Malware Analysis Report

2025-01-22 12:26

Sample ID 240515-2n2p8sgb72
Target 60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9
SHA256 60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9
Tags
aspackv2 bootkit persistence spyware stealer
score
9/10

Analysis Overview

score
9/10

SHA256

60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9

Threat Level: Likely malicious

The file 60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9 was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit persistence spyware stealer

Detects executables containing base64 encoded User Agent

Blocklisted process makes network request

Deletes itself

Executes dropped EXE

Loads dropped DLL

ASPack v2.12-2.42

Reads user/profile data of web browsers

Enumerates connected drives

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Unsigned PE

Runs ping.exe

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 22:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 22:44

Reported

2024-05-15 22:47

Platform

win7-20240221-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqtsl.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqtsl.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\xgqcq\\gvfdccsyi.vdg\",SHA1" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1432 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eqtsl.exe
PID 2628 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\eqtsl.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe

"C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\eqtsl.exe "C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\eqtsl.exe

C:\Users\Admin\AppData\Local\Temp\\eqtsl.exe "C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\xgqcq\gvfdccsyi.vdg",SHA1 C:\Users\Admin\AppData\Local\Temp\eqtsl.exe

Network

Files

\Users\Admin\AppData\Local\Temp\eqtsl.exe

MD5 17446bd4d88bb0eaa83bcaf231caea86
SHA1 fab620487cea1fe0f1e6a2f1b974d15f4de4d296
SHA256 ac1faa19e86a2e2fe67c1eb7e76d984ea5e70b2b10796b7f77c5fdf5ddb1d140
SHA512 7de1fd9e1cc0b188b4ea2794c4ae5024afbf00b51f60ded6471a1f04107f1bb2f5a3adfa32252118bdebd7ffae2e240d505787bddd9c5eb81bc1c71424529571

\??\c:\xgqcq\gvfdccsyi.vdg

MD5 4993bd7ca91574843d5a608c532151a4
SHA1 72ff0d8e4ccee88738b3ab8bdb52b9474e0ef55e
SHA256 489855558b5a997477f7c95a05e7adcbf6001e06bd80e29b01fdabdb006cdbbb
SHA512 13418193723dace324d5b91a8162a09521640bc6e401c841bb0644de8ec9a762912f2afd588be8845a30b2f59ac10ab2eaa0b356068d1503792a30a826ed075c

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 22:44

Reported

2024-05-15 22:47

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

Signatures

Detects executables containing base64 encoded User Agent

Description Indicator Process Target
N/A N/A N/A N/A

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ilzvai.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ilzvai.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\dzsguz\\iiwwi.iwi\",SHA1" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe C:\Windows\SysWOW64\cmd.exe
PID 1316 wrote to memory of 2940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1316 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ilzvai.exe
PID 3968 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\ilzvai.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe

"C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\ilzvai.exe "C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\ilzvai.exe

C:\Users\Admin\AppData\Local\Temp\\ilzvai.exe "C:\Users\Admin\AppData\Local\Temp\60c16539cb507afa99a81a30dd83227c7dd9ebbafec8be72d9cc00d368f563b9.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\dzsguz\iiwwi.iwi",SHA1 C:\Users\Admin\AppData\Local\Temp\ilzvai.exe

Network

Files

C:\Users\Admin\AppData\Local\Temp\ilzvai.exe

MD5 5a1bdf984f86bdf4a321b67a199fabf9
SHA1 77717ac9d34265315b899b9a354436d402dfd3d6
SHA256 3ce5fc6f7ec90e24c7b8d8340f816a121d9447c9388ad448b4b843cdcb4c141f
SHA512 12d4fa1d3461d8689fd489891f4493c58ca586a342977b7da9f08d545c86d40ce12bb8bd489cea5a9dd5bae2d12d88e1e623b1a788a7f71a6a705c7c91dea323

\??\c:\dzsguz\iiwwi.iwi

MD5 4993bd7ca91574843d5a608c532151a4
SHA1 72ff0d8e4ccee88738b3ab8bdb52b9474e0ef55e
SHA256 489855558b5a997477f7c95a05e7adcbf6001e06bd80e29b01fdabdb006cdbbb
SHA512 13418193723dace324d5b91a8162a09521640bc6e401c841bb0644de8ec9a762912f2afd588be8845a30b2f59ac10ab2eaa0b356068d1503792a30a826ed075c
