Malware Analysis Report

2024-10-23 17:14

Sample ID 240111-f5m3hsgbg4
Target 52a88d8066d72a7ec1b37a2ba80e003e
SHA256 9c59a45822d8c627c37d5e39d98685debf5d8d81819968b5d5add076ac2fc572
Tags
cryptbot discovery persistence spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

9c59a45822d8c627c37d5e39d98685debf5d8d81819968b5d5add076ac2fc572

Threat Level: Known bad

The file 52a88d8066d72a7ec1b37a2ba80e003e was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery persistence spyware stealer

CryptBot

CryptBot payload

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Runs ping.exe

Analysis: static1

Detonation Overview

Reported

2024-01-11 05:27

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-11 05:27

Reported

2024-01-11 05:30

Platform

win7-20231215-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3028 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe C:\Windows\SysWOW64\dllhost.exe
PID 3028 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe C:\Windows\SysWOW64\cmd.exe
PID 2404 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2716 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com
PID 2716 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2980 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe

"C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe"

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Deposto.aiff

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^TLMjEDpTLcIIJMGgbxtWhmcEZvxziWQdzsVQqSkGdZcGCwYlYfTIltkxfojipQMOEsgaRQgEobGhrPwYblxRriyfyABRGtbmhHwlMGaowgANnYsmi$" Illusione.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com

Fra.exe.com Z

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com Z

Network

Country Destination Domain Proto
US 8.8.8.8:53 ZuZvNQkRRjP.ZuZvNQkRRjP udp
US 8.8.8.8:53 haiwpj11.top udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deposto.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sabato.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com (multiple versions)

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Z

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riaprirmi.aiff

C:\Users\Admin\AppData\Local\Temp\aUt0hfTuI\_Files\_Information.txt (multiple versions)

C:\Users\Admin\AppData\Local\Temp\aUt0hfTuI\files_\system_info.txt (multiple versions)

C:\Users\Admin\AppData\Local\Temp\aUt0hfTuI\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\aUt0hfTuI\GxqKAwLa4eQXed.zip

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-11 05:27

Reported

2024-01-11 05:30

Platform

win10v2004-20231215-en

Max time kernel

153s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe C:\Windows\SysWOW64\dllhost.exe
PID 2740 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe C:\Windows\SysWOW64\cmd.exe
PID 5016 wrote to memory of 3852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3852 wrote to memory of 1072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3852 wrote to memory of 484 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com
PID 3852 wrote to memory of 4996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 484 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com

Processes

C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe

"C:\Users\Admin\AppData\Local\Temp\52a88d8066d72a7ec1b37a2ba80e003e.exe"

C:\Windows\SysWOW64\dllhost.exe

dllhost.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c cmd < Deposto.aiff

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\SysWOW64\findstr.exe

findstr /V /R "^TLMjEDpTLcIIJMGgbxtWhmcEZvxziWQdzsVQqSkGdZcGCwYlYfTIltkxfojipQMOEsgaRQgEobGhrPwYblxRriyfyABRGtbmhHwlMGaowgANnYsmi$" Illusione.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com

Fra.exe.com Z

C:\Windows\SysWOW64\PING.EXE

ping localhost -n 30

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com Z

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 19.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 ZuZvNQkRRjP.ZuZvNQkRRjP udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 haiwpj11.top udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 9.179.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Deposto.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Illusione.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sabato.aiff

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Fra.exe.com

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riaprirmi.aiff

C:\Users\Admin\AppData\Local\Temp\WkIutAc\_Files\_Information.txt (multiple versions)

C:\Users\Admin\AppData\Local\Temp\WkIutAc\_Files\_Screen_Desktop.jpeg

C:\Users\Admin\AppData\Local\Temp\WkIutAc\files_\system_info.txt

C:\Users\Admin\AppData\Local\Temp\WkIutAc\vfXKQXrnUMNxpV.zip