Malware Analysis Report

2024-09-11 13:30

Sample ID 240613-3h2zgsygqm
Target 62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b
SHA256 62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b
Tags
upx evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b

Threat Level: Known bad

The file 62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence trojan

Windows security bypass

Drops file in Drivers directory

Sets file execution options in registry

Modifies Installed Components in the registry

Windows security modification

UPX packed file

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-13 23:31

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 23:31

Reported

2024-06-13 23:34

Platform

win7-20240611-en

Max time kernel

149s

Max time network

117s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A414654-5556-524a-4A41-46545556524a}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A414654-5556-524a-4A41-46545556524a}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A414654-5556-524a-4A41-46545556524a} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A414654-5556-524a-4A41-46545556524a}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe C:\Windows\SysWOW64\rmass.exe
PID 2220 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe C:\Windows\SysWOW64\rmass.exe
PID 2220 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe C:\Windows\SysWOW64\rmass.exe
PID 2220 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe C:\Windows\SysWOW64\rmass.exe
PID 1848 wrote to memory of 428 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\system32\winlogon.exe
PID 1848 wrote to memory of 1200 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\Explorer.EXE
PID 1848 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 1848 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 1848 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 1848 wrote to memory of 2292 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe

"C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\system32\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 ksmfaqy.cd udp
US 8.8.8.8:53 ksmfaqy.cd udp

Files

\Windows\SysWOW64\rmass.exe

MD5 a946637af622031e12bee2c0c151d009
SHA1 ef321a817edd30d903110c55f2603a8b6ef6863b
SHA256 62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b
SHA512 22112eb5d01aac42e658ca7d61b22f4db434c3e54c7ff6ae9d264aa0a4da6d15123589b3955ec1008c0d89967e0b1316d19876316e67f428cf5b044878b4e6f9

memory/2220-3-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1848-13-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2220-5-0x0000000000320000-0x0000000000331000-memory.dmp

memory/2292-26-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1848-25-0x0000000000370000-0x0000000000381000-memory.dmp

C:\Windows\SysWOW64\ahuy.exe

MD5 649b1f3cfc4a43e3253c88ec9b1aed27
SHA1 b533cbc9024eaaf3a6cbb4df0218e71a4db9fd7b
SHA256 3e172df81a614610f68b7ee6c46700c100dbb06bc8bd9d837b0d187098cc9e5d
SHA512 30e573a9a8cbf2e0a80a61fb66d02a8abd1cd7852dff3b96e2d9cfc5ace3a57cefb211c75373f33d9bf7b55894059cbd8b1460556a81caa326799d2132316a17

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 24ef1eee988344da15bf9a249e9aaa67
SHA1 687cfb9eae0fef720bc2fe99216b3d2fcb67e5a2
SHA256 98f8566ddd12ac3183f2a3c83983d9264cf8b588c567893850218aea3c3e8d75
SHA512 0dccba0bc16de96edb7afc9f858cfcf30981d7d74a27b235df4b2524bbaa1d48bc4e2efe5f8bfe3d531b67f5e3dfb75c7e9123ecff754e30593bf4acbfb9bb1a

memory/1848-60-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1848-100-0x0000000000370000-0x0000000000381000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 b10b13206b0f2cf3968050072f6979bf
SHA1 699db21ba9cecf3f13ac3d76e22cfa41aa94da80
SHA256 0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4
SHA512 d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 23:31

Reported

2024-06-13 23:34

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

93s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50565759-4e4d-4454-5056-57594E4D4454} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50565759-4e4d-4454-5056-57594E4D4454}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50565759-4e4d-4454-5056-57594E4D4454}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{50565759-4e4d-4454-5056-57594E4D4454}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4292 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe C:\Windows\SysWOW64\rmass.exe
PID 4292 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe C:\Windows\SysWOW64\rmass.exe
PID 4292 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe C:\Windows\SysWOW64\rmass.exe
PID 4068 wrote to memory of 624 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\system32\winlogon.exe
PID 4068 wrote to memory of 1144 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 4068 wrote to memory of 1144 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 4068 wrote to memory of 1144 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe
PID 4068 wrote to memory of 3444 N/A C:\Windows\SysWOW64\rmass.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe

"C:\Users\Admin\AppData\Local\Temp\62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\system32\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 rguoz.pw udp
US 8.8.8.8:53 rguoz.pw udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp

Files

memory/4292-0-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\rmass.exe

MD5 a946637af622031e12bee2c0c151d009
SHA1 ef321a817edd30d903110c55f2603a8b6ef6863b
SHA256 62ee575af4f5e7ef5694857b657c06151d9db1f6e7a1bdfdb4511ab7ba4c8d8b
SHA512 22112eb5d01aac42e658ca7d61b22f4db434c3e54c7ff6ae9d264aa0a4da6d15123589b3955ec1008c0d89967e0b1316d19876316e67f428cf5b044878b4e6f9

memory/4068-13-0x0000000000400000-0x0000000000411000-memory.dmp

memory/4292-12-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1144-19-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\SysWOW64\ntdbg.exe

MD5 3d0f9a7b2061837a389f387ef4fcea4e
SHA1 6e5fde6a90b9064d3c2636323200a2b1d489d3fa
SHA256 db39ebda65b6bf63644d6b5d1a2aed0b7ab60b3b7e7fbc0110166cc3c754a99e
SHA512 b2e85231eec36f0717f307a8fe6dc3ce53defe7cf748be44f66f690633bd5b3cac9c377e12abe74861c086048bdb9288c2e49dbca0b496b0b92d86bf7f104435

C:\Windows\SysWOW64\ahuy.exe

MD5 a7279db853d026eb3d0ebdbb10dcae6e
SHA1 be8b36b113879ad01bfce71304e057c704e6580c
SHA256 b509fedd9dd1f65cc277e8d9a1fb90c452587192a71fb0c7d29a9dbc0cc00d82
SHA512 7b8da0c2e6ad23ff2a2e4673bd98589a4766c803637fb2a77f38225fdd828a86759e8be4c6d4b59e58c1a647354008811eda899a67be18881f8e0541463d4747

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

memory/4068-53-0x0000000000400000-0x0000000000411000-memory.dmp

memory/1144-54-0x0000000000400000-0x0000000000411000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 6f47b62de25d1745e296a06b3f98ed19
SHA1 a688bb35a4c8a5cc198985d624a1b5a6ac5b9f6f
SHA256 15c7218eb9cef5fa0573db657b15ce3a5f0e0609f1166df8098ca7152df505b4
SHA512 dea26fff8060f44bf20fe4fff2ecbacf428727f10c0f5886fb4813e28fce9cbc3d088337c84edd9857b18514c83f1bb1cf0f51518aaecef09f30e921f4d758d7