Analysis Overview
SHA256
3eac7021a3fd361916c68f6cfd399bd40cf194822bac151a204366b920b240fa
Threat Level: Known bad
The file b579d3f20b566a0dadb01be496fefbb5.exe was found to be: Known bad.
Malicious Activity Summary
Detect Poverty Stealer Payload
Poverty Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Enumerates connected drives
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
GoLang User-Agent
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-15 08:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-15 08:08
Reported
2024-03-15 08:10
Platform
win7-20240220-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1580 created 1132 | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | C:\Windows\Explorer.EXE |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1580 set thread context of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b579d3f20b566a0dadb01be496fefbb5.exe
"C:\Users\Admin\AppData\Local\Temp\b579d3f20b566a0dadb01be496fefbb5.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Broke Broke.bat & Broke.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 9351
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 9351\Thick.pif + Slave + Lens + Imagine + Reasoning + Gloves + Trivia + Published 9351\Thick.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Production + With + Cognitive + Injection + Expenditures + Fog + Reviewer + Vatican + Factor + Assisted + Bind + Idaho 9351\Q
C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif
9351\Thick.pif 9351\Q
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif
C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ynJPNDfdFUcjAmQm.ynJPNDfdFUcjAmQm | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Broke
| MD5 | 27c3f756e3a72033d024ec71fc43f076 |
| SHA1 | 9c57caeed8712ade53fc0459a2e1fed58cb1d0f3 |
| SHA256 | 7886d1739b5fda883880ea492c5392c710dc07850f8dffcdd73164d07414b8df |
| SHA512 | 999e0293c270fcffb4b20811fd77502cab9da1460f5ff10a3a5ab71d066d176cb384a9ca25ac21d4106c4833597f198f5e6990ba91e54d2c900aec4418f35d2b |
C:\Users\Admin\AppData\Local\Temp\9351\Thick.pif
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\Slave
| MD5 | e0336ac22a857113dda2889f8bb3c409 |
| SHA1 | b6d2c689cdcc2b7a45b2cb60d50ddad7b06c6d55 |
| SHA256 | c10a233765bdc12913765ee35dd7ec545e41ebef43c48551d8c448f498908a73 |
| SHA512 | 102bf16b24e1c02c0a1723cfa239822aab85429d31e86edac92211eaf70caf8674ee0ae4d97c499ba67b11eab2b87c0764a60fd7babec4d0fce89b5b93573216 |
C:\Users\Admin\AppData\Local\Temp\Lens
| MD5 | c5fd0522ace7ddbba48aadb97ce387ef |
| SHA1 | 6170dff7fda6fb94be868aa8d9acbfc522220bc7 |
| SHA256 | d639d35f9c58c821aa582c41545c5cfd7ec80deb0d4f0f2573f3837f62381c80 |
| SHA512 | 995381892a6cc38a4dbf47495a76a88451bf9d9c62c6bb2b12812556febd8e32b4eb8f00f343a4cc1cf48d53746990d8ff808f03386c73ec1533f9267e94663b |
C:\Users\Admin\AppData\Local\Temp\Imagine
| MD5 | a53104ea25667d7279abdd0c80d7ad9f |
| SHA1 | 784858f4486c69b799f929c861dc647b39de76b6 |
| SHA256 | 5dcc5955e3abfba16c951139f3544d8a6855e8a558867277c8ef030c9c09575e |
| SHA512 | d91cb360178af8095c60ecd6325ffbf7bfbc56f440ddc8b1e2d3d56f106143330ec4ea8ac77320cd63332bb40a849b3690e919fea0e100d95a589650bbd9c758 |
C:\Users\Admin\AppData\Local\Temp\Reasoning
| MD5 | b16e584b33b095c459ddb58f5a5f0a7f |
| SHA1 | 6ef4f525f17889b5413c67457bfedee1f6e6ee06 |
| SHA256 | 69dfc8caf7ed1b37a4517246e1afba532dba5e32284810240083e1214f64fd44 |
| SHA512 | de8d8c0c9fa3b11848d1d6d7dfa67d991a7f8cc2f4346286bbc756e22c0aa49b38554bea19ede1cef8ce924b71a38be8cb0f8b5eaa5e663f751db0e055c6abf4 |
C:\Users\Admin\AppData\Local\Temp\Gloves
| MD5 | b48cf59f6caca58e37f392e60ad92bed |
| SHA1 | c080347107b8980e213af4640652d052f75cea8c |
| SHA256 | 9ebc1d3631fbaaa65576d7c9fe34b9e164455225ed2f2e3413609c52370b9dff |
| SHA512 | 0a424303d0e723207bd8b31bccca6a4492ee723d6e069a10f75206364587715e35e5fba2a3fdebd4bcb8e43d6bbd4f1584113cc4917781fe42b192a19c145c8e |
C:\Users\Admin\AppData\Local\Temp\Trivia
| MD5 | 7efeb34649e1493ef313a9e0c72aee0a |
| SHA1 | 598efa5f4eb540a463e1e9ec57ffdd962f5448c6 |
| SHA256 | 7871ff9abc7ff3debd7ae4bdea9c236d666273becd24c929886a91ed3cfdbf3b |
| SHA512 | cf1ea0ce4ea840c4d2bf59010049e37913dacd5c9d58f622a5f949ae5eee5b6ad468a14f5784bdd1f1400679891c48c5e0783a00c23046b43d2644e25cdfab0e |
C:\Users\Admin\AppData\Local\Temp\Published
| MD5 | eebbe9e1b98c15530fbf6c43af7f2c0d |
| SHA1 | 5f252ce9b88bf90add7f8afc34069f3b9f69ecb9 |
| SHA256 | 182c7c63737c7943979d2d8170d2a0456810617cf74632dce0261131748b5bad |
| SHA512 | 7ac0d1375201782c4a042db66ad3aa950085fdde1f9995a086d72e2caa7b16c2f3f7f515e58efb0f22139f775af594a92d69998b9497b070d9e7bde0beda5b44 |
C:\Users\Admin\AppData\Local\Temp\Production
| MD5 | aa3e99150f69205bfd78614da336de11 |
| SHA1 | 6d6ab6b46f363c91a5b9f02a055f86331bda277d |
| SHA256 | 1d6d6a85ad3b5589593a6ce0387e6fabeae43df990c28902835f966536e3ea42 |
| SHA512 | ec69f164fcde8d2cda2a9dfdc9e9e325b601d37923eee609cd9f329e4320ebd62fe8d8159f05912750a7c3dbe315ffef550b1fad1345b8224edadf63a29e5ffd |
C:\Users\Admin\AppData\Local\Temp\With
| MD5 | bcaf009e5bc9c6352fb04b9cec015e4f |
| SHA1 | 1be02565593bc43e6ae783d50e3a23966691a927 |
| SHA256 | 9c66a0c2f56b84aff34d1b87274331effb5cfeb87be3b5a75ca6a1c6e28c207e |
| SHA512 | 6bde0bd71344375ac25084da10c04958df35c0015c94d4a2c168fb96a7b53c9289dcf41f58ea2566dc092157e3b401603f34ebe16683392e966daae047f39326 |
C:\Users\Admin\AppData\Local\Temp\Cognitive
| MD5 | 3392c08e28d207e359dc077593b23a9f |
| SHA1 | c30ae8c64011339c06f7a6d12c1358e962d6a7e8 |
| SHA256 | 59131a08ddc6d16fb52eff8c39967b4b79fc76d1d78a74d631b03832909d1f39 |
| SHA512 | deace558965555b6bc9de3a2dbfe3edcbe10242519dae0ff95455abbbb50d80cba782faf9875f0742112ff1da547c9b55150403a141aafc8d7438bb8e1b886fe |
C:\Users\Admin\AppData\Local\Temp\Injection
| MD5 | 8c3d2a19eb8d84c9affcc8fbf5f6a05d |
| SHA1 | d37d3b019166d91d8a92d5c31cf1adc478ef7cfb |
| SHA256 | fe15baa11fc431bacfb2159905398df008bf3f43dfad27087213428052640135 |
| SHA512 | d49abdc241c77e16985ebe78161f9b126c1fb6bd5974c1a5664592fd4d6d004a0a52ccbcd53043e44dd9e9e141d68d53e8577fb5e1289d8e4a342eff05a1ce39 |
C:\Users\Admin\AppData\Local\Temp\Expenditures
| MD5 | 1493b7d4446e697b31e8114a292f149f |
| SHA1 | 54226821033c836f8fd31d65bcd31db08eb9a755 |
| SHA256 | c9282cea4f45972a642d74e417642ad29f4907879ff2ff3dd61cc99f1944c75d |
| SHA512 | a31eeed0fd658322302ad09997bb9f784833cc0a9b7a84fc30f50ad029232b65ef7d108e68af81d672614969b92eac868b771a7dc80e177eeff9a302b7a53baa |
C:\Users\Admin\AppData\Local\Temp\Fog
| MD5 | a3e7c9e4df993b4c7d86ce86dc85769d |
| SHA1 | 9a66306613524c2b926c4bda65f476268a9f6537 |
| SHA256 | 68597722de33c61d9ae225424cde7a05de84a50d1aba19e3b9cb5253b19f9f9a |
| SHA512 | c7b7e3d20eb879d4da6f29ff9837735e000ead32601cbb37d4e705aac663698dd8cbc90e4bab913ca1da8826d56dad7cc663cbe7220c9b561909c8d02d1b4802 |
C:\Users\Admin\AppData\Local\Temp\Reviewer
| MD5 | 6d7acfd7141f20365df49374ae882397 |
| SHA1 | 9161d8e36d246a31160b5f9a372298848a9d050a |
| SHA256 | 0947ddbd41d1374fb261a0fcd7b43e7d2213f124e2f83e1590a48f463307bb41 |
| SHA512 | 65a30168f725ab8787712ca58f3a9cfffba18d0eaf3127f662f90345598da562181abbda5c629f44268798cdbf7787b7c28f1368edc328efeab8dd7e65faf457 |
C:\Users\Admin\AppData\Local\Temp\Vatican
| MD5 | 1634bce137a0cfc4f5ab57159cbe6004 |
| SHA1 | 6f8ed62cbc4c4aa00262cf2a1bd1a9c66adf01a3 |
| SHA256 | ee9a688893abd912cd6559b34029c44de6b954094fae5e43bfbd15c7cdfefcbd |
| SHA512 | ff93f494120d7e6777a248a59f89fb3744e186ef39bb52b337217ed7f143fbb6e9a7ef395595261975ccb6d83a5e2b39270b4e33f6b020aa4fcc4265803cc955 |
C:\Users\Admin\AppData\Local\Temp\Factor
| MD5 | 73682a58e11c7817a9b7714c040706bf |
| SHA1 | a0ad7c38837099f21c15592a8a3ef8bd5df9c2c3 |
| SHA256 | d8f972f0789de58eabe51fa35d0a36150b6a7928c9deda8a8be58c0a406c1a55 |
| SHA512 | 830b30a2309d982f55063e658de278b395ee7ad85d29ee4b740040245d896553f2d1d5c4d19bff1cdaf8c7ebe8cab75c7b1ab511b072c053c6cf7d88dd7834df |
C:\Users\Admin\AppData\Local\Temp\Assisted
| MD5 | 30070892755e82c18e97a8101aeeebe8 |
| SHA1 | f87b3c6c608e682cf70d19127952a18eb3dee3a6 |
| SHA256 | ca3c29995177c45876cb4f5ec9a4b36be010b7c220c3f1e0184f5b4c8428af91 |
| SHA512 | c0a1429b989c19385554d27c499be8b5404f7dc59187cb80a08b61a388b3bec2486ee4cf498a5d3a4e556f7289ddbc3f0584ab7e73c7d2206e89df5680fe0c17 |
C:\Users\Admin\AppData\Local\Temp\Idaho
| MD5 | a899d54a59f583a25d66a4e6ad2cccaf |
| SHA1 | cbfe400c2bc08c8048eadfb90018dcf2dec625f0 |
| SHA256 | 403fb144c3a4b5c42fc52a0342f55ceca3d4146ce4f93050d75cad908cb11df3 |
| SHA512 | ee52cf433b104ba2737e63514f3f41017d5d27ffb7166aed1b417887e25dc54eb8a5a7be2be418cf5e53b6ce18ab85301bd7aff2a0418b53d8ccec4fe0d76dfd |
C:\Users\Admin\AppData\Local\Temp\Bind
| MD5 | d8b42df3623b4213f6456e5afb5e5b68 |
| SHA1 | 979e5dffbb01f547caa628cbd305ec6ee9d9082d |
| SHA256 | bee1837ce4229533f4cef01a10e6cfe20f181247a5624d7fc29bd9d6ff418a8a |
| SHA512 | 1cc5bd1575e51d5931a71663847ad94b210ddc21c81fa2ed896abf47de12015e9c6187078c47348a5eead27b38ca402fbfb4b3847c55a782574420aee3cf1b03 |
\Users\Admin\AppData\Local\Temp\9351\Thick.pif
| MD5 | bfa84dbde0df8f1cad3e179bd46a6e34 |
| SHA1 | 06ae3c38d4b2f8125656268925ebde9eca6a1f9e |
| SHA256 | 6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314 |
| SHA512 | edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a |
C:\Users\Admin\AppData\Local\Temp\9351\Q
| MD5 | a6c1dc61c97a0d8e91154ef816cb73f0 |
| SHA1 | b96acd664261083dad4e8ebcc47c0c3c0f5d341d |
| SHA256 | a086fab2dcb7d4ff2fc105cccb1bedaba248a4c0e9831bd135f26a1e53cec817 |
| SHA512 | 95ac3641d7ea4c980ceec6b35f4adcadb8f0a1d3d07c50340192d1af747f6f01db2ceb31fcb8081943677236030621020ec9fbb5d9951ca84dcc90a265b7301a |
memory/1580-48-0x0000000000510000-0x0000000000511000-memory.dmp
memory/1672-51-0x0000000000470000-0x000000000061C000-memory.dmp
memory/1672-52-0x0000000000470000-0x000000000061C000-memory.dmp
memory/1672-55-0x0000000000470000-0x000000000061C000-memory.dmp
memory/1672-56-0x0000000000470000-0x000000000061C000-memory.dmp
memory/1672-57-0x0000000000470000-0x000000000061C000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-15 08:08
Reported
2024-03-15 08:10
Platform
win10v2004-20231215-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Detect Poverty Stealer Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Poverty Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 540 created 3448 | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b579d3f20b566a0dadb01be496fefbb5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
| N/A | N/A | C:\Windows\SysWoW64\calc.exe | N/A |
| N/A | N/A | C:\Windows\SysWoW64\calc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\App = "C:\\Windows\\SysWoW64\\calc.exe" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 540 set thread context of 3020 | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif |
| PID 3020 set thread context of 1400 | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | C:\Windows\SysWoW64\calc.exe |
| PID 3020 set thread context of 4840 | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | C:\Windows\SysWoW64\calc.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\b579d3f20b566a0dadb01be496fefbb5.exe
"C:\Users\Admin\AppData\Local\Temp\b579d3f20b566a0dadb01be496fefbb5.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Broke Broke.bat & Broke.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 9354
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b 9354\Thick.pif + Slave + Lens + Imagine + Reasoning + Gloves + Trivia + Published 9354\Thick.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Production + With + Cognitive + Injection + Expenditures + Fog + Reviewer + Vatican + Factor + Assisted + Bind + Idaho 9354\Q
C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
9354\Thick.pif 9354\Q
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
C:\Windows\SysWoW64\calc.exe
C:\Windows\SysWoW64\calc.exe
C:\Windows\SysWoW64\calc.exe
C:\Windows\SysWoW64\calc.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle hidden -Command "if (-Not (Test-Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App\")) { Set-ItemProperty -Path \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" -Name \"App\" -Value \"C:\Windows\SysWoW64\calc.exe\" }"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ynJPNDfdFUcjAmQm.ynJPNDfdFUcjAmQm | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hostregister.info | udp |
| US | 104.21.42.126:443 | hostregister.info | tcp |
| US | 8.8.8.8:53 | 126.42.21.104.in-addr.arpa | udp |
| US | 104.21.42.126:443 | hostregister.info | tcp |
| US | 104.21.42.126:443 | hostregister.info | tcp |
| US | 104.21.42.126:443 | hostregister.info | tcp |
| US | 104.21.42.126:443 | hostregister.info | tcp |
| US | 104.21.42.126:443 | hostregister.info | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 146.70.169.164:2227 | tcp | |
| US | 8.8.8.8:53 | 164.169.70.146.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| RU | 195.2.70.38:30001 | 195.2.70.38 | tcp |
| RU | 91.142.74.28:30001 | 91.142.74.28 | tcp |
| US | 8.8.8.8:53 | 38.70.2.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.74.142.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 138.91.171.81:80 | tcp | |
| RU | 195.2.70.38:30001 | 195.2.70.38 | tcp |
| RU | 91.142.74.28:30001 | 91.142.74.28 | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 104.21.42.126:443 | hostregister.info | tcp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| RU | 195.2.70.38:30001 | 195.2.70.38 | tcp |
| RU | 91.142.74.28:30001 | 91.142.74.28 | tcp |
| RU | 195.2.70.38:30001 | 195.2.70.38 | tcp |
| RU | 94.103.90.9:27103 | tcp | |
| US | 8.8.8.8:53 | 9.90.103.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Broke
| MD5 | 27c3f756e3a72033d024ec71fc43f076 |
| SHA1 | 9c57caeed8712ade53fc0459a2e1fed58cb1d0f3 |
| SHA256 | 7886d1739b5fda883880ea492c5392c710dc07850f8dffcdd73164d07414b8df |
| SHA512 | 999e0293c270fcffb4b20811fd77502cab9da1460f5ff10a3a5ab71d066d176cb384a9ca25ac21d4106c4833597f198f5e6990ba91e54d2c900aec4418f35d2b |
C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
| MD5 | ac6ad5d9b99757c3a878f2d275ace198 |
| SHA1 | 439baa1b33514fb81632aaf44d16a9378c5664fc |
| SHA256 | 9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d |
| SHA512 | bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b |
C:\Users\Admin\AppData\Local\Temp\Slave
| MD5 | e0336ac22a857113dda2889f8bb3c409 |
| SHA1 | b6d2c689cdcc2b7a45b2cb60d50ddad7b06c6d55 |
| SHA256 | c10a233765bdc12913765ee35dd7ec545e41ebef43c48551d8c448f498908a73 |
| SHA512 | 102bf16b24e1c02c0a1723cfa239822aab85429d31e86edac92211eaf70caf8674ee0ae4d97c499ba67b11eab2b87c0764a60fd7babec4d0fce89b5b93573216 |
C:\Users\Admin\AppData\Local\Temp\Imagine
| MD5 | a53104ea25667d7279abdd0c80d7ad9f |
| SHA1 | 784858f4486c69b799f929c861dc647b39de76b6 |
| SHA256 | 5dcc5955e3abfba16c951139f3544d8a6855e8a558867277c8ef030c9c09575e |
| SHA512 | d91cb360178af8095c60ecd6325ffbf7bfbc56f440ddc8b1e2d3d56f106143330ec4ea8ac77320cd63332bb40a849b3690e919fea0e100d95a589650bbd9c758 |
C:\Users\Admin\AppData\Local\Temp\Reasoning
| MD5 | b16e584b33b095c459ddb58f5a5f0a7f |
| SHA1 | 6ef4f525f17889b5413c67457bfedee1f6e6ee06 |
| SHA256 | 69dfc8caf7ed1b37a4517246e1afba532dba5e32284810240083e1214f64fd44 |
| SHA512 | de8d8c0c9fa3b11848d1d6d7dfa67d991a7f8cc2f4346286bbc756e22c0aa49b38554bea19ede1cef8ce924b71a38be8cb0f8b5eaa5e663f751db0e055c6abf4 |
C:\Users\Admin\AppData\Local\Temp\Lens
| MD5 | c5fd0522ace7ddbba48aadb97ce387ef |
| SHA1 | 6170dff7fda6fb94be868aa8d9acbfc522220bc7 |
| SHA256 | d639d35f9c58c821aa582c41545c5cfd7ec80deb0d4f0f2573f3837f62381c80 |
| SHA512 | 995381892a6cc38a4dbf47495a76a88451bf9d9c62c6bb2b12812556febd8e32b4eb8f00f343a4cc1cf48d53746990d8ff808f03386c73ec1533f9267e94663b |
C:\Users\Admin\AppData\Local\Temp\Gloves
| MD5 | b48cf59f6caca58e37f392e60ad92bed |
| SHA1 | c080347107b8980e213af4640652d052f75cea8c |
| SHA256 | 9ebc1d3631fbaaa65576d7c9fe34b9e164455225ed2f2e3413609c52370b9dff |
| SHA512 | 0a424303d0e723207bd8b31bccca6a4492ee723d6e069a10f75206364587715e35e5fba2a3fdebd4bcb8e43d6bbd4f1584113cc4917781fe42b192a19c145c8e |
C:\Users\Admin\AppData\Local\Temp\Trivia
| MD5 | 7efeb34649e1493ef313a9e0c72aee0a |
| SHA1 | 598efa5f4eb540a463e1e9ec57ffdd962f5448c6 |
| SHA256 | 7871ff9abc7ff3debd7ae4bdea9c236d666273becd24c929886a91ed3cfdbf3b |
| SHA512 | cf1ea0ce4ea840c4d2bf59010049e37913dacd5c9d58f622a5f949ae5eee5b6ad468a14f5784bdd1f1400679891c48c5e0783a00c23046b43d2644e25cdfab0e |
C:\Users\Admin\AppData\Local\Temp\Published
| MD5 | eebbe9e1b98c15530fbf6c43af7f2c0d |
| SHA1 | 5f252ce9b88bf90add7f8afc34069f3b9f69ecb9 |
| SHA256 | 182c7c63737c7943979d2d8170d2a0456810617cf74632dce0261131748b5bad |
| SHA512 | 7ac0d1375201782c4a042db66ad3aa950085fdde1f9995a086d72e2caa7b16c2f3f7f515e58efb0f22139f775af594a92d69998b9497b070d9e7bde0beda5b44 |
C:\Users\Admin\AppData\Local\Temp\Production
| MD5 | aa3e99150f69205bfd78614da336de11 |
| SHA1 | 6d6ab6b46f363c91a5b9f02a055f86331bda277d |
| SHA256 | 1d6d6a85ad3b5589593a6ce0387e6fabeae43df990c28902835f966536e3ea42 |
| SHA512 | ec69f164fcde8d2cda2a9dfdc9e9e325b601d37923eee609cd9f329e4320ebd62fe8d8159f05912750a7c3dbe315ffef550b1fad1345b8224edadf63a29e5ffd |
C:\Users\Admin\AppData\Local\Temp\With
| MD5 | bcaf009e5bc9c6352fb04b9cec015e4f |
| SHA1 | 1be02565593bc43e6ae783d50e3a23966691a927 |
| SHA256 | 9c66a0c2f56b84aff34d1b87274331effb5cfeb87be3b5a75ca6a1c6e28c207e |
| SHA512 | 6bde0bd71344375ac25084da10c04958df35c0015c94d4a2c168fb96a7b53c9289dcf41f58ea2566dc092157e3b401603f34ebe16683392e966daae047f39326 |
C:\Users\Admin\AppData\Local\Temp\Reviewer
| MD5 | 6d7acfd7141f20365df49374ae882397 |
| SHA1 | 9161d8e36d246a31160b5f9a372298848a9d050a |
| SHA256 | 0947ddbd41d1374fb261a0fcd7b43e7d2213f124e2f83e1590a48f463307bb41 |
| SHA512 | 65a30168f725ab8787712ca58f3a9cfffba18d0eaf3127f662f90345598da562181abbda5c629f44268798cdbf7787b7c28f1368edc328efeab8dd7e65faf457 |
C:\Users\Admin\AppData\Local\Temp\Fog
| MD5 | a3e7c9e4df993b4c7d86ce86dc85769d |
| SHA1 | 9a66306613524c2b926c4bda65f476268a9f6537 |
| SHA256 | 68597722de33c61d9ae225424cde7a05de84a50d1aba19e3b9cb5253b19f9f9a |
| SHA512 | c7b7e3d20eb879d4da6f29ff9837735e000ead32601cbb37d4e705aac663698dd8cbc90e4bab913ca1da8826d56dad7cc663cbe7220c9b561909c8d02d1b4802 |
C:\Users\Admin\AppData\Local\Temp\Expenditures
| MD5 | 1493b7d4446e697b31e8114a292f149f |
| SHA1 | 54226821033c836f8fd31d65bcd31db08eb9a755 |
| SHA256 | c9282cea4f45972a642d74e417642ad29f4907879ff2ff3dd61cc99f1944c75d |
| SHA512 | a31eeed0fd658322302ad09997bb9f784833cc0a9b7a84fc30f50ad029232b65ef7d108e68af81d672614969b92eac868b771a7dc80e177eeff9a302b7a53baa |
C:\Users\Admin\AppData\Local\Temp\Injection
| MD5 | 8c3d2a19eb8d84c9affcc8fbf5f6a05d |
| SHA1 | d37d3b019166d91d8a92d5c31cf1adc478ef7cfb |
| SHA256 | fe15baa11fc431bacfb2159905398df008bf3f43dfad27087213428052640135 |
| SHA512 | d49abdc241c77e16985ebe78161f9b126c1fb6bd5974c1a5664592fd4d6d004a0a52ccbcd53043e44dd9e9e141d68d53e8577fb5e1289d8e4a342eff05a1ce39 |
C:\Users\Admin\AppData\Local\Temp\Cognitive
| MD5 | 3392c08e28d207e359dc077593b23a9f |
| SHA1 | c30ae8c64011339c06f7a6d12c1358e962d6a7e8 |
| SHA256 | 59131a08ddc6d16fb52eff8c39967b4b79fc76d1d78a74d631b03832909d1f39 |
| SHA512 | deace558965555b6bc9de3a2dbfe3edcbe10242519dae0ff95455abbbb50d80cba782faf9875f0742112ff1da547c9b55150403a141aafc8d7438bb8e1b886fe |
C:\Users\Admin\AppData\Local\Temp\Vatican
| MD5 | 1634bce137a0cfc4f5ab57159cbe6004 |
| SHA1 | 6f8ed62cbc4c4aa00262cf2a1bd1a9c66adf01a3 |
| SHA256 | ee9a688893abd912cd6559b34029c44de6b954094fae5e43bfbd15c7cdfefcbd |
| SHA512 | ff93f494120d7e6777a248a59f89fb3744e186ef39bb52b337217ed7f143fbb6e9a7ef395595261975ccb6d83a5e2b39270b4e33f6b020aa4fcc4265803cc955 |
C:\Users\Admin\AppData\Local\Temp\Factor
| MD5 | 73682a58e11c7817a9b7714c040706bf |
| SHA1 | a0ad7c38837099f21c15592a8a3ef8bd5df9c2c3 |
| SHA256 | d8f972f0789de58eabe51fa35d0a36150b6a7928c9deda8a8be58c0a406c1a55 |
| SHA512 | 830b30a2309d982f55063e658de278b395ee7ad85d29ee4b740040245d896553f2d1d5c4d19bff1cdaf8c7ebe8cab75c7b1ab511b072c053c6cf7d88dd7834df |
C:\Users\Admin\AppData\Local\Temp\Assisted
| MD5 | 30070892755e82c18e97a8101aeeebe8 |
| SHA1 | f87b3c6c608e682cf70d19127952a18eb3dee3a6 |
| SHA256 | ca3c29995177c45876cb4f5ec9a4b36be010b7c220c3f1e0184f5b4c8428af91 |
| SHA512 | c0a1429b989c19385554d27c499be8b5404f7dc59187cb80a08b61a388b3bec2486ee4cf498a5d3a4e556f7289ddbc3f0584ab7e73c7d2206e89df5680fe0c17 |
C:\Users\Admin\AppData\Local\Temp\Idaho
| MD5 | a899d54a59f583a25d66a4e6ad2cccaf |
| SHA1 | cbfe400c2bc08c8048eadfb90018dcf2dec625f0 |
| SHA256 | 403fb144c3a4b5c42fc52a0342f55ceca3d4146ce4f93050d75cad908cb11df3 |
| SHA512 | ee52cf433b104ba2737e63514f3f41017d5d27ffb7166aed1b417887e25dc54eb8a5a7be2be418cf5e53b6ce18ab85301bd7aff2a0418b53d8ccec4fe0d76dfd |
C:\Users\Admin\AppData\Local\Temp\Bind
| MD5 | d8b42df3623b4213f6456e5afb5e5b68 |
| SHA1 | 979e5dffbb01f547caa628cbd305ec6ee9d9082d |
| SHA256 | bee1837ce4229533f4cef01a10e6cfe20f181247a5624d7fc29bd9d6ff418a8a |
| SHA512 | 1cc5bd1575e51d5931a71663847ad94b210ddc21c81fa2ed896abf47de12015e9c6187078c47348a5eead27b38ca402fbfb4b3847c55a782574420aee3cf1b03 |
C:\Users\Admin\AppData\Local\Temp\9354\Thick.pif
| MD5 | bfa84dbde0df8f1cad3e179bd46a6e34 |
| SHA1 | 06ae3c38d4b2f8125656268925ebde9eca6a1f9e |
| SHA256 | 6de412b8674ffba5d78ff9d36abffbe2cf86fd08b2231592fca2fcf41f1f2314 |
| SHA512 | edd4c839437570003e1cc4a04e6cb7bf8c70c0ebdae741e69782e9bdf47c42441cd8d709170898859b94b3248cccf0e9dfa5e183c110b93ded935ce69a0ff82a |
C:\Users\Admin\AppData\Local\Temp\9354\Q
| MD5 | a6c1dc61c97a0d8e91154ef816cb73f0 |
| SHA1 | b96acd664261083dad4e8ebcc47c0c3c0f5d341d |
| SHA256 | a086fab2dcb7d4ff2fc105cccb1bedaba248a4c0e9831bd135f26a1e53cec817 |
| SHA512 | 95ac3641d7ea4c980ceec6b35f4adcadb8f0a1d3d07c50340192d1af747f6f01db2ceb31fcb8081943677236030621020ec9fbb5d9951ca84dcc90a265b7301a |
memory/540-47-0x0000013780FA0000-0x0000013780FA1000-memory.dmp
memory/3020-49-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-50-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-52-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-53-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-54-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-58-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-57-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-59-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-55-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-56-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-60-0x000001D4B3150000-0x000001D4B32FC000-memory.dmp
memory/3020-63-0x000001D4B35A0000-0x000001D4B35A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\THCAF1C.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1400-65-0x00000000011D0000-0x00000000011D1000-memory.dmp
memory/2164-68-0x0000000003260000-0x0000000003296000-memory.dmp
memory/2164-69-0x0000000074070000-0x0000000074820000-memory.dmp
memory/1400-70-0x0000000000CF0000-0x0000000000CFA000-memory.dmp
memory/2164-71-0x0000000005400000-0x0000000005410000-memory.dmp
memory/2164-72-0x0000000005400000-0x0000000005410000-memory.dmp
memory/2164-73-0x0000000005A40000-0x0000000006068000-memory.dmp
memory/2164-74-0x0000000005990000-0x00000000059B2000-memory.dmp
memory/2164-75-0x0000000006160000-0x00000000061C6000-memory.dmp
memory/2164-76-0x00000000061D0000-0x0000000006236000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rr4cld3.rdr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2164-86-0x0000000006380000-0x00000000066D4000-memory.dmp
memory/2164-87-0x0000000006850000-0x000000000686E000-memory.dmp
memory/2164-88-0x0000000006890000-0x00000000068DC000-memory.dmp
memory/2164-89-0x0000000007A20000-0x0000000007AB6000-memory.dmp
memory/2164-90-0x0000000006D20000-0x0000000006D3A000-memory.dmp
memory/2164-91-0x0000000006D70000-0x0000000006D92000-memory.dmp
memory/2164-92-0x0000000008070000-0x0000000008614000-memory.dmp
memory/2164-95-0x0000000074070000-0x0000000074820000-memory.dmp
memory/4840-96-0x0000000000EF0000-0x000000000170C000-memory.dmp
memory/4840-99-0x0000000000EF0000-0x000000000170C000-memory.dmp
memory/4840-103-0x0000000000EF0000-0x000000000170C000-memory.dmp
memory/4840-104-0x0000000000EF0000-0x000000000170C000-memory.dmp
memory/4840-107-0x0000000000EF0000-0x000000000170C000-memory.dmp