Malware Analysis Report

2025-03-15 05:12

Sample ID 231211-d8zjlscaen
Target 0x000700000001626b-116.dat
SHA256 c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3
Tags
redline smokeloader @oleh_ps livetraffic up3 backdoor infostealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c45b7fe3ddcf8c055c2a9ef8e5d7dabd81e73df49efb9b3a471ec4a969fbfcc3

Threat Level: Known bad

The file 0x000700000001626b-116.dat was found to be: Known bad.

Malicious Activity Summary

redline smokeloader @oleh_ps livetraffic up3 backdoor infostealer trojan

Smokeloader family

RedLine payload

SmokeLoader

RedLine

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 03:41

Signatures

Smokeloader family

smokeloader

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 03:41

Reported

2023-12-11 03:44

Platform

win7-20231023-en

Max time kernel

47s

Max time network

49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe"

Signatures

RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9492.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C3.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1268 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\9492.exe
PID 1268 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\9492.exe
PID 1268 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\9492.exe
PID 1268 wrote to memory of 2904 N/A N/A C:\Users\Admin\AppData\Local\Temp\9492.exe
PID 1268 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C3.exe
PID 1268 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C3.exe
PID 1268 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C3.exe
PID 1268 wrote to memory of 2504 N/A N/A C:\Users\Admin\AppData\Local\Temp\D8C3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe

"C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe"

C:\Users\Admin\AppData\Local\Temp\9492.exe

C:\Users\Admin\AppData\Local\Temp\9492.exe

C:\Users\Admin\AppData\Local\Temp\D8C3.exe

C:\Users\Admin\AppData\Local\Temp\D8C3.exe

C:\Users\Admin\AppData\Local\Temp\DAE6.exe

C:\Users\Admin\AppData\Local\Temp\DAE6.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\E9E5.exe

C:\Users\Admin\AppData\Local\Temp\E9E5.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:6731 tcp
MD 176.123.7.190:32927 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 03:41

Reported

2023-12-11 03:44

Platform

win10v2004-20231127-en

Max time kernel

76s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe"

Signatures

RedLine

infostealer redline

RedLine payload


SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F558.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5720.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5CBE.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\F558.exe
PID 3332 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\F558.exe
PID 3332 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\F558.exe
PID 3332 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\Temp\5720.exe
PID 3332 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\Temp\5720.exe
PID 3332 wrote to memory of 4228 N/A N/A C:\Users\Admin\AppData\Local\Temp\5720.exe
PID 3332 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CBE.exe
PID 3332 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CBE.exe
PID 3332 wrote to memory of 844 N/A N/A C:\Users\Admin\AppData\Local\Temp\5CBE.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe

"C:\Users\Admin\AppData\Local\Temp\0x000700000001626b-116.exe"

C:\Users\Admin\AppData\Local\Temp\F558.exe

C:\Users\Admin\AppData\Local\Temp\F558.exe

C:\Users\Admin\AppData\Local\Temp\5720.exe

C:\Users\Admin\AppData\Local\Temp\5720.exe

C:\Users\Admin\AppData\Local\Temp\5CBE.exe

C:\Users\Admin\AppData\Local\Temp\5CBE.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\7B05.exe

C:\Users\Admin\AppData\Local\Temp\7B05.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\is-DROPB.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DROPB.tmp\tuc3.tmp" /SL5="$E0090,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

Network


Files
