Analysis Overview
SHA256
19a43555e70d8b085c71f433d667db090babe8936feaf3b2102299bc2d8a0467
Threat Level: Known bad
The file 3X0 0DAY.bin.zip was found to be: Known bad.
Malicious Activity Summary
StormKitty payload
AsyncRat
StormKitty
Modifies boot configuration data using bcdedit
Deletes shadow copies
Async RAT payload
Disables Task Manager via registry modification
Loads dropped DLL
.NET Reactor protector
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Looks up external IP address via web service
Maps connected drives based on registry
Looks up geolocation information via web service
Adds Run key to start application
Drops desktop.ini file(s)
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Interacts with shadow copies
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Runs ping.exe
Uses Volume Shadow Copy service COM API
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Creates scheduled task(s)
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-19 19:17
Signatures
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-19 19:17
Reported
2023-09-19 19:19
Platform
win7-20230831-en
Max time kernel
59s
Max time network
61s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes shadow copies
Disables Task Manager via registry modification
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\0.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\0.EXE" | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Recorded TV\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2588 set thread context of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\README_6642462.txt | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Program Files (x86)\README_6642462.txt | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\README_6642462.txt | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3X0 0DAY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3X0 0DAY.exe
"C:\Users\Admin\AppData\Local\Temp\3X0 0DAY.exe"
C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe
"C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe"
C:\Users\Admin\AppData\Local\Temp\ss.exe
"C:\Users\Admin\AppData\Local\Temp\ss.exe"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F2E.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Users\Admin\AppData\Local\Temp\0.EXE
C:\Users\Admin\AppData\Local\Temp\0.EXE
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\PING.EXE
ping -n 1 -w 5000 10.10.254.254
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:3389 | | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.114.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.121.141:80 | apps.identrust.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| US | 8.8.8.8:53 | google.com | udp |
Files
memory/1692-0-0x00000000012D0000-0x0000000001356000-memory.dmp
memory/1692-1-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp
memory/1692-2-0x000000001B250000-0x000000001B2D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe
| MD5 | 4afe3dac15e0b93b5bd0b746b16866ed |
| SHA1 | 42029929f6907201204876c858b0e40b901ef908 |
| SHA256 | 53f0c62c97546c1a8e2bf493fa8bd6247a5651f010b66d91caf9b1a8e7cc76cc |
| SHA512 | b7dbacbdaa5c4ec291b7a12b39a694dad667b5cfdacc8bcfbd358d1199f10eac8e23601c48b0d464bbec69e649e6e548678d44be7783d7088d50a7c7e876dfcf |
C:\Users\Admin\AppData\Local\Temp\ss.exe
| MD5 | bfa7d185d8a17305acf52d9387b15cdf |
| SHA1 | e240233de01a24722be36f2b5fdab8eca32e0c8d |
| SHA256 | 37297ecba096d6aee5cfd6af09b0dc5dde28aad5bae73258390fc7c1c9603b0b |
| SHA512 | 56730df2e1f03991d95899da389ddd9d729df5ff6a732757668cdfec6bb1241a9e2d035a570c1017afb1565c715b3da293d097f0419994e1279dba92d5e1e861 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | c6b4de7dbe7927a9734bc01b9480a6ae |
| SHA1 | 174834f428e1b20b7c57326d1d4b79d3292e3b26 |
| SHA256 | ba5134015f931eb3e0f6fc76dc41503470de67b51883f3b66a1bc91c82f6bcb5 |
| SHA512 | 11d403a8ee200fc91d52fcca8558557f2e0c48f3224a2d3cb6744a16212b911d7e38f5a30b400d7dee6f11a6bad0cb7f576bf13c7c24eb3003365a3db5860eb9 |
memory/1692-22-0x000007FEF5BD0000-0x000007FEF65BC000-memory.dmp
memory/2656-26-0x0000000074A80000-0x000000007516E000-memory.dmp
memory/2588-27-0x0000000074A80000-0x000000007516E000-memory.dmp
memory/2656-28-0x0000000000B00000-0x0000000000B08000-memory.dmp
memory/2588-29-0x00000000012E0000-0x000000000132A000-memory.dmp
C:\Users\Admin\AppData\Roaming\.exe
| MD5 | 4afe3dac15e0b93b5bd0b746b16866ed |
| SHA1 | 42029929f6907201204876c858b0e40b901ef908 |
| SHA256 | 53f0c62c97546c1a8e2bf493fa8bd6247a5651f010b66d91caf9b1a8e7cc76cc |
| SHA512 | b7dbacbdaa5c4ec291b7a12b39a694dad667b5cfdacc8bcfbd358d1199f10eac8e23601c48b0d464bbec69e649e6e548678d44be7783d7088d50a7c7e876dfcf |
memory/2656-31-0x0000000004C90000-0x0000000004CD0000-memory.dmp
memory/2448-32-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2448-34-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2448-36-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2448-37-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2448-38-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2448-40-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2448-42-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2448-44-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2588-45-0x0000000074A80000-0x000000007516E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7F2E.tmp.cmd
| MD5 | 030b43dd0c694301fc587f0f2c2b9e41 |
| SHA1 | 6c8c48ba1806cfadb425b49846f3074c0a74f0a2 |
| SHA256 | 42656584f60d2f5757fe2879ecf2215d1be6c2fcde6ddc380383652d62594d5b |
| SHA512 | 38beaa0de0d46ffaa09b3709e098e11562fe1c1d61c1026cc9d49d21a7edb78a15321a3426a4639644fc2f2113c7d71a6ac88befd22582e97f83953fbcfc001c |
memory/2656-55-0x0000000074A80000-0x000000007516E000-memory.dmp
memory/2256-57-0x0000000071160000-0x000000007170B000-memory.dmp
memory/2256-58-0x0000000071160000-0x000000007170B000-memory.dmp
memory/2256-59-0x0000000002610000-0x0000000002650000-memory.dmp
memory/2256-60-0x0000000002610000-0x0000000002650000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0.EXE
| MD5 | 416eb366bde2537ebf88aaa8fcbb868c |
| SHA1 | 6fcd8c1cce7acf7ace95dad8664e4acb934358b1 |
| SHA256 | 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890 |
| SHA512 | e81bd2e313789d2f5fc36626a6574a52253c20c83dd66b9e9a52f93a9fb09d1af96e4b46166d044a76263c075e81be6844de248ed511434df4521dea23760b67 |
\Users\Admin\AppData\Local\Temp\0.EXE
| MD5 | 416eb366bde2537ebf88aaa8fcbb868c |
| SHA1 | 6fcd8c1cce7acf7ace95dad8664e4acb934358b1 |
| SHA256 | 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890 |
| SHA512 | e81bd2e313789d2f5fc36626a6574a52253c20c83dd66b9e9a52f93a9fb09d1af96e4b46166d044a76263c075e81be6844de248ed511434df4521dea23760b67 |
memory/756-66-0x0000000000090000-0x00000000000A4000-memory.dmp
memory/756-67-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp
memory/756-68-0x000000001B200000-0x000000001B280000-memory.dmp
memory/2256-69-0x0000000071160000-0x000000007170B000-memory.dmp
C:\Users\Admin\AppData\Local\636a3332b79fbf079758744a37210051\Admin@ZWKQHIWB_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/2448-139-0x0000000004D50000-0x0000000004D90000-memory.dmp
memory/756-143-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp
memory/756-144-0x000000001B200000-0x000000001B280000-memory.dmp
memory/756-145-0x000000001B200000-0x000000001B280000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabBB5C.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\TarBBCD.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ffe85afd5660752a5cd897a4ebcc1e61 |
| SHA1 | 0f89dc12d9ed546f0650d05d9ec8263c63bb923f |
| SHA256 | fb04e6d3de4aedc63a49ddd97fe2da814a5f19170c72bd6addbaed47f29b4d38 |
| SHA512 | cf7573ca92ed27dd69a179b017853d67e9b618e9ba01e4ef7f287c8c06096ee3a3d15a74d11701506fb6c9737051509349b9f3d0ec776e08730e33a95007848b |
C:\Users\Admin\AppData\Local\e6d71db13c291cb99d37d4012713ec94\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2448-212-0x0000000004D50000-0x0000000004D90000-memory.dmp
memory/756-213-0x000000001B200000-0x000000001B280000-memory.dmp
C:\vcredist2010_x86.log.html
| MD5 | b18a9cf36e85a5b13498649ce8853a1d |
| SHA1 | e8e4155ec7ca326d0f0f101ff9e0811c0c228995 |
| SHA256 | 81f5c3562d5f2bf4905d77654c8332a0efb9911418e4522851aa259051ef1a6e |
| SHA512 | 82976382874f70d178c75ec0039327279818eaf70024cfe9057c80911ba0d8a84dfe9d7f39b01be944d5751deb3d5d60808106c01bc68214af4689a744fab4f3 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_6642462.txt
| MD5 | ed0328e862ba419346c4086a01059ff6 |
| SHA1 | f861f6837794c9f0160f48a98454d61672922d7a |
| SHA256 | 97a9b0736f7adca8b8642e91b9709e4d3ead990cd21263a3492ad429366b3d69 |
| SHA512 | cbb01e34c268ed49bc3210aca9fa127b52e93da8989e5b46535a352c5f7b0482556e53112b56ca129e8445d1808f518254531bbc4e9be46962cd6ad1c360356d |
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml
| MD5 | 6a3f58d467a86e5b0893c72f0af494c0 |
| SHA1 | d4589638adda7b23c3c68be4cebd4d102617e202 |
| SHA256 | ec73a73358c37f38bc0a4b83a13cf00b4c2041cc234b29a8448f051efcfd7d1f |
| SHA512 | 6c6db25e3f484a751d467c5e99c5d420b88eceb081b345fe18f76c377e81b1306217ec58e64f097819ac082b308860aea8f18ba34772d9b60b669e5640ecb3b1 |
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi
| MD5 | e46ed973e950ec3696db821d17ceb7ae |
| SHA1 | df954b57b0dc8cc37f0c4997e0d9cb8342a4c39e |
| SHA256 | 1f3771e94805f4a8995931523b881e8244146b27dc768a3afe733c2d5128fee6 |
| SHA512 | 3b6aaf75ba1f8d9bde3c3139891ca0305867d546d3f213756c385dbfa9763d00dcd35c7278655cf401cd5330bd4e7d5d9b1563a9356c06783d525da453d85d95 |
C:\Users\Admin\AppData\Local\Temp\update.bat
| MD5 | 006c4a11f8f7da454e4c20b8bad85526 |
| SHA1 | 7b8c5ac8182a520117e6a1a321b5b9a93e3192a6 |
| SHA256 | 278b5121b5c5b09aaafcaa97e228ccbc198cf369787f74dc13790cc821f9665d |
| SHA512 | b4a3258dc6c26695e60013cf33221a72ea9b62f5559f5e18ef579f06aef935d1b299b7c390d62d6e7f74b2e333800b4e3502afc7cd61dc0ec8187b098cb053d1 |
C:\Users\Admin\AppData\Roaming\delback.bat
| MD5 | 2450c91afcc2d4cc3dea374820bed314 |
| SHA1 | dd1b61d0aa6d1769018c1d3144de9bb960a64d3c |
| SHA256 | 4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df |
| SHA512 | b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91 |
memory/756-1287-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-19 19:17
Reported
2023-09-19 19:19
Platform
win10v2004-20230915-en
Max time kernel
60s
Max time network
64s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes shadow copies
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Disables Task Manager via registry modification
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3X0 0DAY.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\0.EXE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\0.EXE" | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\AccountPictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\OneDrive\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Libraries\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\3D Objects\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| File created | C:\Users\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Public\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 536 set thread context of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\README_3892809.txt | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| File created | C:\Program Files (x86)\README_3892809.txt | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\README_3892809.txt | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Interacts with shadow copies
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3X0 0DAY.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Payload.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3X0 0DAY.exe
"C:\Users\Admin\AppData\Local\Temp\3X0 0DAY.exe"
C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe
"C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe"
C:\Users\Admin\AppData\Local\Temp\ss.exe
"C:\Users\Admin\AppData\Local\Temp\ss.exe"
C:\Users\Admin\AppData\Local\Temp\Payload.exe
"C:\Users\Admin\AppData\Local\Temp\Payload.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'
C:\Windows\SysWOW64\cmd.exe
"cmd" /C schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp978D.tmp.cmd""
C:\Windows\SysWOW64\timeout.exe
timeout 4
C:\Users\Admin\AppData\Local\Temp\0.EXE
C:\Users\Admin\AppData\Local\Temp\0.EXE
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
C:\Windows\SysWOW64\findstr.exe
findstr All
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\chcp.com
chcp 65001
C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
C:\Windows\system32\PING.EXE
ping -n 1 -w 5000 10.10.254.254
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} recoveryenabled no
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
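The process list above is the run's whole procedure in order: Run-key and scheduled-task persistence for the AsyncRAT side (a task whose action is RegAsm.exe itself is the hollowing host being re-launched at logon), Wi-Fi profile and BSSID enumeration for the StormKitty side, then 0.EXE's anti-recovery steps (vssadmin, bcdedit) with ping and timeout used as sleeps. The Python below is an added example, not code from the report or from either malware family; it runs a small set of detection predicates over those command lines, transcribed here as a constructed sample in place of real Sysmon Event ID 1 or Security 4688 records. The rule names, the user-writable directory list and the ATT&CK mapping are this example's own choices.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample input: (image, command line) pairs transcribed from the
# process list above. Real input would be Sysmon Event ID 1 or Windows
# Security 4688 records with command-line auditing enabled.
SAMPLE_PROCESSES: List[Tuple[str, str]] = [
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r""""powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name '' -Value '"C:\Users\Admin\AppData\Roaming\.exe"' -PropertyType 'String'"""),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'schtasks /create /tn \ /tr "C:\Users\Admin\AppData\Roaming\.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    (r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
    (r"C:\Windows\SysWOW64\chcp.com", "chcp 65001"),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show profile"),
    (r"C:\Windows\SysWOW64\findstr.exe", "findstr All"),
    (r"C:\Windows\SysWOW64\netsh.exe", "netsh wlan show networks mode=bssid"),
    (r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    (r"C:\Windows\system32\PING.EXE", "ping -n 1 -w 5000 10.10.254.254"),
    (r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled no"),
    (r"C:\Windows\system32\bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
]

# Directories an unprivileged user can write to (this example's list); a task
# whose action lives there was not created by an installer or administrator.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|users\\public)\\", re.I)
# Signed .NET utilities commonly used as process-hollowing hosts.
DOTNET_HOSTS = ("regasm.exe", "regsvcs.exe", "installutil.exe")


def task_action(cmd: str):
    """Return the /tr (action) argument of a schtasks command line, or None."""
    m = re.search(r'/tr\s+(?:"([^"]*)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def scheduled_task_persistence(image: str, cmd: str) -> bool:
    if not image.lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
        return False
    target = task_action(cmd) or ""
    return bool(USER_WRITABLE.search(target)) or target.lower().endswith(DOTNET_HOSTS)


def run_key_persistence(image: str, cmd: str) -> bool:
    c = cmd.lower()
    return image.lower().endswith("powershell.exe") and "currentversion\\run" in c and "new-itemproperty" in c


def inhibit_system_recovery(image: str, cmd: str) -> bool:
    img, c = image.lower(), cmd.lower()
    if img.endswith("vssadmin.exe"):
        return "delete" in c and "shadows" in c
    if img.endswith("bcdedit.exe"):
        return "recoveryenabled no" in c or "bootstatuspolicy ignoreallfailures" in c
    return False


def wifi_enumeration(image: str, cmd: str) -> bool:
    c = cmd.lower()
    return image.lower().endswith("netsh.exe") and "wlan show" in c and ("profile" in c or "networks" in c)


def sleep_via_ping_or_timeout(image: str, cmd: str) -> bool:
    img, c = image.lower(), cmd.lower()
    if img.endswith("timeout.exe"):
        return True
    # A single echo request with a long -w timeout is the classic batch-file sleep.
    return img.endswith("ping.exe") and "-n 1" in c and "-w" in c


# (rule name, ATT&CK technique, predicate); the mapping is this example's own.
RULES: List[Tuple[str, str, Callable[[str, str], bool]]] = [
    ("inhibit_system_recovery", "T1490", inhibit_system_recovery),
    ("scheduled_task_persistence", "T1053.005", scheduled_task_persistence),
    ("run_key_persistence", "T1547.001", run_key_persistence),
    ("wifi_enumeration", "T1016", wifi_enumeration),
    ("sleep_via_ping_or_timeout", "T1497.003", sleep_via_ping_or_timeout),
]


def scan(processes: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Apply every rule to every process record; return one hit per match."""
    hits = []
    for image, cmd in processes:
        for name, technique, predicate in RULES:
            if predicate(image, cmd):
                hits.append({"rule": name, "technique": technique, "image": image, "cmdline": cmd})
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_PROCESSES):
        print(f"[{h['technique']}] {h['rule']}: {h['cmdline']}")
```

On the sample every rule fires at least once and the two benign helper processes (chcp, findstr) produce nothing; the schtasks rule fires twice because one task points into AppData and the other names RegAsm.exe as its action.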
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:3389 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | google.com | udp |
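Most rows in this table are resolver and sandbox noise: 8.8.8.8:53 lookups, and reverse (in-addr.arpa) lookups of the peers that were just contacted. The rows that carry signal are the TCP connections to icanhazip.com (external IP), api.mylnikov.org (Wi-Fi BSSID geolocation, which pairs with the netsh wlan show networks mode=bssid command in the process list) and api.telegram.org (Telegram Bot API), plus the loopback attempt to 127.0.0.1:7707, which is consistent with an AsyncRAT build left on its stock host (127.0.0.1) and port list (6606, 7707, 8808). The Python below is an added triage example, not sandbox output or either family's code; it parses the table above, embedded as a constructed sample, and separates those classes. The service-role labels and category names are this example's own.

```python
from typing import Dict, List

# AsyncRAT's stock client settings list 127.0.0.1 as host and 6606, 7707, 8808
# as ports; a loopback connection on one of them usually means the builder
# defaults were never changed.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

# Roles of the third-party services seen in this run (this example's labels).
SERVICE_ROLES = {
    "icanhazip.com": "external IP lookup",
    "api.mylnikov.org": "Wi-Fi BSSID geolocation",
    "api.telegram.org": "Telegram Bot API (exfiltration)",
}

# Constructed sample input: the rows of the Network table above.
SAMPLE_TABLE = """
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| N/A | 127.0.0.1:3389 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.18.115.97:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.115.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | google.com | udp |
"""


def parse_rows(table: str) -> List[Dict]:
    """Parse '| country | ip:port | domain | proto |' rows. Also accepts a row
    whose domain cell is absent so that the proto sits one column to the left."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or ":" not in cells[1]:
            continue
        ip, port = cells[1].rsplit(":", 1)
        proto = next((c for c in reversed(cells) if c in ("tcp", "udp")), "")
        domain = "" if cells[2] in ("N/A", proto, "") else cells[2]
        rows.append({"country": cells[0], "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def triage(rows: List[Dict]) -> Dict:
    resolved, noise, loopback = set(), set(), set()
    contacted: Dict[str, str] = {}          # "ip:port" -> domain ("" if unknown)
    for r in rows:
        if r["domain"].endswith(".in-addr.arpa"):
            noise.add(r["domain"])          # PTR lookups of peers, not infrastructure
        elif r["port"] == 53:
            resolved.add(r["domain"])       # resolver traffic; keep the name only
        elif r["ip"].startswith("127."):
            loopback.add(r["port"])
        else:
            contacted[f"{r['ip']}:{r['port']}"] = r["domain"]
    names = {d for d in contacted.values() if d}
    return {
        "blocklist": sorted(contacted),
        "stealer_services": {d: SERVICE_ROLES[d] for d in names if d in SERVICE_ROLES},
        "other_egress": sorted(names - set(SERVICE_ROLES)),
        "resolved_but_not_contacted": sorted(resolved - names),
        "asyncrat_default_ports": sorted(p for p in loopback if p in ASYNCRAT_DEFAULT_PORTS),
        "other_loopback_ports": sorted(p for p in loopback if p not in ASYNCRAT_DEFAULT_PORTS),
        "reverse_dns_noise": len(noise),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_TABLE)).items():
        print(f"{key}: {value}")
```

The blocklist that comes out is four ip:port pairs; everything else in the table either never left the resolver, was a PTR lookup, or stayed on loopback.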
Files
memory/1272-0-0x0000000000AC0000-0x0000000000B46000-memory.dmp
memory/1272-1-0x00007FFA74BF0000-0x00007FFA756B1000-memory.dmp
memory/1272-2-0x000000001B8B0000-0x000000001B8C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe
| MD5 | 4afe3dac15e0b93b5bd0b746b16866ed |
| SHA1 | 42029929f6907201204876c858b0e40b901ef908 |
| SHA256 | 53f0c62c97546c1a8e2bf493fa8bd6247a5651f010b66d91caf9b1a8e7cc76cc |
| SHA512 | b7dbacbdaa5c4ec291b7a12b39a694dad667b5cfdacc8bcfbd358d1199f10eac8e23601c48b0d464bbec69e649e6e548678d44be7783d7088d50a7c7e876dfcf |
C:\Users\Admin\AppData\Local\Temp\ss.exe
| MD5 | bfa7d185d8a17305acf52d9387b15cdf |
| SHA1 | e240233de01a24722be36f2b5fdab8eca32e0c8d |
| SHA256 | 37297ecba096d6aee5cfd6af09b0dc5dde28aad5bae73258390fc7c1c9603b0b |
| SHA512 | 56730df2e1f03991d95899da389ddd9d729df5ff6a732757668cdfec6bb1241a9e2d035a570c1017afb1565c715b3da293d097f0419994e1279dba92d5e1e861 |
C:\Users\Admin\AppData\Local\Temp\Payload.exe
| MD5 | c6b4de7dbe7927a9734bc01b9480a6ae |
| SHA1 | 174834f428e1b20b7c57326d1d4b79d3292e3b26 |
| SHA256 | ba5134015f931eb3e0f6fc76dc41503470de67b51883f3b66a1bc91c82f6bcb5 |
| SHA512 | 11d403a8ee200fc91d52fcca8558557f2e0c48f3224a2d3cb6744a16212b911d7e38f5a30b400d7dee6f11a6bad0cb7f576bf13c7c24eb3003365a3db5860eb9 |
memory/1272-37-0x00007FFA74BF0000-0x00007FFA756B1000-memory.dmp
memory/536-40-0x0000000000D80000-0x0000000000DCA000-memory.dmp
memory/5088-41-0x0000000000FB0000-0x0000000000FB8000-memory.dmp
memory/5088-42-0x0000000074970000-0x0000000075120000-memory.dmp
memory/536-44-0x0000000005DC0000-0x0000000006364000-memory.dmp
memory/536-43-0x0000000074970000-0x0000000075120000-memory.dmp
memory/5088-46-0x0000000005A60000-0x0000000005A70000-memory.dmp
memory/2848-48-0x0000000000400000-0x0000000000440000-memory.dmp
memory/992-47-0x0000000000400000-0x0000000000400000-memory.dmp
memory/536-50-0x0000000074970000-0x0000000075120000-memory.dmp
memory/2848-51-0x0000000074970000-0x0000000075120000-memory.dmp
memory/2848-52-0x00000000057D0000-0x0000000005836000-memory.dmp
memory/1524-53-0x0000000002370000-0x00000000023A6000-memory.dmp
memory/1524-54-0x0000000074970000-0x0000000075120000-memory.dmp
memory/2848-55-0x0000000005750000-0x0000000005760000-memory.dmp
memory/1524-56-0x0000000004840000-0x0000000004850000-memory.dmp
memory/1524-57-0x0000000004840000-0x0000000004850000-memory.dmp
memory/1524-58-0x0000000004E80000-0x00000000054A8000-memory.dmp
memory/1524-59-0x0000000004BD0000-0x0000000004BF2000-memory.dmp
memory/1524-60-0x0000000004D70000-0x0000000004DD6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xnmwa5qp.xyd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1524-68-0x00000000056D0000-0x0000000005A24000-memory.dmp
memory/1524-71-0x0000000005C90000-0x0000000005CAE000-memory.dmp
memory/1524-72-0x0000000005CE0000-0x0000000005D2C000-memory.dmp
memory/5088-76-0x0000000074970000-0x0000000075120000-memory.dmp
memory/1524-77-0x0000000004840000-0x0000000004850000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp978D.tmp.cmd
| MD5 | e023cd0658a8fe4ba1fb59175e657c7e |
| SHA1 | 4121e2e20ae66f30aec7689f9a9e3a13666e1104 |
| SHA256 | 921ebe2283508288db9ee774dec91a4f42f8022f0b974f2f389a8275ce831249 |
| SHA512 | 5f99c9df63fb374dedadf5699e791b6bbffd95ee4c4fc34fff084c426ef17f3bbae72e9d1eccfb5f455c7f5975801b60d40858c0af5de8146192150e3d06d003 |
memory/1524-79-0x000000007FB80000-0x000000007FB90000-memory.dmp
memory/1524-80-0x0000000006280000-0x00000000062B2000-memory.dmp
memory/1524-81-0x00000000700A0000-0x00000000700EC000-memory.dmp
memory/1524-91-0x0000000006240000-0x000000000625E000-memory.dmp
memory/1524-92-0x0000000006E80000-0x0000000006F23000-memory.dmp
memory/1524-93-0x00000000075F0000-0x0000000007C6A000-memory.dmp
memory/1524-94-0x0000000006FB0000-0x0000000006FCA000-memory.dmp
memory/1524-95-0x0000000007020000-0x000000000702A000-memory.dmp
memory/2848-96-0x0000000006160000-0x00000000061F2000-memory.dmp
memory/1524-97-0x0000000007230000-0x00000000072C6000-memory.dmp
memory/1524-98-0x00000000071B0000-0x00000000071C1000-memory.dmp
C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\Browsers\Firefox\Bookmarks.txt
| MD5 | 2e9d094dda5cdc3ce6519f75943a4ff4 |
| SHA1 | 5d989b4ac8b699781681fe75ed9ef98191a5096c |
| SHA256 | c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142 |
| SHA512 | d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7 |
memory/1524-156-0x0000000007200000-0x000000000720E000-memory.dmp
memory/1524-158-0x0000000007210000-0x0000000007224000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0.EXE
| MD5 | 416eb366bde2537ebf88aaa8fcbb868c |
| SHA1 | 6fcd8c1cce7acf7ace95dad8664e4acb934358b1 |
| SHA256 | 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890 |
| SHA512 | e81bd2e313789d2f5fc36626a6574a52253c20c83dd66b9e9a52f93a9fb09d1af96e4b46166d044a76263c075e81be6844de248ed511434df4521dea23760b67 |
memory/2848-162-0x0000000074970000-0x0000000075120000-memory.dmp
memory/2460-163-0x0000000000FA0000-0x0000000000FB4000-memory.dmp
memory/1524-164-0x0000000007300000-0x000000000731A000-memory.dmp
memory/2460-165-0x00007FFA748C0000-0x00007FFA75381000-memory.dmp
memory/1524-166-0x00000000072F0000-0x00000000072F8000-memory.dmp
memory/2848-168-0x0000000005750000-0x0000000005760000-memory.dmp
memory/1524-169-0x0000000004840000-0x0000000004850000-memory.dmp
memory/1524-167-0x0000000074970000-0x0000000075120000-memory.dmp
memory/1524-172-0x0000000007330000-0x0000000007352000-memory.dmp
memory/1524-180-0x0000000074970000-0x0000000075120000-memory.dmp
memory/2460-239-0x00007FFA748C0000-0x00007FFA75381000-memory.dmp
C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\Admin@MDUTPCWA_en-US\System\Process.txt
| MD5 | ee3099e060ec4f48e4db7e10b12b94d5 |
| SHA1 | 2409ea5ccda90c2016c343c90a656df3952f7168 |
| SHA256 | 324cfe61145f19bf0f94e006e7888e9159cf04eb1f35de9c3994491cb2b4b5d1 |
| SHA512 | 3837c1a417309e11dc29e263a8e8d5de13ca5a8960606fa6dd10424985ac45cdf29a2a528f1d5225f3a19f60147ab6afa85502982c5804b6862ded36dd919596 |
memory/2848-268-0x0000000005750000-0x0000000005760000-memory.dmp
memory/2848-273-0x00000000071E0000-0x00000000071EA000-memory.dmp
C:\vcredist2010_x86.log.html
| MD5 | f62dd9a238ee562649873859e3cc2095 |
| SHA1 | 41eb2f0cce39f993664c7d6053f3cfec3e8c5718 |
| SHA256 | 1ad4e97201e1a68b62c2b6ef5aba014ac7bfc161d26de283fba1b5be01e2bae5 |
| SHA512 | 34bb60728979bd2bad14713243c94febf386363ae8c1ad666ddfa3da2918a30a9838f725084b0a698867fbd63eeebd6445cd4e68ec5b430322f17ee365a50359 |
C:\Program Files (x86)\README_3892809.txt
| MD5 | 74c79ad5dafd710a0dc97f5d18534935 |
| SHA1 | e6b3e7b5681ac71593bdd67f10995326eacc61a8 |
| SHA256 | c6d76063e8087cbea77aa0617ae3699329c517a1417d454cc456d5fd94b7e99e |
| SHA512 | 1a86a0ff098d73d83d1b95f8684149659bfd87cc4c0d11c78b048ab84a290a35756ca1ded49a3f2f4057cd4010c9e4e013bb20bffad91335072a4d6db355a5d2 |
C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
memory/2848-633-0x0000000005750000-0x0000000005760000-memory.dmp
memory/2848-661-0x0000000007A60000-0x0000000007A6A000-memory.dmp
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi
| MD5 | 9944d7c7b9dedc3ceaf314171fb367a0 |
| SHA1 | 0869182b1ff410cbb73527cece95e36ccca2cbae |
| SHA256 | 9fd59bf7cd805ca003efa084bc5497915153876a70cf4ba861ab3b105f406054 |
| SHA512 | 911d954062f418c3144ff5d5b1800353161ad438702611eea672676f68c390434f5ca26738ff9e7031ed1bb5a9d3a0ba45ca4f2b44af1f7ff9f6de1cf1d8d67b |
memory/2460-1019-0x00007FFA748C0000-0x00007FFA75381000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\update.bat
| MD5 | 006c4a11f8f7da454e4c20b8bad85526 |
| SHA1 | 7b8c5ac8182a520117e6a1a321b5b9a93e3192a6 |
| SHA256 | 278b5121b5c5b09aaafcaa97e228ccbc198cf369787f74dc13790cc821f9665d |
| SHA512 | b4a3258dc6c26695e60013cf33221a72ea9b62f5559f5e18ef579f06aef935d1b299b7c390d62d6e7f74b2e333800b4e3502afc7cd61dc0ec8187b098cb053d1 |
C:\Users\Admin\AppData\Roaming\delback.bat
| MD5 | 2450c91afcc2d4cc3dea374820bed314 |
| SHA1 | dd1b61d0aa6d1769018c1d3144de9bb960a64d3c |
| SHA256 | 4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df |
| SHA512 | b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91 |
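The file records above identify each dropped artifact only by its digests. For one of them that is already enough to recover the content: msgid.dat, in the same AppData\Local directory that the injected RegAsm.exe fills with Browsers, Grabber and System output, is so small that a handful of candidate contents can be hashed and compared. The Python below is an added example, not part of the report; it parses a constructed subset of the records in the report's own layout, collapses repeated records for the same SHA256 (a file is listed once per write), and checks a few tiny candidates against all three digests. The candidate list is this example's assumption.

```python
import hashlib
from typing import Dict, List

# Constructed sample: a subset of the records in the Files section above,
# in the report's layout (a path line followed by "| ALGO | hex |" rows;
# memory-dump lines carry no hashes).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe
| MD5 | 4afe3dac15e0b93b5bd0b746b16866ed |
| SHA1 | 42029929f6907201204876c858b0e40b901ef908 |
| SHA256 | 53f0c62c97546c1a8e2bf493fa8bd6247a5651f010b66d91caf9b1a8e7cc76cc |
C:\Users\Admin\AppData\Local\Temp\sosis_protected.exe
| MD5 | 4afe3dac15e0b93b5bd0b746b16866ed |
| SHA1 | 42029929f6907201204876c858b0e40b901ef908 |
| SHA256 | 53f0c62c97546c1a8e2bf493fa8bd6247a5651f010b66d91caf9b1a8e7cc76cc |
memory/2848-273-0x00000000071E0000-0x00000000071EA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0.EXE
| MD5 | 416eb366bde2537ebf88aaa8fcbb868c |
| SHA1 | 6fcd8c1cce7acf7ace95dad8664e4acb934358b1 |
| SHA256 | 83d47e22c111e450eded98abc855449cf42ec1916c9b92b47d18bd951b74b890 |
C:\Users\Admin\AppData\Local\be3ced97a182cf3ef6423d93afc00fdb\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
memory/2848-633-0x0000000005750000-0x0000000005760000-memory.dmp
"""

# Tiny contents worth trying against a sub-kilobyte file (this example's list).
CANDIDATE_CONTENTS = [b"", b"0", b"1", b"0\n", b"0\r\n", b"true", b"false"]


def parse_file_records(text: str) -> List[Dict[str, str]]:
    """Turn path lines followed by '| ALGO | hex |' rows into dicts."""
    records, current = [], None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) == 2 and current is not None:
                current[cells[0].lower()] = cells[1].lower()
        elif line.startswith("memory/"):
            current = None              # not a file record; stop attaching rows
        else:
            current = {"path": line}
            records.append(current)
    return records


def unique_by_sha256(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep the first record per content hash; later writes of the same
    bytes add nothing to an indicator list."""
    seen: Dict[str, Dict[str, str]] = {}
    for r in records:
        if "sha256" in r:
            seen.setdefault(r["sha256"], r)
    return list(seen.values())


def recover_tiny_contents(records: List[Dict[str, str]], candidates=CANDIDATE_CONTENTS) -> Dict[str, bytes]:
    """Map path -> content for every record whose MD5, SHA1 and SHA256 all
    match one of the candidate byte strings."""
    by_sha256 = {hashlib.sha256(c).hexdigest(): c for c in candidates}
    found = {}
    for r in records:
        c = by_sha256.get(r.get("sha256", ""))
        if c is None:
            continue
        if hashlib.md5(c).hexdigest() == r.get("md5") and hashlib.sha1(c).hexdigest() == r.get("sha1"):
            found[r["path"]] = c
    return found


if __name__ == "__main__":
    unique = unique_by_sha256(parse_file_records(SAMPLE_FILES))
    print(f"{len(unique)} distinct files")
    for path, content in recover_tiny_contents(unique).items():
        print(f"{path}: {content!r}")
```

Run on the sample this reports three distinct files and resolves msgid.dat to the single byte "0"; the two executables match none of the candidates, as expected.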