Malware Analysis Report

2024-11-13 17:11

Sample ID 230321-rvz5wada7t
Target 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.zip
SHA256 9e82f4feac500f219662c11c5036343cccd46f8ff3133f6ff2dfddf2f3946270
Tags aurora spyware stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9e82f4feac500f219662c11c5036343cccd46f8ff3133f6ff2dfddf2f3946270

Threat Level: Known bad

The file 60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.zip was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer

Aurora

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-03-21 14:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-21 14:31

Reported

2023-03-21 14:34

Platform

win7-20230220-en

Max time kernel

28s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"

Signatures

Aurora

stealer aurora

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 928 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 924 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\System32\Wbem\wmic.exe
PID 924 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\System32\Wbem\wmic.exe
PID 924 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\System32\Wbem\wmic.exe
PID 924 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 884 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 884 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 884 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 884 wrote to memory of 1916 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 924 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 924 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 336 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 336 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 336 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country  Destination           Domain                          Proto
NL       45.15.156.172:8081                                    tcp

Files

memory/924-54-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-55-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-56-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-57-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-58-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-59-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-60-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-61-0x000007FFFFFD5000-0x000007FFFFFD6000-memory.dmp

memory/924-62-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-64-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-65-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-66-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-67-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-68-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-69-0x0000000000400000-0x000000000075C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

MD5 6a3c2fe239e67cd5804a699b9aa54b07
SHA1 018091f0c903173dec18cd10e0e00889f0717d67
SHA256 160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168
SHA512 aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

memory/924-103-0x0000000000400000-0x000000000075C000-memory.dmp

memory/924-104-0x0000000000400000-0x000000000075C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-21 14:31

Reported

2023-03-21 14:34

Platform

win10v2004-20230220-en

Max time kernel

120s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"

Signatures

Aurora

stealer aurora

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 4520 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe
PID 2276 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\System32\Wbem\wmic.exe
PID 2276 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\System32\Wbem\wmic.exe
PID 2276 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 1008 wrote to memory of 4172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1008 wrote to memory of 4172 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2276 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 2276 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1408 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Processes

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"

C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe

"C:\Users\Admin\AppData\Local\Temp\60f5cf24370600410d431405a2af891db1e19396a73d437b33f2e9c01e9fb27e.exe"

C:\Windows\System32\Wbem\wmic.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic cpu get name

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            254.137.241.8.in-addr.arpa      udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
NL       45.15.156.172:8081                                    tcp
US       8.8.8.8:53            71.159.190.20.in-addr.arpa      udp
US       8.8.8.8:53            13.86.106.20.in-addr.arpa       udp
US       8.8.8.8:53            133.211.185.52.in-addr.arpa     udp
NL       45.15.156.172:8081                                    tcp
US       8.8.8.8:53            172.156.15.45.in-addr.arpa      udp
US       20.189.173.11:443                                     tcp
NL       173.223.113.164:443                                   tcp
NL       173.223.113.131:80                                    tcp
US       204.79.197.203:80                                     tcp
US       8.8.8.8:53            45.8.109.52.in-addr.arpa        udp
US       93.184.221.240:80                                     tcp
US       93.184.221.240:80                                     tcp
US       8.8.8.8:53            202.74.101.95.in-addr.arpa      udp

Files

memory/2276-133-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-138-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-143-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-144-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-146-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-145-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-147-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-148-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-150-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-151-0x0000000000C20000-0x0000000000F7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj

MD5 dc2b0f48d8f547d5ff7d67b371d850f0
SHA1 84d02ddbf478bf7cfe9ccb466362860ee18b3839
SHA256 0434c46910f48821a0a442b510260a3faea9404d7e6a8edd2cf44cc7dfea3890
SHA512 3470ae3db7053a7e606a221f97f8cadf58500a746daaa4c763d714fe99df026d1c7858aaaf6d34ec1bbaa5305f8eead00101b6a7ac6f4d457425d04bcf92e8d7

C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL

MD5 dd7a4110e2dc0760efdd47ee918c0deb
SHA1 5ed5efe128e521023e0caf4fff9af747522c8166
SHA256 550ad8794d9ec26bc7e09225cb1cbe648ee7c1c2349aabec8172f08bdec26084
SHA512 c928725e5f010d371727aadcc057da91378a0b24c66b2848217e9186dd319b6bf09c0859d7bf523ff1736fc41591eb25662a900fbe3977b63132a0c40dcd35dc

memory/2276-206-0x0000000000C20000-0x0000000000F7C000-memory.dmp

memory/2276-207-0x0000000000C20000-0x0000000000F7C000-memory.dmp