Malware Analysis Report

2024-09-23 03:17

Sample ID 240702-bvbjhs1fmf
Target 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
Tags
asyncrat njrat stormkitty default hacked evasion persistence privilege_escalation rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

Threat Level: Known bad

The file 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe was found to be: Known bad.

Malicious Activity Summary


StormKitty payload

AsyncRat

njRAT/Bladabindi

StormKitty

Modifies Windows Firewall

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops startup file

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-02 01:27

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 01:27

Reported

2024-07-02 01:30

Platform

win7-20240221-en

Max time kernel

147s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\windows defender (2).exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A
File created | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: 33 | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: 33 | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: 33 | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2016 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2740 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2808 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2868 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2740 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2740 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2740 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2740 wrote to memory of 2420 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2420 wrote to memory of 1544 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Program Files (x86)\windows defender (2).exe
PID 2420 wrote to memory of 1544 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Program Files (x86)\windows defender (2).exe
PID 2420 wrote to memory of 1544 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Program Files (x86)\windows defender (2).exe
PID 2420 wrote to memory of 1544 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Program Files (x86)\windows defender (2).exe
PID 1544 wrote to memory of 2252 | N/A | C:\Program Files (x86)\windows defender (2).exe | C:\Windows\SysWOW64\netsh.exe
PID 1544 wrote to memory of 2252 | N/A | C:\Program Files (x86)\windows defender (2).exe | C:\Windows\SysWOW64\netsh.exe
PID 1544 wrote to memory of 2252 | N/A | C:\Program Files (x86)\windows defender (2).exe | C:\Windows\SysWOW64\netsh.exe
PID 1544 wrote to memory of 2252 | N/A | C:\Program Files (x86)\windows defender (2).exe | C:\Windows\SysWOW64\netsh.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2420 wrote to memory of 2324 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 37 > nul && copy "C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 37 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 37

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

"C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Program Files (x86)\windows defender (2).exe

"C:\Program Files (x86)\windows defender (2).exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Program Files (x86)\windows defender (2).exe" "windows defender (2).exe" ENABLE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
NL | 194.26.192.92:5552 | | tcp

Files

\Program Files (x86)\Google Chrome sandbox.exe.exe

MD5 b7ca45674c6b8a24a6a71315e0e51397
SHA1 79516b1bd2227f08ff333b950dafb29707916828
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512 f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

\Program Files (x86)\windows defender (2).exe

MD5 71185c6ea449b6062eae832f6c5589ae
SHA1 94e783519f5a2011bb7ed000b8a9a038ce0ed675
SHA256 23e1e6534d9494648fd798356f5c16e223f3c8c1d5b1f33ce47757d54d4eac57
SHA512 972ac1fe01dd0963cb03d1379d845377ef2f5de777baf7b2ae97b98292293a96c519cbe8bd89c5a7797d0480bf6251955f9709d5ef7cd4490968af22a679f8cb


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 01:27

Reported

2024-07-02 01:30

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

Signatures

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Windows\SysWOW64\cmd.exe | N/A
File created | C:\Program Files (x86)\windows defender (2).exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A
N/A | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: 33 | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\windows defender (2).exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1720 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | C:\Windows\SysWOW64\cmd.exe
PID 1720 wrote to memory of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe | C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 2304 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 2656 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2656 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 2656 wrote to memory of 1724 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 1724 wrote to memory of 4508 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Program Files (x86)\windows defender (2).exe
PID 1724 wrote to memory of 4508 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Program Files (x86)\windows defender (2).exe
PID 1724 wrote to memory of 4508 | N/A | C:\Program Files (x86)\Google Chrome sandbox.exe.exe | C:\Program Files (x86)\windows defender (2).exe
PID 4508 wrote to memory of 3384 | N/A | C:\Program Files (x86)\windows defender (2).exe | C:\Windows\SysWOW64\netsh.exe
PID 4508 wrote to memory of 3384 | N/A | C:\Program Files (x86)\windows defender (2).exe | C:\Windows\SysWOW64\netsh.exe
PID 4508 wrote to memory of 3384 | N/A | C:\Program Files (x86)\windows defender (2).exe | C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 47 > nul && copy "C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 47 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 47

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 47

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

"C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Program Files (x86)\windows defender (2).exe

"C:\Program Files (x86)\windows defender (2).exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Program Files (x86)\windows defender (2).exe" "windows defender (2).exe" ENABLE

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.251.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | www.google.com | udp
GB | 142.250.187.196:80 | www.google.com | tcp
NL | 194.26.192.92:5552 | | tcp
US | 8.8.8.8:53 | 92.192.26.194.in-addr.arpa | udp

Files

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

MD5 b7ca45674c6b8a24a6a71315e0e51397
SHA1 79516b1bd2227f08ff333b950dafb29707916828
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512 f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

C:\Program Files (x86)\windows defender (2).exe

MD5 71185c6ea449b6062eae832f6c5589ae
SHA1 94e783519f5a2011bb7ed000b8a9a038ce0ed675
SHA256 23e1e6534d9494648fd798356f5c16e223f3c8c1d5b1f33ce47757d54d4eac57
SHA512 972ac1fe01dd0963cb03d1379d845377ef2f5de777baf7b2ae97b98292293a96c519cbe8bd89c5a7797d0480bf6251955f9709d5ef7cd4490968af22a679f8cb
