Malware Analysis Report

2024-10-19 07:11

Sample ID 240511-ka8sysgg6t
Target 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
SHA256 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Tags
nanocore execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c

Threat Level: Known bad

The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.

Malicious Activity Summary

nanocore execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 08:25

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 08:24

Reported

2024-05-11 08:27

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem = "C:\\Program Files (x86)\\UDP Subsystem\\udpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3056 set thread context of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\UDP Subsystem\udpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\UDP Subsystem\udpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3056 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3056 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2500 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2500 wrote to memory of 1332 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 1332 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 1332 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2500 wrote to memory of 3048 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8916.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "UDP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp8EC4.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
BE | 88.221.83.178:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
BE | 88.221.83.178:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 178.83.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 8.8.8.8:53 | 26.69.169.192.in-addr.arpa | udp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp
NL | 91.92.253.11:65024 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp8916.tmp

MD5 2573f6eb52917639dd8dc6a6fd291a60
SHA1 79d9b256bc2fecebf3c3c42a9608ddb2ae761cb8
SHA256 fcd9da72234d9e8ebab22342cc12ff6187a818ff93d923ca85e9fe1444eb05fc
SHA512 6026def83e211c8ff7fcc3b0900914a50fe5d78cf2e5ac9395eb193d82df7368f1d3dc5fc8515534aded7147852732b6badf687ead5ac5a7b26df82f7968e37f

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_erwsivx1.taj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp8D1D.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp8EC4.tmp

MD5 c4aecdef99eba873119e79616df3f4b0
SHA1 b1b3af52655fb633eed909dfed05b64fbbfac37c
SHA256 24fd0d87bea36a024449a95f808aaa174e4ed9003cb8a427b67c02411b8a2e0b
SHA512 e3f44b07267fccf4f5abd4efe80f2b037ddadc4cb898bdfca9d21ac5d79fcac828950065c2060d3ce125ee971fc3096183afee5287ba9951fbbda7257d8ed8d4

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6b380751bbf64bcc19fc446a863798f2
SHA1 23d7d4aab4ec47eb89f220a689134b64dfe7572d
SHA256 8bb1e76769491b76a8659dfffc7d35b59f0cb5a43621a6a904b09d9a8d5d7c7a
SHA512 59a9ef7e34fe77dd55cd0ed702513b70f36e0cb08373d9c368d7ad932734eefa9d76e0b6082adc291af0fa8c66afe486f90f8c866003331f3d321b8af84f5dc0

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 08:24

Reported

2024-05-11 08:27

Platform

win7-20240220-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2604 set thread context of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A
File opened for modification | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2604 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2604 wrote to memory of 2816 | N/A | C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2816 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 1560 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 320 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 320 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 320 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2816 wrote to memory of 320 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7A10.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7BA5.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7BF4.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | december2nd.ddns.net | udp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
US | 8.8.8.8:53 | december2nd.ddns.net | udp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
NL | 91.92.253.11:65024 | december2nd.ddns.net | tcp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp
US | 8.8.8.8:53 | december2n.duckdns.org | udp
US | 192.169.69.26:65024 | december2n.duckdns.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7A10.tmp

MD5 39342423d1db4a7b342db335a3a4d8cb
SHA1 6e801a19fbd3841f2ee128ec5ea58ef0215fde7c
SHA256 7cd50a22781c280647310895644046e1002fed993869625be028cdcf09fa482e
SHA512 cc91b2570e293e80f349903cf7581d4761cd96865eae770e5ab8d1b0f7113bab842866b14c5724cfe3b528bb57e5ce474d5ae34b7222b00b3a5e644a4204c62d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HHN1MYBGNLV1XQXOZK4R.temp

MD5 c8fd0a640468c5ddb23ae65d015cc658
SHA1 816ce30757d020737b9a2da4e5f3fdebc449913c
SHA256 93353760356795d5573045221ddc2c4c01b363bb25b4152e97186d294d2c73f0
SHA512 f0626e2d3c75af74fa6beb5eb2ae4708a165cde01a335a7bfc18c5770bce7fca7456ce918204a19a9cc2d3982a6ceee6b9e4dbd99ce37a0cbcbaa98c8ab2b8a9

C:\Users\Admin\AppData\Local\Temp\tmp7BA5.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmp7BF4.tmp

MD5 4b7ef560289c0f62d0baf6f14f48a57a
SHA1 8331acb90dde588aa3196919f6e847f398fd06d1
SHA256 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207
SHA512 ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8
