Malware Analysis Report

2024-08-06 14:49

Sample ID 240618-wybc5steph
Target b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
SHA256 b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c
Tags: nanocore evasion execution keylogger persistence spyware stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c

Threat Level: Known bad

The file b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe was found to be: Known bad.

Malicious Activity Summary

nanocore evasion execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 18:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 18:19

Reported

2024-06-18 18:21

Platform

win7-20240508-en

Max time kernel

121s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A
File opened for modification C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2156 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2156 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2684 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2684 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe

"C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp"

C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe

"C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmp50A0.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp512D.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2023endofyear.duckdns.org udp
NL 94.156.68.149:15170 2023endofyear.duckdns.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp4EDB.tmp

MD5 451694b44e16d20ee1f298da96dd0f58
SHA1 f308d663153469403ce358febf4cbf6f408acccc
SHA256 99646a20b2de3494907c71a8d2b2c616af68513bade2e0cafc6af49869d8b8b1
SHA512 4e61a15db53137ea569aff1472dd6747b208ef383f0c8c87610351708efd5a452e48a939a96ce16d287ab5fc7de14123a163fc3807a0a0983ee8858365221566

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 679eefca1a23f2ab37681d9c1766c9ba
SHA1 cf4c7a3f5b378f8d41d05369321efd2e1105966c
SHA256 6f9ff78ed3442016976e11e1ec80b8692cb390f781da50e8acffef28e5a2c627
SHA512 813d699220721b1132d141faa93ceb9f5567d45db40336448d392d5ba7392a1f14b159fec0c6119144fd0107e5122bac05a348745aeb7ea1bab0b66b4967a9f2

C:\Users\Admin\AppData\Local\Temp\tmp50A0.tmp

MD5 cabdc89a33b52830601190421a4838a9
SHA1 94fc2d24b510c8f19ad2cda8f391e5893666ae68
SHA256 273dd05dea08a08008bbcc67b4fc726817a87c270fdccb97319a990869905b99
SHA512 b3273af6953c6e01a327faa305478f54c3a0528c1853d8e7c517ba6d616f8850ee9d9ecaaaa5896ce8584d63e911a59af5e24df94e0b2f4ee100b12f3b2de965

C:\Users\Admin\AppData\Local\Temp\tmp512D.tmp

MD5 981e126601526eaa5b0ad45c496c4465
SHA1 d610d6a21a8420cc73fcd3e54ddae75a5897b28b
SHA256 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527
SHA512 a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 18:19

Reported

2024-06-18 18:21

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Subsystem = "C:\\Program Files (x86)\\DPI Subsystem\\dpiss.exe" C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A
File opened for modification C:\Program Files (x86)\DPI Subsystem\dpiss.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2476 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2476 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2476 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe
PID 2532 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe
PID 2532 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe

"C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dsiayzgxX.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dsiayzgxX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp"

C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe

"C:\Users\Admin\AppData\Local\Temp\b4a76ec2287a65963ea978ae7911b8c42c3411a21c995463985599d975e9960c.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp83E5.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DPI Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp852F.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 2023endofyear.duckdns.org udp
US 8.8.4.4:53 2023endofyear.duckdns.org udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
US 8.8.4.4:53 2023endofyear.duckdns.org udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
US 8.8.4.4:53 2023endofyear.duckdns.org udp
US 8.8.8.8:53 2023endofyear.duckdns.org udp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
N/A 127.0.0.1:15170 tcp
US 8.8.8.8:53 2023endofyear.duckdns.org udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp7EE4.tmp

MD5 67f3841530a444959642da8346e17c6a
SHA1 4a0f70a8050d4f3c0f1c06b0513e47d110653605
SHA256 4a923b1b51b4477d9c93e804046eb974c4b160a9a257e85bc5835a2b56c9a73c
SHA512 f882f3b48ca210c5bbf15d8bcc3a43dfd40834850bd92e681249784022d75ca29368613695504702eb4840832a06e3560a277c08583431d1c275c1bb0cca098b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dkv1vrqj.sja.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp83E5.tmp

MD5 cabdc89a33b52830601190421a4838a9
SHA1 94fc2d24b510c8f19ad2cda8f391e5893666ae68
SHA256 273dd05dea08a08008bbcc67b4fc726817a87c270fdccb97319a990869905b99
SHA512 b3273af6953c6e01a327faa305478f54c3a0528c1853d8e7c517ba6d616f8850ee9d9ecaaaa5896ce8584d63e911a59af5e24df94e0b2f4ee100b12f3b2de965

C:\Users\Admin\AppData\Local\Temp\tmp852F.tmp

MD5 5fea24e883e06e4df6d240dc72abf2c5
SHA1 d778bf0f436141e02df4b421e8188abdcc9a84a4
SHA256 e858982f4ab3c74f7a8903eea18c0f73501a77273ae38b54d5c9dec997e79a66
SHA512 15afc2ffbbee14d28a5ff8dc8285d01c942147aada36fb33e31045a4e998769b51738bebe199bcad3462f918b535845a893aa2f80c84b9c795cd1fee4a327924

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3d5d77b27751abd217735d7b930d22dd
SHA1 9ed8f43d9e338dc3dda5e6b9cc169bf7986b7e84
SHA256 398ade8b8491995d66a569bf10ef32a69cc0a386aecd9c1d261f41430c3b053c
SHA512 c1dcc91ffa64c56c6d2915d4da0a28960da1971198f60f4597c293a56b39fc9cb47458a862344da850caebb5efd05b45e4a7e79f2e3d8d04a8c4a2915f0badb9
