Malware Analysis Report

2025-03-15 05:04

Sample ID 231212-bhe16sccgn
Target 0ae6bdb537d4e23dfc6e6e06be4b4166.bin
SHA256 698b3e0cd4741444da9a14e8b43e3a2c9b166b036f5a9bafd5625cd93ab829c9
Tags
smokeloader redline zgrat @oleh_ps livetraffic up3 backdoor infostealer rat trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

698b3e0cd4741444da9a14e8b43e3a2c9b166b036f5a9bafd5625cd93ab829c9

Threat Level: Known bad

The file 0ae6bdb537d4e23dfc6e6e06be4b4166.bin was found to be: Known bad.

Malicious Activity Summary

smokeloader redline zgrat @oleh_ps livetraffic up3 backdoor infostealer rat trojan

ZGRat

RedLine

RedLine payload

SmokeLoader

Detect ZGRat V1

Smokeloader family

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Task Scheduler COM API

MITRE ATT&CK

Enterprise Matrix V15 (no technique entries are present in this copy of the report)

Analysis: static1

Detonation Overview

Reported

2023-12-12 01:08

Signatures

Smokeloader family

smokeloader

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-12 01:08

Reported

2023-12-12 01:11

Platform

win7-20231025-en

Max time kernel

45s

Max time network

72s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(4 rows, every field N/A)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8E7A.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
(62 further rows, every field N/A)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E7A.exe
PID 1200 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E7A.exe
PID 1200 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E7A.exe
PID 1200 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\8E7A.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe

"C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe"

C:\Users\Admin\AppData\Local\Temp\8E7A.exe

C:\Users\Admin\AppData\Local\Temp\8E7A.exe

C:\Users\Admin\AppData\Local\Temp\D3B4.exe

C:\Users\Admin\AppData\Local\Temp\D3B4.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\DD47.exe

C:\Users\Admin\AppData\Local\Temp\DD47.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\is-D3ERJ.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D3ERJ.tmp\tuc3.tmp" /SL5="$8001A,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\E978.exe

C:\Users\Admin\AppData\Local\Temp\E978.exe

Network

Country Destination Domain Proto
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp

Files

memory/2428-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/2428-2-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1200-1-0x00000000029B0000-0x00000000029C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8E7A.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

memory/2780-12-0x0000000000120000-0x000000000015C000-memory.dmp

memory/2780-17-0x0000000074940000-0x000000007502E000-memory.dmp

memory/2780-18-0x0000000007400000-0x0000000007440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D3B4.exe

MD5 b5b1a2a7198b9317ba9d9752ebc6244b
SHA1 e7cbde1f692645948114418e6b35e9c8ed2ca456
SHA256 839a4e27c750c86d1ddd3df05272f42ad78bea19db6df9749ba4d6689cef5259
SHA512 4c2dab541917aab77dd85c8a5588cc353d9061e6936208b5cbfa5eacaf206510360499345de2a0a960408e9f16ee186306cd799e3ef6a29798a536db64819aa5

C:\Users\Admin\AppData\Local\Temp\D3B4.exe

MD5 bb8c0b655c3940bac71ab49b4c03d70d
SHA1 f53f8c93adcd33acde37cd0dc40eb715adcca3ee
SHA256 2da3b415a0e89ca502778feccae24dd1fa6c2d6af0ebc1f24b6f0ab9ac9acce6
SHA512 b524f785d1e15bf0c1280c563b6da8cd84595cfbdf173afbcdd0b313c3e0e04eccb8bc808b9aeb810728ab02c4f2cf9432b3f210e90c9eefb765e0ab333f03a7

memory/2628-26-0x0000000074940000-0x000000007502E000-memory.dmp

memory/2628-27-0x0000000000210000-0x00000000016C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 b85715009d99b78cc660b2414908f541
SHA1 8c3361ab7536adb3695710a35d775b29b2f9313b
SHA256 d0acaeee2330fe62a45faa18f51d43dbc90ae59720171e00cd3d23efed88e0dc
SHA512 62aa7639b93c385ab196f8ef0ef4e3279aef8e4f07513f1c060cdfad870a5b849c201670884289719ea89cf303581391e0b0d347621e4cc02cf235769ec77f61

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 b279e33b651b00da2d55eed762283bd7
SHA1 d50ba7a8de3b5a21a2e9d7d3e6679526c00d92cc
SHA256 05078ebe372536e402cdfacb28a3c154f332944a470cc32cd06c0dc710903f63
SHA512 fe666d4d833cacbca1c5cda484b3397093b53e930030715b064fe99ac810974fe42d35688928672029c49bae553f0080672ce87218c621f98df5f2f8cae2decc

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 8a0fb7753c6bd31bff90ebd089e2de57
SHA1 8646689183a3a2496b09cb3741567dd32acde0ff
SHA256 08419bdaca6913073d04eba08de665628ce7ab432b6ab9ea1b77316f8c67260f
SHA512 4eceaaa476aab072048f286d9d43891fd3020ddfd273f7b624d6fae3ffe517955f97eb8a0ac5b575c7b36d804c91724b4b0e40046f0afaebd931b6dc5c28e95b

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3cbbfb3e7305fadaa35fad31a0476467
SHA1 15914071c3a5b9f86a137bbebb6b1e2caeaba7b0
SHA256 a98264b298f7500f5c2a783e2936d1e8029ad5ea45411814485e63f3b894387c
SHA512 2054b2e94abcc946051a3033f36bb7fad770f7d9cbe647891eef009b8c94f860a7217e63ba5447d4386a25ffa2875890b84e57d04c1ea1871c702feb463dde06

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 57e217153d5dd3f068286b31c38063af
SHA1 79240bae06348b3a482446a5da0c557559d1c041
SHA256 e314cb44e0a8b398d0dbc879c6416a574c6db429a8e1538c99d3c37f8ddaac89
SHA512 788312b1a017b464d3fa54d4f42cbb797f7000e85be2a9fb6d25d641a0a5da980b84d35f6e97a378a8b9c8e38f251cbff92050abec9b1b41eff4b37aa62d0604

memory/1236-66-0x0000000000A30000-0x0000000000F24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 28a86a35ec08fe26585ead1ee350bc29
SHA1 c302e0bff9803f249fed20c1be8f800085dc920c
SHA256 151ac17da0896098a07ffcab009ee968c39bc64b486a3f1a8a2725d104c3d8d5
SHA512 cebfd37a52b3b7f3e59ca47eb059825aba9e1b851711e25b13286e4219cfa430af7a5dcff02c6ce29ef34bba718dc156d58400ba3642abb70a5174373a6c8da7

memory/1236-67-0x0000000074940000-0x000000007502E000-memory.dmp

memory/1800-71-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1800-65-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 83fba62e5d3298f16e8b4637b17ff671
SHA1 ef3579418ce4cfebbd28a1f3459ce554626210a5
SHA256 d210396b132186429bfb5dd07b05824b73b854a1d5239e775a7cb08a490bc232
SHA512 c278d80cd111ca5352accec45544bb24c1b2ecb0777bb607001c139d2de1947c62db6f3958ab268950d96766332608594f8e4001d043e638e6160ebbb56dc447

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 2fcf22f4290694a3e3b30446ce33f6a8
SHA1 cb7e3fa8352bdff414e2aeb07bb955f9e21a4164
SHA256 c4af1997b04e5d8109edb5be86630e84a00a39dc94d10910220b0c53386eb935
SHA512 2e27da11e81d18c2f58f849ed9bb5283b9fc8a47c9140a29aa5d14e2619bc1829a5de26f274384016970dd7ff96097350c7550c25dff7b1b0056e4a007cee8a6

memory/1236-79-0x0000000005040000-0x0000000005080000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

MD5 b411ddf30c1b3e7a90da8a2e85eee1ee
SHA1 3a63f33e6d3b269c907a5b36d57e2445fa316592
SHA256 61cf793f08d6d77d8dcf35832a061b6e8d7869658612d0722c556149866d46bc
SHA512 cb8f566d31af5204e5dea5acbbc782755eca6bb3b9fa62256fcd4e1d664451c4b0a485b08161c684223cfd13ee17a57a50bd1e452506df50fa3ee7f0d013929b

memory/2848-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-AN539.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-AN539.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/1028-112-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2848-111-0x0000000000400000-0x0000000000409000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-AN539.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2912-126-0x0000000002580000-0x0000000002978000-memory.dmp

memory/2780-133-0x0000000074940000-0x000000007502E000-memory.dmp

memory/2984-132-0x0000000000990000-0x00000000009CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E978.exe

MD5 6bf5cd98261f9cd8a4250c13732db723
SHA1 d31c54eece8439fc0fa3e74c6240802dfd80d4b0
SHA256 caccf2eca246b700d76af03b2a03f67c25325001e0b6d2c38332d82e2ac32703
SHA512 0e2de482a843eae633a42097df1eda8b359584764915755132da0763ac88ac9e1d264a59aa441583f5a84eed4ae82e2e7e1369d86815f3fd2a812aac07cee72e

memory/2984-134-0x0000000074940000-0x000000007502E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E978.exe

MD5 b679b0d8ac64e517fd8e5216b0b694e7
SHA1 54320da731048423f187b7d6142bf0a849ae58b6
SHA256 8cb8201c78e1352b3c3910cfa455a09a01335cbc7d0558670ca88b1b42b046d0
SHA512 32192d59f6ff2d453666c59de634fbc69c8496ea6a114a72ef66324b3d677d041e5f5591f1c8d81b79e414d568801ebf0a301b330a9af67cfbd5e6a67b885faa

\??\c:\users\admin\appdata\local\temp\is-d3erj.tmp\tuc3.tmp

MD5 5525670a9e72d77b368a9aa4b8c814c1
SHA1 3fdad952ea00175f3a6e549b5dca4f568e394612
SHA256 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978
SHA512 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a

memory/2516-95-0x0000000000220000-0x0000000000229000-memory.dmp

memory/2984-136-0x0000000007100000-0x0000000007140000-memory.dmp

memory/2780-135-0x0000000007400000-0x0000000007440000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-12 01:08

Reported

2023-12-12 01:11

Platform

win10v2004-20231127-en

Max time kernel

37s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(2 rows, every field N/A)

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CA84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FB87.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
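
In both the Windows 7 and the Windows 10 run the sample opens, enumerates and queries HKLM\SYSTEM\ControlSet001\Enum\SCSI before dropping anything. Windows keeps one subkey under that path per attached SCSI-class device, and the subkey name embeds the vendor and product strings the device reported, so on a virtual machine the key names the hypervisor (VMware, VBOX, QEMU, Msft virtual disk). Reading it is a cheap sandbox check. The block below is an added example, not code from the report or from the malware: it reproduces the check over constructed key names, and on a Windows host can read the real key. The marker list and the sample key names are the author's assumptions.

```python
r"""Reproduce the Enum\SCSI hypervisor check the report flags.

Added example, not part of the sandbox report. HYPERVISOR_MARKERS and the
two sample key lists are assumptions; only the registry path comes from the
report.
"""
import sys

# Substrings that identify common hypervisors in Enum\SCSI subkey names
# (author's list; extend for your own lab).
HYPERVISOR_MARKERS = ("vmware", "vbox", "virtualbox", "qemu", "xen",
                      "virtual_disk", "msft&prod_virtual")

# Constructed subkey names in the form Windows uses: <Class>&Ven_<vendor>&Prod_<product>
VM_HOST_KEYS = [
    "Disk&Ven_VMware&Prod_Virtual_disk",
    "CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00",
]
PHYSICAL_HOST_KEYS = [
    "Disk&Ven_Samsung&Prod_SSD_870_EVO_1TB",
    "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1",
]


def vm_vendor_hits(subkey_names):
    """Return the hypervisor markers found in a list of Enum\\SCSI subkey names."""
    hits = set()
    for name in subkey_names:
        lowered = name.lower()
        for marker in HYPERVISOR_MARKERS:
            if marker in lowered:
                hits.add(marker)
    return sorted(hits)


def read_scsi_enum(control_set="ControlSet001"):
    """Enumerate the real key on a Windows host; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module, imported lazily
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        rf"SYSTEM\{control_set}\Enum\SCSI") as key:
        index = 0
        while True:
            try:
                names.append(winreg.EnumKey(key, index))
            except OSError:  # raised once there are no more subkeys
                break
            index += 1
    return names


if __name__ == "__main__":
    live = read_scsi_enum()
    print("this host:", vm_vendor_hits(live) if live else "(not on Windows)")
    print("constructed VM keys:", vm_vendor_hits(VM_HOST_KEYS))
    print("constructed physical keys:", vm_vendor_hits(PHYSICAL_HOST_KEYS))
```

Whatever the check returned here, execution did not stop: both runs go on to drop and launch payloads, so either the sandbox presents disk identifiers without hypervisor strings or this loader only uses the result to alter, not abort, its behaviour. Running `read_scsi_enum()` on your own analysis VM tells you which case applies to your lab.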

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A
(62 further rows, every field N/A)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3264 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA84.exe
PID 3264 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA84.exe
PID 3264 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\CA84.exe
PID 3264 wrote to memory of 1940 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB87.exe
PID 3264 wrote to memory of 1940 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB87.exe
PID 3264 wrote to memory of 1940 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB87.exe
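
The writer in each run, PID 1200 (Windows 7) and PID 3264 (Windows 10), is not in the Processes list, yet each has a memory dump of a 0x16000-byte region (memory/1200-1, memory/3264-1) while the sample itself ran as PID 2428 and PID 5100 (memory/2428-0, memory/5100-0). That pattern is consistent with the sample injecting into an already running process, which then drops 8E7A.exe / CA84.exe and FB87.exe and writes into them; SmokeLoader's usual host for this stage is explorer.exe, but the report does not record the image of PID 1200 or 3264. The block below is an added example, not code from the report: it turns the "PID X wrote to memory of Y" rows into a detection over Sysmon-style events. The events are constructed from the PIDs and paths in both WriteProcessMemory tables; the timestamps and the assumption that the writer is the parent of the written-to process are the author's, since the report records neither.

```python
"""Classify cross-process memory writes from process-creation context.

Added example, not part of the sandbox report. Event records are modelled
on Sysmon process-create and process-access data and constructed from the
report's PIDs and paths; timestamps and parent PIDs are assumptions.
"""
from collections import defaultdict

# Directories an unprivileged dropper can write to (author's list).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public")

# Constructed: behavioral1. PID 1200's image is not recorded in the report.
BEHAVIORAL1_EVENTS = [
    {"t": 0.0, "type": "process_create", "pid": 2780, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\8E7A.exe"},
] + [{"t": 0.1 + i * 0.01, "type": "remote_write", "src": 1200, "dst": 2780}
     for i in range(4)]

# Constructed: behavioral2. PID 3264's image is likewise not recorded.
BEHAVIORAL2_EVENTS = [
    {"t": 0.0, "type": "process_create", "pid": 1372, "ppid": 3264,
     "image": r"C:\Users\Admin\AppData\Local\Temp\CA84.exe"},
    {"t": 5.0, "type": "process_create", "pid": 1940, "ppid": 3264,
     "image": r"C:\Users\Admin\AppData\Local\Temp\FB87.exe"},
] + [{"t": 0.1 + i * 0.01, "type": "remote_write", "src": 3264, "dst": 1372}
     for i in range(3)] \
  + [{"t": 5.1 + i * 0.01, "type": "remote_write", "src": 3264, "dst": 1940}
     for i in range(3)]


def find_injection(events, spawn_window_s=2.0):
    """Group writes by (writer, target) and say how each pair relates.

    A parent writing into a child it spawned moments earlier is the
    hollowing/inject-at-birth shape seen in this report; a write into any
    other process is classic cross-process injection.
    """
    created = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        if e["type"] == "remote_write" and e["src"] != e["dst"]:
            writes[(e["src"], e["dst"])].append(e["t"])

    findings = []
    for (src, dst), times in writes.items():
        target = created.get(dst)
        if (target and target["ppid"] == src
                and times[0] - target["t"] <= spawn_window_s):
            kind = "write-into-own-child"
        else:
            kind = "write-into-unrelated-process"
        image = target["image"] if target else ""
        findings.append({
            "writer": src, "target": dst, "writes": len(times), "kind": kind,
            "target_image": image,
            "target_in_user_writable_dir":
                any(s in image.lower() for s in USER_WRITABLE),
        })
    return findings


if __name__ == "__main__":
    for run, events in (("behavioral1", BEHAVIORAL1_EVENTS),
                        ("behavioral2", BEHAVIORAL2_EVENTS)):
        for f in find_injection(events):
            print(run, f)
```

On a real host the same logic applies to Sysmon Event ID 1 (process create) joined with Event ID 10 (process access with a write-capable mask); the report's own process list gives only the PIDs on the receiving end, so a hunt should key on the target images under %TEMP% rather than on the writer.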

Uses Task Scheduler COM API

persistence
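
The report records that the Windows 10 run registered persistence through the Task Scheduler COM API but not which task was created or what it runs. Tasks created that way are stored as XML documents under C:\Windows\System32\Tasks, so the hunt is to parse every task and flag actions whose command or arguments point into a user-writable directory. The block below is an added example, not code from the report: the three task documents are constructed in the schema Windows uses, and their command paths are illustrative assumptions rather than values taken from this sample.

```python
r"""Hunt the on-disk task store for actions that run from user-writable paths.

Added example, not part of the sandbox report. The task documents are
constructed; their command paths are assumptions. The namespace URI and
the <Actions><Exec><Command>/<Arguments> layout are the real task schema.
"""
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations an unprivileged process can write to (author's list).
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public",
                 r"\programdata", "%temp%", "%appdata%", "%localappdata%")

# Constructed task documents (the XML declaration that real files carry is omitted here).
DROPPER_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Admin\AppData\Local\Temp\updater.exe</Command></Exec>
  </Actions>
</Task>"""

LOLBIN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\cmd.exe</Command>
      <Arguments>/c start "" "%APPDATA%\svc\host.exe"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\wbem\WmiPrvSE.exe</Command></Exec>
  </Actions>
</Task>"""


def exec_actions(root):
    """(command, arguments) for every <Exec> action in a parsed task document."""
    out = []
    for node in root.iterfind(".//t:Exec", NS):
        cmd = node.findtext("t:Command", default="", namespaces=NS).strip()
        args = node.findtext("t:Arguments", default="", namespaces=NS).strip()
        out.append((cmd, args))
    return out


def is_user_writable(s):
    return any(marker in s.lower() for marker in USER_WRITABLE)


def suspicious_actions(task_xml):
    """Actions whose command or arguments reference a user-writable location."""
    root = ET.fromstring(task_xml.strip())
    return [(c, a) for c, a in exec_actions(root)
            if is_user_writable(c) or is_user_writable(a)]


def scan_task_store(root_dir=r"C:\Windows\System32\Tasks"):
    """Windows only: walk the task store. Files are UTF-16 XML, which ET.parse handles."""
    findings = {}
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = [(c, a) for c, a in exec_actions(ET.parse(path).getroot())
                        if is_user_writable(c) or is_user_writable(a)]
            except (ET.ParseError, OSError):
                continue  # unreadable or non-task file
            if hits:
                findings[path] = hits
    return findings


if __name__ == "__main__":
    for label, doc in (("dropper", DROPPER_TASK), ("lolbin", LOLBIN_TASK),
                       ("benign", BENIGN_TASK)):
        print(label, suspicious_actions(doc))
```

The arguments check matters as much as the command check: a task whose command is cmd.exe or a similar system binary passes a command-only filter, and reading the full task store requires an elevated prompt because per-user task files are not readable by other users.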

Processes

C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe

"C:\Users\Admin\AppData\Local\Temp\0ae6bdb537d4e23dfc6e6e06be4b4166.exe"

C:\Users\Admin\AppData\Local\Temp\CA84.exe

C:\Users\Admin\AppData\Local\Temp\CA84.exe

C:\Users\Admin\AppData\Local\Temp\FB87.exe

C:\Users\Admin\AppData\Local\Temp\FB87.exe

C:\Users\Admin\AppData\Local\Temp\1F1.exe

C:\Users\Admin\AppData\Local\Temp\1F1.exe

C:\Users\Admin\AppData\Local\Temp\463.exe

C:\Users\Admin\AppData\Local\Temp\463.exe

C:\Users\Admin\AppData\Local\Temp\5FA.exe

C:\Users\Admin\AppData\Local\Temp\5FA.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
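
The Windows 10 Network table mixes the sample's own traffic with operating-system background noise: reverse-DNS lookups to the sandbox resolver and the bing.net fetches are what a fresh Windows 10 desktop does on its own, while the endpoints that also appear in the Windows 7 run are the ones worth blocking. The block below is an added example, not code from the report: it parses both tables (rows copied from the report, the Windows 10 set abridged to one row per distinct endpoint) and separates candidate C2 endpoints from that noise. The noise rules are the author's assumptions, as is the treatment of 20.231.121.79:80, which has no domain and no counterpart in the Windows 7 run and should be attributed before it is blocked.

```python
"""Triage the report's Network tables into candidate C2 endpoints.

Added example, not part of the sandbox report. Rows are copied from the
report (behavioral2 abridged); BENIGN_SUFFIXES, RESOLVER and EXPECTED_PORTS
are analyst assumptions about sandbox background traffic.
"""
from collections import defaultdict

BEHAVIORAL1 = """\
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
RU 77.105.132.87:17066 tcp
FR 185.221.198.96:80 185.221.198.96 tcp
MD 176.123.7.190:32927 tcp
"""

BEHAVIORAL2 = """\
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 20.231.121.79:80 tcp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
FR 185.221.198.96:80 185.221.198.96 tcp
"""

# Background traffic of the sandbox OS itself (assumption from the hostnames seen).
BENIGN_SUFFIXES = (".in-addr.arpa", ".bing.net")
RESOLVER = "8.8.8.8:53"
EXPECTED_PORTS = {80, 443}


def parse_network_table(text):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_background_noise(row):
    if f"{row['ip']}:{row['port']}" == RESOLVER:
        return True
    return row["domain"].endswith(BENIGN_SUFFIXES)


def c2_candidates(text):
    """Unique non-noise endpoints, flagging ports outside the usual web ports."""
    seen = {}
    for row in parse_network_table(text):
        if is_background_noise(row):
            continue
        key = f"{row['ip']}:{row['port']}"
        seen.setdefault(key, {"country": row["country"], "proto": row["proto"],
                              "odd_port": row["port"] not in EXPECTED_PORTS})
    return seen


def merge_runs(**runs):
    """Union of candidates across runs, recording which runs saw each endpoint."""
    merged = defaultdict(dict)
    for name, text in runs.items():
        for key, info in c2_candidates(text).items():
            merged[key].update(info)
            merged[key].setdefault("runs", []).append(name)
    return dict(merged)


if __name__ == "__main__":
    merged = merge_runs(behavioral1=BEHAVIORAL1, behavioral2=BEHAVIORAL2)
    for endpoint, info in sorted(merged.items()):
        print(endpoint, info)
```

Endpoints seen in both runs are the strongest indicators; the two high-port destinations (17066, 32927) only appear in the Windows 7 run and are flagged by `odd_port` because plain web ports are what the rest of the traffic uses.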

Files

memory/5100-0-0x0000000000400000-0x000000000040B000-memory.dmp

memory/3264-1-0x0000000002A50000-0x0000000002A66000-memory.dmp

memory/5100-2-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CA84.exe

MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA1 ed932cffcbeb7820e541f3751c4e835b3d72695d
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
SHA512 7e91bf1a941ecc76878ec48cfd33e82b0179cdf83af23c35751c20a7d681cbbe8460f71bc544813abeea1f7b3a6a453541b119870002dcbaf8ef7073961321c9

C:\Users\Admin\AppData\Local\Temp\FB87.exe

MD5 9d4a0b464b90b7f96805f178b41d4aa9
SHA1 75a35c7339aff85e7f69f32a615ba7a1a3e344b2
SHA256 3daa8e79e464a99dfed28606a361e307bef6c4e7505fd6b5fc59552de3d8a80d
SHA512 1d793c73096253e6ec3db3099ca5778911725ba5c01961138b770c07044b29a4bf8fab5034ffaf033d6eca25ac491339577a7b7dbc8fd65891d03b7342360ccd

C:\Users\Admin\AppData\Local\Temp\FB87.exe

MD5 8da6fe11901870fc725d473f083c19da
SHA1 4d666be4a0966526187dd3b5ced15b0729a8bba3
SHA256 ed22a75aaccae17f5f13a2010a582e2956e391ad4d982b147384df44eec4e249
SHA512 e2a4972ed7470b636761ee81001943ae1bfe58b03d44bb2205274e03bf9beb729cc16d41c05fd60d1c0680bc98cc23c4bd0b49f15e8473ad8a336f1d3ab3aab6

memory/1940-16-0x0000000075150000-0x0000000075900000-memory.dmp

memory/1940-17-0x0000000000270000-0x0000000001726000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1F1.exe

MD5 dcd0ce0b9ab4370542d961e595a9130b
SHA1 174c2117647c13afc2196e3a94f570965b1c896d
SHA256 a60eb2bb280ed65b33b0aef6f557e12f1fa59f6155c4be68516ba9e023f16d9d
SHA512 97f4a4f34dd2109cf59367cd20c45048ec1c76c87f7d43ad474ea6343c2bcf3506602e7ff8ca1d41f85a8d995789b16083a40d4c42b9f1493a938c050128233d

C:\Users\Admin\AppData\Local\Temp\1F1.exe

MD5 c608c2fde6108cc381aa15c9f0e7660f
SHA1 91c4f7b689efc5eeb37094e7e53afa4f2194a04b
SHA256 9ab7581a26e1294fdeb9bb0e245a27446ca1db24a2ab44055763c70bfae87030
SHA512 bd026f6d4c3652d506e1cbe5a3952b1370896fcbd4f8acc303b77df7ca66901ab0a1ab8d2c4d0e4bbf90964df2275bba50d81b1727bce65785d7e632cf853d1f

memory/644-23-0x0000000075150000-0x0000000075900000-memory.dmp

memory/644-24-0x0000000000A60000-0x0000000000F54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\463.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/2408-29-0x00000000003C0000-0x00000000003FC000-memory.dmp
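
Two things in the Files sections are easy to miss when reading hash by hash. First, several paths are listed twice with different hashes (D3B4.exe, InstallSetup9.exe, tuc3.exe, Broom.exe, E978.exe in the Windows 7 run; FB87.exe and 1F1.exe in the Windows 10 run): the sandbox captured the file at two points, and the reading that the later entry is the completed file is an assumption about how the tool records files, not something the report states, so both hashes belong in an indicator list. Second, the same SHA256 appears under different names across runs, which shows that the first-stage payload is identical on both platforms. The is-*.tmp directories, the /SL5= switch on tuc3.tmp and the _isetup\_iscrypt.dll, _isdecmp.dll and _shfoldr.dll helpers are Inno Setup installer components, so the tuc3 chain is a packaged installer rather than a bare payload. The block below is an added example, not code from the report: it parses Files excerpts copied from both runs (abridged to the entries it uses) and reports both facts.

```python
r"""Correlate dropped-file hashes within and across the two detonations.

Added example, not part of the sandbox report. The Files excerpts are
copied from the report's behavioral1 and behavioral2 sections, abridged
to the entries used here.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")

BEHAVIORAL1_FILES = r"""
memory/2428-0-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8E7A.exe
MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
C:\Users\Admin\AppData\Local\Temp\D3B4.exe
SHA256 839a4e27c750c86d1ddd3df05272f42ad78bea19db6df9749ba4d6689cef5259
C:\Users\Admin\AppData\Local\Temp\D3B4.exe
SHA256 2da3b415a0e89ca502778feccae24dd1fa6c2d6af0ebc1f24b6f0ab9ac9acce6
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
"""

BEHAVIORAL2_FILES = r"""
memory/5100-0-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CA84.exe
MD5 9f1265c20060a18b398fa1cc9eecd74f
SHA256 84cb5b6c51eb19008e1dae4bf5c6824def9cf1d981d71ece3bfd658f2766070e
C:\Users\Admin\AppData\Local\Temp\FB87.exe
SHA256 3daa8e79e464a99dfed28606a361e307bef6c4e7505fd6b5fc59552de3d8a80d
C:\Users\Admin\AppData\Local\Temp\FB87.exe
SHA256 ed22a75aaccae17f5f13a2010a582e2956e391ad4d982b147384df44eec4e249
C:\Users\Admin\AppData\Local\Temp\1F1.exe
SHA256 a60eb2bb280ed65b33b0aef6f557e12f1fa59f6155c4be68516ba9e023f16d9d
C:\Users\Admin\AppData\Local\Temp\1F1.exe
SHA256 9ab7581a26e1294fdeb9bb0e245a27446ca1db24a2ab44055763c70bfae87030
"""


def parse_files_section(text):
    """Turn 'path / ALGO hex ...' runs into entries; memory dump lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        match = HASH_LINE.match(line)
        if match and entries:
            entries[-1]["hashes"][match.group(1)] = match.group(2)
        elif not match:
            entries.append({"path": line, "hashes": {}})
    return entries


def by_sha256(runs):
    """sha256 -> sorted (run, path) pairs for every entry that carries a SHA256."""
    index = defaultdict(set)
    for run, text in runs.items():
        for entry in parse_files_section(text):
            sha = entry["hashes"].get("SHA256")
            if sha:
                index[sha].add((run, entry["path"]))
    return {sha: sorted(pairs) for sha, pairs in index.items()}


def shared_across_runs(runs):
    """Hashes that were dropped in more than one run, whatever the file name."""
    return {sha: pairs for sha, pairs in by_sha256(runs).items()
            if len({run for run, _ in pairs}) > 1}


def paths_with_multiple_hashes(text):
    """Paths captured more than once with different content."""
    seen = defaultdict(set)
    for entry in parse_files_section(text):
        sha = entry["hashes"].get("SHA256")
        if sha:
            seen[entry["path"]].add(sha)
    return {path: sorted(shas) for path, shas in seen.items() if len(shas) > 1}


if __name__ == "__main__":
    runs = {"behavioral1": BEHAVIORAL1_FILES, "behavioral2": BEHAVIORAL2_FILES}
    print("shared across runs:", shared_across_runs(runs))
    for name, text in runs.items():
        print(name, "multi-hash paths:", paths_with_multiple_hashes(text))
```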