Analysis Overview
SHA256
51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d
Threat Level: Known bad
The file 51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d was found to be: Known bad.
Malicious Activity Summary
Aurora
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-26 22:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-26 22:27
Reported
2023-02-26 22:32
Platform
win7-20230220-en
Max time kernel
154s
Max time network
171s
Command Line
Signatures
Aurora
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 752 set thread context of 636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe
"C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| NL | 94.142.138.112:8081 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
| MD5 | 0f1c71b32b79c69580a2047de48151d5 |
| SHA1 | 21f5a5060f0681de7d77ad8ef5cac16c61569c92 |
| SHA256 | e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98 |
| SHA512 | a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
| MD5 | 0f1c71b32b79c69580a2047de48151d5 |
| SHA1 | 21f5a5060f0681de7d77ad8ef5cac16c61569c92 |
| SHA256 | e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98 |
| SHA512 | a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104 |
memory/752-60-0x0000000000CB0000-0x0000000001072000-memory.dmp
memory/752-61-0x0000000004E60000-0x0000000005030000-memory.dmp
memory/752-62-0x0000000004E20000-0x0000000004E60000-memory.dmp
memory/752-63-0x0000000005310000-0x0000000005448000-memory.dmp
memory/1448-66-0x0000000002640000-0x0000000002680000-memory.dmp
memory/1448-67-0x0000000002640000-0x0000000002680000-memory.dmp
memory/1448-68-0x0000000002640000-0x0000000002680000-memory.dmp
memory/752-69-0x0000000004E20000-0x0000000004E60000-memory.dmp
memory/1448-70-0x0000000002640000-0x0000000002680000-memory.dmp
memory/1448-71-0x0000000002640000-0x0000000002680000-memory.dmp
memory/1448-72-0x0000000002640000-0x0000000002680000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
| MD5 | 0f1c71b32b79c69580a2047de48151d5 |
| SHA1 | 21f5a5060f0681de7d77ad8ef5cac16c61569c92 |
| SHA256 | e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98 |
| SHA512 | a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104 |
memory/636-76-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-75-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-77-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-78-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-79-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-80-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-81-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-82-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
| MD5 | 0f1c71b32b79c69580a2047de48151d5 |
| SHA1 | 21f5a5060f0681de7d77ad8ef5cac16c61569c92 |
| SHA256 | e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98 |
| SHA512 | a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104 |
memory/636-83-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-86-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-87-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-88-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-89-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-90-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-91-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-92-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-93-0x0000000000400000-0x0000000000731000-memory.dmp
memory/636-94-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
| MD5 | 6a3c2fe239e67cd5804a699b9aa54b07 |
| SHA1 | 018091f0c903173dec18cd10e0e00889f0717d67 |
| SHA256 | 160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168 |
| SHA512 | aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37 |
memory/636-126-0x0000000000400000-0x0000000000731000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-26 22:27
Reported
2023-02-26 22:32
Platform
win10-20230220-en
Max time kernel
144s
Max time network
179s
Command Line
Signatures
Aurora
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3436 set thread context of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe
"C:\Users\Admin\AppData\Local\Temp\51b8e08571ddd7d98f4da91561999fce1b454ea42b3b83655f207df77f02ae1d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 52.168.117.169:443 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 94.142.138.112:8081 | | tcp |
| US | 8.8.8.8:53 | 112.138.142.94.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
| MD5 | 0f1c71b32b79c69580a2047de48151d5 |
| SHA1 | 21f5a5060f0681de7d77ad8ef5cac16c61569c92 |
| SHA256 | e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98 |
| SHA512 | a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
| MD5 | 0f1c71b32b79c69580a2047de48151d5 |
| SHA1 | 21f5a5060f0681de7d77ad8ef5cac16c61569c92 |
| SHA256 | e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98 |
| SHA512 | a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104 |
memory/3436-124-0x0000000000710000-0x0000000000AD2000-memory.dmp
memory/3436-125-0x00000000053A0000-0x0000000005570000-memory.dmp
memory/3436-126-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/3436-127-0x0000000005670000-0x00000000057A8000-memory.dmp
memory/3436-128-0x0000000002DF0000-0x0000000002E12000-memory.dmp
memory/3436-129-0x00000000069E0000-0x0000000006D30000-memory.dmp
memory/3436-130-0x0000000005390000-0x00000000053A0000-memory.dmp
memory/1016-133-0x0000000004D60000-0x0000000004D96000-memory.dmp
memory/1016-134-0x0000000007630000-0x0000000007C58000-memory.dmp
memory/1016-135-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/1016-136-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/1016-137-0x0000000007530000-0x0000000007596000-memory.dmp
memory/1016-138-0x0000000007E40000-0x0000000007EA6000-memory.dmp
memory/1016-139-0x0000000007C80000-0x0000000007C9C000-memory.dmp
memory/1016-140-0x0000000008350000-0x000000000839B000-memory.dmp
memory/1016-141-0x0000000008570000-0x00000000085E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4z1rtqz2.a0l.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1016-156-0x0000000009DC0000-0x000000000A438000-memory.dmp
memory/1016-157-0x0000000009360000-0x000000000937A000-memory.dmp
memory/1016-158-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/1016-159-0x0000000004DB0000-0x0000000004DC0000-memory.dmp
memory/4636-164-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\meetrounov.exe
| MD5 | 0f1c71b32b79c69580a2047de48151d5 |
| SHA1 | 21f5a5060f0681de7d77ad8ef5cac16c61569c92 |
| SHA256 | e9729112633b5e23b2cb67e0050129cbcab51bfadb34646f033707ec75f7fd98 |
| SHA512 | a1143e50f1deea80db9b39b6fcd8e65b4a38ddc7e01af6fa6af313f24ddfc715e83f61eeae2e04f37c5ab4560f346f7d3c360b6646deb29ff6cce5e716a38104 |
memory/4636-168-0x0000000000400000-0x0000000000731000-memory.dmp
memory/4636-169-0x0000000000400000-0x0000000000731000-memory.dmp
memory/4636-170-0x0000000000400000-0x0000000000731000-memory.dmp
memory/4636-171-0x0000000000400000-0x0000000000731000-memory.dmp
memory/4636-172-0x0000000000400000-0x0000000000731000-memory.dmp
memory/4636-173-0x0000000000400000-0x0000000000731000-memory.dmp
memory/4636-174-0x0000000000400000-0x0000000000731000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | a3eb5f22bc8e7f4060e3ff18c4ac70b9 |
| SHA1 | 8480869a34c9723063dba9cc8279cf4e7c2bc4cd |
| SHA256 | 0582ca04b28149ce2fd9732dff5e9894a60454eeb03166ddde677c9224c1f9f6 |
| SHA512 | 3e88f72ace3e80a18f2986b43d90b9bf33e131ec77ce34c1462605784332e4676af5e8414ee75146bd14ef8a2e60a13ecf097c189206cd010f748e171903c5f0 |
memory/4636-203-0x0000000000400000-0x0000000000731000-memory.dmp
memory/4636-207-0x0000000000400000-0x0000000000731000-memory.dmp