Malware Analysis Report

2024-10-10 13:01

Sample ID: 240619-lwhz4ayapg
Target: Telegold Patch.exe
SHA256: cde859e5bd97108d73250f81322ba53b5ac27464a369ea5e2f99affbb8b4cd8a
Tags: pyinstaller dcrat infostealer persistence rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: cde859e5bd97108d73250f81322ba53b5ac27464a369ea5e2f99affbb8b4cd8a

Threat Level: Known bad

The file Telegold Patch.exe was found to be: Known bad.

Malicious Activity Summary

Tags: pyinstaller dcrat infostealer persistence rat

Process spawned unexpected child process

DcRat

Modifies WinLogon for persistence

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Detects Pyinstaller

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-19 09:52

Signatures

Detects Pyinstaller

Tags: pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-19 09:52
Reported: 2024-06-19 09:55
Platform: win7-20240611-en
Max time kernel: 120s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"

C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20562\python39.dll

MD5: 5cd203d356a77646856341a0c9135fc6
SHA1: a1f4ac5cc2f5ecb075b3d0129e620784814a48f7
SHA256: a56afcf5f3a72769c77c3bc43c9b84197180a8b3380b6258073223bfd72ed47a
SHA512: 390008d57fa711d7c88b77937bf16fdb230e7c1e7182faea6d7c206e9f65ced6f2e835f9da9befb941e80624abe45875602e0e7ad485d9a009d2450a2a0e0f1f

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-19 09:52
Reported: 2024-06-19 09:57
Platform: win10v2004-20240611-en
Max time kernel: 150s
Max time network: 202s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"

Signatures

DcRat

Tags: rat infostealer dcrat
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (42 identical rows)
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ea9f0e6c9e2dcd | C:\hypercommon\Providerhost.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\maeim.exe | N/A

Modifies WinLogon for persistence

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Providerhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\", \"C:\\Recovery\\WindowsRE\\sihost.exe\", \"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\", \"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\", \"C:\\hypercommon\\spoolsv.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\", \"C:\\Recovery\\WindowsRE\\Providerhost.exe\", \"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\", \"C:\\hypercommon\\csrss.exe\", \"C:\\hypercommon\\lsass.exe\", \"C:\\Users\\Default\\PrintHood\\wininit.exe\", \"C:\\hypercommon\\wininit.exe\", \"C:\\Program Files\\Windows Portable Devices\\cmd.exe\", \"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A

Process spawned unexpected child process

Description | Indicator | Process | Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe (42 identical rows)

DCRat payload

Tags: rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (3 identical rows)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\maeim.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\hypercommon\Providerhost.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\maeim.exe | N/A
N/A | N/A | C:\hypercommon\Providerhost.exe | N/A
N/A | N/A | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | N/A

Adds Run key to start application

Tags: persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\hypercommon\\spoolsv.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\PrintHood\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\PrintHood\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\hypercommon\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\hypercommon\\csrss.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\hypercommon\\lsass.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\hypercommon\\wininit.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Recovery\\WindowsRE\\winlogon.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sihost = "\"C:\\Recovery\\WindowsRE\\sihost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Providerhost = "\"C:\\Recovery\\WindowsRE\\Providerhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhostw = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\taskhostw.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files\\Windows Defender\\es-ES\\RuntimeBroker.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Portable Devices\\cmd.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files\\Internet Explorer\\en-US\\fontdrvhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OfficeClickToRun = "\"C:\\Users\\Public\\Downloads\\OfficeClickToRun.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\appcompat\\appraiser\\Telemetry\\SppExtComObj.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\hypercommon\\spoolsv.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Providerhost = "\"C:\\Recovery\\WindowsRE\\Providerhost.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\hypercommon\\csrss.exe\"" | C:\hypercommon\Providerhost.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\hypercommon\\lsass.exe\"" | C:\hypercommon\Providerhost.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\ea9f0e6c9e2dcd | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Program Files\Internet Explorer\en-US\5b884080fd4f94 | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe | C:\hypercommon\Providerhost.exe | N/A
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Program Files\Windows Portable Devices\cmd.exe | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Program Files\Windows Defender\es-ES\9e8d7a4ca61bd9 | C:\hypercommon\Providerhost.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | C:\hypercommon\Providerhost.exe | N/A
File created | C:\Windows\appcompat\appraiser\Telemetry\e1ef82546f0b02 | C:\hypercommon\Providerhost.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\hypercommon\Providerhost.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings | C:\maeim.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A (42 identical rows)

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\hypercommon\Providerhost.exe | N/A (3 identical rows)
N/A | N/A | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\hypercommon\Providerhost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4656 wrote to memory of 3788 | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe (2 identical rows)
PID 3788 wrote to memory of 3732 | N/A | C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe | C:\Windows\system32\cmd.exe (2 identical rows)
PID 3732 wrote to memory of 2932 | N/A | C:\Windows\system32\cmd.exe | C:\maeim.exe (3 identical rows)
PID 2932 wrote to memory of 5052 | N/A | C:\maeim.exe | C:\Windows\SysWOW64\WScript.exe (3 identical rows)
PID 5052 wrote to memory of 4228 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 4228 wrote to memory of 2340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\hypercommon\Providerhost.exe (2 identical rows)
PID 2340 wrote to memory of 4368 | N/A | C:\hypercommon\Providerhost.exe | C:\Windows\System32\cmd.exe (2 identical rows)
PID 4368 wrote to memory of 2932 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\w32tm.exe (2 identical rows)
PID 4368 wrote to memory of 1500 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe (2 identical rows)

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"

C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Telegold Patch.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\\maeim.exe

C:\maeim.exe

C:\\maeim.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\hypercommon\UMAnfH3ti4CBNtJLBUGw.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\hypercommon\NNV9hmidRTdTt57.bat" "

C:\hypercommon\Providerhost.exe

"C:\hypercommon\Providerhost.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\taskhostw.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\hypercommon\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\hypercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\hypercommon\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\hypercommon\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\hypercommon\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\hypercommon\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\hypercommon\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\hypercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\hypercommon\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\en-US\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\hypercommon\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\hypercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\hypercommon\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Defender\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ProviderhostP" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Providerhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Providerhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Providerhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ProviderhostP" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Providerhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7yoMSbkWHX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe

"C:\Windows\appcompat\appraiser\Telemetry\SppExtComObj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
BE 88.221.83.227:443 www.bing.com tcp
US 8.8.8.8:53 227.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 cb89285.tmweb.ru udp
RU 5.23.50.26:80 cb89285.tmweb.ru tcp
US 8.8.8.8:53 vh332.timeweb.ru udp
RU 5.23.50.26:443 vh332.timeweb.ru tcp
US 8.8.8.8:53 26.50.23.5.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 209.80.50.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI46562\python39.dll

C:\Users\Admin\AppData\Local\Temp\_MEI46562\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI46562\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI46562\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46562\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI46562\resourses.zip

C:\maeim.exe

C:\hypercommon\UMAnfH3ti4CBNtJLBUGw.vbe

C:\hypercommon\NNV9hmidRTdTt57.bat

C:\hypercommon\Providerhost.exe

memory/2340-48-0x00000000002E0000-0x000000000041E000-memory.dmp

memory/2340-49-0x0000000000C40000-0x0000000000C5C000-memory.dmp

memory/2340-50-0x000000001B5D0000-0x000000001B620000-memory.dmp

memory/2340-51-0x000000001AFF0000-0x000000001B006000-memory.dmp

memory/2340-52-0x000000001B010000-0x000000001B022000-memory.dmp

memory/2340-53-0x000000001BC70000-0x000000001C198000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7yoMSbkWHX.bat

memory/1500-91-0x0000000003130000-0x0000000003142000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 09:52

Reported

2024-06-19 09:55

Platform

win7-20240221-en

Max time kernel

119s

Max time network

119s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.pyc\ = "pyc_auto_file" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-19 09:52

Reported

2024-06-19 09:55

Platform

win10v2004-20240508-en

Max time kernel

102s

Max time network

102s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 146.177.190.20.in-addr.arpa udp

Files

N/A