Malware Analysis Report

2024-10-23 19:44

Sample ID: 240426-bxcvcsgh9t
Target: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
SHA256: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85
Tags: nanocore evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85

Threat Level: Known bad

The file c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe was found to be: Known bad.

Malicious Activity Summary

Tags: nanocore evasion keylogger persistence spyware stealer trojan

NanoCore
Checks computer location settings
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-26 01:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-26 01:31
Reported: 2024-04-26 01:33
Platform: win7-20231129-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

Signatures

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 836 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 836 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\schtasks.exe
PID 836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2712 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 836 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp"

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp4569.tmp

MD5 99ee79ef1ec914dcdbf76c7b64dd1ba6
SHA1 c0c68a6030256df83f1e943336e63f5c832ec264
SHA256 c8fa8b7f11520d0e79a57f657863ea8ba6b23ec6249451c27a3513767663b8cd
SHA512 e9df4a99f08191d6eb55f71b4626e3e8d6b7833d01b9247cb13b693157934731034b03de555257952ae4595ecc8007cc095b433ef72ff5db144607cb5e81b008

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2OSMZA05435Z85187S9K.temp

MD5 a52659ae706be263ea6cd69e1fe8a4b5
SHA1 9767469ab470ae99c8501b9ca858b1e56198a7b2
SHA256 93fa93359a7f6504a1d2c5c240c34a3fe340d8c0738da4678acea82bf51651ab
SHA512 c91c9134ba261a534a4838400bcbc2f9de9abd464222becf8d0487ec885f3be454fbe8156df83dfa5cf571d3a3033a2c61958af57335cf7bd74332d7d70ec989

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-26 01:31
Reported: 2024-04-26 01:33
Platform: win10v2004-20240412-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

Signatures

NanoCore

Tags: keylogger trojan stealer spyware nanocore

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A

Checks whether UAC is enabled

Tags: evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
File opened for modification | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

Tags: persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2976 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 1268 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2976 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 4908 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe
PID 2976 wrote to memory of 1528 | N/A | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe | C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hXGmUcb.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXGmUcb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp782D.tmp"

C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe

"C:\Users\Admin\AppData\Local\Temp\c03858657307a20f2da776ba010c76495276e80306c19b70f44342c8bcaece85.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 amechi.duckdns.org udp
US 8.8.8.8:53 198.32.209.4.in-addr.arpa udp
US 8.8.4.4:53 amechi.duckdns.org udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 amechi.duckdns.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 48.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 amechi.duckdns.org udp
HR 45.95.169.113:3190 amechi.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp782D.tmp

MD5 aa5711747b1e7854f7ce5480f089fbbd
SHA1 44ce2a5a354f3c736b3e0a2f74d6b4fea4add924
SHA256 fd1b347261f0d59df8608f20a696788e5e6fcd9c03bc4470be77ad73a0916cc0
SHA512 140f4f08f2548fb82d42728c1dcd01edf3b90daaf34b970825847cfe0a65fbf5de5ae6aa5479553e304c7400ee1a8e4bb7a34d04b081159fe3df3cd9c0744629

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45coj1wy.i2x.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 7e5852742733964cb07919dfd1488e76
SHA1 5e88e778de84069656ba4e82ddec08bb0d23fbef
SHA256 0670bcc1b3fef8d3a42b468e66b3ddb993f9f369444be638c85b3c1150654cd7
SHA512 15ab1ce83ea8339aa1e758bfa3df341a99cdc805ef79a52a6497e0190c149dadbe0d7ace43b4d533f99638a0fbb857235e0df1ac082d143b97e7d79c1f4590ce
