Malware Analysis Report

2024-09-11 10:23

Sample ID 240725-ysv7ga1glp
Target f1d01ea6044cb2a122fa7915b1ec8ad0N.exe
SHA256 b8f64d354e9100cdf85f344baa8419d7b8aa03a6596766098807466b9aa451bd
Tags
metamorpherrat discovery persistence rat stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

b8f64d354e9100cdf85f344baa8419d7b8aa03a6596766098807466b9aa451bd

Threat Level: Known bad

The file f1d01ea6044cb2a122fa7915b1ec8ad0N.exe was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-25 20:03

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 20:03

Reported

2024-07-25 20:05

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe

"C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1f6fvsod.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAF89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4F3FB41D50249E081FE5E44F5D9083.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe

Network

Country | Destination | Domain | Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 8.8.8.8:53 142.144.22.2.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 34.58.20.217.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/4112-0-0x0000000074EB2000-0x0000000074EB3000-memory.dmp

memory/4112-1-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/4112-2-0x0000000074EB0000-0x0000000075461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1f6fvsod.cmdline

MD5 db132060627ae9ab03940e43ce2988ed
SHA1 e6457d8252676afacd4f48d1aabde714108ccf2e
SHA256 b728bb80cf476e043cdf8cf53952945e56e2a5681d1c98b620e5592f3a154639
SHA512 c7ada1bc52d0912ca54f69a2738ca8acf97172842b1f36c8788362aa70656bfca702a495674c4b5b0267c673f78860389e8b9716c93d2c92d66c36d62f77b0f9

C:\Users\Admin\AppData\Local\Temp\1f6fvsod.0.vb

MD5 0c77a075d146049ba55474f8ccc76d26
SHA1 7da48d50b8624efe3c192cfe0c7eb62a7fa02d95
SHA256 4d8a701ca21cf9f28cecd4eccb44eefb84b91355400f53b922eba0abce071a38
SHA512 859230294484a8ea44e84061167e520bd4523dd931d43e61ccb8aaff68ee6eaf831b7447ef1cd0311fce00b0cd63aa5d079f41e1ddfb9ea89e929936917f8565

memory/3340-9-0x0000000074EB0000-0x0000000075461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbc4F3FB41D50249E081FE5E44F5D9083.TMP

MD5 d173419edc388409fce8487c20bdf04c
SHA1 46ed3560d0943ef4cef626d9dd0b4aabd90431ef
SHA256 17c13162cf74b76852bbd0ed371bcef541446ef79bc8d27156660f5a6f87069c
SHA512 2659e89b7d96f5750686c538f7530c34d505c75d741e71b9049915caabb7fe4a1340f15ae7e640d16cc281e29ba2613ecc76fa7e1cf596866b5436f7ce42b522

C:\Users\Admin\AppData\Local\Temp\RESAF89.tmp

MD5 24c1a44d8155b8f572beb4a7699e2521
SHA1 e665d0a23049bbb73e227451e131540336ba5088
SHA256 07ebdc250532806656f65be5aab62e2b6d0afb752e8e43d48aecfc4922e0678f
SHA512 f54592d088d20d524e75b48d985db0adbac415904ff3f569c6f2032da7ea9f0906e71fe9281c2f1c673ef8763bfb52d57012fd81a62a9e76ae88ae8eea3c7c23

memory/3340-18-0x0000000074EB0000-0x0000000075461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAE41.tmp.exe

MD5 f38b25684524db771c85da53e3cfab44
SHA1 c611b039c81cfdf7e9b5e30dd6e9bbd6b35ae22e
SHA256 765dd81b80c2988ebf8b00a2627ce3320d896b8ee923a2da76381e7cca346cf5
SHA512 748df7db1cd908a44d912d6db0be0684e6f93a07f467e73f0b065949eade3b762fbaa37994c491b4ca64f85fff9daa31842164af2c4a85efb00b55f31b97c941

memory/4112-22-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3372-23-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3372-24-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3372-25-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3372-26-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3372-27-0x0000000074EB0000-0x0000000075461000-memory.dmp

memory/3372-28-0x0000000074EB0000-0x0000000075461000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 20:03

Reported

2024-07-25 20:05

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2660163958-4080398480-1122754539-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2492 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2492 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2492 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2492 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1148 wrote to memory of 2124 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1148 wrote to memory of 2124 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1148 wrote to memory of 2124 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1148 wrote to memory of 2124 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2492 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe
PID 2492 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe
PID 2492 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe
PID 2492 wrote to memory of 2116 | N/A | C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe | C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe

"C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pxp4ab-b.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5B5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5B4.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe" C:\Users\Admin\AppData\Local\Temp\f1d01ea6044cb2a122fa7915b1ec8ad0N.exe

Network

Country | Destination | Domain | Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 t5tmike.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2492-0-0x00000000748E1000-0x00000000748E2000-memory.dmp

memory/2492-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp

memory/2492-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pxp4ab-b.cmdline

MD5 e3d4884fd00e1cb6e38124203a26f74b
SHA1 acd4c462bee1196f3c8c7846f5fa900c123c01a7
SHA256 f035adf17c1eb8b943ab2b327690a9095857a76a63cd008642602a504abe1c9e
SHA512 6b282adf79d683da8fdea9fc055edbf745d98e285176d4d6cc909b6eea805df7605d363f1303ef763c9475040b781b797e7e6faae40e6a723413dc7cbea61fd0

memory/1148-8-0x00000000748E0000-0x0000000074E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pxp4ab-b.0.vb

MD5 a42c864395a0a1e42cd74e99d884c8d4
SHA1 6525906700777e41a9c7812a93a8fea9975d86ac
SHA256 7d87b165afb67426ce1c7835c31785570cd41c16b176d7939096cdcfb0f1d4f2
SHA512 0b82d6431b9201a3f38320c4e89428df2890c92aa72e8ae73f04c88a51028d8c39b655f35ebab711da6e01ad924ff7c8a279e4273746cd5f26dda3b93fb4adb0

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 a26b0f78faa3881bb6307a944b096e91
SHA1 42b01830723bf07d14f3086fa83c4f74f5649368
SHA256 b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5
SHA512 a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

C:\Users\Admin\AppData\Local\Temp\vbcF5B4.tmp

MD5 9288a05682d4e49441547829a4072839
SHA1 869c6a30af3505462c43a9cd9a91f13d240d435f
SHA256 a80c679b9e13e4dc0862706d47e4b7f4ff21638c99e14a513ae3a713aef9b4f2
SHA512 1f21f571da56752f45506e9f145c8f16a192e797987c52851d6ec1b34fc192c5a6d7d3b29b749e3bedcfb48fb484a91baa0559e2133191e4e34dbcdb641772ab

C:\Users\Admin\AppData\Local\Temp\RESF5B5.tmp

MD5 ed4f2c5572546f398a66126b7c92d44a
SHA1 b9a0aeb2127a755cb5b2bd875a22a583b21496e8
SHA256 ff1fd7f887849a249b7435c228097061d020eaa5580519b15e51190653774a4d
SHA512 0b87b966aae1b188e37c41898eb522e8c56e3d4d83695dedeb8e44b9f172063b31ac6457199fc811d3ece3e54ba0d67b2d34ad0cc95783b9971ff3568f4bbeea

memory/1148-18-0x00000000748E0000-0x0000000074E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF45D.tmp.exe

MD5 d6d36022cc972dd706c2b5787301c4ee
SHA1 c2f2c4e11083f57605c556174bfa24c8a9556f5c
SHA256 c44f83eb31458dfcdb825ae9ae95261ec836ee5b35aed28a0acab83b4d4226b4
SHA512 e18bb0608230a0399ec556a28525e0719e253b2371baede6fa8332f94fc857fe664a0f5b7b1c4d57704559e20e2b565726557b326d3acec22bf502b1f9a32c08

memory/2492-24-0x00000000748E0000-0x0000000074E8B000-memory.dmp