Analysis Overview
SHA256: e2d38fff6489893582da7827bf3f5179f7ced39a1391f736ea55d86b695b8e82
Threat Level: Known bad
The file 51c9d8f09a73802a05455e7aa8fd9953 was found to be: Known bad.
Malicious Activity Summary
CryptBot
CryptBot payload
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Runs ping.exe
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-01-10 22:30
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-10 22:30
Reported: 2024-01-10 22:32
Platform: win7-20231129-en
Max time kernel: 28s
Max time network: 147s
Command Line
Signatures
CryptBot
CryptBot payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe
"C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe"
C:\Windows\SysWOW64\PING.EXE
ping SCFGBRBT -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
Vigilanza.exe.com y
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^MUDMsvnAuDtONRMrwaGsxlhulYeCQOaTIUmgfUabcdKNJUYWSnXNYFQBGvCzzWKskkuSsbOiZpVrAmbdZuJsQEUetXHSaZ$" Abbozzo.dif
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Apparve.dif
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | JMwiYjzhjaAGdrOzQVOqtvboX.JMwiYjzhjaAGdrOzQVOqtvboX | udp |
| US | 8.8.8.8:53 | lyswug41.top | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-10 22:30
Reported: 2024-01-10 22:33
Platform: win10v2004-20231215-en
Max time kernel: 193s
Max time network: 215s
Command Line
Signatures
CryptBot
CryptBot payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe
"C:\Users\Admin\AppData\Local\Temp\51c9d8f09a73802a05455e7aa8fd9953.exe"
C:\Windows\SysWOW64\dllhost.exe
dllhost.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Apparve.dif
C:\Windows\SysWOW64\cmd.exe
cmd
C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^MUDMsvnAuDtONRMrwaGsxlhulYeCQOaTIUmgfUabcdKNJUYWSnXNYFQBGvCzzWKskkuSsbOiZpVrAmbdZuJsQEUetXHSaZ$" Abbozzo.dif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
Vigilanza.exe.com y
C:\Windows\SysWOW64\PING.EXE
ping VFMDDVWB -n 30
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Vigilanza.exe.com y
Network
Files