Analysis Overview
SHA256
fa6a68e4dff9c701b5a7e4d621dfd67dda338e2c1eae3180d69abae2b2abafcd
Threat Level: Known bad
The file 5824addc5cace9168fb18810a557998d was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Views/modifies file attributes
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-13 05:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-13 05:50
Reported
2024-01-13 05:53
Platform
win7-20231215-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\build.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe
"C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Windows\system32\attrib.exe
attrib +H "build.exe"""
C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
"build.exe"""
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p -oextracted
C:\Windows\system32\mode.com
mode 65,10
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
Network
| Country | Destination | Domain | Proto |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 0649841faf7eb6847162d24af9dd7297 |
| SHA1 | 2f56cf8f757cb08357edbfd22a3462b53a244da3 |
| SHA256 | b176bfdcf7f463940b31c0dd19579bccba918da7920b651d13d2c3999f4fcdff |
| SHA512 | 79c9b1c4ec559a87994bbeff3a339d503eff1685d7be86bd4e926dd12d44c052c1a599fd908715bfcdd6d2ab56c680352eeff163be6dfa95de1128204c068e45 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | c0eff909765c495bed6356ee10099050 |
| SHA1 | d1e0fc37ec60fa394f7cbce47ee45a60f29181f6 |
| SHA256 | c9e18d58acdbf3dce411706cc8c6bb9048ee2316c662d983a16b5510212d09b6 |
| SHA512 | f138ac5f0504576ebb85f2af8f0b513d779d4da3966c9e4650abc396e02ac1beb5fd210d1d848c739dd676c50999fbc5edfd8ef38c09f4cd9626db9f02b4fdd8 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | db2d86f04a9a62b2d0bf26900a4eab88 |
| SHA1 | a401d944d9af9428ec6fef97169144a7f494174c |
| SHA256 | c24888b93ce2b58c5937e36e152aa725b7fbb802e915135bd8464b8071374bf8 |
| SHA512 | fd519c2be1e7bd6d9c721d81ccbc8bfd74210572208913338c97df0da86e0bdccef16f32fb3467d4f6a420b3320bc41201e6a2e275b27fbd6887bcef04f30174 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip
| MD5 | 95b1e5aa02d225760ef7b74748a2f751 |
| SHA1 | 94f8d027b4331548074955b647cc28eb23720d69 |
| SHA256 | b8f4038bcfad7d68fbc130297072669f36c022ffb46457b6d227ffe698980460 |
| SHA512 | 304f86276bbd35a0862e60f0c02f7a22185df1221b5fc2dfd00e9c6e7936a072f670fe77364a1bba3e21cae9e67dac82cc2a5282f0590b8d1278b6c729bd6af3 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 4316979f932910bf022d3f0ca0861f83 |
| SHA1 | 048e6b89b2d29f3c35df27199f60be16a4143cf6 |
| SHA256 | 172bb977c6a4e62d8a96bbae650be7ca6b091f4a13631c0a74865b6ccda95099 |
| SHA512 | 9c1e9bccda064cc2872cb88b5ea46be45b9b3e8909c87417239e571cb981cfcfda1521e72b6ca009b4cb1b8cb3dff7765eb6c671e96d8800b1d06c616185833e |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
| MD5 | 88353e8a3843ec7ea0bb8ede2a66b820 |
| SHA1 | 12ad7b4843c9000a7c6fb3b4f0f7fbb61589cff4 |
| SHA256 | d8126f64b41cd5ea9fd3e5e7b2d11b156006d12c11878be6f9af30ecb0ca70be |
| SHA512 | 86e954104e83a01203dd78b56df0dacccfb2b42f394bef98f2281406ae37729a53ebc91f5b08ea3a86bbeb222c3f72dcaef44a2d31d121ad987564a48c417870 |
C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
| MD5 | 840ce01435f45bd7cfb31949c5790443 |
| SHA1 | 8ce20196db0eea2e1b04f575b8de95f1c09fc31e |
| SHA256 | 550d93df062facfe817ff3794e0703ce020c1c18fd21c4d9ebc92a96cba9f991 |
| SHA512 | 117992191ad03e3016429b94d8ad8152527d1643197bdff60d7ec7fb8554d93613b0c3d9d892c64016426133dfefa2f0d14c280074a888b8ad1f9fcfe51b55c1 |
memory/704-64-0x0000000000C90000-0x0000000000CAE000-memory.dmp
memory/704-65-0x0000000074870000-0x0000000074F5E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
| MD5 | 72bce3686805dfc913556ded79e329ab |
| SHA1 | 3e4554b4c2ab1db9e09b153c643c44a5e87565fa |
| SHA256 | cb085d0d6f7377543b12481bb6af7d559089eddb082a57002703c96f039fbba5 |
| SHA512 | 7e2e58152d7df5afab697012487f71561be844a4b7c646079b8e31dfa42cf6a420c5e5e02e7aa861afc96ad2160de7af6d75f30b9fb0d9be27ab67ae796cda7d |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\build.exe
| MD5 | cd44299e11918b1e8e9c0cb01f52477b |
| SHA1 | ac7d5cf31cc8d3c5f71adc6192f8fd867dd05737 |
| SHA256 | 83e8f9e4943f9289d344f3442a9dbe3564afcf7a20531ffa979e9816babe53f1 |
| SHA512 | 8623cd7af5e24b1e86721e1a1c7945905b7c00b6132f52f9ea6ff4d434cd268c54277b786f9fa5a9f89c7cf4d617f0bb0c0b1b0d643a017cfe61b67193464809 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
| MD5 | 580eab814576665d16a0faa6fff2bab6 |
| SHA1 | dca3a9c3936179181c3b5e08926d4d02a43221d7 |
| SHA256 | ee626cc556542301f01b701999b779f7cece5c8f133cdebf9bcd84012e0a0e19 |
| SHA512 | 4e9e02b9b2ff37702e857032065f9672d18325884dfa69fa292a4f74b76dff3b564a0b0fbaf0f6492f10e0e31dc90b8e6ccea46ef635398a24c330e6049d8b5c |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | c59e1661cab7cce318e2fd4b15ac1a03 |
| SHA1 | 138cc5fedacc18607d8b8299e273c22b0e0b0c9a |
| SHA256 | bfd1f423cf488c0f7084743f288096cf715f6311418a71ec91aafa747534acb9 |
| SHA512 | d89bb35aa89d6de5c51f2d5f90b9f7c8e2b301118462da6f8383dbe94ccc72cd41d88b597954c82fc2439693734f7029ea6d568f2ade75038d2fdc63de7a04a7 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 03641b846c3f22860d65affd546b2aaf |
| SHA1 | adf95544193cbdc0f35fe4e0cfab27fc33f42427 |
| SHA256 | e3ba4b3121b370afdd42018cb0c5f2e96f9a28f6e2137503a3fccb54d67b0ddc |
| SHA512 | 8a2395dabc5afe278ee6eb949acd5202dce918f46c70dfe05be439737d6163436d9c7cff5b45b79f726850982ce3b2a668a59966d1821d74b6762d677b47a015 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | af5233f6d4c806ecc112ee4b7623e4f8 |
| SHA1 | 53dcfd03b40a0dc7a6491745cfbeb8db23e3113c |
| SHA256 | c7722d8aad2e6a1d1c300d057c3674a894fac996bbf78feba48bfabf4214ae41 |
| SHA512 | 1181c1c0b4c7ef6464bf5d0be164601b3ad8c21b50ea7c1dc33fa60f0f629b7a4d1f8f2ff15298536e4c5b4a720d6d321e289e92cffe2b7a880e874ed6a1be84 |
memory/704-66-0x0000000004330000-0x0000000004370000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
| MD5 | 1a1abb9d3c276d49b82533a01e5749de |
| SHA1 | 9afe72a88ef8416d4766765e849e4938db2cc347 |
| SHA256 | 03b5c136ce10551c43bbb8e241481bb14528bc86dd9981b05dcb13f7257043b1 |
| SHA512 | 7670ff5ca9fb150bdfb720b64ddb8b78c9899ea5022935a64de9f8e0e9f684110c347fb361122f20b46ee9c6feeba410f89012488f03d0a95a65748395d67bcd |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 9510b386175232e0738df036d80e4d66 |
| SHA1 | 8c00f923ec818d15fa07fab8e7c9cd8855efeb09 |
| SHA256 | 539a8a9158772888b16bfdae3b87e23b8369317622b319656ffc4cea7410a659 |
| SHA512 | 60264f7e76fa290103fd870ef5e6bb5a6989fa3b2e1a2f65d1906b147b58bd17c99ece80f224da88e6e0d9576fb28f3277da1fc5551a73464b4cccc4151eee52 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 2083f89979ad4cb16c504acade1e5dac |
| SHA1 | e730d5ff874c3d7ebe7c3cb40c0a7ea48b1f5153 |
| SHA256 | 0257bb90ceac230a7ccfe85ba0640d99fea52420a8a3d6535e20b1c0e95840a4 |
| SHA512 | 9953d04f6a28892df6de7a1367bcbc0f683aa523cc8ba2d53d95719ebc860a99cd6049bfc5716c7e15f389db83d6d571341ddedd4a555e48a8d113902e6f0af3 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 57abc5c06eeacc722f7fe2cd83e28544 |
| SHA1 | 0c00c42383b1252fa9c3d75d120119934d5b1fd5 |
| SHA256 | fffcb4af82b424440c49e2d078ab4d80d13e6ead384ec0151eca156410103e34 |
| SHA512 | 3d7453effa471bbf54ec3a231582035e739243479a93d20b41017b704352e08b95adaac4b7d3c5fe986d3351de04d0d9dc16c4ce416303ee931d0999b6e47a9b |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 80c05a105fe7d8071aee41467a7e50ff |
| SHA1 | 44c9c5335862523ea4a3918c344d41f3b3ff2a60 |
| SHA256 | aed52da3975b35c0dba3e95dabfaeab807e8ae0269e5bf0c101c0408915b6e04 |
| SHA512 | 952d8b2c1786dcd2e14764f74e8457187dbcbf660ef7ff2f6cc453e59792f351118d719ebe4f34126983ec996cf2f27cab093d2352785357c9d191558f296e58 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 9f92e325a79ffe793c898b1dfeb5a3f2 |
| SHA1 | 5483ef9e3a1a9dee90fd9fc6fd98e8c7a4a38eb2 |
| SHA256 | 260a5a8388fa1085f9d6deb7d6c354215195a50cc280a8af23701d9dbb3a0a56 |
| SHA512 | 8df6f48677ca31c15891fa578a9626cf648adf1719d1430a7b63a61e99b181eab80ecbb45f5cfbae08ef1927e08d6683597e00e3cec850292f5e21c33a3c96e0 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 65b5f127151e82a1e6db03da38c7614d |
| SHA1 | f2f6582660fefd9dd894701a56c667cb900f243b |
| SHA256 | 94f62fc658d1cc6cb993f2107b1ebe4558a3921caafef9cf868f212d8aa62503 |
| SHA512 | d2df55a3522369087fb221aaa6e4c65d0828239665cfdbbe8d5f768a9a2dd7edc036ffc0f2f7757c0b87495b0d9cce6ac0e833ea6efe7eb421abe099d548535d |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
| MD5 | 4551328bc2245d4635af4b457bf0ee61 |
| SHA1 | 21c020d83ed6591496719587f4b8efe471cd1f10 |
| SHA256 | 54fe8a83fc59379b6eb9ea6f5592bee6ac6eb238abdc878f5e526a8f51127522 |
| SHA512 | 59205295b0acd34ea4d23bffe121fe0550f22d7c99e16e1d42989d3adbf3600c7f3dc90fa7283c3ec3c8118a276f1fec8205e8d8553a55459ec36398f99d4293 |
\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 578a21d631f7e1c30c6ef98aa4ddfe9e |
| SHA1 | 00bf9cffcce35fc3e7880979706b007722c0bcb9 |
| SHA256 | de921f104f0df636e298131280be9e08ff3dfae35b40bcd3dd06a18c3b0f1181 |
| SHA512 | a228b520e5d641713e678c4fea86c8588d39a2e65ce256d2ab0f130c9d9663cd49d4614076dedb03147126ceb8e92c722b3b56e5d12e8701e92f01c9b7e53918 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 1793d44a3f48937e86e6d255fa221e50 |
| SHA1 | 5613a82da5ce3de8646076eab24006a4c5f753f6 |
| SHA256 | 90dba1b7ff7ef84ea4b85d4bde926a1be0488cfa9cc3a362a6c56fd5e1b590c6 |
| SHA512 | b372f7a49743adb7c48aa05ed4febebb2219f43a4fa1bad1cbc6fbc722502e2f6dfd9a611c0108df5da9509fdb8ff127274f7715e6fadfc55e0f00db47d0a496 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 6032b52fa5dd0a8dd57eb9b26bd591e2 |
| SHA1 | b24f033c1f6422b17863c330cbc64e8c49f9b975 |
| SHA256 | 1bad7fa4d19da87ea8cec7efa2298b4b21671aa078cc50d8d3354902a21d1df3 |
| SHA512 | 96df90ebab377dc8e7b6f8a8aa465777d81ab6b3779b8caf825d87ef68164ceb98e5050a1e8c727c61bbdafd27d1523566448c49830fb24621e1e48c094c5ac4 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 42541fc596e0c7377a86b9197ea2c2a0 |
| SHA1 | 75c5648aed8fd6a88444889aa2e97622a319a538 |
| SHA256 | 48f7ffa2e4dbb103662b85954d62481d89684f3c28af501afc14c62673abeb8c |
| SHA512 | 5c16f2cf08991cc3323486bf933baad706713187e1d965c5236ad8f24038e818620ca76bf75beff046dcb292b12b8bd82f8dc7ae3be71e4ae4759f7ec9d4226e |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | b4a29bf2c9cf2190b1113cb6786acde3 |
| SHA1 | 2c3a84bfc8096b2e07bab943206e2046b5fc03e6 |
| SHA256 | aecd3cbe96e36b4262ff82f8fa7b3908d418842ce7434d60fb574e4cf433efcf |
| SHA512 | df37a74348738fe1aebc651cb191b1c75f1a5527e46183ef9f9009fb2ab2fb1df22cd87d0d7dcec8b10923da6b38128c59ebd34b2a59dbf698c46cd1157ea461 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 847d8d09a72890d8fcc0420f01f0324e |
| SHA1 | 8341ff6aa2accf2d36fddc3816f95687c848a2ca |
| SHA256 | 504bf11cc0a8c7ba3675d3d5720da0021950b250bc6fe90fc80cbcc779ecb271 |
| SHA512 | 39dd5e3e4e513337d7f9cec96c4039a5591840a7144b64c0ab3758cf241aa4e2b216dacdc44664d83eb299c745a17d1d26bd66ad15df0beb470bf0bb6a689683 |
\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | f4be2eb3955430d0f6614a60d74c3fd0 |
| SHA1 | c183e55262d97e9ed683dd6fa25d9bd7b75970bb |
| SHA256 | ad316a8c046d8deb5775e675538dcbade24292ef9b81c83e402518cd0f26b0b0 |
| SHA512 | 77c2d7dfecb9115a7b1412830819f09989f11ff05d1e894c29ea1ab78e398c4d47fd5a7c6068527831e09743445713905e10877805598632ac015aecdbce23bc |
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
| MD5 | 5798b36ca7e199fefc2c0d79ad5999d0 |
| SHA1 | 31a848c69faef08bb5ac8da68268b5df9e149290 |
| SHA256 | 57ecb27c9bb6568856ca0796f0708383e73183ae1a3fe1f71ae531165e349295 |
| SHA512 | a6614cc2ef2dd382df8b52ad9622b7139ff7db01671f69a1fc3e3a9b56924370a4cdc9f7b4cfc9953393ce95962ab20a01371498c2d545bb6e9176cb68811849 |
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
| MD5 | b8d0fdde29b49c27a22b6d5418505832 |
| SHA1 | 6d7e3ac153bc8d49ec2ae043095fd32cd7c57a69 |
| SHA256 | 87651ba0e7d43c146d25f912afe049fd75ba8f62d32148001caf8c379a4e1002 |
| SHA512 | 42aa76a3c602b1d65f38bf1a16ec83844fd6523f58df24e54f557b9cf07302cb568385ef079fac39c64b28dc6098925532270a74913b1f070b90f36ad46b8eb0 |
memory/704-67-0x0000000074870000-0x0000000074F5E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-13 05:50
Reported
2024-01-13 05:53
Platform
win10v2004-20231215-en
Max time kernel
154s
Max time network
161s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\build.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe
"C:\Users\Admin\AppData\Local\Temp\5824addc5cace9168fb18810a557998d.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd" /S"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e file.zip -p -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\svchost\build.exe
"build.exe"""
C:\Windows\system32\attrib.exe
attrib +H "build.exe"""
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
7z.exe e extracted/file_1.zip -oextracted
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 149.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 45.14.49.109:21295 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| NL | 45.14.49.109:21295 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| NL | 45.14.49.109:21295 | | tcp |
| US | 8.8.8.8:53 | 11.73.50.20.in-addr.arpa | udp |
| NL | 45.14.49.109:21295 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\svchost\svchost.cmd
| MD5 | b8d0fdde29b49c27a22b6d5418505832 |
| SHA1 | 6d7e3ac153bc8d49ec2ae043095fd32cd7c57a69 |
| SHA256 | 87651ba0e7d43c146d25f912afe049fd75ba8f62d32148001caf8c379a4e1002 |
| SHA512 | 42aa76a3c602b1d65f38bf1a16ec83844fd6523f58df24e54f557b9cf07302cb568385ef079fac39c64b28dc6098925532270a74913b1f070b90f36ad46b8eb0 |
C:\Users\Admin\AppData\Local\Temp\svchost\payload.data
| MD5 | db146e678cb0230409098475c9e690dd |
| SHA1 | e1823eb225c041963915638eac72934bfb47273b |
| SHA256 | 1fc874d05d430c4dd9561cf9616755f5a1b3ce626cb4bc1cfbbeb8cef2533e85 |
| SHA512 | 06e16cc98c44065a92bbd66fc17b3ee62d9c3235e4099a10f14c3fadeeb1fc86b6f6233d5425fbe2de35fba8c75a9f864999c9c40574e7de4ebf5c03d7c02f41 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 2dcff3a04cb4c1e9cf4d11eb603485cb |
| SHA1 | 50a37bbc50f15714bc69589d1fd263d269d2be75 |
| SHA256 | 9b7dd38d09d05b5c1c92b495e7ef1a10e673998cf8ae6381128e5ce5f35d786e |
| SHA512 | 137628a35593e1011c36e18b3dad4494ec8bdfc6772616534aee31cf2d214c406f3cff8c8c9d53d96dc7ae564a48b96a106c7b491707cb46551583064a9fe5f7 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 3106aead3385431dfb7b721988e170c1 |
| SHA1 | ea118631dd8b39d01436bdab216eb6e6f64cecad |
| SHA256 | 86954c3b19c12b7544524c384c009764625f5f73d93b2ddff7c1874694ec6767 |
| SHA512 | 778d1b5269920211ee093b9091460d9636444d6c724f51ce9f8ab0597a8060c9fcb6868937dbd0409c178cabb192f1612a6f6c7ddbded2b2a6cff7577ad266d8 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 6fc2d66a31dbe7c220740f67b9a78446 |
| SHA1 | a0d99c03e5f7b295f3f9a16bcf4997fe32d8e5b0 |
| SHA256 | 52b789686f4ebd770c5753fa8d3f6a79178189f68bcc0c77b6c94142e1756a8c |
| SHA512 | 7a9eb7301d04f1f3883892f09b1bc2a21a3d830837410cdb612da19beec970fac005cfd7a81d9cc231ae201025c60a08f4f339e5372087a65be9eae62ed82e5d |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | f2fc35f8e523bd7fea8dd5b5e35d065d |
| SHA1 | bec86a0ad6e876603a6e510ae42fc90cfc2c9573 |
| SHA256 | a975a7e8bd95d5a716c7c1a09f7da255b81eaa8c7743fd23e32d1f7c734543d4 |
| SHA512 | 71d045befb79ab1fac6b4e352088d4e7fa60ffd611e226d9ddf7e38c828f833713a78c9e7167fc23d1daa3b96605b1235fa5b8c6f013c47c9aa75c04d1abb91d |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_5.zip
| MD5 | 90a6d11c3707ba1364c5720af0df689b |
| SHA1 | 7fbcf4152aef298c70450157130a42d049289a78 |
| SHA256 | abe99cd56670d3e3f919742bd74edd9d0c67051405293190e03d74408aca1592 |
| SHA512 | 51da79a50b5eb3c7c0e20b2b76659bf703c1ea64b3d126c8a0acea91ee0f42d3c564e63fea8e3d8bbfde5459e89e0f884ef51155c6b42ddba952196bf1b199c5 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 99ad3c8da0219defebec5055eb5156a6 |
| SHA1 | 0acedc3c5239eccb2d370537b30cdd894696126f |
| SHA256 | a94601caec8af183dac7e36d8ea8e81cf2f12f4f2e3b2e4ae6447ca476b6ae6e |
| SHA512 | 3ac3621afac898c4a9630a020e25b342e42c6b050b89f015290fad62928f43a98251c6ca6eb1b594c931b2c779fef5c7e7c6a2dd61b209e2c775a448142a3adf |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 436531a989f0f4f71d680c02afa93bd2 |
| SHA1 | d6c38babc51d5a7823dec7b214adf16c17e902fc |
| SHA256 | 633fadc577209823ab29d3197d0e8442f7a3a695f348652687d10b6cd45e53d4 |
| SHA512 | dff6cc2502318026d8fc1b961ec455ab0dd30d7987270b111f37d2e8868eb05cdd5894eaeae47f24cd23a894f44716d0e7d671979635372a988a7b072b9d9445 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_4.zip
| MD5 | 4551328bc2245d4635af4b457bf0ee61 |
| SHA1 | 21c020d83ed6591496719587f4b8efe471cd1f10 |
| SHA256 | 54fe8a83fc59379b6eb9ea6f5592bee6ac6eb238abdc878f5e526a8f51127522 |
| SHA512 | 59205295b0acd34ea4d23bffe121fe0550f22d7c99e16e1d42989d3adbf3600c7f3dc90fa7283c3ec3c8118a276f1fec8205e8d8553a55459ec36398f99d4293 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 853fe0a01cd4a2c084b994e3de9b5d04 |
| SHA1 | 859582d323692779f28da1adf4b250ef2733a408 |
| SHA256 | 986d8fe9e773b9e103484618bb60d6802c7a9c9192bfc1deccb7e20e69fa265d |
| SHA512 | 9a9489894b9b62ad81029ce8765288e2ea5d0f7ac0cbdffeaab9c089f837ee1a3fcd2be56083d91db5a2db895de9c429fc162f2b0c3777c8ab4e09d95598ed94 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 907a24cca3f4ecdaafdbc44de583e991 |
| SHA1 | 7abcf97404a9f7d88ca98d6c3c3d1cc551ff2c67 |
| SHA256 | 80ed4237c239f81f2e672854047aefe163b0692513fd0c268d703a27f12dabc6 |
| SHA512 | 948505d3f5867f77d2602fb9fd5d4adc2e5dabd02c8315c9b9bfbd623056b9f7918c740134b89714a015efafe403a902aed7af423e07fdc519965662f43c084a |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 2fc87fc7c838b7a1b298248f949af3b4 |
| SHA1 | 8f525685a31195811545b40b2bb65b58db5a144c |
| SHA256 | 5ab69ed126b15337f376dc1a04ab0aa1f47f7d1b52dd0e265b01f917a9b97fa3 |
| SHA512 | b6a1a2abb500abfff3b18c8beca193e22fb61c967f2a1be3e8a3ea3b015ea886e3ec8a7fd4f874a106aa8da34f551b75e70af12d1355edf508b389f6bff56ee6 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_3.zip
| MD5 | 88353e8a3843ec7ea0bb8ede2a66b820 |
| SHA1 | 12ad7b4843c9000a7c6fb3b4f0f7fbb61589cff4 |
| SHA256 | d8126f64b41cd5ea9fd3e5e7b2d11b156006d12c11878be6f9af30ecb0ca70be |
| SHA512 | 86e954104e83a01203dd78b56df0dacccfb2b42f394bef98f2281406ae37729a53ebc91f5b08ea3a86bbeb222c3f72dcaef44a2d31d121ad987564a48c417870 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 5ed0c1872a6c94b31ae3cccbea45dc3e |
| SHA1 | 17b9a252f26b77941b74d6eaf8da94bc1cead204 |
| SHA256 | 7875069172719d2d1ebb2d5d656076b946a058b6a3ee6edce222c638be745ee9 |
| SHA512 | d81ebcda3602b1c2a6e31975f27c1e53cd19ef7bf2c01d5a5e6c78f09b7ffbef0e9c449218ddd84bca60db7beeeebf14407a412c32a28c9782c3d2131cd9925e |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 659736d1295e7bcbf111267c0a522e7e |
| SHA1 | 9027624b3fbde81d8da8b9c6d8bee6ffbfd3b9b9 |
| SHA256 | 508f8dfa3049115a13f19ccdbe5bebd123e700894f0b4bcf2083feacfb296b84 |
| SHA512 | 974ce7c57c094c60541fd23c3a8bb2946fab12c23bcb93fa533e1e3baf376491db0c4e14136a0d1270c8ebf2e8b7da1baf3d96d13683f671e41dd8dee5480cb2 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_1.zip
| MD5 | 580eab814576665d16a0faa6fff2bab6 |
| SHA1 | dca3a9c3936179181c3b5e08926d4d02a43221d7 |
| SHA256 | ee626cc556542301f01b701999b779f7cece5c8f133cdebf9bcd84012e0a0e19 |
| SHA512 | 4e9e02b9b2ff37702e857032065f9672d18325884dfa69fa292a4f74b76dff3b564a0b0fbaf0f6492f10e0e31dc90b8e6ccea46ef635398a24c330e6049d8b5c |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\ANTISC~1.DAT
| MD5 | b6c5464b92816f3c4af70dd3b6ea48bd |
| SHA1 | a0754528f059c9076393438ee0ff1be4b72c71bb |
| SHA256 | 2c9fc7ff57d9289217f339644078f21903d5ec45fea5b00c7023668f76269aae |
| SHA512 | ec6a17aeb4ee780540fca628a0f7fd08fd1ffb6581e36d6a10ca5d6ed6107cb35767318fc4728669443272cfc074bfb2b05f14704f2d70d7213cd482f7aa6b2f |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\build.exe
| MD5 | 840ce01435f45bd7cfb31949c5790443 |
| SHA1 | 8ce20196db0eea2e1b04f575b8de95f1c09fc31e |
| SHA256 | 550d93df062facfe817ff3794e0703ce020c1c18fd21c4d9ebc92a96cba9f991 |
| SHA512 | 117992191ad03e3016429b94d8ad8152527d1643197bdff60d7ec7fb8554d93613b0c3d9d892c64016426133dfefa2f0d14c280074a888b8ad1f9fcfe51b55c1 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | b0e2e6e782fc477e48a2a1ee0acb753b |
| SHA1 | 62fad9e245a7661d89daaf01427cc21b82506921 |
| SHA256 | a83ecdcca5d65497b9d6c53530f29184ced10bdab6bafa97c727433d9e4b7bbf |
| SHA512 | f833376e8876a4d2bca61ce7cbbaff497395cf80ba38d0dc7a5300c3fd8afb34b7e5893cfa42eefe19edb78aaa0fff136b654b4b9592ebc6082dbac14b3ff425 |
C:\Users\Admin\AppData\Local\Temp\svchost\extracted\file_2.zip
| MD5 | 1a1abb9d3c276d49b82533a01e5749de |
| SHA1 | 9afe72a88ef8416d4766765e849e4938db2cc347 |
| SHA256 | 03b5c136ce10551c43bbb8e241481bb14528bc86dd9981b05dcb13f7257043b1 |
| SHA512 | 7670ff5ca9fb150bdfb720b64ddb8b78c9899ea5022935a64de9f8e0e9f684110c347fb361122f20b46ee9c6feeba410f89012488f03d0a95a65748395d67bcd |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.dll
| MD5 | 34e4a8246286929b1c1827358c1b14cf |
| SHA1 | 8a91b6272e68945707e3f307e076c0e736b339b0 |
| SHA256 | 710ffba46739131673867faa35ab6488c39395cb7f254e788ea28ac03b8d362b |
| SHA512 | 0721153762c062e7c45b37440e492a6fdef8ad90ef51d0782ac06f5a5e04ae39a15c869164e39e1698b449e4eef0dc711d0cd0106406cc1188162b71bf4323a4 |
C:\Users\Admin\AppData\Local\Temp\svchost\7z.exe
| MD5 | 109ff78fdae41cc0a02cbb3cdc64ef28 |
| SHA1 | d973c263d8910893f6cac14c77b23343f9c1445b |
| SHA256 | db4eb81bcfeb99b888aa340b9fc3ce1244cf72aa090bf14caf56bf3d49ae87df |
| SHA512 | 3971b1dd7241931c6e94e824e7da0da080b090e9ec4ddfaa9fea0f1dba37e4b0095447aa4b4298daa013416cac270945022d2f37bdca23753fbe19571df38f11 |
memory/2132-53-0x0000000073340000-0x0000000073AF0000-memory.dmp
memory/2132-54-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2132-55-0x0000000005340000-0x0000000005958000-memory.dmp
memory/2132-56-0x0000000004C80000-0x0000000004C92000-memory.dmp
memory/2132-57-0x0000000004D20000-0x0000000004D5C000-memory.dmp
memory/2132-58-0x0000000004D10000-0x0000000004D20000-memory.dmp
memory/2132-59-0x0000000004CA0000-0x0000000004CEC000-memory.dmp
memory/2132-60-0x0000000004F90000-0x000000000509A000-memory.dmp
memory/2132-61-0x0000000073340000-0x0000000073AF0000-memory.dmp
memory/2132-62-0x0000000004D10000-0x0000000004D20000-memory.dmp