Analysis Overview
SHA256
698b3e0cd4741444da9a14e8b43e3a2c9b166b036f5a9bafd5625cd93ab829c9
Threat Level: Known bad
The file 0ae6bdb537d4e23dfc6e6e06be4b4166.bin was found to be: Known bad.
Malicious Activity Summary
ZGRat
RedLine
RedLine payload
SmokeLoader
Detect ZGRat V1
Smokeloader family
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-12 01:08
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-12 01:08
Reported
2023-12-12 01:11
Platform
win7-20231025-en
Max time kernel
45s
Max time network
72s
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E7A.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1200 wrote to memory of 2780 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E7A.exe |
| PID 1200 wrote to memory of 2780 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E7A.exe |
| PID 1200 wrote to memory of 2780 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E7A.exe |
| PID 1200 wrote to memory of 2780 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E7A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe
"C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe"
C:\Users\Admin\AppData\Local\Temp\8E7A.exe
C:\Users\Admin\AppData\Local\Temp\8E7A.exe
C:\Users\Admin\AppData\Local\Temp\D3B4.exe
C:\Users\Admin\AppData\Local\Temp\D3B4.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\DD47.exe
C:\Users\Admin\AppData\Local\Temp\DD47.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\is-D3ERJ.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D3ERJ.tmp\tuc3.tmp" /SL5="$8001A,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\E978.exe
C:\Users\Admin\AppData\Local\Temp\E978.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
| MD | 176.123.7.190:32927 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-12 01:08
Reported
2023-12-12 01:11
Platform
win10v2004-20231127-en
Max time kernel
37s
Max time network
77s
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CA84.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB87.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3264 wrote to memory of 1372 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CA84.exe |
| PID 3264 wrote to memory of 1372 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CA84.exe |
| PID 3264 wrote to memory of 1372 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CA84.exe |
| PID 3264 wrote to memory of 1940 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB87.exe |
| PID 3264 wrote to memory of 1940 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB87.exe |
| PID 3264 wrote to memory of 1940 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FB87.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe
"C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe"
C:\Users\Admin\AppData\Local\Temp\CA84.exe
C:\Users\Admin\AppData\Local\Temp\CA84.exe
C:\Users\Admin\AppData\Local\Temp\FB87.exe
C:\Users\Admin\AppData\Local\Temp\FB87.exe
C:\Users\Admin\AppData\Local\Temp\1F1.exe
C:\Users\Admin\AppData\Local\Temp\1F1.exe
C:\Users\Admin\AppData\Local\Temp\463.exe
C:\Users\Admin\AppData\Local\Temp\463.exe
C:\Users\Admin\AppData\Local\Temp\5FA.exe
C:\Users\Admin\AppData\Local\Temp\5FA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| FR | 185.221.198.96:80 | 185.221.198.96 | tcp |
Files