Malware Analysis Report

2025-04-13 21:10

Sample ID 240127-n7jrwadear
Target 7a31a2743fd46eaac57e0facfa4cc550
SHA256 f67ef0bea71caf8b6cb8b570304051aacce30cb42c51eec9d5bc10365b057430
Tags
nanocore evasion keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f67ef0bea71caf8b6cb8b570304051aacce30cb42c51eec9d5bc10365b057430

Threat Level: Known bad

The file 7a31a2743fd46eaac57e0facfa4cc550 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger persistence spyware stealer trojan

NanoCore

Unexpected DNS network traffic destination

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-27 12:02

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-27 12:02

Reported

2024-01-27 12:04

Platform

win10v2004-20231222-en

Max time kernel

144s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 37.235.1.177 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5052 set thread context of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A
File created | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5052 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5052 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5052 wrote to memory of 2304 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\schtasks.exe
PID 5052 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4424 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5052 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 5052 wrote to memory of 4744 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GoJyWEU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE77D.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"

C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
AT | 37.235.1.174:53 | judge777.ddns.net | udp
US | 8.8.8.8:53 | 174.1.235.37.in-addr.arpa | udp
AT | 37.235.1.177:53 | judge777.ddns.net | udp
US | 8.8.8.8:53 | 177.1.235.37.in-addr.arpa | udp
US | 8.8.8.8:53 | judge777.ddns.net | udp
AT | 37.235.1.174:53 | judge777.ddns.net | udp
AT | 37.235.1.177:53 | judge777.ddns.net | udp

Files

C:\Users\Admin\AppData\Local\Temp\tmpE77D.tmp

MD5 7b934c582ccc0210a00e4f5612cdffcc
SHA1 ec8b4afcd423da8f5d9d68f6125f152b7b54c5e2
SHA256 1f7c4c6035780c8160c279e0eff918b65a0b543bcb282a0495fa3d5316519c4c
SHA512 3f6eee58818f1e17a7bf4efc5d1d9c3165a0e566889cbb213ce8d62d1514af8ce65cd2fcc075b4c310d37d5d85a6243489cdafd17b6d3beef111b85755c20e14

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4m2gb2c0.o00.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d02ff7b5a3a592daf90946a04e5be1e6
SHA1 6535fa21ffade9221ed95804076719e7c752087b
SHA256 f8f04fd070dd4010b537c325a4a7750c5d51170588518ac1682701b9d7a2dfd4
SHA512 6ab0a97de931dca6d7596cfa94e0db56e095ef2f743cc9de64ada8bcfe7e217f3aaf0891e6437ba6995ca91c6c45cc02b28457d45bc44812e0be2890e1efe516

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2649ceefa4f3d470754d711356a6b198
SHA1 1d693f204cc3e3505c232733363597b4fb0a63d4
SHA256 cb8855f20083c5fcf564e7be4c0298c98c2db286d358b2564410cca1c66b879f
SHA512 3f18ff84438e21ea5b55f175c8825c42d328d69afe729dc2bdaf4ee40bc108c74241bf03dd4655575774e911f84835778387140dd1ece57692a65374e3d3ec79

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-27 12:02

Reported

2024-01-27 12:04

Platform

win7-20231215-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 37.235.1.177 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A
Destination IP | 37.235.1.177 | N/A | N/A
Destination IP | 37.235.1.174 | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Host = "C:\\Program Files (x86)\\WPA Host\\wpahost.exe" | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1196 set thread context of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\WPA Host\wpahost.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A
File opened for modification | C:\Program Files (x86)\WPA Host\wpahost.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 3000 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1196 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2884 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe
PID 1196 wrote to memory of 2900 | N/A | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe | C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GoJyWEU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF142.tmp"

C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe

"C:\Users\Admin\AppData\Local\Temp\7a31a2743fd46eaac57e0facfa4cc550.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GoJyWEU.exe"

Network

Country | Destination | Domain | Proto
AT | 37.235.1.174:53 | judge777.ddns.net | udp
AT | 37.235.1.177:53 | judge777.ddns.net | udp
US | 8.8.8.8:53 | judge777.ddns.net | udp
AT | 37.235.1.174:53 | judge777.ddns.net | udp
AT | 37.235.1.177:53 | judge777.ddns.net | udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7NTW3KQ1POW5X0MIY6FJ.temp

MD5 105fe2f5733f6514679a087518afe7db
SHA1 02a095af81cd7d3b3cba23f3847c5c1f8fe58832
SHA256 fcd263f841ba3a4d4656b2fb59785db9bf9382bf52188aea842ed642425da0ab
SHA512 df1dce1c306d747dbfb6fcdc45d2376a683fff90347840ad16ab2623c14971849387ffb3a5b1f4f9902c326d0288c32c3fa3fd94797aaf2b187d5f41708a4ae8

C:\Users\Admin\AppData\Local\Temp\tmpF142.tmp

MD5 61efd0bcf0eed06c8eb1607cd208d7b6
SHA1 38a2bb2b8d8330a788521efac9acd1c3b3cf356a
SHA256 5fe328b118f91490ad7dadb8b015863e46c619a0bc918f03d5b3093e6d6ce3b7
SHA512 3f500156d0edf50e25fbbf344769643fa190f882b25610459cd43222ff4ee1f952cb5792b51cf43951ffa096ce2a2f13f72d717421684c9770c62c5582c2f34f
