Analysis Overview
SHA256
31fcc1a7c79fa0e760d81e479154824551be394658821275380c9fc45343ae22
Threat Level: Known bad
The file URLhaus.rar was found to be: Known bad.
Malicious Activity Summary
Remcos
Pony family
Azorult
Formbook
Pony, Fareit
Formbook family
HawkEye
xmrig
Lokibot
Formbook payload
Nirsoft
NirSoft WebBrowserPassView
XMRig Miner payload
NirSoft MailPassView
Sets file execution options in registry
Reads user/profile data of web browsers
Drops startup file
Uses the VBS compiler for execution
UPX packed file
Deletes itself
Loads dropped DLL
Executes dropped EXE
Reads data files stored by FTP clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Enumerates connected drives
Adds Run key to start application
Creates a Windows Service
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Runs net.exe
Suspicious behavior: RenamesItself
Runs ping.exe
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
| Field | Value |
| Reported | 2023-08-13 18:33 |
Signatures
Formbook family
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Pony family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 42s |
| Max time network | 45s |
| Command Line | N/A |
Signatures
HawkEye
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hkj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B000CEF.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft HD Video Card = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft HD Video Card\\Microsoft HD Video Card.exe\"" | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" | C:\Users\Admin\AppData\Local\Temp\hkj.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2908 set thread context of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe |
| PID 768 set thread context of 1728 | N/A | C:\Users\Admin\AppData\Local\Temp\hkj.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hkj.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B000CEF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hkj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\B000CEF.exe | "C:\Users\Admin\AppData\Local\Temp\B000CEF.exe" |
| C:\Users\Admin\AppData\Local\Temp\hkj.exe | "C:\Users\Admin\AppData\Local\Temp\hkj.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs" |
| C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe" |
| C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" " |
| C:\Windows\SysWOW64\PING.EXE | PING 127.0.0.1 -n 2 |
| C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe | "C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt" |
| C:\Users\Admin\AppData\Local\Temp\hkj.exe | "C:\Users\Admin\AppData\Local\Temp\hkj.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs" |
| C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.16.154.36:80 | whatismyipaddress.com | tcp |
| US | 104.16.154.36:443 | whatismyipaddress.com | tcp |
| US | 104.16.154.36:443 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | mail.alltracklogistic.com | udp |
Files
memory/2108-56-0x0000000000240000-0x0000000000246000-memory.dmp
\Users\Admin\AppData\Local\Temp\hkj.exe
| Hash | Value |
| MD5 | 8ba91c5ee18ce3e77385e4ef118b6e2b |
| SHA1 | 666c3a425c580da29b4b7b45ab5454c8130131e6 |
| SHA256 | fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351 |
| SHA512 | fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e |
C:\Users\Admin\AppData\Local\Temp\hkj.exe
| Hash | Value |
| MD5 | 8ba91c5ee18ce3e77385e4ef118b6e2b |
| SHA1 | 666c3a425c580da29b4b7b45ab5454c8130131e6 |
| SHA256 | fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351 |
| SHA512 | fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e |
C:\Users\Admin\AppData\Local\Temp\hkj.exe
| Hash | Value |
| MD5 | 8ba91c5ee18ce3e77385e4ef118b6e2b |
| SHA1 | 666c3a425c580da29b4b7b45ab5454c8130131e6 |
| SHA256 | fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351 |
| SHA512 | fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e |
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
| Hash | Value |
| MD5 | 7243d7fb56013167c127d817f6898fb7 |
| SHA1 | 40c558090177c395def62474e43ce792b2a6b306 |
| SHA256 | 2fe714713ff3bdb5451e746e1665b23dcfe343daca0e0e8669286a63ce4bda5c |
| SHA512 | 4e2f07fe1613b2fe082446c90374c5a76f47521a03421b3cf78a188ab0071a13c6320922f5024ef7b075c11e8efa0e4727194d987fcadcf85b86f6ab50b65414 |
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
memory/768-70-0x0000000073FF0000-0x000000007459B000-memory.dmp
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
memory/768-75-0x0000000000990000-0x00000000009D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
memory/768-71-0x0000000073FF0000-0x000000007459B000-memory.dmp
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
memory/768-81-0x0000000073FF0000-0x000000007459B000-memory.dmp
memory/3024-82-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
memory/3024-85-0x0000000000400000-0x0000000000417000-memory.dmp
memory/3024-86-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\install.bat
| Hash | Value |
| MD5 | a3abafcae47dcd72799ac7e8d652a754 |
| SHA1 | 5799f0fd21f9dcd89c2e103ce0dbfdb96e856bd6 |
| SHA256 | ccb37eb9a989ad65d11ef5b384e70050cb93bbb9fad83c7dfa6e0041786db8f7 |
| SHA512 | 37b4b30223323f622e9aaa5d96eb3038285087c92de6972852bdfe681ba3c49afd7503518991e4abb3d95ee64dbbb3eec736d1824ee1804e78bc4c181543bbe6 |
memory/3024-96-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\install.bat
| Hash | Value |
| MD5 | a3abafcae47dcd72799ac7e8d652a754 |
| SHA1 | 5799f0fd21f9dcd89c2e103ce0dbfdb96e856bd6 |
| SHA256 | ccb37eb9a989ad65d11ef5b384e70050cb93bbb9fad83c7dfa6e0041786db8f7 |
| SHA512 | 37b4b30223323f622e9aaa5d96eb3038285087c92de6972852bdfe681ba3c49afd7503518991e4abb3d95ee64dbbb3eec736d1824ee1804e78bc4c181543bbe6 |
memory/768-99-0x0000000073FF0000-0x000000007459B000-memory.dmp
memory/768-100-0x0000000000990000-0x00000000009D0000-memory.dmp
\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
C:\Users\Admin\AppData\Roaming\Microsoft HD Video Card\Microsoft HD Video Card.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe
| Hash | Value |
| MD5 | 8ba91c5ee18ce3e77385e4ef118b6e2b |
| SHA1 | 666c3a425c580da29b4b7b45ab5454c8130131e6 |
| SHA256 | fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351 |
| SHA512 | fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e |
memory/768-109-0x0000000000990000-0x00000000009D0000-memory.dmp
memory/1728-110-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1728-112-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1728-113-0x0000000000400000-0x000000000041B000-memory.dmp
\Users\Admin\AppData\Local\Temp\hkj.exe
| Hash | Value |
| MD5 | 8ba91c5ee18ce3e77385e4ef118b6e2b |
| SHA1 | 666c3a425c580da29b4b7b45ab5454c8130131e6 |
| SHA256 | fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351 |
| SHA512 | fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e |
memory/1972-120-0x0000000000BC0000-0x0000000000C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
| Hash | Value |
| MD5 | 7243d7fb56013167c127d817f6898fb7 |
| SHA1 | 40c558090177c395def62474e43ce792b2a6b306 |
| SHA256 | 2fe714713ff3bdb5451e746e1665b23dcfe343daca0e0e8669286a63ce4bda5c |
| SHA512 | 4e2f07fe1613b2fe082446c90374c5a76f47521a03421b3cf78a188ab0071a13c6320922f5024ef7b075c11e8efa0e4727194d987fcadcf85b86f6ab50b65414 |
memory/1972-117-0x0000000073FF0000-0x000000007459B000-memory.dmp
memory/1972-121-0x0000000073FF0000-0x000000007459B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hkj.exe
| Hash | Value |
| MD5 | 8ba91c5ee18ce3e77385e4ef118b6e2b |
| SHA1 | 666c3a425c580da29b4b7b45ab5454c8130131e6 |
| SHA256 | fb9a8a98b737d75026ed8176ceac8ffcb4537b528103593e64ff21b556615351 |
| SHA512 | fc45f289d81bf0d331aa156e0d4ce08d9cfafd7fdf49d631643155d7bbab9bbd57d6563a72319747fbdba66fb8b724fabe8e8432d3cbb71b74588068a55b146e |
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
| Hash | Value |
| MD5 | 7243d7fb56013167c127d817f6898fb7 |
| SHA1 | 40c558090177c395def62474e43ce792b2a6b306 |
| SHA256 | 2fe714713ff3bdb5451e746e1665b23dcfe343daca0e0e8669286a63ce4bda5c |
| SHA512 | 4e2f07fe1613b2fe082446c90374c5a76f47521a03421b3cf78a188ab0071a13c6320922f5024ef7b075c11e8efa0e4727194d987fcadcf85b86f6ab50b65414 |
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| Hash | Value |
| MD5 | bfb076afe618ce5d6a3cf05d3ac4e74b |
| SHA1 | e5fdb1ab41354d3b793015a80b98bfd17a5098f2 |
| SHA256 | c60c3ac771ccb72ba788e04d4add83786e26dfc54720c5270654b9215acbe0c0 |
| SHA512 | 48623c11f31273b41c8530184acd523de0173afa56b89efc9919fe135bdc79d5f6b3a59de486baf1bb320419ea94b6ae1e1eec9b12119054602e86b7a3cd385d |
memory/1972-128-0x0000000073FF0000-0x000000007459B000-memory.dmp
memory/1728-129-0x0000000000400000-0x000000000041B000-memory.dmp
memory/768-130-0x0000000000990000-0x00000000009D0000-memory.dmp
Analysis: behavioral14
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 21s |
| Max time network | 18s |
| Command Line | N/A |
Signatures
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bin2.exe | "C:\Users\Admin\AppData\Local\Temp\bin2.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | log.b4mb4m.ru | udp |
Files
C:\Users\Admin\AppData\Roaming\pts2W6U4Q1Q9X\General\forms.txt
| Hash | Value |
| MD5 | fbf2b0ea6fdc6fe3148bd600729d5fac |
| SHA1 | 2c0aad6ae361763eddc2668a9493f434d6a972bd |
| SHA256 | c794c993f1d9125029477df973401ae082c56b53f1d7e461258537aa7efc5797 |
| SHA512 | 29547388d261c54a031e97f0beeaf3bba67949a4a178ab5df39091d7e8e8a66415bc1f9dabd518eb7ceb7c01868b124575c7a16e41ed4e180a9df872847e57fb |
Analysis: behavioral23
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 21s |
| Max time network | 18s |
| Command Line | N/A |
Signatures
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\setup.exe | "C:\Users\Admin\AppData\Local\Temp\setup.exe" |
Network
Files
memory/2528-54-0x00000000010E0000-0x0000000001134000-memory.dmp
memory/2528-55-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/2528-56-0x0000000004BD0000-0x0000000004C10000-memory.dmp
memory/2528-57-0x0000000000760000-0x00000000007A6000-memory.dmp
memory/2528-58-0x00000000009C0000-0x0000000000A06000-memory.dmp
memory/2528-59-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/2528-60-0x0000000004BD0000-0x0000000004C10000-memory.dmp
Analysis: behavioral31
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 22s |
| Max time network | 19s |
| Command Line | N/A |
Signatures
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\uyo.exe | "C:\Users\Admin\AppData\Local\Temp\uyo.exe" |
Network
Files
memory/2552-54-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2552-55-0x0000000000400000-0x0000000000490000-memory.dmp
Analysis: behavioral3
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 31s |
| Max time network | 18s |
| Command Line | N/A |
Signatures
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\6b282d34fv2.exe | "C:\Users\Admin\AppData\Local\Temp\6b282d34fv2.exe" |
Network
Files
memory/1672-54-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1672-55-0x0000000000400000-0x0000000000519000-memory.dmp
memory/1672-56-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral8
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 12s |
| Max time network | 18s |
| Command Line | N/A |
Signatures
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\TerracottaGUI.exe | "C:\Users\Admin\AppData\Local\Temp\TerracottaGUI.exe" |
Network
Files
Analysis: behavioral21
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 24s |
| Max time network | 19s |
| Command Line | N/A |
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3008 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3008 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 3008 wrote to memory of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe | "C:\Users\Admin\AppData\Local\Temp\otIXAOPqOVgvIKePlwFQLX.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 564 |
Network
Files
memory/3008-54-0x00000000747E0000-0x0000000074ECE000-memory.dmp
memory/3008-53-0x00000000002A0000-0x0000000000330000-memory.dmp
memory/3008-55-0x00000000048D0000-0x0000000004910000-memory.dmp
memory/3008-56-0x00000000747E0000-0x0000000074ECE000-memory.dmp
memory/3008-57-0x00000000048D0000-0x0000000004910000-memory.dmp
Analysis: behavioral22
Detonation Overview
| Field | Value |
| Submitted | 2023-08-13 18:33 |
| Reported | 2023-08-13 18:34 |
| Platform | win7-20230712-en |
| Max time kernel | 31s |
| Max time network | 35s |
| Command Line | N/A |
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file execution options in registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perfmon.exe | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | C:\Windows\scvsots.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\wimnat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\opperce.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zmtrwm.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\ime\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\Networks\taskmgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\scvsots.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\scvsots.exe | N/A |
Creates a Windows Service
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\zmtrwm.exe | C:\Windows\TEMP\opperce.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmtrwm.exe | C:\Windows\TEMP\opperce.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\SysWOW64\ooaaya.exe | C:\Windows\TEMP\wimnat.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ooaaya.exe | C:\Windows\TEMP\wimnat.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\scvsots.exe | C:\Users\Admin\AppData\Local\Temp\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\ssleay32.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\cnli-1.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\libeay32.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\coli-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\AppCapture_x64.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\spoolsrv.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\AppCapture_x64.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\crli-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\trch-1.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\spoolsrv.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\svchost.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\svchost.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\svchost.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.xml | C:\Windows\scvsots.exe | N/A |
| File opened for modification | C:\Windows\svchost.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\libeay32.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\libxml2.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\AppCapture_x32.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\coli-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\crli-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\tibe-2.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\tucl-1.dll | C:\Windows\scvsots.exe | N/A |
| File opened for modification | C:\Windows\spoolsrv.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\tibe-2.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\exma-1.dll | C:\Windows\scvsots.exe | N/A |
| File opened for modification | C:\Windows\InfusedAppe\Priess\ip.txt | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\svchost.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\ucl.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\ucl.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\svchost.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\exma-1.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\posh-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\spoolsrv.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\trch-1.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\scvsots.exe | C:\Users\Admin\AppData\Local\Temp\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\Priess\GoogleCdoeUpdate.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\cnli-1.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\tucl-1.dll | C:\Windows\scvsots.exe | N/A |
| File opened for modification | C:\Windows\ime\scvsots.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\libxml2.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\ssleay32.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\trfo-2.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\svchost.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\trfo-2.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\AppCapture_x32.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\xdvl-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\Corporate\scvhost.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\Priess\ip.txt | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\ime\scvsots.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\zlib1.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\spoolsrv.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\posh-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\spoolsrv.exe | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\UnattendGC\specials\xdvl-0.dll | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\svchost.xml | C:\Windows\scvsots.exe | N/A |
| File created | C:\Windows\InfusedAppe\LocalService\specials\zlib1.dll | C:\Windows\scvsots.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\scvsots.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecision = "0" | C:\Windows\scvsots.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecisionTime = 4058a0ae14ced901 | C:\Windows\scvsots.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\scvsots.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecisionTime = 4058a0ae14ced901 | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\scvsots.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\scvsots.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadDecisionReason = "1" | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\scvsots.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\26-77-e4-86-2b-a8 | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890}\WpadNetworkName = "Network 2" | C:\Windows\scvsots.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecisionReason = "1" | C:\Windows\scvsots.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\ActiveMovie\devenum\Version = "7" | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8 | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\scvsots.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-77-e4-86-2b-a8\WpadDecision = "0" | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\scvsots.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4FD475B9-6389-42D6-88EE-DC8230216890} | C:\Windows\scvsots.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "txtfile" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.js\ = "txtfile" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "txtfile" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "txtfile" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "txtfile" | C:\Windows\scvsots.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat\ = "txtfile" | C:\Windows\scvsots.exe | N/A |
Runs net.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\ime\scvsots.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scvsots.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\scvsots.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scvsots.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\wimnat.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ooaaya.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\opperce.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\zmtrwm.exe | N/A |
| N/A | N/A | C:\Windows\ime\scvsots.exe | N/A |
| N/A | N/A | C:\Windows\ime\scvsots.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\scvsots.exe
"C:\Users\Admin\AppData\Local\Temp\scvsots.exe"
C:\Windows\scvsots.exe
C:\Windows\scvsots.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /delete /tn * /f
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn * /f
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c sc config LanmanServer start= disabled
C:\Windows\TEMP\wimnat.exe
C:\Windows\TEMP\wimnat.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop LanmanServer
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop MpsSvc
C:\Windows\SysWOW64\cmd.exe
cmd /c net stop SharedAccess
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "Flash" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "Netframework" /ru system /tr "cmd /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F"
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Miscfost" /ru system /tr "cmd /c C:\Windows\ime\scvsots.exe"
C:\Windows\SysWOW64\net.exe
net stop MpsSvc
C:\Windows\SysWOW64\net.exe
net stop LanmanServer
C:\Windows\SysWOW64\sc.exe
sc config LanmanServer start= disabled
C:\Windows\SysWOW64\net.exe
net stop SharedAccess
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Flash" /ru system /tr "cmd /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F"
C:\Windows\SysWOW64\ooaaya.exe
C:\Windows\SysWOW64\ooaaya.exe
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop LanmanServer
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop MpsSvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop SharedAccess
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\opperce.exe
C:\Windows\TEMP\opperce.exe
C:\Windows\SysWOW64\zmtrwm.exe
C:\Windows\SysWOW64\zmtrwm.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {D1562A46-51A3-4022-A1A0-2D7E6427549E} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c C:\Windows\ime\scvsots.exe
C:\Windows\system32\cmd.EXE
C:\Windows\system32\cmd.EXE /c echo Y|cacls C:\Windows\scvsots.exe /p everyone:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\system32\cacls.exe
cacls C:\Windows\scvsots.exe /p everyone:F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\ime\scvsots.exe
C:\Windows\ime\scvsots.exe
C:\Windows\system32\cacls.exe
cacls C:\Windows\TEMP\Networks\taskmgr.exe /p everyone:F
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
C:\Windows\TEMP\Networks\taskmgr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | a88.bulehero.in | udp |
| US | 206.191.152.37:57890 | a88.bulehero.in | tcp |
| US | 8.8.8.8:53 | a88.heroherohero.info | udp |
| N/A | 10.127.0.110:80 | N/A | tcp |
| N/A | 10.127.0.110:80 | N/A | tcp |
| N/A | 10.127.0.1:32998 | N/A | tcp |
| US | 8.8.8.8:53 | a45.bulehero.in | udp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
| US | 8.8.8.8:53 | off.heroherohero.info | udp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
| US | 8.8.8.8:53 | 2018.ip138.com | udp |
| CN | 59.57.14.11:80 | 2018.ip138.com | tcp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
| US | 206.191.152.37:1356 | a45.bulehero.in | tcp |
Files
memory/2556-54-0x0000000000400000-0x00000000007D8000-memory.dmp
C:\Windows\scvsots.exe
| MD5 | fd409d4d20e580215c1ec0803eed9725 |
| SHA1 | 02f9cf94ed6ab9e780755215857c9ba0a3e25065 |
| SHA256 | 483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79 |
| SHA512 | 253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38 |
memory/2180-57-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/2556-58-0x0000000000400000-0x00000000007D8000-memory.dmp
\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\TEMP\Networks\config.json
| MD5 | 490fb7bd62699dadef26dac8e88eefa3 |
| SHA1 | e4bf283392140ab9c01fbb2fae68a078c17d78e5 |
| SHA256 | f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04 |
| SHA512 | 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936 |
memory/2180-65-0x0000000000400000-0x00000000007D8000-memory.dmp
memory/2180-66-0x0000000000400000-0x00000000007D8000-memory.dmp
C:\Windows\Temp\wimnat.exe
| MD5 | 2334bb8baf5e062683d8ec67b7ac531e |
| SHA1 | 5419ddccabaa0a0b98fd6783c8341012c40db522 |
| SHA256 | 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e |
| SHA512 | ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8 |
\Windows\Temp\wimnat.exe
| MD5 | 2334bb8baf5e062683d8ec67b7ac531e |
| SHA1 | 5419ddccabaa0a0b98fd6783c8341012c40db522 |
| SHA256 | 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e |
| SHA512 | ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8 |
memory/2692-92-0x0000000010000000-0x0000000010008000-memory.dmp
C:\Windows\TEMP\wimnat.exe
| MD5 | 2334bb8baf5e062683d8ec67b7ac531e |
| SHA1 | 5419ddccabaa0a0b98fd6783c8341012c40db522 |
| SHA256 | 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e |
| SHA512 | ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8 |
C:\Windows\SysWOW64\ooaaya.exe
| MD5 | 2334bb8baf5e062683d8ec67b7ac531e |
| SHA1 | 5419ddccabaa0a0b98fd6783c8341012c40db522 |
| SHA256 | 6c310b9829fe5fac50b0ea752242b456b3b86462dee46624337715831deb8b2e |
| SHA512 | ee0e3f619f0294e3e67e324cab582dd790ba2c15ae08365c0481fd07e32949428c9f4f4872572f52df02be3cd558c78be8af5696da4731b528019ad6706770f8 |
C:\Windows\Temp\Networks\config.json
| MD5 | 490fb7bd62699dadef26dac8e88eefa3 |
| SHA1 | e4bf283392140ab9c01fbb2fae68a078c17d78e5 |
| SHA256 | f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04 |
| SHA512 | 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936 |
\Windows\Temp\opperce.exe
| MD5 | a7195beae808ba6cd4e4e373f4b540ed |
| SHA1 | 16ee2c2da78116fe3a08aeef07b25df4455a5736 |
| SHA256 | bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614 |
| SHA512 | 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3 |
C:\Windows\Temp\opperce.exe
| MD5 | a7195beae808ba6cd4e4e373f4b540ed |
| SHA1 | 16ee2c2da78116fe3a08aeef07b25df4455a5736 |
| SHA256 | bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614 |
| SHA512 | 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3 |
C:\Windows\TEMP\opperce.exe
| MD5 | a7195beae808ba6cd4e4e373f4b540ed |
| SHA1 | 16ee2c2da78116fe3a08aeef07b25df4455a5736 |
| SHA256 | bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614 |
| SHA512 | 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3 |
C:\Windows\SysWOW64\zmtrwm.exe
| MD5 | a7195beae808ba6cd4e4e373f4b540ed |
| SHA1 | 16ee2c2da78116fe3a08aeef07b25df4455a5736 |
| SHA256 | bc57aa3e6562468e09cc341cdeaae364b13a33aab9e75a7e11d1dabba1788614 |
| SHA512 | 6e9f15d2198d0ed8d8ef06866ee2d49293be0223034013922267123d6c8a8695e57c5bc9beb8939cbff905f5e5de2b58b99110aa17f2aa04176cd659679b87c3 |
C:\Windows\InfusedAppe\LocalService\svchost.xml
| MD5 | 09d45ae26830115fd8d9cdc2aa640ca5 |
| SHA1 | 41a6ad8d88b6999ac8a3ff00dd9641a37ee20933 |
| SHA256 | cf33a92a05ba3c807447a5f6b7e45577ed53174699241da360876d4f4a2eb2de |
| SHA512 | 1a97f62f76f6f5a7b668eadb55f08941b1d8dfed4a28c4d7a4f2494ff57e998407ec2d0fedaf7f670eb541b1fda40ca5e429d4d2a87007ec45ea5d10abd93aa5 |
C:\Windows\InfusedAppe\LocalService\spoolsrv.xml
| MD5 | 497080fed2000e8b49ee2e97e54036b1 |
| SHA1 | 4af3fae881a80355dd09df6e736203c30c4faac5 |
| SHA256 | 756f44f1d667132b043bfd3da16b91c9f6681e5d778c5f07bb031d62ff00d380 |
| SHA512 | 4f8bd09f9d8d332c436beb8164eec90b0e260b69230f102565298beff0db37265be1ae5eb70acf60e77d5589c61c7ee7f01a02d2a30ac72d794a04efef6f25df |
memory/2180-237-0x0000000000400000-0x00000000007D8000-memory.dmp
\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\TEMP\Networks\config.json
| MD5 | 490fb7bd62699dadef26dac8e88eefa3 |
| SHA1 | e4bf283392140ab9c01fbb2fae68a078c17d78e5 |
| SHA256 | f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04 |
| SHA512 | 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936 |
C:\Windows\ime\scvsots.exe
| MD5 | fd409d4d20e580215c1ec0803eed9725 |
| SHA1 | 02f9cf94ed6ab9e780755215857c9ba0a3e25065 |
| SHA256 | 483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79 |
| SHA512 | 253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38 |
C:\Windows\IME\scvsots.exe
| MD5 | fd409d4d20e580215c1ec0803eed9725 |
| SHA1 | 02f9cf94ed6ab9e780755215857c9ba0a3e25065 |
| SHA256 | 483b9102b4ad847f5e96aa478792a613d2a51ef605c8224afe0a369d09a75e79 |
| SHA512 | 253c22cf2895865c407055900617298a71ac9529769561fd0e0f7d373e0461b77db2b6b5b37d383560eca56b833b3e704130b5ade3f09569f369d3850e03fa38 |
memory/2960-245-0x0000000000400000-0x00000000007D8000-memory.dmp
C:\Windows\TEMP\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
memory/2960-247-0x0000000000400000-0x00000000007D8000-memory.dmp
C:\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\TEMP\Networks\config.json
| MD5 | 490fb7bd62699dadef26dac8e88eefa3 |
| SHA1 | e4bf283392140ab9c01fbb2fae68a078c17d78e5 |
| SHA256 | f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04 |
| SHA512 | 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936 |
C:\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\TEMP\Networks\config.json
| MD5 | 490fb7bd62699dadef26dac8e88eefa3 |
| SHA1 | e4bf283392140ab9c01fbb2fae68a078c17d78e5 |
| SHA256 | f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04 |
| SHA512 | 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936 |
\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\Temp\Networks\taskmgr.exe
| MD5 | 458a2b86b2c610cc66b3aa081c45584b |
| SHA1 | 1771b2d47e29076ef9caaadc520cd3f73cbcbae2 |
| SHA256 | ec616b6475f04802a385a5d1841843e48d7dc115eaf7bc6221ebe4f2d6803e7e |
| SHA512 | 6d8758f4adc7c75e9daa84dea269c2d768e34644326fac8b836a4ee9eaf5ff7dbba23d0d4c1b424e2f1058e9c3ce0012d4acb7ed455d95c21581400fbf9355ac |
C:\Windows\TEMP\Networks\config.json
| MD5 | 490fb7bd62699dadef26dac8e88eefa3 |
| SHA1 | e4bf283392140ab9c01fbb2fae68a078c17d78e5 |
| SHA256 | f9f52693118dcf9028ff18bd821a9052f4cc09f919489ec9ba07d36b0612da04 |
| SHA512 | 911f9e6d323321709a3a34c7d3a093c7c00338145746fec1a020f6ef74cb3cd7b47205577aa6a26f06f2bd4c7db1102b486e49bb4b8a0fccdb5bd19e50d88936 |
Analysis: behavioral17
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
21s
Max time network
20s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\glash.exe
"C:\Users\Admin\AppData\Local\Temp\glash.exe"
Network
Files
memory/2168-54-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2168-55-0x0000000000400000-0x000000000048E000-memory.dmp
memory/2168-56-0x0000000000230000-0x0000000000231000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
23s
Max time network
19s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ted.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\ted.exe
"C:\Users\Admin\AppData\Local\Temp\ted.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mydocuments1.is | udp |
Files
memory/312-54-0x0000000074B50000-0x00000000750FB000-memory.dmp
memory/312-55-0x0000000074B50000-0x00000000750FB000-memory.dmp
memory/312-56-0x0000000000A90000-0x0000000000AD0000-memory.dmp
memory/312-57-0x0000000074B50000-0x00000000750FB000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
22s
Max time network
19s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\v72d8z2.exe
"C:\Users\Admin\AppData\Local\Temp\v72d8z2.exe"
Network
Files
memory/1876-54-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1876-55-0x0000000000400000-0x0000000000515000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
13s
Max time network
20s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2364 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2364 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2364 wrote to memory of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\1.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 560
Network
Files
memory/2364-53-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
memory/2364-54-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2364-55-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/2364-56-0x0000000074420000-0x0000000074B0E000-memory.dmp
memory/2364-57-0x00000000048B0000-0x00000000048F0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
23s
Max time network
19s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Terracotta.exe
"C:\Users\Admin\AppData\Local\Temp\Terracotta.exe"
Network
Files
memory/2988-54-0x0000000000050000-0x0000000000051000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
44s
Max time network
19s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2080 set thread context of 1272 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 1872 set thread context of 1272 | N/A | C:\Windows\SysWOW64\cmstp.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmstp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\bin.exe
"C:\Users\Admin\AppData\Local\Temp\bin.exe"
C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bin.exe"
Network
Files
memory/2080-54-0x0000000000A70000-0x0000000000D73000-memory.dmp
memory/1272-56-0x0000000000010000-0x0000000000020000-memory.dmp
memory/2080-55-0x0000000000E00000-0x0000000000E2A000-memory.dmp
memory/2080-57-0x0000000000190000-0x00000000001A4000-memory.dmp
memory/1272-58-0x00000000045A0000-0x000000000466F000-memory.dmp
memory/1872-59-0x0000000000FE0000-0x0000000000FF8000-memory.dmp
memory/1872-60-0x0000000000FE0000-0x0000000000FF8000-memory.dmp
memory/1872-61-0x00000000000D0000-0x00000000000FA000-memory.dmp
memory/1872-62-0x0000000000B90000-0x0000000000E93000-memory.dmp
memory/1272-63-0x00000000045A0000-0x000000000466F000-memory.dmp
memory/1872-65-0x0000000000960000-0x00000000009F3000-memory.dmp
memory/1872-66-0x00000000000D0000-0x00000000000FA000-memory.dmp
memory/1272-67-0x0000000006AD0000-0x0000000006BFE000-memory.dmp
memory/1272-68-0x0000000006AD0000-0x0000000006BFE000-memory.dmp
memory/1272-70-0x0000000006AD0000-0x0000000006BFE000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
22s
Max time network
19s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\stealedd517v2.exe
"C:\Users\Admin\AppData\Local\Temp\stealedd517v2.exe"
Network
Files
memory/2468-54-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2468-55-0x0000000000400000-0x0000000000521000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
21s
Max time network
18s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\steel.exe
"C:\Users\Admin\AppData\Local\Temp\steel.exe"
Network
Files
memory/2084-54-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2084-55-0x0000000000400000-0x00000000004A4000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
18s
Max time network
19s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bg.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bg.exe
"C:\Users\Admin\AppData\Local\Temp\bg.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ʱ.org | udp |
Files
memory/1136-53-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/1136-54-0x00000000013C0000-0x0000000001476000-memory.dmp
memory/1136-55-0x0000000006F90000-0x0000000007120000-memory.dmp
memory/1136-56-0x00000000009D0000-0x0000000000A10000-memory.dmp
memory/1136-57-0x00000000002A0000-0x00000000002C2000-memory.dmp
memory/1136-58-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/1136-59-0x00000000009D0000-0x0000000000A10000-memory.dmp
memory/1136-60-0x00000000741F0000-0x00000000748DE000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
30s
Max time network
19s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3000 set thread context of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | C:\Users\Admin\AppData\Local\Temp\ej.exe |
| PID 2240 set thread context of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | C:\Windows\Explorer.EXE |
| PID 2240 set thread context of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | C:\Windows\Explorer.EXE |
| PID 2824 set thread context of 1284 | N/A | C:\Windows\SysWOW64\control.exe | C:\Windows\Explorer.EXE |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\control.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ej.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\ej.exe
"C:\Users\Admin\AppData\Local\Temp\ej.exe"
C:\Users\Admin\AppData\Local\Temp\ej.exe
C:\Users\Admin\AppData\Local\Temp\ej.exe"
C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ej.exe"
Network
Files
memory/3000-56-0x0000000000350000-0x0000000000356000-memory.dmp
memory/3000-57-0x0000000077500000-0x00000000775D6000-memory.dmp
memory/2240-58-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2240-60-0x00000000066D0000-0x00000000069D3000-memory.dmp
memory/2240-61-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2240-62-0x0000000001C10000-0x0000000001C24000-memory.dmp
memory/1284-63-0x00000000040C0000-0x0000000004193000-memory.dmp
memory/2240-65-0x0000000000400000-0x000000000042A000-memory.dmp
memory/2240-66-0x0000000001C50000-0x0000000001C64000-memory.dmp
memory/1284-68-0x00000000070B0000-0x00000000071F7000-memory.dmp
memory/2824-71-0x0000000000CF0000-0x0000000000D0F000-memory.dmp
memory/2824-70-0x0000000000CF0000-0x0000000000D0F000-memory.dmp
memory/2824-72-0x0000000000080000-0x00000000000AA000-memory.dmp
memory/2824-73-0x0000000002110000-0x0000000002413000-memory.dmp
memory/1284-76-0x000007FEF5C00000-0x000007FEF5D43000-memory.dmp
memory/1284-77-0x000007FE7BB70000-0x000007FE7BB7A000-memory.dmp
memory/1284-78-0x00000000070B0000-0x00000000071F7000-memory.dmp
memory/1284-81-0x0000000000010000-0x0000000000020000-memory.dmp
memory/2824-80-0x0000000000430000-0x00000000004C3000-memory.dmp
memory/2824-79-0x0000000000080000-0x00000000000AA000-memory.dmp
memory/1284-83-0x0000000007200000-0x000000000730A000-memory.dmp
memory/1284-84-0x0000000007200000-0x000000000730A000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
20s
Max time network
19s
Command Line
Signatures
Azorult
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe
"C:\Users\Admin\AppData\Local\Temp\johngotovo (2)_original_original.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | frontrabot.info | udp |
| US | 8.8.8.8:53 | frontrabot.info | udp |
Files
memory/2164-55-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-56-0x00000000777A0000-0x00000000777A1000-memory.dmp
memory/2164-57-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2164-62-0x0000000076C80000-0x0000000076D90000-memory.dmp
memory/2164-64-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-63-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-66-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-65-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-69-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-68-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-67-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-70-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-72-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-73-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2164-82-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2164-81-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2164-78-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2164-83-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2164-84-0x0000000000280000-0x00000000002C0000-memory.dmp
memory/2164-88-0x0000000000670000-0x00000000009B5000-memory.dmp
memory/2164-94-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2164-97-0x000000007EFDF000-0x000000007EFE0000-memory.dmp
memory/2164-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2164-95-0x000000007EFDB000-0x000000007EFDE000-memory.dmp
memory/2164-98-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2164-99-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2164-104-0x0000000076C80000-0x0000000076D90000-memory.dmp
memory/2164-103-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2164-105-0x0000000002F80000-0x0000000003080000-memory.dmp
memory/2164-106-0x0000000003230000-0x0000000003240000-memory.dmp
memory/2164-107-0x0000000003410000-0x0000000003510000-memory.dmp
memory/2164-108-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/2164-109-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2164-111-0x0000000003190000-0x00000000031A0000-memory.dmp
memory/2164-110-0x0000000003510000-0x0000000003610000-memory.dmp
memory/2164-112-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2164-113-0x00000000009C0000-0x0000000000D0A000-memory.dmp
memory/2164-114-0x00000000777A0000-0x00000000777A1000-memory.dmp
memory/2164-115-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2164-116-0x0000000076C80000-0x0000000076D90000-memory.dmp
C:\Users\Admin\AppData\Local\Turbo.net\Sandbox\GOVNO\8.4.1.1\xsandbox.bin
| MD5 | ec3d19e8e9b05d025cb56c2a98ead8e7 |
| SHA1 | 748532edeb86496c8efe5e2327501d89ec1f13df |
| SHA256 | edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4 |
| SHA512 | 175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349 |
memory/2164-119-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2164-121-0x0000000076C80000-0x0000000076D90000-memory.dmp
memory/2164-122-0x00000000009C0000-0x0000000000D0A000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
40s
Max time network
36s
Command Line
Signatures
Pony,Fareit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2088 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\shit.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2088 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\shit.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2088 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\shit.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2088 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\shit.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\shit.exe
"C:\Users\Admin\AppData\Local\Temp\shit.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259481735.bat" "C:\Users\Admin\AppData\Local\Temp\shit.exe" "
Network
| Country | Destination | Domain | Proto |
| RU | 185.222.202.114:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\259481735.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
C:\Users\Admin\AppData\Local\Temp\259481735.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
Analysis: behavioral30
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
21s
Max time network
19s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\update_z.exe
"C:\Users\Admin\AppData\Local\Temp\update_z.exe"
Network
Files
memory/2464-53-0x0000000000400000-0x0000000000480000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
20s
Max time network
19s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Builder.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Builder.exe"
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
23s
Max time network
19s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\POVOFJYqCoZfOoPkWOsSBcVYWIu.exe
"C:\Users\Admin\AppData\Local\Temp\POVOFJYqCoZfOoPkWOsSBcVYWIu.exe"
Network
Files
memory/3056-54-0x0000000000850000-0x00000000008A6000-memory.dmp
memory/3056-56-0x0000000000250000-0x0000000000290000-memory.dmp
memory/3056-55-0x0000000074300000-0x00000000749EE000-memory.dmp
memory/3056-57-0x00000000004D0000-0x0000000000516000-memory.dmp
memory/3056-58-0x0000000000810000-0x0000000000856000-memory.dmp
memory/3056-59-0x0000000074300000-0x00000000749EE000-memory.dmp
memory/3056-60-0x0000000000250000-0x0000000000290000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
13s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Zver.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2388 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\Zver.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2388 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\Zver.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2388 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\Zver.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2388 wrote to memory of 2020 | N/A | C:\Users\Admin\AppData\Local\Temp\Zver.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Zver.exe
"C:\Users\Admin\AppData\Local\Temp\Zver.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 564
Network
Files
memory/2388-54-0x0000000000B30000-0x0000000000B72000-memory.dmp
memory/2388-55-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/2388-56-0x0000000004420000-0x0000000004460000-memory.dmp
memory/2388-57-0x0000000074B30000-0x000000007521E000-memory.dmp
memory/2388-58-0x0000000004420000-0x0000000004460000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
28s
Max time network
36s
Command Line
Signatures
Remcos
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | C:\Users\Admin\AppData\Local\Temp\a.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
C:\Users\Admin\AppData\Local\Temp\a.exe
"C:\Users\Admin\AppData\Local\Temp\a.exe"
Network
| Country | Destination | Domain | Proto |
| SE | 194.68.59.44:9074 | N/A | tcp |
| SE | 194.68.59.44:9074 | N/A | tcp |
| SE | 194.68.59.44:9074 | N/A | tcp |
| SE | 194.68.59.44:9074 | N/A | tcp |
| SE | 194.68.59.44:9074 | N/A | tcp |
Files
memory/2492-54-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/2492-56-0x0000000000260000-0x00000000002A0000-memory.dmp
memory/2492-55-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/856-57-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-59-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-61-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-63-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-65-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/856-68-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-70-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2492-71-0x0000000074F10000-0x00000000754BB000-memory.dmp
memory/856-73-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-75-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-77-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-76-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-79-0x0000000000400000-0x000000000041B000-memory.dmp
memory/856-81-0x0000000000400000-0x000000000041B000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
22s
Max time network
18s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\update_b.exe
"C:\Users\Admin\AppData\Local\Temp\update_b.exe"
Network
Files
memory/2192-53-0x0000000000400000-0x0000000000480000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
17s
Max time network
16s
Command Line
Signatures
Azorult
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe
"C:\Users\Admin\AppData\Local\Temp\johngotovo (2).exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | frontrabot.info | udp |
| US | 8.8.8.8:53 | frontrabot.info | udp |
Files
memory/2372-54-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-56-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2372-55-0x0000000077A40000-0x0000000077A41000-memory.dmp
memory/2372-57-0x0000000077510000-0x0000000077620000-memory.dmp
memory/2372-62-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-63-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-64-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-65-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-68-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-67-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-66-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-69-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-71-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-77-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2372-72-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2372-80-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2372-84-0x00000000003E0000-0x00000000003E1000-memory.dmp
memory/2372-83-0x00000000003D0000-0x00000000003D1000-memory.dmp
memory/2372-87-0x00000000005E0000-0x0000000000925000-memory.dmp
memory/2372-93-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2372-91-0x0000000000E70000-0x0000000000EB0000-memory.dmp
memory/2372-94-0x000000007EFDB000-0x000000007EFDE000-memory.dmp
memory/2372-96-0x000000007EFDF000-0x000000007EFE0000-memory.dmp
memory/2372-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2372-97-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2372-98-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2372-102-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2372-103-0x0000000077510000-0x0000000077620000-memory.dmp
memory/2372-104-0x0000000002D50000-0x0000000002E50000-memory.dmp
memory/2372-105-0x0000000010000000-0x000000001006A000-memory.dmp
memory/2372-106-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/2372-107-0x0000000003560000-0x0000000003660000-memory.dmp
memory/2372-108-0x0000000002FE0000-0x00000000030E0000-memory.dmp
memory/2372-110-0x0000000002FA0000-0x0000000002FB0000-memory.dmp
memory/2372-109-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2372-111-0x0000000003660000-0x0000000003760000-memory.dmp
memory/2372-112-0x0000000000930000-0x0000000000C7A000-memory.dmp
memory/2372-113-0x0000000077A40000-0x0000000077A41000-memory.dmp
memory/2372-114-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2372-115-0x0000000077510000-0x0000000077620000-memory.dmp
C:\Users\Admin\AppData\Local\Turbo.net\Sandbox\GOVNO\8.4.1.1\xsandbox.bin
| MD5 | ec3d19e8e9b05d025cb56c2a98ead8e7 |
| SHA1 | 748532edeb86496c8efe5e2327501d89ec1f13df |
| SHA256 | edb7be3ef6098a1e24d0c72bbc6f968dea773951a0dd07b63bad6d9009ae3bf4 |
| SHA512 | 175fb8432472b6795bb5db0eba61bc7b57331720825df5b048f3086815ba844df4f7e83e42ff9e8fe5ab01700675a774cb916677953d6e0088ffbf1fa2775349 |
memory/2372-119-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2372-121-0x0000000077510000-0x0000000077620000-memory.dmp
memory/2372-122-0x0000000000930000-0x0000000000C7A000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
38s
Max time network
19s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ktg.exe
"C:\Users\Admin\AppData\Local\Temp\ktg.exe"
Network
Files
memory/2228-54-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2228-55-0x0000000000400000-0x000000000048E000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
15s
Max time network
19s
Command Line
Signatures
Pony,Fareit
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\null.url | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2688 set thread context of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ss.exe
"C:\Users\Admin\AppData\Local\Temp\ss.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC4D.tmp" "c:\Users\Admin\AppData\Local\Temp\traigy22\CSC78D03A35B7984DF6A7F03117A8B1DFFB.TMP"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259446729.bat" "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" "
Network
Files
memory/2688-54-0x00000000008A0000-0x00000000008FE000-memory.dmp
memory/2688-55-0x0000000074130000-0x000000007481E000-memory.dmp
memory/2688-56-0x0000000000810000-0x0000000000850000-memory.dmp
memory/2688-57-0x00000000001F0000-0x00000000001F8000-memory.dmp
\??\c:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.cmdline
| MD5 | 21abb1e56326228edcd5bb5be040110c |
| SHA1 | a2909111f5931db17748529b7565c458a78c9884 |
| SHA256 | 820b0969fc10287878289d67337872449403ae59ec6c4976c54302b8266bb9e2 |
| SHA512 | 30b6b4668041a7980ad9464fd38a1bc084d1ad41bfc40193ad534b7f84ded05a624599fb771f7a975fd71ffc23068f90f7a970ea6482f92293e1950207d9f8c1 |
\??\c:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.0.cs
| MD5 | be3ee94e0df736f6079cf3f82039b9b9 |
| SHA1 | b1e5a6f2cf3790dd17e19dbe9d4f881b7922c817 |
| SHA256 | 44b89526f2f795feff6e5c6762e55466699f8e6b09f74aff7968b94c1249e1fd |
| SHA512 | 655b49fcd792823219e5381e2e232606e86296d46e8b6b37c1c2656eb98927bce532aca4179584a595b00c612c569ee870da00a5f8684cb461d2a29d948aedb7 |
\??\c:\Users\Admin\AppData\Local\Temp\traigy22\CSC78D03A35B7984DF6A7F03117A8B1DFFB.TMP
| MD5 | e10a9737bef7b773cdb882880be67d01 |
| SHA1 | 12ea760cd7650c709e0721a5426066ebb41ead05 |
| SHA256 | d9ac258e58a435cd703b9593d951e9b194810d425fb2b5cb215cdb0a9430c6af |
| SHA512 | 695fd374a5ece2ff5695156003bde2b6d125febfedd9fd7181f551b6479d9e63f48cbe19185e8dc536aea7c803e8c65d6b5463eacd83ab89aba73f221f2b2416 |
C:\Users\Admin\AppData\Local\Temp\RESBC4D.tmp
| MD5 | 59813bc7aa219b3ef2948d4a941855c1 |
| SHA1 | 8869c3383a92e88d4d315278020137f45d62807c |
| SHA256 | 358382c169d7534361a663728db1f347f60b0a1bc872e8c5cefac61b808cccf7 |
| SHA512 | a9c6bd411423d5d196996da95ac512425509c5256d6f25f5077a565f7fd22c8ba1b78a294991ed6ab22e4b929def8c13eed0986a397c317ededc01e899604f5d |
C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.dll
| MD5 | ba381278aac27444670bef56e3318fa9 |
| SHA1 | 4895543d6548cab0b6822c3772fb81032998c65b |
| SHA256 | 0f9de8452cb226183eb90e291dcaf90fc9e53e681e875107cb44ece721c22d52 |
| SHA512 | d2c91cee6af3b7a04ae0e8439a06ba98fc2635cd528366549a74be8d70af409820d6ecd0369cf411828ba7435c18656cc9db0fbccab05f546325285d963126bc |
C:\Users\Admin\AppData\Local\Temp\traigy22\traigy22.pdb
| MD5 | 7e4c9c63fb43c38f20030d053991f891 |
| SHA1 | 800752c72739dcc64924fc03c9d648871df3bab0 |
| SHA256 | b5dc5baf8b8577b9fdb704da3af6654c19d2ca1586150ae54469f0be534418a9 |
| SHA512 | 30554be574af975618b5ed4e3c8592bd7cad0d67e6b4bb09eba2e39fc55f6e7be4df25db65349fd2c484aa04ec118fea35e66473c853360d665a5ac1779aabfc |
memory/2688-72-0x0000000000220000-0x0000000000228000-memory.dmp
memory/2688-74-0x0000000000600000-0x0000000000626000-memory.dmp
memory/2688-75-0x00000000002A0000-0x00000000002AC000-memory.dmp
memory/2688-78-0x0000000000570000-0x0000000000589000-memory.dmp
memory/2616-79-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2616-80-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2616-81-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2616-82-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2616-83-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2616-85-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2616-87-0x0000000000400000-0x0000000000419000-memory.dmp
memory/2688-88-0x0000000074130000-0x000000007481E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\259446729.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
memory/2616-97-0x0000000000420000-0x0000000000487000-memory.dmp
memory/2616-98-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
29s
Max time network
26s
Command Line
Signatures
Lokibot
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3060 set thread context of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | C:\Users\Admin\AppData\Local\Temp\1221.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3060 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | C:\Users\Admin\AppData\Local\Temp\1221.exe |
| PID 3060 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | C:\Users\Admin\AppData\Local\Temp\1221.exe |
| PID 3060 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | C:\Users\Admin\AppData\Local\Temp\1221.exe |
| PID 3060 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\1221.exe | C:\Users\Admin\AppData\Local\Temp\1221.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1221.exe
"C:\Users\Admin\AppData\Local\Temp\1221.exe"
C:\Users\Admin\AppData\Local\Temp\1221.exe
"C:\Users\Admin\AppData\Local\Temp\1221.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | botnet.americaircairmakan.com | udp |
Files
memory/3060-53-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/3060-54-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/3060-55-0x0000000000260000-0x0000000000261000-memory.dmp
memory/2580-56-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/3060-57-0x0000000000400000-0x00000000004CC000-memory.dmp
memory/2580-59-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2580-60-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4219371764-2579186923-3390623117-1000\0f5007522459c86e95ffcc62f32308f1_a858d4fe-e318-4442-a90a-f02c78216cd3
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
memory/2580-102-0x0000000000400000-0x00000000004A2000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
31s
Max time network
26s
Command Line
Signatures
Pony,Fareit
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1544 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1544 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1544 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1544 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe
"C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259460457.bat" "C:\Users\Admin\AppData\Local\Temp\amdcontroller.exe" "
Network
| Country | Destination | Domain | Proto |
| RU | 185.222.202.114:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\259460457.bat
| MD5 | 3880eeb1c736d853eb13b44898b718ab |
| SHA1 | 4eec9d50360cd815211e3c4e6bdd08271b6ec8e6 |
| SHA256 | 936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7 |
| SHA512 | 3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b |
Analysis: behavioral16
Detonation Overview
Submitted
2023-08-13 18:33
Reported
2023-08-13 18:34
Platform
win7-20230712-en
Max time kernel
36s
Max time network
17s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Registry Key Name = "C:\\Users\\Admin\\AppData\\Local\\Temp\\subfolder\\filename.vbs" | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fban4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2580 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\fban4.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2580 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\fban4.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2580 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\fban4.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2580 wrote to memory of 2440 | N/A | C:\Users\Admin\AppData\Local\Temp\fban4.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 2440 wrote to memory of 2992 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe |
| PID 2440 wrote to memory of 2992 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe |
| PID 2440 wrote to memory of 2992 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe |
| PID 2440 wrote to memory of 2992 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\fban4.exe
"C:\Users\Admin\AppData\Local\Temp\fban4.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs"
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
"C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe"
Network
Files
memory/2580-56-0x0000000000270000-0x0000000000276000-memory.dmp
memory/2580-57-0x0000000077620000-0x00000000776F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.vbs
| MD5 | 61303679134d10e8f1f35236fec661e6 |
| SHA1 | ed31726523d21be75c47e699eec4b76aeaa376d5 |
| SHA256 | 047c78d7dbb5709dc8eee29b69d2a42aebe9249723105a56b8689c4657cb5331 |
| SHA512 | 8fe11c1e624fbbc600f0402514b67f1b61c5123eba826bb50113858b96f283792cc9defdf1aa5c101c64e8ef65c0dd9ed6032debcb6f94dcbf8fcde90f2c3610 |
C:\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| MD5 | b71a202427c3900cf14b4f0226883074 |
| SHA1 | a44ccbf7f1f59986075dad8b31b11ba69c12e00c |
| SHA256 | c8be7b87eaf410f1eb7de57f7050f9435103b9a07a1e6579cf606ce4b868bada |
| SHA512 | 9b5f826fa0c4872d98409a66704d279e55931897853a73b9737e8acd8f2b368ba538fd0ec9844911ca1eebe9afb43402f13544db95c60ff72aa98ab2bff3bdb1 |
\Users\Admin\AppData\Local\Temp\subfolder\filename.exe
| MD5 | b71a202427c3900cf14b4f0226883074 |
| SHA1 | a44ccbf7f1f59986075dad8b31b11ba69c12e00c |
| SHA256 | c8be7b87eaf410f1eb7de57f7050f9435103b9a07a1e6579cf606ce4b868bada |
| SHA512 | 9b5f826fa0c4872d98409a66704d279e55931897853a73b9737e8acd8f2b368ba538fd0ec9844911ca1eebe9afb43402f13544db95c60ff72aa98ab2bff3bdb1 |