Malware Analysis Report

2024-09-11 10:24

Sample ID: 240727-cm59latcqf
Target: 7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe
SHA256: e36fa70a6012d67d2c14393d1261f99a51683a726f8f0cf2e99cf7d053a930b2
Tags: metamorpherrat discovery persistence rat stealer trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: e36fa70a6012d67d2c14393d1261f99a51683a726f8f0cf2e99cf7d053a930b2

Threat Level: Known bad

The file 7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: metamorpherrat discovery persistence rat stealer trojan

MetamorpherRAT

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Deletes itself

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-27 02:12

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-27 02:12
Reported: 2024-07-27 04:56
Platform: win10v2004-20240709-en
Max time kernel: 120s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe"

Signatures

MetamorpherRAT

Tags: trojan rat stealer metamorpherrat

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

"C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pwdnmriu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FBA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc48AB8E01C23444F79470CFAD0825679.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp9B07.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

Network


Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-27 02:12
Reported: 2024-07-27 04:57
Platform: win7-20240704-en
Max time kernel: 119s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe"

Signatures

MetamorpherRAT

Tags: trojan rat stealer metamorpherrat

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_state_perf = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\System.Web.exe\"" | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2856 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2856 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2856 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2856 wrote to memory of 2616 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2616 wrote to memory of 2436 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2616 wrote to memory of 2436 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2616 wrote to memory of 2436 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2616 wrote to memory of 2436 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe
PID 2856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe
PID 2856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe
PID 2856 wrote to memory of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe | C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

"C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxmuw0ku.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES781E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc781D.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp76C5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\7f8d9f9b10b2dd136c2703db3c2bf6c0N.exe

Network


Files
