Analysis Overview
SHA256
03469423c7c63f0144fc8e3135db3efd65f0a15bbc80c374236792f820633310
Threat Level: Known bad
The file 5738d596be68071de7786712b5410024 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-12 18:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-12 18:47
Reported
2024-01-12 18:50
Platform
win7-20231215-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe
"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e file.zip -p___________20689pwd2342pwd16763___________ -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_10.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "janhidf.exe"
C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
"janhidf.exe"
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_4.zip -oextracted
Network
| Country | Destination | Domain | Proto |
| NL | 45.14.12.90:52072 | | tcp |
| NL | 45.14.12.90:52072 | | tcp |
| NL | 45.14.12.90:52072 | | tcp |
| NL | 45.14.12.90:52072 | | tcp |
| NL | 45.14.12.90:52072 | | tcp |
| NL | 45.14.12.90:52072 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ready\main.bat
| MD5 | 3afb4af06ef85bcec37d3493910949b7 |
| SHA1 | 8dece16a9f45866453ee6af0f1cabaaef5b11448 |
| SHA256 | c17d67303f4483cb9a3c3e3f974a26c6c4482f1042aba973cc4a37c686d0803f |
| SHA512 | 832067f4f08e111d22aef14ff0a2d86b9e86ae6ae193cfe33486c30c7cd172aa64d19f0729ced4dd3bb08f28feffd992dec416d1d383fc308ac4640c34dae180 |
C:\Users\Admin\AppData\Local\Temp\ready\file.bin
| MD5 | 80ee31171fbd4fa75c6ef69c74c086a5 |
| SHA1 | 95a88efc5b00b0d0a772a2350543f758a3ada61f |
| SHA256 | 571438548221628d90c3847d21c4bb32172a90aa204bebbfaa08e6e551679675 |
| SHA512 | 5bf5b8bd01a753ff2fb53e249ac9aae53958711f3c0d8abf92d38ca896fa7029a12f41afb6c736c31690db6a007b772aeefeec7554177567b45ec4aa8330af9c |
\Users\Admin\AppData\Local\Temp\ready\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 689c2cc5525bd008b965cd9b901603aa |
| SHA1 | 0e402d9d5a0b7e756add4e69bd65a2bc555e9530 |
| SHA256 | 11e76f3f041f18b96785856c53c2517b7f2a3e07f9106f3ce0d56056493fac3f |
| SHA512 | 4411c1db84d01818fe3fbd22f0e9e41a28896986f443d78dbd574c5a4d4e9b70822a30d6ba79b93f4d7a3c2f8a8c35d15ba02ae4fe699191595d3131a5148412 |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | d70338725e346f223b73e603284677a1 |
| SHA1 | 3f797a357008ec344aeb7db7090a9f9529aae1da |
| SHA256 | 4ea148b631c2401cb7ec9b2e42cbd3d4a77fa018bec19c2b35405bcf6ad298fe |
| SHA512 | b888b10321738bdd97d13c1372ae649c0953f9eca26959e3b7a77c7995ee41b524e05d96de7618d886ba82fd31495e2f911869d91bace3e6c5597548b24ef8eb |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 10d803c03b2ec478a532deb9133f8166 |
| SHA1 | f199af33624481fe84f4924cac8fae2144159af1 |
| SHA256 | 5a22ca08f6b141530f98bf8a9dbb2108e626eee4f82484b1a80513ee954a4f14 |
| SHA512 | 33ce6066b93fadd399b8f83389d1b6edc99053c91d8522185e0768547f7a5622ecc317296d2ec06acb59db17350ccb43d6949eab633da4a92e4c65297313f81b |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_10.zip
| MD5 | 752679ebac1f52b7228a8d3f933e240c |
| SHA1 | 52c04db5184f3be4e207ea7f429aad1b14b27827 |
| SHA256 | 76f2b5cb35b847436d99988b77eef7f1ad3af73bddbc39aba439e1970724a495 |
| SHA512 | 57589053bfa11a90a43ac894881d65b45f8af3fbf870e804ca2fbf96557a16cd9ece0399809888fc000ed2dd431cba87ac6d4da8889fef6930d9086c794d32c8 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_9.zip
| MD5 | 7be328380791baf2e2427349b5ac2b08 |
| SHA1 | 1b10efbfeca8ba85dd4af53b1066ee338bba9120 |
| SHA256 | 14a5a7e340f07b9859bd2694f7aa7f71f2a6f31400afc0d16ce79db740190d95 |
| SHA512 | 1bc4672bc9b6178b5baa1934ce6114c0a0c4d052df45099ac4a946c8ad360f8bf9a1d56e8bccb8847571a333c809698da798f8d0308dfeaf35501dfa1407be4c |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 5f767bd3ffdbef363b72a13006391f50 |
| SHA1 | 19dbdc2a5092f6581a7a531df5717752c736bab2 |
| SHA256 | d4e39627e447016054ae28f93f70ae3734415bea00759d63240432f7f82847b8 |
| SHA512 | 3dfb04b17a7d97aa242629d9b122181f3288d92fe7023a8906d854ee2ab7aab27a8e16a7795c59403ec0a6ecbc9868ca659a246e6f60328825895d1fbc9ce8e5 |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 6291e81da558e318ab93360d360aacf5 |
| SHA1 | 8a94438b78e4403327d19cce4d3549052511c86d |
| SHA256 | 967ea301491c296910c15ad9a256af4243261cc0608fe67bb27039a1140311b3 |
| SHA512 | 3ecc459eeeabd46742929ad25a7d5b9973f02ea70fc47a7cc2926dbf90407bee18bfcb7605394cb1a3e99b7da478d439b42d4177941d02553466c436b5fa9f79 |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 5818fc4dd99c5a4e588d261220db82b7 |
| SHA1 | 0870f5ce420f76ed0e66396d159c6b074e0ea21e |
| SHA256 | 631d4f6bb1d59821d0a8a9e6c7089c1fd46d44ffc0042eebc144668bef86a417 |
| SHA512 | a041d92b77c55e1d0381f8451cb543f1b1f80afcfd14429c2b7b82690b50c63420cdf5567ea8e737507fa42a00ab1f2973d70d7d1469e6bab5b61b3f00dfa3bd |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | d6223015ded76e77040965ed6491a509 |
| SHA1 | fc1cbb649313f6eaa929193deebb40edd8671c63 |
| SHA256 | a17e4430226d6fc1fca49caf4f74adfa3ba54ce6ec88fe8ce27acf2ec9e8915e |
| SHA512 | 17e4341d16accb95bfa565cd342da4b6f311d4152f3afd450e0f2c6065ac2953baa831ab1ecf1944df6e16c2073252b5cb6fd53f2e806390fa53c53d320ae433 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_6.zip
| MD5 | 110d098300a79bf77df3e1f9dc000854 |
| SHA1 | 7fc902980a6ad5c49d2a1592b17aa94d6cd63bc6 |
| SHA256 | 3b5a7ae6a43ca5e3cb3280a6463ed79f7ae688eeae2a81114d24d1bc8f8048c3 |
| SHA512 | 7e4051d93a0f543a686e9b0bb5d705ee542a1658ab60f7e23c517a6221b2f8bc11f2c22442b58a5a9eb602078bc03956908cab6adf0dca501b975d1a6940cedd |
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
| MD5 | 07c85cf88c73ddf572aa9d11afb23d96 |
| SHA1 | e116ac67460c0faea4095016545e9e73f7b45f1a |
| SHA256 | b316e1f050dd514864a3d937aff41c80a2a3c5ab527d692088154186d9ce4edd |
| SHA512 | 58af7369361f2a5dda1c3af6ff53b6e0ead1f7ec7f02b85434ae2637892bf7e1599c36f36d12c821f93491dd42b6ece4c81180919033c3efb146e61a52823237 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_7.zip
| MD5 | d9f067d9b53e9dac1d72d801b5348c12 |
| SHA1 | ccdfdf4205d670f422facdfc772405ae11096000 |
| SHA256 | e00256861aca90c8f701ab67cd4442cee23ace47ebb7fe87d368814701f013ab |
| SHA512 | 950c1b2b805bfa666eafb6acd6ffababc40373110c567e70b15fe54d06a505a26656b94361d09ae00c64929d46726c439b6c041e2200988b6c76c05fbe29b098 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_8.zip
| MD5 | f268400b4f4630f70e6220f9f73ca770 |
| SHA1 | f7c0717bb47ef3d3f075d7fbe62ae9146cccd561 |
| SHA256 | 5216fd47e01f7a9c5dd503f3576c2bb6b54f5bdf51f942c4e0c230eaa5a3a0b4 |
| SHA512 | a7ef869820d1294431c5a351bb423c024af5b07d4adc6abe50074996dfefbb05ddf68451cb060ecc263d85a608195f3206aaf9eaa2c9e7bb8ab573e51deb63e1 |
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
| MD5 | d5a4f7252db87294f50c40648900fa5f |
| SHA1 | 12a5cd05f3a4f0fab6ce4f5a38f495b7e6c6d465 |
| SHA256 | 15b7220662df6f13bdd8dd91b805b7a52da043a797842d57cc700aa5785676ab |
| SHA512 | bca9b2c16544d89df6ac412c2854bf569ae8a088c402065060bd60974ebaafb83c1370855c94354bd4f8c6a176989e48c459bab6edbb5027799f59e1c836b0ab |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 92dff693608c7b6b751950bef63eff73 |
| SHA1 | 988841ec4d99443a4f1bde81b6a0691d87426ae1 |
| SHA256 | d17cfab43ede359fd611854048a77080d9083cd78c27ad5b6883333b7333689e |
| SHA512 | af1408e76b5e2e4d0f38b149155b4338aa73976d46b4455748ac1fd87bff65bb3b81747a454fe2caed9c655692b9203d29374e9742e3c60f9eb43d4cc4df923d |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_3.zip
| MD5 | 50c959de88daba22ae8ce3d253dd13d7 |
| SHA1 | 2499ec1a7a172282c79702a1387aa9b5824cb8df |
| SHA256 | 15d67b78a9641a6d59f77d1a81921fc376ccfe52f60d67dd3e56005b3f621914 |
| SHA512 | 461d3f50bd4885e6d144a2972d012cc33ffae439ce2899a4422c17f601eea49c86cc97927933ef6f50f8329fa5f9b58748ac4e4809167460c9bc03bc5911b6ce |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_2.zip
| MD5 | e5bb59fdbd11b8fef49f264fd5bd3c6e |
| SHA1 | e4beff350bbc47c546a0be7aea44619047487241 |
| SHA256 | 4217b0a7ec80903416e41e0f7bdefbf83c057ebd37578b495021e04b23e96bc3 |
| SHA512 | b549cf1d0ac48233a89abf96513d2ce3556a8cc1c59267b26fd4afb7f51613b3a480a974271dc26cdca8a15920635d3044a7de72839447dc255dedbfbef4561b |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 8f1a39012a7db9ef468084fea1a97a73 |
| SHA1 | 31363a902f18db82f9cb165d6713dd5158acfc77 |
| SHA256 | 4c679901c55b6e674e128c96bca3916e97fb7e7c4c206caedbb8d4d5799bfe95 |
| SHA512 | 4da560710ad4437d1c9285ed096e69ebbc4d0da6a001bfd6aa92ee7333a9b9200bc8c442f1c117e16176b54f3df68b68d7c800d553b55a002640672e84359f03 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\ANTIAV~1.DAT
| MD5 | 0c896387b0765d8ea6528edd6a489c8a |
| SHA1 | e1c42a6c1dd3f367db45d97896e67d79e855e8a1 |
| SHA256 | 16420c770b7bd9bce02a13cdccc675000747e1a850f8e51dcde1c2f62e861e08 |
| SHA512 | d1ef26df7cb94c571d23bbb55e5cd3302cceb46edc1533115a2aa5ed2ae02d6b3bd69fda46ebaccc508d30b35629fce79a3f104bbec713709cf28cb6663a80fc |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\janhidf.exe
| MD5 | a42608e928cfd28602e252d4feb52352 |
| SHA1 | 243d378906e9a4c355c3091ccf2763e0dfdbe33b |
| SHA256 | 10a5bbeeb39216bde492a246b1b003bcb2d7c0895dea287b5f8ad4f3428ef3cc |
| SHA512 | ce6a597bd3caee4f141d12c987b41d4041adee78437a8c1803a84c24968a6f35eb3cd3779270479c836e25f19770981f74bfc3ed7509aee44c7a4ef70e2d667d |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_1.zip
| MD5 | 9f4f7b66d6cd9adbff1492ec77be9126 |
| SHA1 | 13f8d7df286a9c89e42708caf9aaf59c0edbab98 |
| SHA256 | 4ef2a3cbb5bd9b054c59c316bb294cbc3eb53a7996a85bb4b69683c98edbabc2 |
| SHA512 | 0eac85d3976b46ea59ea1d5469d9b35680a3c1cbac0f0e72c245b64db574befd5a045b3506b247ac4eaee634f4466ed33728d781907bd64b2b31b7b68c13c944 |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 6d806f416ddad629f99a51e86179e4ec |
| SHA1 | d3fccd0022d31fb1be48c243a774d577f87469fe |
| SHA256 | 5cf11df592da7f035b4839a56f644eb5c07e2488635208f9333a3d5cec036523 |
| SHA512 | 2ff397098879cabcc462315fa9676e494a24bbc576586e2674ced4ef6592f6340758c6ebc3a5718cd43fce96392eb4ae7074bead8c435d01678f2d166cc067df |
\Users\Admin\AppData\Local\Temp\ready\7z.exe
| MD5 | 4416cb5f95548fb06371ab3df79238fb |
| SHA1 | 796963cae899260aab2b8e6f93f5c2d039dff2cc |
| SHA256 | bfd6d0eee7bc984f20459d538efa183321d790627adcb0ae3fcf3b36283dd172 |
| SHA512 | 524ed177f5ec0388482a485595c2c51f7b8229c1694a1420e6543d3883a3abfc69b4371126f775e0c8b20e08257bdef12aa4d0c4d15e64330673cd8e53d40a5d |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_4.zip
| MD5 | dd12a31f83517dd645ef8974616d2c30 |
| SHA1 | 02126fa349cb10b600e430ad9ad6b75ca365304c |
| SHA256 | fa94fd89a5c7ecceeca8a8c9550acd00ffa11f2d450d4e34de1e09d21c96ab65 |
| SHA512 | fc47aaed6155817171b58a0e4663f3fd338732fb4d5cb3af60b23e196e48444726f3ecd248f0e7015c831b62dfbe6daf9dfa3877561715261b2b3499939b93af |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | c5a7139baa557af5030a20d2664f0bb8 |
| SHA1 | 4e485ba135a06c97b580bd8acbf72510ac5b23d2 |
| SHA256 | 621edef2fcb601b6572bc6f5b6f1c5b660d216c3748ec42d7b43815b2c0445a8 |
| SHA512 | 91af4ebe9f55c4469b8455215a8191e9747ee958417d9b6af033ff10b2a33c43c5a47a406dc2f52edc7000cb8eb733ef9901e2a5869d75f59ed1903c8a2148ee |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_5.zip
| MD5 | 285d432d435cd6fb30a14b26d785ae5c |
| SHA1 | 1bba0e1cd964177543561233df0117f210184610 |
| SHA256 | 82123a06b9ed0f527fed2d987b222befb12023e077bc0187c15ca7389351043f |
| SHA512 | f6c2c6eebd2e1c451f4a4cbb92ee81601a24df97584a6636bf712fe23ba6e2adf2b1c3b1b62de2f28cd0eeb93d07cac12c96548897be42c093c885995c5131a6 |
\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 71c52bef0ff7df8e85832ddef610d016 |
| SHA1 | 03891360975cb14efdedb09882b1ed36e15e07dd |
| SHA256 | d01a0ee5178283d7f18fb4a9e4826e12eda8160b4f6f5adf5651813837300b29 |
| SHA512 | 69d212913e745ef3445878b8faf87ef233d3451f454c40beee985dba0c52535a9fecef095323b99b06774343774900423bc4dc393bd8dd6e99bb08d4062d4041 |
memory/1016-99-0x0000000001230000-0x000000000124E000-memory.dmp
memory/1016-100-0x0000000073E70000-0x000000007455E000-memory.dmp
memory/1016-101-0x0000000001000000-0x0000000001040000-memory.dmp
memory/1016-102-0x0000000073E70000-0x000000007455E000-memory.dmp
memory/1016-103-0x0000000001000000-0x0000000001040000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-12 18:47
Reported
2024-01-12 18:50
Platform
win10v2004-20231222-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ready\7z.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe
"C:\Users\Admin\AppData\Local\Temp\5738d596be68071de7786712b5410024.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ready\main.bat" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e file.zip -p___________20689pwd2342pwd16763___________ -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\janhidf.exe
"janhidf.exe"
C:\Windows\system32\attrib.exe
attrib +H "janhidf.exe"
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
7z.exe e extracted/file_10.zip -oextracted
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| NL | 45.14.12.90:52072 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 167.109.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| NL | 45.14.12.90:52072 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| NL | 45.14.12.90:52072 | | tcp |
| US | 8.8.8.8:53 | 198.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 45.14.12.90:52072 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 45.14.12.90:52072 | | tcp |
| NL | 45.14.12.90:52072 | | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ready\main.bat
| MD5 | 3afb4af06ef85bcec37d3493910949b7 |
| SHA1 | 8dece16a9f45866453ee6af0f1cabaaef5b11448 |
| SHA256 | c17d67303f4483cb9a3c3e3f974a26c6c4482f1042aba973cc4a37c686d0803f |
| SHA512 | 832067f4f08e111d22aef14ff0a2d86b9e86ae6ae193cfe33486c30c7cd172aa64d19f0729ced4dd3bb08f28feffd992dec416d1d383fc308ac4640c34dae180 |
C:\Users\Admin\AppData\Local\Temp\ready\file.bin
| MD5 | 4c8c55cced3cb71d93234a2dd5bfb21a |
| SHA1 | d439bc492d1e0b95923eec971ca4af617a7e0f9c |
| SHA256 | 28dc476829c3c92271d67791becd6e7623e7b15ef2f44d0602c9b1435dc67500 |
| SHA512 | cb6114635dc4f0a33a75ef8b9cc5e9fe4a1495b1e44ddab8ed08ec42922cb410fe65a3942055375de12ff2427c275a02134f7e19fb844561daa1b86f6371fe5e |
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
| MD5 | 619f7135621b50fd1900ff24aade1524 |
| SHA1 | 6c7ea8bbd435163ae3945cbef30ef6b9872a4591 |
| SHA256 | 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2 |
| SHA512 | 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628 |
C:\Users\Admin\AppData\Local\Temp\ready\7z.exe
| MD5 | f1ceb742b0adaa20196016a3a94d454b |
| SHA1 | 4482fa8c46273bfdec7b28f2154ea03d07b611ca |
| SHA256 | fbcb24ed51dc5cdecff1a7b883f401907f526a0331d5c966f50112ffe2c4bc01 |
| SHA512 | f1754053fdd5eaa11053d66c812d825bf5273bf93f9a31927bf21c3b6cf29e880c4617602fb0633c57a3106eecc60bff89e9502567c2893ba409387a6216999d |
memory/5040-83-0x00000000008E0000-0x00000000008FE000-memory.dmp
memory/5040-84-0x0000000073A90000-0x0000000074240000-memory.dmp
memory/5040-85-0x0000000005920000-0x0000000005EC4000-memory.dmp
memory/5040-87-0x00000000054A0000-0x0000000005532000-memory.dmp
memory/5040-88-0x0000000005450000-0x0000000005462000-memory.dmp
memory/5040-89-0x0000000005580000-0x00000000055BC000-memory.dmp
memory/5040-86-0x00000000064F0000-0x0000000006B08000-memory.dmp
memory/5040-91-0x0000000006260000-0x00000000062AC000-memory.dmp
memory/5040-90-0x00000000056C0000-0x00000000056D0000-memory.dmp
memory/5040-92-0x00000000063D0000-0x00000000064DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_5.zip
| MD5 | 285d432d435cd6fb30a14b26d785ae5c |
| SHA1 | 1bba0e1cd964177543561233df0117f210184610 |
| SHA256 | 82123a06b9ed0f527fed2d987b222befb12023e077bc0187c15ca7389351043f |
| SHA512 | f6c2c6eebd2e1c451f4a4cbb92ee81601a24df97584a6636bf712fe23ba6e2adf2b1c3b1b62de2f28cd0eeb93d07cac12c96548897be42c093c885995c5131a6 |
C:\Users\Admin\AppData\Local\Temp\ready\7z.dll
| MD5 | 72491c7b87a7c2dd350b727444f13bb4 |
| SHA1 | 1e9338d56db7ded386878eab7bb44b8934ab1bc7 |
| SHA256 | 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891 |
| SHA512 | 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_6.zip
| MD5 | 110d098300a79bf77df3e1f9dc000854 |
| SHA1 | 7fc902980a6ad5c49d2a1592b17aa94d6cd63bc6 |
| SHA256 | 3b5a7ae6a43ca5e3cb3280a6463ed79f7ae688eeae2a81114d24d1bc8f8048c3 |
| SHA512 | 7e4051d93a0f543a686e9b0bb5d705ee542a1658ab60f7e23c517a6221b2f8bc11f2c22442b58a5a9eb602078bc03956908cab6adf0dca501b975d1a6940cedd |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_7.zip
| MD5 | d9f067d9b53e9dac1d72d801b5348c12 |
| SHA1 | ccdfdf4205d670f422facdfc772405ae11096000 |
| SHA256 | e00256861aca90c8f701ab67cd4442cee23ace47ebb7fe87d368814701f013ab |
| SHA512 | 950c1b2b805bfa666eafb6acd6ffababc40373110c567e70b15fe54d06a505a26656b94361d09ae00c64929d46726c439b6c041e2200988b6c76c05fbe29b098 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_8.zip
| MD5 | f268400b4f4630f70e6220f9f73ca770 |
| SHA1 | f7c0717bb47ef3d3f075d7fbe62ae9146cccd561 |
| SHA256 | 5216fd47e01f7a9c5dd503f3576c2bb6b54f5bdf51f942c4e0c230eaa5a3a0b4 |
| SHA512 | a7ef869820d1294431c5a351bb423c024af5b07d4adc6abe50074996dfefbb05ddf68451cb060ecc263d85a608195f3206aaf9eaa2c9e7bb8ab573e51deb63e1 |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_9.zip
| MD5 | 7be328380791baf2e2427349b5ac2b08 |
| SHA1 | 1b10efbfeca8ba85dd4af53b1066ee338bba9120 |
| SHA256 | 14a5a7e340f07b9859bd2694f7aa7f71f2a6f31400afc0d16ce79db740190d95 |
| SHA512 | 1bc4672bc9b6178b5baa1934ce6114c0a0c4d052df45099ac4a946c8ad360f8bf9a1d56e8bccb8847571a333c809698da798f8d0308dfeaf35501dfa1407be4c |
C:\Users\Admin\AppData\Local\Temp\ready\extracted\file_10.zip
| MD5 | 5bb135d42aac5b8fea4c41e4f0e682fb |
| SHA1 | 7f462309a386c1f2b496f9f7b972458dd513af9f |
| SHA256 | 7cf3d534397c1618d5984387ea3d319744a1c9fc450d01003f5953355fb9128b |
| SHA512 | 4026241c9f003c9a96286b235d3314fe2e0212d914f255242dadc0e454a71adaed6f67fc8a4b49c7fda285a5bb9ec1ae703723a0c1942906b0060d299b1e4df8 |
memory/5040-93-0x0000000073A90000-0x0000000074240000-memory.dmp
memory/5040-94-0x00000000056C0000-0x00000000056D0000-memory.dmp