Analysis Overview
| SHA256 | a8c2d6bf4c101746a89855247e2472a8d4871b4bd75726d41948e802ebaf3e43 |
| Threat Level | Known bad |
The file d6fc4895775aafffbd52cb8e9e731824.exe was found to be: Known bad.
Malicious Activity Summary
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys family
Executes dropped EXE
Checks computer location settings
Deletes itself
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Enumerates physical storage devices
Program crash
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
| Reported | 2024-02-09 18:55 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-02-09 18:55 |
| Reported | 2024-02-09 18:57 |
| Platform | win7-20231215-en |
| Max time kernel | 122s |
| Max time network | 122s |
Command Line
Signatures
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1708 created 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | C:\Windows\Explorer.EXE |
| PID 2068 created 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | C:\Windows\Explorer.EXE |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2648 set thread context of 1708 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif |
| PID 2648 set thread context of 2068 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe | "C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 25883 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 25883\Structure.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Bowling + Micro + Britney 25883\J |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | 25883\Structure.pif 25883\J |
| C:\Windows\SysWOW64\PING.EXE | ping -n 15 localhost |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xixUQZpETzAqMgfiwcxAuhVlZeIZY.xixUQZpETzAqMgfiwcxAuhVlZeIZY | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Delays
| MD5 | 60a0a998ac721ce59926c350c1cfa346 |
| SHA1 | 9b69aef9a6d12e0e7f4efab8f7a65329c0d958f2 |
| SHA256 | 0129d157049640ba4a556776946a767b859bcf0503ccaf17c5f8b373fbfbcd38 |
| SHA512 | 86e705176ab1060c29930bdb516dd4bb3d0ae32c7fbf49f5ada56478be067cae7c5be0bbf1abb44c042f9dfa531123d85c45d7ed92e6509562dbf023bce04e30 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Networks
| MD5 | e0ee57b3d753dba0d3a58379968e19c9 |
| SHA1 | 7cb2bd6f3bab50a9836a620610d8e47459445ab0 |
| SHA256 | 4175135f12188ab2c643aeeca361bcd506730de21255b8eabf6cb8f1d4c2ecf5 |
| SHA512 | 3cd236c51634159250317f3a8705a836cb72203184c3ca5313d18c8e15bff9d25dd50e7c6ac7af66c9d107046e0ec09579d630b510a1c22b94d6cfbc02034059 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aberdeen
| MD5 | cadf612984ebd5ecd45906b805ffe46c |
| SHA1 | 1b53b6b2a843e6d05678356664be82b0317a3c1a |
| SHA256 | 696dabffb01c537d4f35dcf5b44cd0b3250a96bf55b5e47f70351cb87d290909 |
| SHA512 | d412fb5f4469463a7e2394b9dc829241ae500ead96178c8da813f8bad6687f46f4ab9378512c55a9fb0025389abb47cdba4546a77b5f601d6f9cb3cac48db51e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aggressive
| MD5 | 029325f8240d37784f57441b3176163c |
| SHA1 | bd61a35e87d9e579e3f14f1912437ac91568e969 |
| SHA256 | 32acea596c43d3a11f1dddd1b50eafa491bb97f4724d7cf193bbf584196889eb |
| SHA512 | 333aca81513e6dd0d49a824c889a945121f4f8343e6c53f47d589be0624c46ba5495fbac37560bec489583638ce03eac0cdab0d2a8273a6e70bedb8799cad85b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maps
| MD5 | 43819522acece762a7389a5683136c4d |
| SHA1 | b3ff7cf638094690347653f613d5cac9913fbd68 |
| SHA256 | eb08e78f8bb92c71c0fe7b03bd6b9498e2fb7118635f7199b762301653c68c2b |
| SHA512 | 03dda574da87595b7593387d3e575d9c2ef5256d2e9dd4fb163ac9d993a2c7ad747445fd51c4a8b4627bd09c251aecd6fd3b1401a79cf4468f2f8a9f99ac58f4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Temporary
| MD5 | 90114130f88ac2fb224c689998e124ce |
| SHA1 | df94c44b1ceae98749237fae6ac07092fc4c6099 |
| SHA256 | 87b55a91dd04d2377e0eddf641fa5d2325bce6a9025dd3cfddb3cb5ca1192cff |
| SHA512 | 38fd4b234a0358f1fe4a77b0f4c3204768759edd9a626676364081fc90d18cd0bf3dab181e8c928526b38e7f7e959a4f3cb34022a66c74226bf23d6d430d0b44 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bowling
| MD5 | 51269b2f02dba8f71d9fa5a2a7119642 |
| SHA1 | 6502d3e85e61fd6cb03f68525bd92682e0de6198 |
| SHA256 | 526e1f710c86eb4d1f3b05bb5bc981d7fb7fd5daed752992f1f543daadffb89f |
| SHA512 | 2e0ff51926256595c95b636e6a8314cac1763be5cdb0f51a54dc59d7b67b20275d425eec61fe483e65f73f3b58424fd6fc85b9fed4288fc2c5d57b4f49f7fd53 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Micro
| MD5 | 16c7e782af3a480cf58b2f67f47a637c |
| SHA1 | f23178c12ada8993410e8f1a59a1e271879d5977 |
| SHA256 | ce65a1dea48934a61b3e98697659857e466e859d22ed244cbf45e9feded8c8b4 |
| SHA512 | 6d61e15ada0b82668ada59e95d0d2b5f4bf21fa8beed38b66abea401a642f7c974710f30db0cd537d1397e7b0e060e2225e16f1269632578dd0301e0ab30b71b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Britney
| MD5 | afdc4a4520d5dc1c3dd70fda304c9aa9 |
| SHA1 | 914ee920b6e037a42e3b522d89909ae1d899197a |
| SHA256 | c16921f44342ff963f0a6f93e3816c2d9fab7e0382a87a755012fc56422423a7 |
| SHA512 | efc9cb520ad2997ca35c5d521839f9723a665fb162dc3c832ea7d7da3cbe855c1ef75904f5cfe9a608d3e97d268ecfd78730fc39dd01318a5234aa960e91381d |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\Structure.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25883\J
| MD5 | 9e026102dd03937a6464c85c69a2383f |
| SHA1 | 520325a083a63ee251284fa447acb52f8004ce53 |
| SHA256 | 9df3a12e7cc135b26f76b2e967df78b81fd5f505d356e9fc079bf04026931759 |
| SHA512 | 26b989788ff0c2f2d626b59451a7fd6e3a2c11ea898b1066de5fb2f9fa59f87760bd10ba7db4377455ef9cd2368954d272a58a6a10e6b4fb7ca6eb6625f2fe77 |
memory/2648-33-0x0000000077AB0000-0x0000000077B86000-memory.dmp
memory/2648-37-0x0000000000B00000-0x0000000000B01000-memory.dmp
memory/1708-39-0x0000000000080000-0x0000000000108000-memory.dmp
memory/1708-40-0x0000000000080000-0x0000000000108000-memory.dmp
memory/1708-43-0x0000000000080000-0x0000000000108000-memory.dmp
memory/1708-44-0x0000000000080000-0x0000000000108000-memory.dmp
memory/1708-46-0x00000000036F0000-0x0000000003AF0000-memory.dmp
memory/1708-45-0x00000000036F0000-0x0000000003AF0000-memory.dmp
memory/1708-47-0x00000000036F0000-0x0000000003AF0000-memory.dmp
memory/1708-48-0x00000000778C0000-0x0000000077A69000-memory.dmp
memory/1708-49-0x00000000036F0000-0x0000000003AF0000-memory.dmp
memory/1708-51-0x0000000076A60000-0x0000000076AA7000-memory.dmp
memory/2808-52-0x0000000000080000-0x0000000000089000-memory.dmp
memory/1708-54-0x00000000036F0000-0x0000000003AF0000-memory.dmp
memory/2808-56-0x0000000000830000-0x0000000000C30000-memory.dmp
memory/2808-55-0x0000000000830000-0x0000000000C30000-memory.dmp
memory/2808-57-0x00000000778C0000-0x0000000077A69000-memory.dmp
memory/2808-59-0x0000000000830000-0x0000000000C30000-memory.dmp
memory/2808-60-0x0000000076A60000-0x0000000076AA7000-memory.dmp
memory/2808-61-0x00000000778C0000-0x0000000077A69000-memory.dmp
memory/2808-62-0x0000000000830000-0x0000000000C30000-memory.dmp
memory/2068-65-0x0000000000510000-0x0000000000598000-memory.dmp
memory/2068-68-0x0000000000510000-0x0000000000598000-memory.dmp
memory/2068-69-0x0000000000510000-0x0000000000598000-memory.dmp
memory/2068-71-0x00000000031C0000-0x00000000035C0000-memory.dmp
memory/2068-72-0x00000000031C0000-0x00000000035C0000-memory.dmp
memory/2068-73-0x00000000778C0000-0x0000000077A69000-memory.dmp
memory/2068-75-0x00000000031C0000-0x00000000035C0000-memory.dmp
memory/2068-76-0x0000000076A60000-0x0000000076AA7000-memory.dmp
memory/2068-79-0x00000000031C0000-0x00000000035C0000-memory.dmp
memory/1828-81-0x0000000002010000-0x0000000002410000-memory.dmp
memory/1828-80-0x0000000002010000-0x0000000002410000-memory.dmp
memory/1828-82-0x00000000778C0000-0x0000000077A69000-memory.dmp
memory/1828-85-0x0000000002010000-0x0000000002410000-memory.dmp
memory/1828-84-0x0000000076A60000-0x0000000076AA7000-memory.dmp
memory/1828-86-0x00000000778C0000-0x0000000077A69000-memory.dmp
memory/1828-87-0x0000000002010000-0x0000000002410000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-02-09 18:55 |
| Reported | 2024-02-09 18:57 |
| Platform | win10v2004-20231215-en |
| Max time kernel | 146s |
| Max time network | 155s |
Command Line
Signatures
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4548 created 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | C:\Windows\system32\sihost.exe |
| PID 2320 created 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | C:\Windows\system32\sihost.exe |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 972 set thread context of 4548 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif |
| PID 972 set thread context of 2320 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\dialer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe | "C:\Users\Admin\AppData\Local\Temp\d6fc4895775aafffbd52cb8e9e731824.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k move Delays Delays.bat & Delays.bat & exit |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 25912 |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Networks + Aberdeen + Temporary + Maps + Aggressive 25912\Structure.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Bowling + Micro + Britney 25912\J |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | 25912\Structure.pif 25912\J |
| C:\Windows\SysWOW64\PING.EXE | ping -n 15 localhost |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "SwiftSync" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc onlogon /F /RL HIGHEST |
| C:\Windows\SysWOW64\cmd.exe | cmd /c schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks.exe /create /tn "Guess" /tr "wscript 'C:\Users\Admin\AppData\Local\Digital Harmony Technologies\SwiftSync.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4548 -ip 4548 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 436 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4548 -ip 4548 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 432 |
| C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2320 -ip 2320 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 436 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2320 -ip 2320 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2320 -s 432 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xixUQZpETzAqMgfiwcxAuhVlZeIZY.xixUQZpETzAqMgfiwcxAuhVlZeIZY | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Delays
| MD5 | 60a0a998ac721ce59926c350c1cfa346 |
| SHA1 | 9b69aef9a6d12e0e7f4efab8f7a65329c0d958f2 |
| SHA256 | 0129d157049640ba4a556776946a767b859bcf0503ccaf17c5f8b373fbfbcd38 |
| SHA512 | 86e705176ab1060c29930bdb516dd4bb3d0ae32c7fbf49f5ada56478be067cae7c5be0bbf1abb44c042f9dfa531123d85c45d7ed92e6509562dbf023bce04e30 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Networks
| MD5 | e0ee57b3d753dba0d3a58379968e19c9 |
| SHA1 | 7cb2bd6f3bab50a9836a620610d8e47459445ab0 |
| SHA256 | 4175135f12188ab2c643aeeca361bcd506730de21255b8eabf6cb8f1d4c2ecf5 |
| SHA512 | 3cd236c51634159250317f3a8705a836cb72203184c3ca5313d18c8e15bff9d25dd50e7c6ac7af66c9d107046e0ec09579d630b510a1c22b94d6cfbc02034059 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aberdeen
| MD5 | cadf612984ebd5ecd45906b805ffe46c |
| SHA1 | 1b53b6b2a843e6d05678356664be82b0317a3c1a |
| SHA256 | 696dabffb01c537d4f35dcf5b44cd0b3250a96bf55b5e47f70351cb87d290909 |
| SHA512 | d412fb5f4469463a7e2394b9dc829241ae500ead96178c8da813f8bad6687f46f4ab9378512c55a9fb0025389abb47cdba4546a77b5f601d6f9cb3cac48db51e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Temporary
| MD5 | 90114130f88ac2fb224c689998e124ce |
| SHA1 | df94c44b1ceae98749237fae6ac07092fc4c6099 |
| SHA256 | 87b55a91dd04d2377e0eddf641fa5d2325bce6a9025dd3cfddb3cb5ca1192cff |
| SHA512 | 38fd4b234a0358f1fe4a77b0f4c3204768759edd9a626676364081fc90d18cd0bf3dab181e8c928526b38e7f7e959a4f3cb34022a66c74226bf23d6d430d0b44 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Maps
| MD5 | 43819522acece762a7389a5683136c4d |
| SHA1 | b3ff7cf638094690347653f613d5cac9913fbd68 |
| SHA256 | eb08e78f8bb92c71c0fe7b03bd6b9498e2fb7118635f7199b762301653c68c2b |
| SHA512 | 03dda574da87595b7593387d3e575d9c2ef5256d2e9dd4fb163ac9d993a2c7ad747445fd51c4a8b4627bd09c251aecd6fd3b1401a79cf4468f2f8a9f99ac58f4 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Aggressive
| MD5 | 029325f8240d37784f57441b3176163c |
| SHA1 | bd61a35e87d9e579e3f14f1912437ac91568e969 |
| SHA256 | 32acea596c43d3a11f1dddd1b50eafa491bb97f4724d7cf193bbf584196889eb |
| SHA512 | 333aca81513e6dd0d49a824c889a945121f4f8343e6c53f47d589be0624c46ba5495fbac37560bec489583638ce03eac0cdab0d2a8273a6e70bedb8799cad85b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bowling
| MD5 | 51269b2f02dba8f71d9fa5a2a7119642 |
| SHA1 | 6502d3e85e61fd6cb03f68525bd92682e0de6198 |
| SHA256 | 526e1f710c86eb4d1f3b05bb5bc981d7fb7fd5daed752992f1f543daadffb89f |
| SHA512 | 2e0ff51926256595c95b636e6a8314cac1763be5cdb0f51a54dc59d7b67b20275d425eec61fe483e65f73f3b58424fd6fc85b9fed4288fc2c5d57b4f49f7fd53 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Britney
| MD5 | afdc4a4520d5dc1c3dd70fda304c9aa9 |
| SHA1 | 914ee920b6e037a42e3b522d89909ae1d899197a |
| SHA256 | c16921f44342ff963f0a6f93e3816c2d9fab7e0382a87a755012fc56422423a7 |
| SHA512 | efc9cb520ad2997ca35c5d521839f9723a665fb162dc3c832ea7d7da3cbe855c1ef75904f5cfe9a608d3e97d268ecfd78730fc39dd01318a5234aa960e91381d |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Micro
| MD5 | 16c7e782af3a480cf58b2f67f47a637c |
| SHA1 | f23178c12ada8993410e8f1a59a1e271879d5977 |
| SHA256 | ce65a1dea48934a61b3e98697659857e466e859d22ed244cbf45e9feded8c8b4 |
| SHA512 | 6d61e15ada0b82668ada59e95d0d2b5f4bf21fa8beed38b66abea401a642f7c974710f30db0cd537d1397e7b0e060e2225e16f1269632578dd0301e0ab30b71b |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\Structure.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\25912\J
| MD5 | 9e026102dd03937a6464c85c69a2383f |
| SHA1 | 520325a083a63ee251284fa447acb52f8004ce53 |
| SHA256 | 9df3a12e7cc135b26f76b2e967df78b81fd5f505d356e9fc079bf04026931759 |
| SHA512 | 26b989788ff0c2f2d626b59451a7fd6e3a2c11ea898b1066de5fb2f9fa59f87760bd10ba7db4377455ef9cd2368954d272a58a6a10e6b4fb7ca6eb6625f2fe77 |
memory/972-32-0x00000000770A1000-0x00000000771C1000-memory.dmp
memory/972-37-0x0000000003E00000-0x0000000003E01000-memory.dmp
memory/4548-38-0x0000000001440000-0x00000000014C8000-memory.dmp
memory/4548-39-0x0000000001440000-0x00000000014C8000-memory.dmp
memory/4548-42-0x0000000001440000-0x00000000014C8000-memory.dmp
memory/4548-43-0x0000000001440000-0x00000000014C8000-memory.dmp
memory/4548-44-0x00000000042A0000-0x00000000046A0000-memory.dmp
memory/4548-45-0x00000000042A0000-0x00000000046A0000-memory.dmp
memory/4548-46-0x00000000042A0000-0x00000000046A0000-memory.dmp
memory/4548-47-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp
memory/4548-48-0x00000000042A0000-0x00000000046A0000-memory.dmp
memory/4548-50-0x0000000076940000-0x0000000076B55000-memory.dmp
memory/2716-51-0x0000000000C90000-0x0000000000C99000-memory.dmp
memory/2716-53-0x00000000028B0000-0x0000000002CB0000-memory.dmp
memory/2716-54-0x00000000028B0000-0x0000000002CB0000-memory.dmp
memory/2716-57-0x00000000028B0000-0x0000000002CB0000-memory.dmp
memory/2716-58-0x0000000076940000-0x0000000076B55000-memory.dmp
memory/2716-55-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp
memory/4548-59-0x00000000042A0000-0x00000000046A0000-memory.dmp
memory/2716-60-0x00000000028B0000-0x0000000002CB0000-memory.dmp
memory/2320-62-0x0000000001650000-0x00000000016D8000-memory.dmp
memory/2320-65-0x0000000001650000-0x00000000016D8000-memory.dmp
memory/2320-66-0x0000000001650000-0x00000000016D8000-memory.dmp
memory/2320-68-0x00000000044F0000-0x00000000048F0000-memory.dmp
memory/2320-69-0x00000000044F0000-0x00000000048F0000-memory.dmp
memory/2320-71-0x00000000044F0000-0x00000000048F0000-memory.dmp
memory/2320-70-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp
memory/2320-73-0x0000000076940000-0x0000000076B55000-memory.dmp
memory/4980-77-0x0000000002D60000-0x0000000003160000-memory.dmp
memory/4980-76-0x0000000002D60000-0x0000000003160000-memory.dmp
memory/4980-78-0x00007FFC64D10000-0x00007FFC64F05000-memory.dmp
memory/4980-80-0x0000000002D60000-0x0000000003160000-memory.dmp
memory/4980-81-0x0000000076940000-0x0000000076B55000-memory.dmp
memory/2320-82-0x00000000044F0000-0x00000000048F0000-memory.dmp
memory/4980-83-0x0000000002D60000-0x0000000003160000-memory.dmp