Malware Analysis Report

2025-03-14 23:46

Sample ID 240603-gc9aqade2t
Target f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123
SHA256 f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123
Tags
persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123

Threat Level: Shows suspicious behavior

The file f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123 was found to show suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 05:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 05:40

Reported

2024-06-03 05:43

Platform

win7-20240419-en

Max time kernel

149s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123.dll,#1

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mwyjnbrrs = "\"C:\\Users\\Admin\\AppData\\Roaming\\VmmGdw\\lpksetup.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\6224\Netplwiz.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\system32\6224\Netplwiz.exe C:\Windows\System32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile N/A N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile N/A N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\MqtAy46.cmd" N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000_CLASSES\MSCFile\shell N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2704 N/A N/A C:\Windows\system32\LocationNotifications.exe
PID 1204 wrote to memory of 2704 N/A N/A C:\Windows\system32\LocationNotifications.exe
PID 1204 wrote to memory of 2704 N/A N/A C:\Windows\system32\LocationNotifications.exe
PID 1204 wrote to memory of 2528 N/A N/A C:\Windows\system32\RunLegacyCPLElevated.exe
PID 1204 wrote to memory of 2528 N/A N/A C:\Windows\system32\RunLegacyCPLElevated.exe
PID 1204 wrote to memory of 2528 N/A N/A C:\Windows\system32\RunLegacyCPLElevated.exe
PID 1204 wrote to memory of 2524 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1204 wrote to memory of 2524 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1204 wrote to memory of 2524 N/A N/A C:\Windows\system32\lpksetup.exe
PID 1204 wrote to memory of 2548 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2548 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2548 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2224 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2224 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2224 N/A N/A C:\Windows\System32\cmd.exe
PID 2224 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2224 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2224 wrote to memory of 2300 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1204 wrote to memory of 2236 N/A N/A C:\Windows\system32\CompMgmtLauncher.exe
PID 1204 wrote to memory of 2236 N/A N/A C:\Windows\system32\CompMgmtLauncher.exe
PID 1204 wrote to memory of 2236 N/A N/A C:\Windows\system32\CompMgmtLauncher.exe
PID 1204 wrote to memory of 352 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1204 wrote to memory of 352 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1204 wrote to memory of 352 N/A N/A C:\Windows\system32\Netplwiz.exe
PID 1204 wrote to memory of 2744 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2744 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2744 N/A N/A C:\Windows\System32\cmd.exe
PID 1204 wrote to memory of 2896 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1204 wrote to memory of 2896 N/A N/A C:\Windows\System32\eventvwr.exe
PID 1204 wrote to memory of 2896 N/A N/A C:\Windows\System32\eventvwr.exe
PID 2896 wrote to memory of 2168 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2168 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 2168 N/A C:\Windows\System32\eventvwr.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2168 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2168 wrote to memory of 2180 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123.dll,#1

C:\Windows\system32\LocationNotifications.exe

C:\Windows\system32\LocationNotifications.exe

C:\Windows\system32\RunLegacyCPLElevated.exe

C:\Windows\system32\RunLegacyCPLElevated.exe

C:\Windows\system32\lpksetup.exe

C:\Windows\system32\lpksetup.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\7wJFHp.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{62baf7d1-2421-76c3-d64f-48bbd6001acb}"

C:\Windows\system32\CompMgmtLauncher.exe

C:\Windows\system32\CompMgmtLauncher.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\system32\Netplwiz.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\QcY.cmd

C:\Windows\System32\eventvwr.exe

"C:\Windows\System32\eventvwr.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\MqtAy46.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Bygyxkyzdvxj" /SC minute /MO 60 /TR "C:\Windows\system32\6224\Netplwiz.exe" /RL highest

Network

N/A

Files

memory/1936-0-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1936-2-0x0000000000200000-0x0000000000207000-memory.dmp

memory/1204-3-0x0000000077566000-0x0000000077567000-memory.dmp

memory/1204-4-0x0000000002610000-0x0000000002611000-memory.dmp

memory/1936-6-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-14-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-13-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-12-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-15-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-11-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-10-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-9-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-16-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-8-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-7-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-17-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-18-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-27-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-35-0x00000000025F0000-0x00000000025F7000-memory.dmp

memory/1204-34-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-26-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-25-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-24-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-23-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-22-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-21-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-20-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-19-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-39-0x0000000077771000-0x0000000077772000-memory.dmp

memory/1204-45-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-47-0x00000000778D0000-0x00000000778D2000-memory.dmp

memory/1204-50-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/1204-51-0x0000000140000000-0x00000001400B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7wJFHp.cmd

MD5 c349f007e391cc23e2d626c2d61c369f
SHA1 4a903a0f6a1208346cfa70c19feb9f8df700a176
SHA256 ad2c975bf830cb6b21296f4c53fbf606fa47842f2afa2fc3dfcfd8e0f5719b70
SHA512 94910124d79ed9b1b81678cbba45f887f2a90a3537e370ee6aa3da6e958a1b24e1dec930a582d17b54ef8e8c175545eb3d107a803ea01d414d77cd9eb373df08

C:\Users\Admin\AppData\Local\Temp\2dy2B26.tmp

MD5 cbb581b640a949a06d69737474f84fa5
SHA1 c88fa2959e916684313fceaaa4f11ceb3f00f9c8
SHA256 1e6eb192f9419523f15760fa3597b69f6c8c9ff0aad6c3f991daf90b910a9012
SHA512 0da9889677fcef05a09f0031785299e68ceb5fd8fb3f8f5e379312e78992364edc280c547ed5d137e924693fffc43f5a660f7553b684b38053b6e309de621020

C:\Users\Admin\AppData\Roaming\VmmGdw\lpksetup.exe

MD5 50d28f3f8b7c17056520c80a29efe17c
SHA1 1b1e62be0a0bdc9aec2e91842c35381297d8f01e
SHA256 71613ea48467d1a0b00f8bcaed270b7527fc5771f540a8eb0515b3a5fdc8604f
SHA512 92bc60402aacf1a62e47335adf8696a5c0d31637e624628d82b6ec1f17e1ee65ae8edf7e8dcd10933f59c892a4a74d8e461945df0991b706a4a53927c5fd3861

C:\Users\Admin\AppData\Local\Temp\QcY.cmd

MD5 4516fcbb6d7c53886ef5f7b72bcb4841
SHA1 a3efa1554d71b1eb4aee1ff817a58b7445a6c377
SHA256 c429218f573bf89d8bbb15f6319293f469dd785dbc3a9e97c73334c0bd69655b
SHA512 47d4a75e5bff86f190f4a72e6465aa29ddd2dfe60d1efbbc6ec309e0fd37351c3ea4f90ee3adb46f1603655b268ef6db9430007fa80c15c74bf7b32a45e9abd5

C:\Users\Admin\AppData\Local\Temp\EFK2C7E.tmp

MD5 a1d499b485905e4d8cbd83e30c6d16a8
SHA1 27049ccc4ff9a425c17de85d1ad7e6f155d90630
SHA256 e7f587fe7ae2b081edf3bb5b24779af9706fb9ec1087b39da5c9d74f04c30c25
SHA512 634b72ec5c7cc0c5f993140aeb59b63fe0fc78c541756f660d2721ec075bce97dd0391caf79ead547c94268b06c2651af328c940ffc76d1f7334daa9c351089a

C:\Users\Admin\AppData\Local\Temp\MqtAy46.cmd

MD5 0899e5bda26a9679b9297bc08c4c8f12
SHA1 1841f535435137bd346e7e6215b5c40cfb3b7765
SHA256 8eb9efede90b0b22e0ded4e0a87d52ab9059013521f63e1d32b178770450401b
SHA512 1f7bd7948f49e625a5f89e5e43dfd6876ac5f670fda36c2ec0653a7e3ae9a16c6488f5d10c207f725a794db4f3bcd5c8c234a041a894c690418445dd86e18bf2

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Mwyjnbrrs.lnk

MD5 8a6024338575b710fffbabaea531cf45
SHA1 6a32f1ee83068682bcc950ffa074cf0c0e720c9b
SHA256 765ed973550e4c415ab1169dacdc656e60c0053d933c0a7c323afca8d49e83a2
SHA512 d96c18b1fe442791bc6195b83b9cadf4140c13503bf5fc2ac94f42baef0d8e091ad2f20bc40324211c14671da96f28f104eb1402b9ea49fa591f7f6cab49d67d

memory/1204-100-0x0000000077566000-0x0000000077567000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 05:40

Reported

2024-06-03 05:43

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123.dll,#1

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eeaxmqtu = "\"C:\\Users\\Admin\\AppData\\Roaming\\maNgzN\\msdt.exe\"" N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\7786\Narrator.exe C:\Windows\System32\cmd.exe N/A
File opened for modification C:\Windows\system32\7786\Narrator.exe C:\Windows\System32\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\NIzJXm.cmd" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command\DelegateExecute N/A N/A
Key deleted \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\ms-settings\shell\open\command N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3460 wrote to memory of 3400 N/A N/A C:\Windows\system32\msdt.exe
PID 3460 wrote to memory of 3400 N/A N/A C:\Windows\system32\msdt.exe
PID 3460 wrote to memory of 1060 N/A N/A C:\Windows\System32\cmd.exe
PID 3460 wrote to memory of 1060 N/A N/A C:\Windows\System32\cmd.exe
PID 3460 wrote to memory of 1124 N/A N/A C:\Windows\System32\cmd.exe
PID 3460 wrote to memory of 1124 N/A N/A C:\Windows\System32\cmd.exe
PID 1124 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1124 wrote to memory of 1288 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3460 wrote to memory of 1872 N/A N/A C:\Windows\system32\Narrator.exe
PID 3460 wrote to memory of 1872 N/A N/A C:\Windows\system32\Narrator.exe
PID 3460 wrote to memory of 2272 N/A N/A C:\Windows\System32\cmd.exe
PID 3460 wrote to memory of 2272 N/A N/A C:\Windows\System32\cmd.exe
PID 3460 wrote to memory of 3012 N/A N/A C:\Windows\System32\fodhelper.exe
PID 3460 wrote to memory of 3012 N/A N/A C:\Windows\System32\fodhelper.exe
PID 3012 wrote to memory of 2624 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2624 N/A C:\Windows\System32\fodhelper.exe C:\Windows\system32\cmd.exe
PID 2624 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2624 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\f858ac5589a19f84a4e97fba9511e95a187464374daa00d8e83ffcb810ed6123.dll,#1

C:\Windows\system32\msdt.exe

C:\Windows\system32\msdt.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\hJgcfMY.cmd

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{35f320fa-3d67-9dff-e346-2c697e2fb343}"

C:\Windows\system32\schtasks.exe

schtasks.exe /Delete /F /TN "User_Feed_Synchronization-{35f320fa-3d67-9dff-e346-2c697e2fb343}"

C:\Windows\system32\Narrator.exe

C:\Windows\system32\Narrator.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\q0a.cmd

C:\Windows\System32\fodhelper.exe

"C:\Windows\System32\fodhelper.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\NIzJXm.cmd

C:\Windows\system32\schtasks.exe

schtasks.exe /Create /F /TN "Jactb" /SC minute /MO 60 /TR "C:\Windows\system32\7786\Narrator.exe" /RL highest

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

memory/4384-0-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/4384-2-0x0000015599840000-0x0000015599847000-memory.dmp

memory/3460-6-0x00007FFB4077A000-0x00007FFB4077B000-memory.dmp

memory/4384-5-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-3-0x00000000032E0000-0x00000000032E1000-memory.dmp

memory/3460-26-0x0000000140000000-0x00000001400B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\X1685F.tmp

MD5 a79aa64d301877c47c596fe5cd52a609
SHA1 fdea3202ab65b711296cda5d69f0a13b687b8ce6
SHA256 d3b7571f1d53e858c47f2d900fd24ef7b84dde5564c86549333cdcccaaab4b56
SHA512 b0b33466de2b0cb3558ef202052842778d090d4e2ef730400d57f9eadb4ae6a05dae0c443e7898980ea86a7d3f0857e48158ca6da067b445d004b9adf7f8273f

memory/3460-55-0x0000000140000000-0x00000001400B5000-memory.dmp

C:\Users\Admin\AppData\Roaming\maNgzN\msdt.exe

MD5 992c3f0cc8180f2f51156671e027ae75
SHA1 942ec8c2ccfcacd75a1cd86cbe8873aee5115e29
SHA256 6859d1b5d1beaa2985b298f3fcee67f0aac747687a9dec2b4376585e99e9756f
SHA512 1f1b8d39e29274cfc87a9ef1510adb9c530086a421c121523376731c8933c6e234e9146310d3767ce888a8dce7a5713221f4d25e5b7b6398d06ae2be2b99eadf

C:\Users\Admin\AppData\Local\Temp\hJgcfMY.cmd

MD5 49db0fc2cf50ea906754cebdf22c94cd
SHA1 c406373a93abc9e8f5ca4bf549bedb9b6e6afce8
SHA256 5868be921c3986481e9c9f313492ed9c27091a1432b078f36e425f9bfe7057e4
SHA512 722a75cd72184213013d26e3ed3177c641f1cb2b9f6c63b7b99f211fb661d9079a536e1f2b382c818b64681f087eb1bd44c13432ff25659943f732eda19491e1

memory/3460-48-0x00007FFB40B60000-0x00007FFB40B70000-memory.dmp

memory/3460-47-0x0000000001260000-0x0000000001267000-memory.dmp

memory/3460-34-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-27-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-25-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-24-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-23-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-22-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-21-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-18-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-20-0x0000000140000000-0x00000001400B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BuN6C96.tmp

MD5 889e6f11ce581c93942d45a6025ae09e
SHA1 bc8614c8cb346b53f663bad5e702bd4e1c616f10
SHA256 88424ef21db2c0a1690f2682937db6863a97558f1c1113c0a0f9b6dbeffc0c37
SHA512 5aadb8f48899c64670d968ce78d456e0fcc941f291e7be1354f8855d127f7cf3f562c7fb825b01a5aa561d69ed0dba6670d7293cefce1483bbaa343b1920d662

C:\Users\Admin\AppData\Local\Temp\q0a.cmd

MD5 3e24ed3b80af5d6fb758c5d1c601bfee
SHA1 75a7fab7d4512e2047e0922813ea7cce50214914
SHA256 f0ad91d5acfa6dfb1a38cf54e396e772fd147a3bbda31fa6f4a72749342b457e
SHA512 d409961883ad16a38bbd988baf3c4bab010bda4000fae7cfd8bde7b3f9f65478bcf3afab18217b131c11bb01b16334136cea0c1cff2adb42624329a6ed97b49c

C:\Users\Admin\AppData\Local\Temp\NIzJXm.cmd

MD5 5d90258de0a0de4b6729459a0fc78014
SHA1 2df34635db3692f970033e878fecf03410228350
SHA256 8e5e3b8a2843f85130e9afe383e38936218b3a154d42e328edd52c9cb156600c
SHA512 ee129c1118c714cc9faa53932c67aa236597f7a4311802df80a5c156753320fcd9ff4d58b60cdcc443c9f314c1f4b961c131c3e0fcf92adaee1ae3fdbfee879d

memory/3460-44-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-19-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-17-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-12-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-16-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-15-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-14-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-13-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-8-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-7-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-11-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-9-0x0000000140000000-0x00000001400B5000-memory.dmp

memory/3460-10-0x0000000140000000-0x00000001400B5000-memory.dmp

C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Eeaxmqtu.lnk

MD5 b098bcf57c2d99718f8e6fe8cdfefbb6
SHA1 720041580f52141e984f2ee9e93ac3b6167831b6
SHA256 b8448ddd57e0332577e3e205b4a034404515f06340d9662b44cea0263f48fa94
SHA512 7f5b836376e0d3d858e8590ee8e0b510bce92b7522e870eeaabfecba89c08f9aefafbdb4178448c711386839707ddf151135e29b462190f073150a1a36ae2676