aurora
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1340 set thread context of 400 | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe
"C:\Users\Admin\AppData\Local\Temp\5e243f79ecb539d0d1f75fce7ddfedeccee70a48.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
"C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| US | 52.168.117.170:443 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| NL | 178.79.208.1:80 | | tcp |
| DE | 45.9.74.11:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | edaccf0f5fe46665a08f46416be2c512 |
| SHA1 | 768334d2a5c9ccc554e20593e6bf3a00a19bf346 |
| SHA256 | d405b95511bc5498b98a4fbe07becfc061c2d5a819a28f123ec561c5ac9982bc |
| SHA512 | 14ce030e0898cc824f765bcbd98656596ec5e3f91b1100b5fbfb7199cef39ab67d349a101be40ab5baba5e79a2a5a61270374bff72d7ea6f42bededf0b10a9d4 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
| MD5 | b3e8f2a6ffe842eea3571b6c2fe7052b |
| SHA1 | 3cba9e2831806ee00e10c39033b171e4bc53240f |
| SHA256 | 791b6cedc0a50d2190776b7a6e27bb8b454d66037d26799f3af910245636b86e |
| SHA512 | 29cae014af667b06d7539855c527e7b0b0b686ae3498d636399205b99dde858bc4ac79114d22a52ebadeb2453d491e4f8aa287ffa77e80afb4e1a41cbff776c0 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 580731ff034e277d56b421ba4c15ea48 |
| SHA1 | e68d09553c49c4e9b5704592b8c6eae274416c7c |
| SHA256 | bbec475243e96d82e8bbd07278ad8ea74a25c017afbc8df9537ac47e69f9668b |
| SHA512 | 3287c20f6695458b8047e7070a84e04e3699881a7b6caa22f76a8c917831f4afaef1335ac60a389462e8706375b62ffc914e26cb467a246a5e44497830ae590c |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | f959065f68d94e586c0a4c7337f1a392 |
| SHA1 | b5b0e17880936095f2028e613be8a01d77570dac |
| SHA256 | fc49f1d19fad37467335f959e878cdd2eba5bc76b9121006ae00b753704a9617 |
| SHA512 | 98b3af35cd6d26fd00baa30a63b545aca5ec43e5ec560e5be7841a1f5e4154a5fe4f59dd10dc495824d7da2cfb985349c80c68107c925c7305995174405f49a2 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 426d40be03968e6fdd30d7281338b275 |
| SHA1 | 52cb1472fe40cd2528aa96680f9d02b833a2f729 |
| SHA256 | 49bbf2d1415b022dc9d04fd073653ecc3ff06e2c3286a923be721c9c6a936a93 |
| SHA512 | 64e3d30d4a6363354ab30b18a5788064c43331f0f9e5dc58a4ee6f68156ea69cb01097361b77b7f1953bcad64af5f0d5757043a83b6c5f527c266ea90428b467 |
C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
| MD5 | 4a5fb4b46751ce473e50a40f7e53cc13 |
| SHA1 | 8b4e670a689e17435c44d988a8a02d7b7d41c093 |
| SHA256 | 66dfab22330f16aac24ac6183aa90e2a698efc2da4b27c60a065a88ee7540357 |
| SHA512 | 9d215aa918a16fc426d0fa44458b19eb8511304aa0863e437fd548f02b30e337cc074f3f660aa5ea7277cebb348d4e9db9fc3cbfbcc2c4ff4d2d98cc7c6b8555 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0a17f096546385df3c09ab7b323a5974 |
| SHA1 | 919f11eff329ff849c0cb5277f6d40bf470d0fc7 |
| SHA256 | bd93ce4455de76d6a11e0a7bf07422f201485afd4ec1d142a6da9ab7e9ba1fc7 |
| SHA512 | 8bc89b571c5c543cf03588689949f4b1614b727237638bf8b96d61f5ae92ef44b20cfb3e2e1dd1b56fdf0e0daab425ab35fe3a00e132d4546e819a4c13a8f0fd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |