Malware Analysis Report

2024-08-06 14:50

Sample ID 240617-lg2hwsvcpg
Target 41d27d71597c9d1163fb58a816223962.exe
SHA256 b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c
Tags: nanocore evasion execution keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c

Threat Level: Known bad

The file 41d27d71597c9d1163fb58a816223962.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 09:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 09:31

Reported

2024-06-17 09:33

Platform

win7-20231129-en

Max time kernel

122s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Service = "C:\\Program Files (x86)\\TCP Service\\tcpsv.exe" C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3040 set thread context of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Service\tcpsv.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A
File opened for modification C:\Program Files (x86)\TCP Service\tcpsv.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3040 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3040 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 3040 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 2592 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2592 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe

"C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4366.tmp"

C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe

"C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "TCP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp45F7.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4366.tmp

MD5 dd41a55e91d30abaebed8fb7813de17f
SHA1 80e80df50fde261dcad2ad1c538c40a3356b6839
SHA256 7b7e970d4e04fa4812cf034406b8510e63296758f82bc24ec5c0a0c60bfd3376
SHA512 b2ffb984220e4b6c93a714c9c1fb7d9ed6e707f7b4485d8042666edcec8a0f6310e1008155220781426fb9f03ad71a35921fa3f36583e01ec4d3a62a310f1afb

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e4e55e4e894caaaed4bd81b513b97086
SHA1 709af8c3741ea24328bdc0fbd982d073f80f96d3
SHA256 c953aa3ae83c48bd5f0752020f9100bc95d28f7d44d9bf0c0a09355e0f4c8eb2
SHA512 45e46a5249699fbbbd1773da34933386ced437ef39da6e5c19771ee2c097a513add674405cb473421b5244ead920ed9dafff168bd997bb9bcfe6b6f0c229b5ab

C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp

MD5 05589205dc8e59621292cc8574379849
SHA1 560d6d90ca08f886d81f591e737aa7e8e8dd0b78
SHA256 183ea387a9a8ff41d986ee844f36508ff674eaf86e287ea81ee4725454dde0fd
SHA512 0ec8548b36e548c395797d96777a935c2ab1824dd0327a5eec04c0c118e444aff735b76579940685b09bbf69469bea9fc08c07aef3b6b63f1b72da446ca3d394

C:\Users\Admin\AppData\Local\Temp\tmp45F7.tmp

MD5 93fc3117767507c9889abd12dc667d22
SHA1 1096e4cfa0c35756e3c3fb866c1e4c1e59115df9
SHA256 684997dd4ce15031cec8f2f93933b1d41d7bf5cbbff655dd64377b07055c449a
SHA512 e403348ee77bd3e7c45245dd5dae81c3ea130d5cf342f630982772ce5f75548b292013480e2831d68cf51349b64afde4589d4eec94b567d20f0a01e3b9549bdc

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 09:31

Reported

2024-06-17 09:33

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PCI Service = "C:\\Program Files (x86)\\PCI Service\\pcisv.exe" C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1696 set thread context of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\PCI Service\pcisv.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A
File opened for modification C:\Program Files (x86)\PCI Service\pcisv.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1696 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 1696 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 1696 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 1696 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe
PID 2604 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe
PID 2604 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe

"C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7223.tmp"

C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe

"C:\Users\Admin\AppData\Local\Temp\41d27d71597c9d1163fb58a816223962.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "PCI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp7639.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "PCI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp785D.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 91.92.255.172:15170 2023endofyear.duckdns.org tcp
US 8.8.8.8:53 172.255.92.91.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7223.tmp

MD5 0fcb737f0a674e5f11567a7e3ab19375
SHA1 dd11b9beae7758652a487505cb235955068568f2
SHA256 b90e700e86cba0bfedb58b049ced41ba348164f3f5be093927667d3f46de8e56
SHA512 c52879fbcf1a14b2266b493183dd719845042b167b69efe1712edd9d16d9f2cfc51426650c95ec47bba7dddb0aac987111a98a22c18c498ab029eb54e7bc553a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kte2e2me.wxl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp7639.tmp

MD5 05589205dc8e59621292cc8574379849
SHA1 560d6d90ca08f886d81f591e737aa7e8e8dd0b78
SHA256 183ea387a9a8ff41d986ee844f36508ff674eaf86e287ea81ee4725454dde0fd
SHA512 0ec8548b36e548c395797d96777a935c2ab1824dd0327a5eec04c0c118e444aff735b76579940685b09bbf69469bea9fc08c07aef3b6b63f1b72da446ca3d394

C:\Users\Admin\AppData\Local\Temp\tmp785D.tmp

MD5 bbb0d424bb7cb3b0e6aeb68cf82b8f5f
SHA1 7e95dcd21a27ee53e5c23ed5a163df56a43d572a
SHA256 08d6bee474edf0151a0d8ff942ba9e6a1efe069585c63477abd1c7bd8046e130
SHA512 0dc790a415f9717f6e7633c1d5f2749a2eca5582c5bbe114119c3ddba6d4e4d0df48029622e2fe07f94d8ae97c334b88691b7721da50ada261449769ae31d466

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fdc18685ffd5140a2e2fe5e2819c27d9
SHA1 ecd8ddeace6b0d744a329becde68018cddbec9dd
SHA256 63e6ca7f145af428d2538933ae1d03f93f3504615c1a166e96b7fd131184fbe9
SHA512 2734cec8bc629c9f8fc8f7676c76c203473cdb957f0a237c2ceb3e93c08d4d6a7b45b8ab8423d2a4289b460ee92ac953f7a09562f7abea21777f7ae8093dca3a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
