Analysis Overview
SHA256
0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef
Threat Level: Known bad
The file 0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef was found to be: Known bad.
Malicious Activity Summary
Stealc
SectopRAT payload
SectopRAT
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-29 12:33
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-29 12:33
Reported
2024-04-29 12:35
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
SectopRAT
SectopRAT payload
Stealc
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4388 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2484 set thread context of 4412 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef.exe
"C:\Users\Admin\AppData\Local\Temp\0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef.exe"
C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe"
C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3672 -ip 3672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1524
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3448 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1804 -ip 1804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 2280
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.203:80 | 185.172.128.203 | tcp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| US | 8.8.8.8:53 | 106.76.97.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| GB | 172.217.169.74:443 | | tcp |
| DE | 185.172.128.151:80 | 185.172.128.151 | tcp |
| US | 8.8.8.8:53 | 151.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.249.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| RU | 91.215.85.66:15647 | | tcp |
| US | 8.8.8.8:53 | 66.85.215.91.in-addr.arpa | udp |
| RU | 91.215.85.66:9000 | 91.215.85.66 | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\u2u0.0.exe
| MD5 | 11c11c214731f0346cb9733eb7f9f0b6 |
| SHA1 | 8cf0db84222c4be556b4fb9e9927454540258eac |
| SHA256 | d75944f20168d0585058bd5b7035c79c4728cda469bf1edee6f62bfd2847ea67 |
| SHA512 | f3eca4e0496f1e017f43bc29ecda5dba11b1b00638bd3538d9995ea49706db66f0e839e5fd8e980bf172561d11da2d1530462b395c89479737fa31fce1bebb42 |
C:\Users\Admin\AppData\Local\Temp\u2u0.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u2u0.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Temp\u2u0.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u2u0.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u2u0.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
C:\Users\Admin\AppData\Local\Temp\u2u0.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
C:\Users\Admin\AppData\Local\Temp\3d1c9f8d
| MD5 | 93adc1057a9bfb307fbf5358a9bc6a4f |
| SHA1 | f4657e319fe45408e40862ed67516e2dbca269f7 |
| SHA256 | 8311b8b136ce5ef1ec88cab61ea42e85280b5cac267b01d453f6b4e44b6254b2 |
| SHA512 | fa88c8038a17e2ef16febcff04ca31991e904e7aaa8d2568290d17c76351e5f730833379985948ee436c1e27f4b5ec7830551398d627680a36dc6f4623fd1e51 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
| MD5 | 20d4b8fa017a12a108c87f540836e250 |
| SHA1 | 1ac617fac131262b6d3ce1f52f5907e31d5f6f00 |
| SHA256 | 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d |
| SHA512 | 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856 |
C:\Users\Admin\AppData\Local\Temp\tmp18DE.tmp
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Users\Admin\AppData\Local\Temp\tmp193F.tmp
| MD5 | 91dbaf73c1a8c55254d90272f998e412 |
| SHA1 | 2b86b31c8c00c937291e5ac3b1d134a5df959acf |
| SHA256 | 0628922305d2478ba75a48efadf932d439616eaf1ff908be334793f7bde28107 |
| SHA512 | 109f4f59616cc1d1682b4d9468804f7668c77ce1878afec06a57037193f31a9c1c39f5d269277462936373b129d26488cddcc34d455c27185534e7754baaa988 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-29 12:33
Reported
2024-04-29 12:35
Platform
win11-20240419-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
SectopRAT
SectopRAT payload
Stealc
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3816 set thread context of 4312 | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4312 set thread context of 4740 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef.exe
"C:\Users\Admin\AppData\Local\Temp\0f675c462e852f2acf43d90eebf8b800b197cc9f4764e40ed497af7cf9a805ef.exe"
C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe"
C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe
"C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2372 -ip 2372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1160
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1440 -ip 1440
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1440 -s 2088
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.203:80 | 185.172.128.203 | tcp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | note.padd.cn.com | udp |
| RO | 176.97.76.106:80 | note.padd.cn.com | tcp |
| DE | 185.172.128.151:80 | 185.172.128.151 | tcp |
| RU | 91.215.85.66:15647 | | tcp |
| RU | 91.215.85.66:9000 | 91.215.85.66 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\u1tw.0.exe
| MD5 | 11c11c214731f0346cb9733eb7f9f0b6 |
| SHA1 | 8cf0db84222c4be556b4fb9e9927454540258eac |
| SHA256 | d75944f20168d0585058bd5b7035c79c4728cda469bf1edee6f62bfd2847ea67 |
| SHA512 | f3eca4e0496f1e017f43bc29ecda5dba11b1b00638bd3538d9995ea49706db66f0e839e5fd8e980bf172561d11da2d1530462b395c89479737fa31fce1bebb42 |
C:\Users\Admin\AppData\Local\Temp\u1tw.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u1tw.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
C:\Users\Admin\AppData\Local\Temp\u1tw.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u1tw.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
C:\Users\Admin\AppData\Local\Temp\u1tw.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
C:\Users\Admin\AppData\Local\Temp\u1tw.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
C:\Users\Admin\AppData\Local\Temp\dfcda3ba
| MD5 | db300930a5fe63da757472c6cbc06556 |
| SHA1 | c65e8c8cd6701fde384c24256ae5f1ad3e42754f |
| SHA256 | 5051ad5bd986b0f322e9e54c74ef15ce0d2099e200fb2277d2bc7d9e2e33e9b4 |
| SHA512 | e0d8e00b61a160efda8af05284ad5c36030a910efc129a6d6a30df18358822a19587616d37787d5495045b6378326ce1777d63db98acefdb80330b7ddd2f4601 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\tmp26DD.tmp
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\Users\Admin\AppData\Local\Temp\tmp26FF.tmp
| MD5 | 22be08f683bcc01d7a9799bbd2c10041 |
| SHA1 | 2efb6041cf3d6e67970135e592569c76fc4c41de |
| SHA256 | 451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457 |
| SHA512 | 0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936 |