Malware Analysis Report

2024-08-06 14:46

Sample ID 240617-gtq6ga1gqj
Target 130e262fc8d5700e44df1213fa857f7f.exe
SHA256 2de9fa092d7c352b538462db3b0a9aa757924ad55383b24a61e797cf3cf08372
Tags nanocore evasion execution keylogger persistence spyware stealer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 2de9fa092d7c352b538462db3b0a9aa757924ad55383b24a61e797cf3cf08372

Threat Level: Known bad

The file 130e262fc8d5700e44df1213fa857f7f.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-17 06:06

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-17 06:06
Reported 2024-06-17 06:08
Platform win7-20240221-en
Max time kernel 121s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NAS Host = "C:\\Program Files (x86)\\NAS Host\\nashost.exe" | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1744 set thread context of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\NAS Host\nashost.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
File opened for modification | C:\Program Files (x86)\NAS Host\nashost.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1744 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2608 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2864 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1744 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1744 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1744 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1744 wrote to memory of 2584 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1744 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 2508 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2960 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2508 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe

"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qAUEpTI.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qAUEpTI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5CD0.tmp"

C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe

"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAS Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5F8E.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NAS Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp5FEC.tmp"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 2023endofyear.duckdns.org | udp
NL | 91.92.255.172:15230 | 2023endofyear.duckdns.org | tcp

Files

memory/1744-0-0x000000007466E000-0x000000007466F000-memory.dmp

memory/1744-1-0x0000000000E20000-0x0000000000EF6000-memory.dmp

memory/1744-2-0x0000000074660000-0x0000000074D4E000-memory.dmp

memory/1744-3-0x0000000000B70000-0x0000000000B8A000-memory.dmp

memory/1744-4-0x0000000000500000-0x0000000000510000-memory.dmp

memory/1744-5-0x0000000005C60000-0x0000000005CDC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5CD0.tmp

MD5 ede3d4dbfc859d8a6b51c355322444a5
SHA1 fb7298c52c3d0d314421f91b11e1abee362bc999
SHA256 d0f1fa7ff866f53106278c1b19ae76f8fce4f3c9a1d24d4145d7b05592c89328
SHA512 d002c15aa144d4e828c52fd158ec1376ae2673b036659fcd47be9acaacca3a913e286413e4d30e26a8e6ed822d21f074aa59fa5bd0f0d4d054333b882fd6782b

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 abda5a392e1440d250d0feb13fcf50be
SHA1 e5a9dfdfd78352798fe77b5ed836e2ac6e69dadc
SHA256 af107c744fb5823a9638de0d20bac09d5ca204f0edb2ead359c808bca58a7bb4
SHA512 6393350f0713cb282284b529c62bb2a082ac3741cd6267788b489faabb0c9d8fe5bca3a54820d681c1ba373e98f86d47c88312c188803178bf27fc3386f0d0ee

memory/2508-18-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2508-29-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2508-28-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1744-30-0x0000000074660000-0x0000000074D4E000-memory.dmp

memory/2508-27-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2508-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2508-24-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2508-22-0x0000000000400000-0x000000000043A000-memory.dmp

memory/2508-20-0x0000000000400000-0x000000000043A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5F8E.tmp

MD5 7ca5bfa8b1d5d27408930d7f42beb425
SHA1 ef4fb82a20b357e3f678ac4f8988a03fc60db2ed
SHA256 6b4072c53ba8e49354e554299945d7a9adcda2e42a13634b05ae8d9a4b05f0d7
SHA512 0dea5fa64bbd98e1515a01357110926a4a4801a3d188393c6e0630868dfbf0b21a55708d5ca8dfc8f70fb0bfc95fc42b70822f76696d91a11d486e2f1637532a

C:\Users\Admin\AppData\Local\Temp\tmp5FEC.tmp

MD5 9f554f602c22cfc20079e966d177fadb
SHA1 789baa3425849bf239e47c6bcf352e6693a8c337
SHA256 4c760d5fe0c06cf4bf554170870f41181c61a217c37eb826903094dda86dd1f1
SHA512 b83e3e97dbe38ec4c64d9bef65e2521416f2d7434d78d05e66f729a2e0fbfea3f9bc6f6c4abaf76555af89a9565dfc0853d99067be9042dd66ed6246696eecbb

memory/2508-38-0x00000000003F0000-0x00000000003FA000-memory.dmp

memory/2508-39-0x0000000000480000-0x000000000048C000-memory.dmp

memory/2508-40-0x0000000000660000-0x000000000067E000-memory.dmp

memory/2508-41-0x0000000000610000-0x000000000061A000-memory.dmp

memory/2508-44-0x0000000000870000-0x0000000000882000-memory.dmp

memory/2508-45-0x0000000000D90000-0x0000000000DAA000-memory.dmp

memory/2508-46-0x0000000000AA0000-0x0000000000AAE000-memory.dmp

memory/2508-48-0x0000000000E10000-0x0000000000E1E000-memory.dmp

memory/2508-47-0x0000000000E00000-0x0000000000E12000-memory.dmp

memory/2508-50-0x0000000002410000-0x0000000002424000-memory.dmp

memory/2508-51-0x0000000002420000-0x0000000002430000-memory.dmp

memory/2508-49-0x0000000002400000-0x000000000240C000-memory.dmp

memory/2508-52-0x0000000002430000-0x0000000002444000-memory.dmp

memory/2508-53-0x0000000002450000-0x000000000245E000-memory.dmp

memory/2508-55-0x00000000024E0000-0x00000000024F4000-memory.dmp

memory/2508-54-0x00000000024B0000-0x00000000024DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-17 06:06
Reported 2024-06-17 06:08
Platform win10v2004-20240226-en
Max time kernel 143s
Max time network 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Subsystem = "C:\\Program Files (x86)\\SMTP Subsystem\\smtpss.exe" | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3364 set thread context of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
File opened for modification | C:\Program Files (x86)\SMTP Subsystem\smtpss.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3364 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 4588 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3364 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3364 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3364 wrote to memory of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3364 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 3184 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 3364 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe
PID 1732 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 2820 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1732 wrote to memory of 3440 | N/A | C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe

"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qAUEpTI.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qAUEpTI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp556E.tmp"

C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe

"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe

"C:\Users\Admin\AppData\Local\Temp\130e262fc8d5700e44df1213fa857f7f.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SMTP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6D9A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "SMTP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp6EF2.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4312 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 2023endofyear.duckdns.org | udp
NL | 91.92.255.172:15230 | 2023endofyear.duckdns.org | tcp
US | 8.8.8.8:53 | 172.255.92.91.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
DE | 142.250.185.138:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 138.185.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 45.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 225.162.46.104.in-addr.arpa | udp

Files

memory/3364-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/3364-1-0x0000000000E60000-0x0000000000F36000-memory.dmp

memory/3364-2-0x0000000005F20000-0x00000000064C4000-memory.dmp

memory/3364-3-0x0000000005970000-0x0000000005A02000-memory.dmp

memory/3364-4-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/3364-5-0x0000000005940000-0x000000000594A000-memory.dmp

memory/3364-6-0x00000000086B0000-0x00000000086CA000-memory.dmp

memory/3364-7-0x0000000008680000-0x0000000008690000-memory.dmp

memory/3364-8-0x00000000089F0000-0x0000000008A6C000-memory.dmp

memory/3364-9-0x000000000B180000-0x000000000B21C000-memory.dmp

memory/3364-10-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

memory/1840-13-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1840-14-0x00000000024E0000-0x0000000002516000-memory.dmp

memory/3364-16-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1840-17-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1840-18-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/1840-20-0x0000000004F50000-0x0000000005578000-memory.dmp

memory/4588-21-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4588-22-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4588-23-0x0000000074ED0000-0x0000000075680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp556E.tmp

MD5 03c5a11af6aa464c10cb54c77cc479e1
SHA1 3022051e6103c2bbc7a6cecfdf1cb108ef7d769c
SHA256 6fbce2f772beb643530f5b6331c9c2068f4ac82d4cdbbd37b7282ecbb965aa3f
SHA512 a7a15fa6255eee9173f391175e70a6732730a9ae787893c63f4f497e176980f77ccea6190fd07456344cfe69ce60000d8981b9e21ad9494847dd1cac55b89bc8

memory/1840-25-0x0000000004EA0000-0x0000000004EC2000-memory.dmp

memory/1732-26-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4588-28-0x00000000058B0000-0x0000000005916000-memory.dmp

memory/4588-29-0x0000000005920000-0x0000000005986000-memory.dmp

memory/3364-30-0x0000000074ED0000-0x0000000075680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oswop02t.gsw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1840-41-0x0000000005890000-0x0000000005BE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp6D9A.tmp

MD5 7ca5bfa8b1d5d27408930d7f42beb425
SHA1 ef4fb82a20b357e3f678ac4f8988a03fc60db2ed
SHA256 6b4072c53ba8e49354e554299945d7a9adcda2e42a13634b05ae8d9a4b05f0d7
SHA512 0dea5fa64bbd98e1515a01357110926a4a4801a3d188393c6e0630868dfbf0b21a55708d5ca8dfc8f70fb0bfc95fc42b70822f76696d91a11d486e2f1637532a

C:\Users\Admin\AppData\Local\Temp\tmp6EF2.tmp

MD5 0339b45ef206f4becc88be0d65e24b9e
SHA1 6503a1851f4ccd8c80a31f96bd7ae40d962c9fad
SHA256 3d568a47a8944a47f4aed6982755ac7ff7dda469cc1c81c213ecaa5d89de1f83
SHA512 c98f4513db34d50510dd986e0d812545c442bd5bef26932032b165759627fab4e00c95fe907ab3416a8a1042bfa77aa516c479f1ff7d1ec2f21ae66df8f72551

memory/1732-57-0x00000000055C0000-0x00000000055CA000-memory.dmp

memory/1732-58-0x00000000055D0000-0x00000000055DC000-memory.dmp

memory/1732-59-0x00000000064A0000-0x00000000064BE000-memory.dmp

memory/1840-60-0x0000000005E30000-0x0000000005E4E000-memory.dmp

memory/1732-61-0x00000000065E0000-0x00000000065EA000-memory.dmp

memory/1840-62-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

memory/4588-64-0x0000000006500000-0x0000000006532000-memory.dmp

memory/4588-65-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/4588-75-0x00000000064E0000-0x00000000064FE000-memory.dmp

memory/1840-76-0x0000000070F40000-0x0000000070F8C000-memory.dmp

memory/4588-86-0x00000000071C0000-0x0000000007263000-memory.dmp

memory/1732-88-0x0000000006E70000-0x0000000006E82000-memory.dmp

memory/1732-89-0x0000000006E80000-0x0000000006E9A000-memory.dmp

memory/1732-90-0x0000000006EB0000-0x0000000006EBE000-memory.dmp

memory/1732-91-0x0000000006EC0000-0x0000000006ED2000-memory.dmp

memory/1732-92-0x0000000006ED0000-0x0000000006EDE000-memory.dmp

memory/1732-94-0x0000000006EF0000-0x0000000006F04000-memory.dmp

memory/1732-93-0x0000000006EE0000-0x0000000006EEC000-memory.dmp

memory/1732-95-0x0000000006F20000-0x0000000006F30000-memory.dmp

memory/1732-96-0x0000000006F30000-0x0000000006F44000-memory.dmp

memory/1732-98-0x0000000006F60000-0x0000000006F8E000-memory.dmp

memory/1732-99-0x0000000006F90000-0x0000000006FA4000-memory.dmp

memory/1732-97-0x0000000006F50000-0x0000000006F5E000-memory.dmp

memory/4588-100-0x00000000078F0000-0x0000000007F6A000-memory.dmp

memory/1840-101-0x00000000071C0000-0x00000000071DA000-memory.dmp

memory/4588-102-0x00000000072B0000-0x00000000072BA000-memory.dmp

memory/1840-103-0x0000000007440000-0x00000000074D6000-memory.dmp

memory/4588-104-0x0000000007460000-0x0000000007471000-memory.dmp

memory/4588-106-0x00000000075B0000-0x00000000075BE000-memory.dmp

memory/1840-107-0x0000000007400000-0x0000000007414000-memory.dmp

memory/1840-108-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4588-109-0x0000000007620000-0x000000000763A000-memory.dmp

memory/1840-110-0x0000000007500000-0x000000000751A000-memory.dmp

memory/1840-111-0x00000000074E0000-0x00000000074E8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5f8e5179b60b1e1985326521a6072dc2
SHA1 79f9b591d896e30fccf6559dd415b7bd13805a70
SHA256 0033985978062666637739f5f4a1601f11c2a1f030215b8c1aa0608a683537a4
SHA512 f4dbd4a4f9334724f78a30292fd3e79f1e2f39d4270de88d49b415ea5447c98e41883d7d3bde1e1793c528d46e06c06ba44cda1957c999d4e27da805fa08d25f

memory/1840-115-0x0000000074ED0000-0x0000000075680000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1840-120-0x0000000074ED0000-0x0000000075680000-memory.dmp

memory/4588-119-0x0000000074ED0000-0x0000000075680000-memory.dmp