Malware Analysis Report

2024-10-19 07:11

Sample ID 240511-kbelhabd79
Target 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
SHA256 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Tags
nanocore execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c

Threat Level: Known bad

The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.

Malicious Activity Summary

nanocore execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 08:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 08:25

Reported

2024-05-11 08:28

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Service = "C:\\Program Files (x86)\\AGP Service\\agpsv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1876 set thread context of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AGP Service\agpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\AGP Service\agpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1876 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1876 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1876 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4364 wrote to memory of 3040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 3040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 3040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 4364 wrote to memory of 4924 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB66F.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "AGP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpBF59.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp

Files

memory/1876-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/1876-1-0x0000000000D40000-0x0000000000E32000-memory.dmp

memory/1876-2-0x0000000005DF0000-0x0000000006394000-memory.dmp

memory/1876-3-0x0000000005840000-0x00000000058D2000-memory.dmp

memory/1876-4-0x00000000058E0000-0x00000000058EA000-memory.dmp

memory/1876-5-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/1876-6-0x0000000005A30000-0x0000000005A4E000-memory.dmp

memory/1876-7-0x0000000005D70000-0x0000000005D80000-memory.dmp

memory/1876-8-0x0000000005DA0000-0x0000000005DB6000-memory.dmp

memory/1876-9-0x0000000007230000-0x00000000072AC000-memory.dmp

memory/1876-10-0x0000000009800000-0x000000000989C000-memory.dmp

memory/1876-15-0x00000000746FE000-0x00000000746FF000-memory.dmp

memory/4688-16-0x0000000002350000-0x0000000002386000-memory.dmp

memory/4688-18-0x0000000004F20000-0x0000000005548000-memory.dmp

memory/1876-17-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4688-19-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4688-20-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4688-21-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

memory/4688-25-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4688-24-0x0000000005630000-0x0000000005696000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3fz4xswk.pgc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4688-35-0x00000000056A0000-0x00000000059F4000-memory.dmp

memory/688-36-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4364-38-0x0000000000400000-0x000000000043A000-memory.dmp

memory/688-37-0x00000000746F0000-0x0000000074EA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB66F.tmp

MD5 b196f968b0d5cf29b66132ec32c43639
SHA1 6eb793678b3b221b49641476a3e2424767a02787
SHA256 f8f0cb8d6b1e45a9527cd1ab597546e81901020bcc03da82ea9036ba17078010
SHA512 3d124b1418014e8765e0bf320f7c9a96c67b0265ad855ebf782e2b5dd17d3be28f022e408ccce8a7d9f44f5681eff3676f3117ce25348b5266c80104e4eee816

memory/688-49-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4688-22-0x00000000055C0000-0x0000000005626000-memory.dmp

memory/1876-50-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4688-51-0x0000000005C90000-0x0000000005CAE000-memory.dmp

memory/4688-52-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBD35.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmpBF59.tmp

MD5 7a81ae69c04c8d95261eb5f490b7f869
SHA1 9f4f484d306fea15b2e7f9f16db660833bb1f8ce
SHA256 ce3933e772f663a834335cc2071e5e7b2d49a065b51d84a259054b8ef663e785
SHA512 8260ab83106752a488e164bbed63ef334d34399bc9a5c09a0cfceba6aef48eafe5c64e4dfbd353ac3edfff2523b16c2b0287d34833a293c4436e068fae656de8

memory/4364-60-0x0000000005650000-0x000000000565A000-memory.dmp

memory/4364-62-0x00000000059E0000-0x00000000059FE000-memory.dmp

memory/4364-63-0x00000000067D0000-0x00000000067DA000-memory.dmp

memory/4364-61-0x0000000005660000-0x000000000566C000-memory.dmp

memory/688-65-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

memory/688-75-0x0000000006A10000-0x0000000006A2E000-memory.dmp

memory/688-76-0x0000000007480000-0x0000000007523000-memory.dmp

memory/688-64-0x0000000007440000-0x0000000007472000-memory.dmp

memory/4688-77-0x0000000070EE0000-0x0000000070F2C000-memory.dmp

memory/688-88-0x0000000007790000-0x00000000077AA000-memory.dmp

memory/688-87-0x0000000007DD0000-0x000000000844A000-memory.dmp

memory/688-89-0x0000000007800000-0x000000000780A000-memory.dmp

memory/688-90-0x0000000007A10000-0x0000000007AA6000-memory.dmp

memory/688-91-0x0000000007990000-0x00000000079A1000-memory.dmp

memory/4688-92-0x00000000071E0000-0x00000000071EE000-memory.dmp

memory/688-93-0x00000000079D0000-0x00000000079E4000-memory.dmp

memory/688-94-0x0000000007AD0000-0x0000000007AEA000-memory.dmp

memory/4688-95-0x00000000072D0000-0x00000000072D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2cf72967c6e4b738a87c6d9cab5a225e
SHA1 a067c24a4e9f18e93cdf70c658920e2b64f4d89d
SHA256 73038a372dd758c43ec5dc4855b978dbd51413ae68f5c1fa0f970bbda1d74dae
SHA512 fe9c6bb2ed4a5b119a1f0467ff5d95c41bdb34be5fa01812d91044d39a19a9af691cafb958d796a562fd6483c145e42ee5afb74df3a10c7d3a578d56e9781c50

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/688-102-0x00000000746F0000-0x0000000074EA0000-memory.dmp

memory/4688-103-0x00000000746F0000-0x0000000074EA0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 08:25

Reported

2024-05-11 08:28

Platform

win7-20240221-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2244 set thread context of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2244 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2444 wrote to memory of 2316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 2316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 2316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 2316 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 2444 wrote to memory of 1968 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF24B.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF660.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF74B.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp

Files

memory/2244-3-0x0000000000530000-0x000000000054E000-memory.dmp

memory/2244-2-0x0000000074230000-0x000000007491E000-memory.dmp

memory/2244-1-0x0000000000A60000-0x0000000000B52000-memory.dmp

memory/2244-0-0x000000007423E000-0x000000007423F000-memory.dmp

memory/2244-4-0x00000000005B0000-0x00000000005C0000-memory.dmp

memory/2244-5-0x00000000005C0000-0x00000000005D6000-memory.dmp

memory/2244-6-0x0000000005500000-0x000000000557C000-memory.dmp

memory/2244-7-0x000000007423E000-0x000000007423F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF24B.tmp

MD5 0ea57fac1e498dc52d4f7de9746e640c
SHA1 56c3f317642663b7b95e79390c4d0ba983d1198b
SHA256 7bd39ca5926b8596affff53c3665792a6000af71aa959a15d0700d0c7bc6c36b
SHA512 754f1352576f3a1e779871cf632a2d8251dfa75e838fc189b2ea27f69140bb013a690edba67509fbce60459be90da7296456e2e0a8240652f6786eadc5a4e249

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 09902859ffaefe4765e6b44f6c480eaf
SHA1 11ced24adb8810fc3270c0835d76d2921134cdae
SHA256 3fe1f0341b1e7dd585bc3b0d80c03b4c565333622f3c4dcb03906fdea572629f
SHA512 6c343e9ad066199e5dab1c6008c93165876ec5073ef05e2a07ef09cff8f6ebff55341c7b06fd9e2825b66ba91d43aba1ddcc6a78d5285b5e459079dc9da0b5fc

memory/2444-20-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2444-29-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2444-31-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2444-30-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2444-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2444-26-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2444-24-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2444-22-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2244-32-0x0000000074230000-0x000000007491E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF660.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmpF74B.tmp

MD5 93d357e6194c8eb8d0616a9f592cc4bf
SHA1 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256 a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

memory/2444-40-0x00000000003E0000-0x00000000003EA000-memory.dmp

memory/2444-42-0x0000000000530000-0x000000000054E000-memory.dmp

memory/2444-41-0x00000000003F0000-0x00000000003FC000-memory.dmp

memory/2444-43-0x00000000005D0000-0x00000000005DA000-memory.dmp