Malware Analysis Report

2025-01-02 02:15

Sample ID 240129-hvgtvscea6
Target 7f3288ccbcf8a013ab271528d5592fd2
SHA256 52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46
Tags xtremerat persistence rat spyware upx
Score 10/10

Analysis Overview

Score 10/10

SHA256

52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46

Threat Level: Known bad

The file 7f3288ccbcf8a013ab271528d5592fd2 was found to be: Known bad.

Malicious Activity Summary

xtremerat persistence rat spyware upx

Detect XtremeRAT payload

XtremeRAT

Modifies Installed Components in the registry

UPX packed file

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Analysis: static1

Detonation Overview

Reported

2024-01-29 07:03

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-29 07:03

Reported

2024-01-29 07:05

Platform

win7-20231215-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"

Signatures

Detect XtremeRAT payload


XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2444 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe 9
PID 2744 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe 8
PID 2784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Windows\SysWOW64\svchost.exe 5
PID 2784 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Windows\SysWOW64\svchost.exe 5

Processes

C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe

"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"

C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe

"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"

C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 www.webserver.com udp 1
US 199.191.50.166:80 www.webserver.com tcp 1
US 8.8.8.8:53 exploreinquiry.com udp 1
US 208.91.196.46:443 exploreinquiry.com tcp 1
US 8.8.8.8:53 www.afternic.com udp 1
GB 23.48.165.149:80 www.afternic.com tcp 1
GB 23.48.165.149:443 www.afternic.com tcp 45
N/A 127.0.0.1:888 N/A tcp 30

Files

C:\Windows\SysWOW64\InstallDir\Server.exe

MD5 6bd1be293735a234ab9c691598353422
SHA1 9824ef8f18a6a2c35aad8f598cdb4aaf887a54a4
SHA256 42f6aeea5f4771233f06d1d3f05fd51ea5221c494b1828dd2fa3e53ba635ae00
SHA512 5395587c3597db73424a667e0c5d8580c422f3feb1c7eb9b7987c28d8354621668bfdd57786f980ace21e2b1cc7274000a35521cd56e01c3169225db87ca761a

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-29 07:03

Reported

2024-01-29 07:05

Platform

win10v2004-20231215-en

Max time kernel

148s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"

Signatures

Detect XtremeRAT payload


XtremeRAT

persistence spyware rat xtremerat

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Windows\\system32\\InstallDir\\Server.exe restart" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2} C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\InstallDir\\Server.exe" C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A
File created C:\Windows\SysWOW64\InstallDir\Server.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2228 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe 8
PID 1148 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe 8
PID 1204 wrote to memory of 5632 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Windows\SysWOW64\svchost.exe 4
PID 1204 wrote to memory of 6056 N/A C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe C:\Windows\SysWOW64\svchost.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe

"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"

C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe

"C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe"

C:\Users\Admin\AppData\Local\Temp\7f3288ccbcf8a013ab271528d5592fd2.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.webserver.com udp
US 199.191.50.166:80 www.webserver.com tcp
US 8.8.8.8:53 exploreinquiry.com udp
US 208.91.196.46:443 exploreinquiry.com tcp
US 8.8.8.8:53 166.50.191.199.in-addr.arpa udp
US 8.8.8.8:53 46.196.91.208.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 201.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 www.afternic.com udp
GB 23.48.165.138:80 www.afternic.com tcp
GB 23.48.165.138:443 www.afternic.com tcp
US 8.8.8.8:53 138.165.48.23.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\InstallDir\Server.exe

MD5 7f3288ccbcf8a013ab271528d5592fd2
SHA1 ae67dc40bfa75756af5d6b63168bdba9f9fc3d63
SHA256 52b4760df29374cf59babed736100e689a10ecf9a8ab651d28010f6489fb4e46
SHA512 7a31e4d5ad204ef70803ad6e9aa2ab80eb2d4bcf04f11a24033c171b9820742edc8fa79b2e4dacc4f5103369067baa303b77722613509319c2e35e54da57731a

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Gy7rQ.xtr

MD5 ee68d9b3b9f4332079680c4544405475
SHA1 e4f1e83b54b09333daca10659d86fbc8a265ac1a
SHA256 f64ea01ec8f45635701f8c42a225462eca8b3188f66bd55c9150b44254e7a32e
SHA512 a0c6488c80703d71f05c0a5498fe5d347468722d6be0619f3d8d424172219c88ed057b2f27793126e5c2275696d5bd2019bce1630bcf96d0a26f91e7f41a5787