Malware Analysis Report

2024-09-11 10:24

Sample ID 240724-btv7jazfjn
Target ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8
SHA256 ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8
Tags
metamorpherrat discovery persistence rat stealer trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8

Threat Level: Known bad

The file ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8 was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Loads dropped DLL

Uses the VBS compiler for execution

Checks computer location settings

Adds Run key to start application

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-24 01:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-24 01:26

Reported

2024-07-24 01:29

Platform

win7-20240705-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1500 wrote to memory of 1956 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2408 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

"C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qphbdlb1.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA2A6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2A5.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp

Files

memory/2408-0-0x0000000074611000-0x0000000074612000-memory.dmp

memory/2408-1-0x0000000074610000-0x0000000074BBB000-memory.dmp

memory/2408-3-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qphbdlb1.cmdline

MD5 29e5b543125ddb19db4a803e050bc0ab
SHA1 0ef2d354ea267f49723601e3f32663cbb274c1c0
SHA256 e672d7b662af91056d19dfcea9df05423f9056009457679f5542ceb403558b1e
SHA512 74f277d24157f3db3170efdb13a77a73fa466417cbba4829fb5f17064c5e5bc67a62cb0e48e8824549b8e4de147b5e4159b66dc79a1e14e18dc983dfb5b21ca1

C:\Users\Admin\AppData\Local\Temp\qphbdlb1.0.vb

MD5 b00b51c8c9fd21be4e080c08d2bf4727
SHA1 486ac0eea8f1f3c6d89fce03e82d4773d5518992
SHA256 c5bd3917ebf1437c502b03812f9a75637c86e01cb527c7bf66513dd6fd76ee57
SHA512 bcd475e50fe01fde511d736aefdab3f0504f1f8719008dec702e430183f6bbb24eb5b47749bb28e65a6b857c05ebb050d3361c1d4d5e559a005dd88a1063af43

memory/1500-9-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\RESA2A6.tmp

MD5 836a3f1ff70f4413c8be3f2ad71f0377
SHA1 9f7122b465ca97c45abeb680de16bfff66dc1ddb
SHA256 367a6db4c4aa8fe947564a5576be6cc6abfa1d65e775817a5518b4332cddfa61
SHA512 ce018b6cf5724e70427b5c65bc93ce5e5e0ecf63257808d9cbe7ba4c16895dc259efc06a7461d5326aeff3af8a222acf9a288650f6b40c09893704e9fac41ba8

C:\Users\Admin\AppData\Local\Temp\vbcA2A5.tmp

MD5 654afd80e5e8f65175c20f89dc9f184e
SHA1 d596d363849fc28dc5ef25a31877de31035c84fc
SHA256 5f18382533170794aad22c5521001e7a7dbbe932c005cc2209f81f91658f7b35
SHA512 a6d8e1c51b7837313a0242de9de85d7c7be50090b888d670ed33775445728ce3af9ced094810adcbaf51e41b7a280841a7999b0bcb67b89c05342634ff9971e3

memory/1500-18-0x0000000074610000-0x0000000074BBB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA1AC.tmp.exe

MD5 ae5163ffc61e2bd492dbe5aeb9c3ffcd
SHA1 4c2cb9dadf55bad462e4ba680226d05029910b07
SHA256 8eafac4871f484e76fcd357d8e55fc51e9c6c4f5136b60d14585780b6839f740
SHA512 4e090206c9fc5701a0bed9e5aa9b016da030fad2cdacf2c8851ff3317005ae55db4624011bda79e60c462a52ac1dd83dc39d645b1866a03982a997501e34d4f7

memory/2408-24-0x0000000074610000-0x0000000074BBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-24 01:26

Reported

2024-07-24 01:29

Platform

win10v2004-20240709-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4504 wrote to memory of 720 N/A C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 720 wrote to memory of 2336 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4504 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

"C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\74noocda.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAC4D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc53A2E08DE544998AB58A82FE8F2D02D.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe" C:\Users\Admin\AppData\Local\Temp\ab5b71b3b788605bbd6fa0e0176daed18641f237cccd59b835099fa1b93cefa8.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4504-0-0x0000000074C92000-0x0000000074C93000-memory.dmp

memory/4504-1-0x0000000074C90000-0x0000000075241000-memory.dmp

memory/4504-2-0x0000000074C90000-0x0000000075241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\74noocda.cmdline

MD5 ded79a9f9388551faec8d321742566c0
SHA1 96b82ec164eebdbaf4684a406b860ebfa589f4db
SHA256 d4c33f6dacc609c6ea8698e800efe0573750f3a5e4cc98067fd2b1953a005610
SHA512 a29b81a26228226d809805dea4535c622129f94c253c0f127effba88b6b0150f33b92dde801648d3cc3f0500834affe7fc8b8fc9a94bb16b283937679c13b821

memory/720-9-0x0000000074C90000-0x0000000075241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\74noocda.0.vb

MD5 66136ab15f34fcbf9ca13bcc1bf8bef8
SHA1 ae42312273339095d6ad8bf3c44d02e14226d685
SHA256 f82c54a01c0a29eba27af1f3eec6aad8c6b80076516e4c31f6e998bd8b66c31b
SHA512 4532c5b81d4e0b10596499c70c910fcc8e0e1744d02d4d549fb56f68b3633f181c1b8a38942106c961b0e8219d76da2fb73087857238b94c4461d5ade9002ff3

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc53A2E08DE544998AB58A82FE8F2D02D.TMP

MD5 ddb7089e247f88db00a3c28e8da0405f
SHA1 5218167cbf2042e17292199befadca54d6964a44
SHA256 535b2dd68204128bb9933baed8e5dd5faca833ff695d3e32917921086c8244ae
SHA512 c7992b0a99902413caaa1fe31a2a51c10d0cad04819ef92e8e6afaa6af4957c88a8ff05c72bf6d72e38d2821338fc909e47cc861118543ea72b271479db00abc

C:\Users\Admin\AppData\Local\Temp\RESAC4D.tmp

MD5 d715f7f1d22d8078648f477fb6685734
SHA1 3109993df4ad6b82f14d92324e8597003c35c939
SHA256 19418a34a3334431dd6adc9384330614d1923a610268096f63d7fbf0edb8b406
SHA512 cd92fd502e32fbde17ffa69e1af8bb017b56b1e54cd7cf45ff487e926e1e953cb405d75d828ff514184d738af1cf6ace130335a8bccae704b12539c9554f6785

memory/720-18-0x0000000074C90000-0x0000000075241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAB24.tmp.exe

MD5 08d875ef03048d7d70bd00b05e290e10
SHA1 bfa16dbe2154710c4881c191abf54ad177518ad0
SHA256 0fdd68ba46a102f4e35b1d30796222092ac6bc721270d43e2414bee90430e4e7
SHA512 e5b39101e8a5abd513aad0265dbe7a8be10f311045e71895dc6f5ae7ffe4eb4cec4e8a758bf8240f39b6a9614c65844165e501dee065252d6a5ddf6c8042635d

memory/652-22-0x0000000074C90000-0x0000000075241000-memory.dmp

memory/4504-23-0x0000000074C90000-0x0000000075241000-memory.dmp

memory/652-24-0x0000000074C90000-0x0000000075241000-memory.dmp

memory/652-25-0x0000000074C90000-0x0000000075241000-memory.dmp

memory/652-26-0x0000000074C90000-0x0000000075241000-memory.dmp

memory/652-27-0x0000000074C90000-0x0000000075241000-memory.dmp