Malware Analysis Report

2024-08-06 12:59

Sample ID 240604-by89ysgf8y
Target 829fcf481eccee4d91cffb6e6c1eef3048cab4a9ac10a6c65397bc8b70f06f66.tar
SHA256 829fcf481eccee4d91cffb6e6c1eef3048cab4a9ac10a6c65397bc8b70f06f66
Tags
asyncrat execution rat
score
10/10

Analysis Overview

score
10/10

SHA256

829fcf481eccee4d91cffb6e6c1eef3048cab4a9ac10a6c65397bc8b70f06f66

Threat Level: Known bad

The file 829fcf481eccee4d91cffb6e6c1eef3048cab4a9ac10a6c65397bc8b70f06f66.tar was found to be: Known bad.

Malicious Activity Summary

asyncrat execution rat

AsyncRat

Async RAT payload

Detects executables packed with ConfuserEx Mod

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Suspicious use of SetThreadContext

Command and Scripting Interpreter: JavaScript

Enumerates physical storage devices

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:34

Reported

2024-06-04 01:38

Platform

win7-20240508-en

Max time kernel

0s

Max time network

137s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24603909AF.js

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Downloads MZ/PE file

Command and Scripting Interpreter: JavaScript

execution

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24603909AF.js

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe

"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe

"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp24CF.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\audio.exe

"C:\Users\Admin\AppData\Local\Temp\audio.exe"

C:\Users\Admin\AppData\Local\Temp\audio.exe

"C:\Users\Admin\AppData\Local\Temp\audio.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 electrikar.com.mx udp
US 157.230.6.220:443 electrikar.com.mx tcp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.12.5:2703 chongmei33.publicvm.com tcp
SE 46.246.12.5:2703 chongmei33.publicvm.com tcp
SE 46.246.12.5:2703 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chonglee575.duckdns.org udp
LV 141.101.134.51:49746 chonglee575.duckdns.org tcp
LV 141.101.134.51:6974 chonglee575.duckdns.org tcp
SE 46.246.12.5:49746 chongmei33.publicvm.com tcp
SE 46.246.12.5:49746 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chonglee575.duckdns.org udp
LV 141.101.134.51:6974 chonglee575.duckdns.org tcp
LV 141.101.134.51:6974 chonglee575.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe

MD5 f672108901b809c33d38bb6801c9b273
SHA1 b5d45949ba7d38b92c20d31cfcae6d437dea8c18
SHA256 90e5d1dba754723f6b34acbc974c65467495605f197857569a7ff211aeffca7f
SHA512 6f0cae9ca529b197fd5464c6d929437fadfc5c6c36aee5fc7fce1425d5e94cd8a90573c486c339df79ca75b532ef21d9105981eb7650c652db1abc6401c73c25

C:\Users\Admin\AppData\Local\Temp\tmp24CF.tmp.bat

MD5 23f474e404a298072777cd46249d97b6
SHA1 8e64cd61ff89b69f11a5b1e5f80080362f05494d
SHA256 60e3784f46bb06277343552c35867107cbfe460f5eb1c2f1ce216d15c3cf0f24
SHA512 464a204c03067721f31fa20c7652b0a87d2821acd334ac5abc1990db59fc4c2938db7e9378f443429b46a02818e6aaed7d5b4a46ebf838c53e2aca0f94f68665

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:34

Reported

2024-06-04 01:38

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24603909AF.js

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with ConfuserEx Mod

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\wscript.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4360 set thread context of 2388 N/A C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
PID 3636 set thread context of 2772 N/A C:\Users\Admin\AppData\Local\Temp\audio.exe C:\Users\Admin\AppData\Local\Temp\audio.exe

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\audio.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4252 wrote to memory of 4360 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
PID 4360 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe
PID 2388 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe C:\Windows\SysWOW64\cmd.exe
PID 4068 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4444 wrote to memory of 2328 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4444 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\audio.exe
PID 3636 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\audio.exe C:\Users\Admin\AppData\Local\Temp\audio.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-24603909AF.js

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe

"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe

"C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp851E.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "audio" /tr '"C:\Users\Admin\AppData\Local\Temp\audio.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Local\Temp\audio.exe

"C:\Users\Admin\AppData\Local\Temp\audio.exe"

C:\Users\Admin\AppData\Local\Temp\audio.exe

"C:\Users\Admin\AppData\Local\Temp\audio.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 electrikar.com.mx udp
US 157.230.6.220:443 electrikar.com.mx tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 220.6.230.157.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 chonglee575.duckdns.org udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
LV 141.101.134.51:6974 chonglee575.duckdns.org tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 chongmei33.publicvm.com udp
SE 46.246.12.5:2703 chongmei33.publicvm.com tcp
LV 141.101.134.51:6974 chonglee575.duckdns.org tcp
SE 46.246.12.5:2703 chongmei33.publicvm.com tcp
SE 46.246.12.5:2703 chongmei33.publicvm.com tcp
US 8.8.8.8:53 chonglee575.duckdns.org udp
LV 141.101.134.51:6974 chonglee575.duckdns.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
SE 46.246.12.5:2703 chongmei33.publicvm.com tcp
LV 141.101.134.51:49746 chonglee575.duckdns.org tcp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\SGUDBQ.exe

MD5 f672108901b809c33d38bb6801c9b273
SHA1 b5d45949ba7d38b92c20d31cfcae6d437dea8c18
SHA256 90e5d1dba754723f6b34acbc974c65467495605f197857569a7ff211aeffca7f
SHA512 6f0cae9ca529b197fd5464c6d929437fadfc5c6c36aee5fc7fce1425d5e94cd8a90573c486c339df79ca75b532ef21d9105981eb7650c652db1abc6401c73c25

C:\Users\Admin\AppData\Local\Temp\tmp851E.tmp.bat

MD5 270a7aebcf360b448ffbdc7526687c27
SHA1 3e120a6a1f6e2c0e0ffab247953f15dfe6c47d83
SHA256 ca8c64079d120176f6357aaf6c8a618f5c21b26aa30c15bb887b9d913b8db996
SHA512 1ec04ea9f722e839ae6fd7be4f3a95e967de759239a6520f576ede044d3b8e50060812b3f304fbc11abf96d151d9d0222af12a89b2d8a519b9abccbe2f189eca
