Malware Analysis Report

2024-11-30 23:02

Sample ID 230223-ltdycshc6x
Target cc1ea92ccab2960cedad3783799f56bb.exe
SHA256 b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8
Tags
aurora spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

b5c486b05ed054bf9433bbfcb3d26e02eee06243435adf105307bc0d193af4d8

Threat Level: Known bad

The file cc1ea92ccab2960cedad3783799f56bb.exe was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer

Aurora

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-23 09:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-23 09:49

Reported

2023-02-23 09:51

Platform

win7-20230220-en

Max time kernel

29s

Max time network

32s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"

Signatures

Aurora

stealer aurora

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1208 set thread context of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1208 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 1744 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\System32\Wbem\wmic.exe
PID 1744 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\System32\Wbem\wmic.exe
PID 1744 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\System32\Wbem\wmic.exe
PID 1744 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 568 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 568 wrote to memory of 1640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1744 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 1744 wrote to memory of 900 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 900 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 900 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 900 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe

"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"

C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe

"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country  Destination            Domain                        Proto
NL       94.142.138.94:8081     -                             tcp

Files

memory/1744-54-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-55-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-56-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-57-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-58-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-59-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-60-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-61-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

memory/1744-62-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-64-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-65-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-66-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-67-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-68-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-69-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-70-0x0000000000400000-0x000000000075C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 7634ebd082abbba35a8e6a300ec83c51
SHA1 953666e70fbed932e4bed446f1d1e432781972b7
SHA256 792aa1b2f647c981a8778a35717809ff0783bc4b6c022e6ed049c1029f6c584f
SHA512 6f95e7c7c4548ad206294e5fc13f9ed0bad9476e5775ac4e06bd324c6e0a14382fcf5f604e5899084ee2f3733405716d60842f3393d5fa174902dbb055d40f3e

memory/1744-102-0x0000000000400000-0x000000000075C000-memory.dmp

memory/1744-103-0x0000000000400000-0x000000000075C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-23 09:49

Reported

2023-02-23 09:51

Platform

win10v2004-20230220-en

Max time kernel

78s

Max time network

81s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"

Signatures

Aurora

stealer aurora

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3384 set thread context of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 3384 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe
PID 4920 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\System32\Wbem\wmic.exe
PID 4920 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 2568 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2568 wrote to memory of 3508 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4920 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe C:\Windows\system32\cmd.exe
PID 4568 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4568 wrote to memory of 2628 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe

"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"

C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe

"C:\Users\Admin\AppData\Local\Temp\cc1ea92ccab2960cedad3783799f56bb.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country  Destination            Domain                        Proto
NL       94.142.138.94:8081     -                             tcp
US       8.8.8.8:53             94.138.142.94.in-addr.arpa    udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa   udp
US       8.8.8.8:53             86.8.109.52.in-addr.arpa      udp
US       13.89.179.9:443        -                             tcp
NL       178.79.208.1:80        -                             tcp
NL       178.79.208.1:80        -                             tcp
NL       178.79.208.1:80        -                             tcp
NL       173.223.113.164:443    -                             tcp

Files

memory/4920-133-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-138-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-143-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-145-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-144-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-146-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-147-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-148-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-149-0x0000000000E50000-0x00000000011AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 92d24961d2ebaacf1ace5463dfc9930d
SHA1 99ffaf6904ab616c33a37ce01d383e4a493df335
SHA256 9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA512 77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 dce9b749d38fdc247ab517e8a76e6102
SHA1 d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA256 5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA512 56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

memory/4920-202-0x0000000000E50000-0x00000000011AC000-memory.dmp

memory/4920-203-0x0000000000E50000-0x00000000011AC000-memory.dmp