Malware Analysis Report

2024-10-18 22:07

Sample ID 240611-szdm4ssdnq
Target fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa
SHA256 fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa
Tags bootkit persistence spyware stealer
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa

Threat Level: Likely malicious

The file fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa was found to be: Likely malicious.

Malicious Activity Summary

bootkit persistence spyware stealer

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Loads dropped DLL

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-11 15:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 15:33

Reported 2024-06-11 15:35

Platform win7-20240221-en

Max time kernel 149s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fqesq.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fqesq.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\dsnwf\\upgov.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\dsnwf C:\Users\Admin\AppData\Local\Temp\fqesq.exe N/A
File created \??\c:\Program Files\dsnwf\upgov.dll C:\Users\Admin\AppData\Local\Temp\fqesq.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (64 identical rows, collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows, collapsed)
PID 2688 wrote to memory of 2956 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (4 identical rows, collapsed)
PID 2688 wrote to memory of 2648 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fqesq.exe (4 identical rows, collapsed)
PID 2648 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\fqesq.exe \??\c:\windows\SysWOW64\rundll32.exe (7 identical rows, collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe

"C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fqesq.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\fqesq.exe

C:\Users\Admin\AppData\Local\Temp\\fqesq.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\dsnwf\upgov.dll",Verify C:\Users\Admin\AppData\Local\Temp\fqesq.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp (2 identical rows, collapsed)
US 110.34.196.34:3204 tcp (4 identical rows, collapsed)
US 110.34.196.35:805 tcp (4 identical rows, collapsed)

Files

memory/2156-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2156-2-0x0000000000400000-0x0000000000464000-memory.dmp

\Users\Admin\AppData\Local\Temp\fqesq.exe

MD5 394e0d95883086120268a880eedac5c0
SHA1 9f388baa601aaa35fee7eea68fe6d8388b386076
SHA256 b252ffcfff610fc419b4b8b0b9b88376f0f0d69c89947100b8af858bdc858cc0
SHA512 97c7a719941faf2a1bc1e8facbc99bd7333da987c9f7eb15105c032efcd39a681b7bd988f37f8f384231dbf33c34b949a198b80c18c687aacd12ea0d17a3e782

memory/2648-9-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2688-7-0x00000000002C0000-0x0000000000324000-memory.dmp

memory/2688-6-0x00000000002C0000-0x0000000000324000-memory.dmp

memory/2648-11-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\dsnwf\upgov.dll

MD5 2ebfd94526353117741976fa41b2eb9c
SHA1 508a1a69e1f8d2e76a520ba487b6ec62abf0a0c6
SHA256 825f12192fabc68e76900605a304da44417a08dff82a8f9b02a9ccead56a1521
SHA512 4cdcc3fa153c8cb8f1e64cd75e25bd593ceb30af84d5dc919dc5f8217ec556e9b346e3d14fab5e6029657bede36f9440c073240803b75997c8c5b2db45cea256

memory/2496-19-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2496-18-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2496-16-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2496-20-0x0000000010000000-0x0000000010080000-memory.dmp

memory/2496-22-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-11 15:33

Reported 2024-06-11 15:36

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lkcpc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lkcpc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\nfjbtb\\ohmmy.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\nfjbtb C:\Users\Admin\AppData\Local\Temp\lkcpc.exe N/A
File created \??\c:\Program Files\nfjbtb\ohmmy.dll C:\Users\Admin\AppData\Local\Temp\lkcpc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A (64 identical rows, collapsed)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1580 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows, collapsed)
PID 4856 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (3 identical rows, collapsed)
PID 4856 wrote to memory of 4816 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\lkcpc.exe (3 identical rows, collapsed)
PID 4816 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\lkcpc.exe \??\c:\windows\SysWOW64\rundll32.exe (3 identical rows, collapsed)

Processes

C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe

"C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\lkcpc.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\lkcpc.exe

C:\Users\Admin\AppData\Local\Temp\\lkcpc.exe "C:\Users\Admin\AppData\Local\Temp\fc60f1ead466b76c91aadd1f78c4fcb2c1b4dfc99ac9b93e45a5efdd62ce7caa.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\nfjbtb\ohmmy.dll",Verify C:\Users\Admin\AppData\Local\Temp\lkcpc.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp (4 identical rows, collapsed)
US 110.34.196.35:805 tcp (3 identical rows, collapsed)

Files

memory/1580-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1580-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\lkcpc.exe

MD5 91811aeb971dc80606734b16447f071c
SHA1 4c2e86986cab4509cb28dda07fdc842957c939aa
SHA256 08d9bdb4ce922dca35ca8802c1542ef08e29dd75515dcf7b7727b027238453aa
SHA512 ed8efe6d05c4d9250799e7c5b39fdf78cce79dd45ba8b1326234ac8f7146a0fe25c2e45890650b994910216cdeb82b3df758ffc35429b9a858ac9466355c84cc

memory/4816-6-0x0000000000400000-0x0000000000464000-memory.dmp

memory/4816-8-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\nfjbtb\ohmmy.dll

MD5 7714c6ef582fe8164e7ba84dd83cdaf5
SHA1 24e147cf93d5a2c3446a178b7dabff8610a10d30
SHA256 fec53849b1122f00824df194904cf2eea31d3af2a37a6f7e715ed79535afd691
SHA512 67a0039669e572c692d4ed1b91b1d51f4989a7cb87c33a518d94c774942ef22debdbf9f1e35769e72d393d3ad5f95882621af6bd5e25661a8837ed2d9d25e01c

memory/3628-11-0x0000000010000000-0x0000000010080000-memory.dmp

memory/3628-12-0x0000000010000000-0x0000000010080000-memory.dmp

memory/3628-14-0x0000000010000000-0x0000000010080000-memory.dmp