Analysis Overview
SHA256
9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88
Threat Level: Known bad
The file 9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe was found to be: Known bad.
Malicious Activity Summary
Detect BunnyLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
BunnyLoader
Checks computer location settings
Loads dropped DLL
Drops startup file
Executes dropped EXE
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-12 15:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-12 15:32
Reported
2024-04-12 15:35
Platform
win7-20231129-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
BunnyLoader
Detect BunnyLoader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2692 created 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | C:\Windows\Explorer.EXE |
| PID 2692 created 1368 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | C:\Windows\Explorer.EXE |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
"C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Azerbaijan Azerbaijan.bat & Azerbaijan.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 1109
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Ap + Friend + County + Laws + Plant 1109\Memo.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Bring 1109\g
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif
1109\Memo.pif 1109\g
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & echo URL="C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | nmEzzlyrGgODBPtUEHNyuabD.nmEzzlyrGgODBPtUEHNyuabD | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 172.67.74.152:80 | api.ipify.org | tcp |
| PL | 185.241.208.73:80 | tcp | |
| PL | 185.241.208.73:80 | tcp | |
| PL | 185.241.208.73:80 | tcp | |
| PL | 185.241.208.73:80 | tcp | |
| PL | 185.241.208.73:80 | tcp | |
| PL | 185.241.208.73:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Azerbaijan
| MD5 | 44c71397920468dddf7bb1dc8933259f |
| SHA1 | fdf205c1c85f3b59dc4cf66523172fa3f37efce8 |
| SHA256 | 75978ba45715cad18f1dc9acc0eec4a1e6194cda6cfcb44daaeb851be665f52e |
| SHA512 | bf8b7e54ae65e4691a7981d6af792797be90bd55554f3f3d9316d0993e421a426046ced50cc91eac0bedaadbc315326201da640190192c1d6ff2d50a3c32369a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ap
| MD5 | a745de26cccd7229f9b3083e0e657c51 |
| SHA1 | ee6792f27d4d5e07f0d41dbd95b0fec772a94abf |
| SHA256 | 61e6fb53b7c6b26fdfbee29d63bb36c8dd33ed7fb8ed97ca488d107fbc1ba3c3 |
| SHA512 | 9f1701d197b8e0fb1cd929404bfd9440c7ba5c724493a9a4831d9a885d1b6b169b67f344e73facefe18a753ebe22d78c61ea551a4820b7fb471d4b6670d9cc00 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Friend
| MD5 | 8a0bdcea077716b3eefce44a2de444ab |
| SHA1 | 3724020a71d0f9cc13e5f7bd4d079c92fdb01bed |
| SHA256 | f70978891348d7b742c8012d05be109c5d93e05207dd0ac4d16484e496973552 |
| SHA512 | 5ea039830291f78baabc13e00cae55532cf4aa77aca03955fb080e7da1b79f55334b22198238e85f090c3f76898cacf3a476704acd53672181d349d7a624cca7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\County
| MD5 | 23bfb44f90ecf7e147b21aeb638be0e8 |
| SHA1 | 0764403645568683a776ef34bf4eb7c7f8775e6e |
| SHA256 | 70c40c9ca3ccfe1176875a073e911e8deb3e015b6ef2fd0051223a335dd76033 |
| SHA512 | d8e8caccff81bee0f30b2c12c40a976b9d1df94c50208647959bce2ea3dd4a2989ba4bec0918a0ff8a9456f5dad217acfb03b46f3c97eebb7139ff9760e29278 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Laws
| MD5 | cadb4ef1a35122c6bff9f2e1774ebbe9 |
| SHA1 | b711c1429a69a8922da301606b2e19648a0fe537 |
| SHA256 | c522ac485cfbdb75bb3f35bfe62263fb17cb64464e111d2e287b9084a85ff670 |
| SHA512 | 6000f5511240431a9e320c5e2351a8518642786fe1aa0a59a5d523eb7899b88bf6e3ab5629d6cbf34866974b41511fdc55a83923c56da0caa92f20f360641f7e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plant
| MD5 | 29d98b6cbc770d518dfbf5fd2f4fa178 |
| SHA1 | 1d030e6fd228895d071c28f8e5f70676646f3734 |
| SHA256 | 7d270a6900ef6385133b30e462bd157aa925543abaaf248cffe263fae0c33f4b |
| SHA512 | 8e3e890523a31c0ab4ac80400215fdd860dacedd45baf25e02a61b3f52b7fad8424c632ce2996f6f0a6e69f8a29db838febdab7636e7204b50790ae0adf0e0f6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bring
| MD5 | b833ca1c2478a60371622ef394d6867d |
| SHA1 | 4278d7af0744ed090c541563cbc2792988d00cd6 |
| SHA256 | cd82e9442c7643b70b267a68f2bbe271298e7474b8310cd50e4b6e586b7d9f44 |
| SHA512 | 973dac96f9ecdf43b2bee02ffbc06583375c3fa6d2abe3541e8bb3697a6bee49f824954abb37b3385ddaf2c3447d8cea83e063349a8d5971ae0908f5430cfb0a |
\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1109\Memo.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
memory/2692-28-0x0000000077E00000-0x0000000077ED6000-memory.dmp
memory/2692-34-0x0000000003C90000-0x0000000003CED000-memory.dmp
memory/2692-36-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2692-37-0x0000000003C90000-0x0000000003CED000-memory.dmp
memory/2692-38-0x0000000003C90000-0x0000000003CED000-memory.dmp
memory/2692-39-0x0000000003C90000-0x0000000003CED000-memory.dmp
memory/2692-40-0x0000000003C90000-0x0000000003CED000-memory.dmp
memory/2692-41-0x0000000003C90000-0x0000000003CED000-memory.dmp
memory/2692-42-0x0000000003C90000-0x0000000003CED000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-12 15:32
Reported
2024-04-12 15:35
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
BunnyLoader
Detect BunnyLoader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2216 created 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | C:\Windows\Explorer.EXE |
| PID 2216 created 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | C:\Windows\Explorer.EXE |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1230272463-3683322193-511842230-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.EXE | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe
"C:\Users\Admin\AppData\Local\Temp\9b95dc37744055c1d9cec9f4383ddb52bf0436a3ae88112b782211a02533fa88.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Azerbaijan Azerbaijan.bat & Azerbaijan.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 1131
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Ap + Friend + County + Laws + Plant 1131\Memo.pif
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Bring 1131\g
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif
1131\Memo.pif 1131\g
C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & echo URL="C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZenPulse.url" & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Hotmail" /tr "wscript 'C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js'" /sc minute /mo 3 /F
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3836,i,7064649017625232947,17746804975634116675,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName /value
C:\Windows\system32\wscript.EXE
C:\Windows\system32\wscript.EXE "C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js"
C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif
"C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.pif" "C:\Users\Admin\AppData\Local\MindWave Technologies LLC\Y"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | nmEzzlyrGgODBPtUEHNyuabD.nmEzzlyrGgODBPtUEHNyuabD | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:80 | api.ipify.org | tcp |
| PL | 185.241.208.73:80 | tcp | |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| PL | 185.241.208.73:80 | tcp | |
| PL | 185.241.208.73:80 | tcp | |
| US | 8.8.8.8:53 | 8.167.79.40.in-addr.arpa | udp |
| PL | 185.241.208.73:80 | tcp | |
| PL | 185.241.208.73:80 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Azerbaijan
| MD5 | 44c71397920468dddf7bb1dc8933259f |
| SHA1 | fdf205c1c85f3b59dc4cf66523172fa3f37efce8 |
| SHA256 | 75978ba45715cad18f1dc9acc0eec4a1e6194cda6cfcb44daaeb851be665f52e |
| SHA512 | bf8b7e54ae65e4691a7981d6af792797be90bd55554f3f3d9316d0993e421a426046ced50cc91eac0bedaadbc315326201da640190192c1d6ff2d50a3c32369a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Ap
| MD5 | a745de26cccd7229f9b3083e0e657c51 |
| SHA1 | ee6792f27d4d5e07f0d41dbd95b0fec772a94abf |
| SHA256 | 61e6fb53b7c6b26fdfbee29d63bb36c8dd33ed7fb8ed97ca488d107fbc1ba3c3 |
| SHA512 | 9f1701d197b8e0fb1cd929404bfd9440c7ba5c724493a9a4831d9a885d1b6b169b67f344e73facefe18a753ebe22d78c61ea551a4820b7fb471d4b6670d9cc00 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Friend
| MD5 | 8a0bdcea077716b3eefce44a2de444ab |
| SHA1 | 3724020a71d0f9cc13e5f7bd4d079c92fdb01bed |
| SHA256 | f70978891348d7b742c8012d05be109c5d93e05207dd0ac4d16484e496973552 |
| SHA512 | 5ea039830291f78baabc13e00cae55532cf4aa77aca03955fb080e7da1b79f55334b22198238e85f090c3f76898cacf3a476704acd53672181d349d7a624cca7 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\County
| MD5 | 23bfb44f90ecf7e147b21aeb638be0e8 |
| SHA1 | 0764403645568683a776ef34bf4eb7c7f8775e6e |
| SHA256 | 70c40c9ca3ccfe1176875a073e911e8deb3e015b6ef2fd0051223a335dd76033 |
| SHA512 | d8e8caccff81bee0f30b2c12c40a976b9d1df94c50208647959bce2ea3dd4a2989ba4bec0918a0ff8a9456f5dad217acfb03b46f3c97eebb7139ff9760e29278 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Laws
| MD5 | cadb4ef1a35122c6bff9f2e1774ebbe9 |
| SHA1 | b711c1429a69a8922da301606b2e19648a0fe537 |
| SHA256 | c522ac485cfbdb75bb3f35bfe62263fb17cb64464e111d2e287b9084a85ff670 |
| SHA512 | 6000f5511240431a9e320c5e2351a8518642786fe1aa0a59a5d523eb7899b88bf6e3ab5629d6cbf34866974b41511fdc55a83923c56da0caa92f20f360641f7e |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Plant
| MD5 | 29d98b6cbc770d518dfbf5fd2f4fa178 |
| SHA1 | 1d030e6fd228895d071c28f8e5f70676646f3734 |
| SHA256 | 7d270a6900ef6385133b30e462bd157aa925543abaaf248cffe263fae0c33f4b |
| SHA512 | 8e3e890523a31c0ab4ac80400215fdd860dacedd45baf25e02a61b3f52b7fad8424c632ce2996f6f0a6e69f8a29db838febdab7636e7204b50790ae0adf0e0f6 |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Bring
| MD5 | b833ca1c2478a60371622ef394d6867d |
| SHA1 | 4278d7af0744ed090c541563cbc2792988d00cd6 |
| SHA256 | cd82e9442c7643b70b267a68f2bbe271298e7474b8310cd50e4b6e586b7d9f44 |
| SHA512 | 973dac96f9ecdf43b2bee02ffbc06583375c3fa6d2abe3541e8bb3697a6bee49f824954abb37b3385ddaf2c3447d8cea83e063349a8d5971ae0908f5430cfb0a |
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\1131\Memo.pif
| MD5 | 848164d084384c49937f99d5b894253e |
| SHA1 | 3055ef803eeec4f175ebf120f94125717ee12444 |
| SHA256 | f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3 |
| SHA512 | aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a |
memory/2216-27-0x0000000077401000-0x0000000077521000-memory.dmp
memory/2216-34-0x0000000001FA0000-0x0000000001FA1000-memory.dmp
memory/2216-35-0x0000000004B40000-0x0000000004B9D000-memory.dmp
memory/2216-36-0x0000000004B40000-0x0000000004B9D000-memory.dmp
memory/2216-37-0x0000000004B40000-0x0000000004B9D000-memory.dmp
memory/2216-38-0x0000000004B40000-0x0000000004B9D000-memory.dmp
memory/2216-39-0x0000000004B40000-0x0000000004B9D000-memory.dmp
memory/2216-40-0x0000000004B40000-0x0000000004B9D000-memory.dmp
memory/2216-41-0x0000000004B40000-0x0000000004B9D000-memory.dmp
memory/2216-43-0x0000000004B40000-0x0000000004B9D000-memory.dmp
C:\Users\Admin\AppData\Local\MindWave Technologies LLC\ZenPulse.js
| MD5 | 9e4fea19021e58c034eb119400077790 |
| SHA1 | b2a08bf0392273c044ce889f4091260822bf8f7c |
| SHA256 | 585d69bad9df943444bc2b787af11a0d4641a6a9a50bc08d937eebad986498c3 |
| SHA512 | 6e008662340d43cfec8184c7e4f5493b15318b73eb46ec1a0da0d0501933394ed9db5f706845b097bbabe10a6f2742a2d70deb65a16e1fa9df742cc2d09d7aee |