Malware Analysis Report

2024-09-11 10:24

Sample ID 240728-etvgsaxekp
Target cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873
SHA256 cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873
Tags: discovery persistence metamorpherrat rat stealer trojan

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873

Threat Level: Known bad

The file cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873 was found to be: Known bad.

Malicious Activity Summary

discovery persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Uses the VBS compiler for execution

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-07-28 04:14

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-28 04:14

Reported: 2024-07-28 04:17

Platform: win7-20240704-en

Max time kernel: 150s

Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2796 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2796 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2796 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2796 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2208 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2208 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2208 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2208 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2796 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe
PID 2796 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe
PID 2796 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe
PID 2796 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

"C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zvdo3gdb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1018.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1008.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/2796-0-0x00000000740B1000-0x00000000740B2000-memory.dmp

memory/2796-1-0x00000000740B0000-0x000000007465B000-memory.dmp

memory/2796-2-0x00000000740B0000-0x000000007465B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zvdo3gdb.cmdline

MD5 85ee33509da986e2ed3403cafa2a9944
SHA1 6d0d8baaf22d6db98b537205cadb72e042b6d7a8
SHA256 1f7507a26d886794f173fa49aea4ee5ab169fb8a3bc40490c0f4b34988706dea
SHA512 d464d976e6a88bf521e5a78293eb9eeb6db647d9dcc9f66a9040f50ad5cc8cce673a094bd5462f8b6ffad18ed88f1347f0e1dc09efc20f3d5e8f2d76eeb947f2

memory/2208-8-0x00000000740B0000-0x000000007465B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zvdo3gdb.0.vb

MD5 66e2fc97f5c97d3000d708d79986abc6
SHA1 a87ea075f938d295a49e1de5e741c7b0fad55298
SHA256 e67e88bbf59d595158a7b2e1ac05cd10b04290532f4b32c3feaec94666edfc54
SHA512 0435d5860ab2a58fed8af2e8eb023c610048ec8291ec1cf119d5a7babb3be7e0a041982222d60789fa1497f0f5bcb70f21e56b52da8d9cbb763ef3fab6817b4f

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc1008.tmp

MD5 042227c8cc415c5f5f48d6eb6b2185c9
SHA1 dc4945a3ce1691d3cc60042cfdf352955c93dbda
SHA256 0ebdc42d9878ec5f89d40604cc9fc7cf2443b98c8e9d68699f5c5e3333133f37
SHA512 a0d6a9dce2ba024325f63fd9cc22b1300e732496ad19b99f544300563981c53e15d412f15d62ff8c0614fb2fde859cfc0e0e58c72f97691ab26f287598d76483

C:\Users\Admin\AppData\Local\Temp\RES1018.tmp

MD5 9e2b6e83261a92dc8823f14f6870ec30
SHA1 19b164017136a22c8de603e0ec829a818347e5c5
SHA256 4a62cc29662540d68b486ba11dc19f17dd3893c91c28c328e0dc7b26bad95237
SHA512 df3f9aa6ccc556698ed66a28524d0da3f608aecbad14f229d59852eb4870c4000a1ac4dc886f144a084a70eb9a57f70b50c8655b4e86b9ea7ac3041040f1c85a

memory/2208-18-0x00000000740B0000-0x000000007465B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.exe

MD5 4ce72d69af00daaf7740a5401f8fab59
SHA1 7901b33ccc63a1f5d08296019fb535cbaaddc445
SHA256 460d1ac042cd15522c638101ab41f3aaf090a11b541f20b6f9a70314b37672e0
SHA512 d23b588937c61bf970205bd6a69fde2ddece0972d4350b22a63b3dd3af9cd905842b1579f309a6265226909ee54aebc0142508b98029d2c7c2cec46f568f32f8

memory/2796-24-0x00000000740B0000-0x000000007465B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-28 04:14

Reported: 2024-07-28 04:17

Platform: win10v2004-20240709-en

Max time kernel: 150s

Max time network: 157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe"

Signatures

MetamorpherRAT

Tags: trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System.XML = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AppLaunch.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4288 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4288 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 4288 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 448 wrote to memory of 3420 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 448 wrote to memory of 3420 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 448 wrote to memory of 3420 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4288 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe
PID 4288 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe
PID 4288 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

"C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\9chtngop.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc26BED73C93B24B448A8585971C8E4BC.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\cc1b6df29a77888c596538d30d214c15f3d9f1c17d707b4a99e2894db2cc8873.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 hackorchronix.no-ip.biz udp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/4288-0-0x0000000074EF2000-0x0000000074EF3000-memory.dmp

memory/4288-1-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/4288-2-0x0000000074EF0000-0x00000000754A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9chtngop.cmdline

MD5 c9e66ff8a1b8b9ca87a3b3b2c4ad9a35
SHA1 4ac0a4aef9b455f813349aceb2ce7060e8328604
SHA256 4781a24fdcb8e4a084bb06a3cb3e32d639f7d87e92e7b584b31c2c9e250e4761
SHA512 432fc595f4ebfdfa905f1193fd52703f865235fea33ac6a91697a07dbc1fd00723de4435f4cd5401d733e352dfb2a809e3a0b9d7d86b892013c0ac99ee58d5bd

memory/448-8-0x0000000074EF0000-0x00000000754A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9chtngop.0.vb

MD5 75b0ab4737bc86853db81ec96a956f7d
SHA1 e21ba688cce82bf9091074d70d3693d5d5197ac1
SHA256 3ea9c0d8ab3ea999a3d2143a53e64c026d5c2a477def941a15544abadb6710a2
SHA512 3e159ae6e9f979e38defc29d5f1f027cc20a3e63af93b388ce70d215450956faea254dc3337c0f4518ddec5c3cfb58c7e3b2bc688e32e90f9f181f359b1e3c07

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 aa4bdac8c4e0538ec2bb4b7574c94192
SHA1 ef76d834232b67b27ebd75708922adea97aeacce
SHA256 d7dbe167a7b64a4d11e76d172c8c880020fe7e4bc9cae977ac06982584a6b430
SHA512 0ec342286c9dbe78dd7a371afaf405232ff6242f7e024c6640b265ba2288771297edbb5a6482848daad5007aef503e92508f1a7e1a8b8ff3fe20343b21421a65

C:\Users\Admin\AppData\Local\Temp\vbc26BED73C93B24B448A8585971C8E4BC.TMP

MD5 b94b8d58c3f51de04e77b683b67ac039
SHA1 027cb73d63c718c1335261b01dec1b6e0092030a
SHA256 cc29d0887b6894057b1f63a45caecb46bbf3a12b9d78ce5cbd2aece32d4cd444
SHA512 a7c477d81028f43b36d76f8df0d2d7edee5d26b35f44365a859d7e38ad2aad69d51e89ba9f98ca1530b6f06bfb57f345445c6af328e0e9e580941351c5e79767

C:\Users\Admin\AppData\Local\Temp\RES8C90.tmp

MD5 1d3e72b1af9dd2dd50276d91776af7ba
SHA1 bfbce64a859ae678fad4723c03b25b2d1224954b
SHA256 ccff87870740b673ca1b47948f23fdac4b221e8ed208d31417648c4b1f9078dd
SHA512 2143fa3f098df0aacbc504de6c068f690a4d55d5f97eebf60f0949ae057fadbf1db01e233e764e0d40f2de0b240285dc529ade89093fd65981dbcd53b58d7bb0

memory/448-18-0x0000000074EF0000-0x00000000754A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp84DF.tmp.exe

MD5 bf28f6ce2d96606d106d5374818dddaa
SHA1 50676a6d8a58663c6f978512f769aa443d326b0f
SHA256 3ee794340553f5b251b34a080aef8f6bc58b2a5eb86d7789de4fecc4e649e01f
SHA512 22ef123e08a5993e9d3cedc496cba61f662ac9da36c36918553df30f3c3a47db5e82215274e35cb979ffccffdea40c11b1fac921dcbeedd6a2ff33b7310a1b33

memory/4288-22-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/2156-23-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/2156-24-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/2156-25-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/2156-27-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/2156-28-0x0000000074EF0000-0x00000000754A1000-memory.dmp

memory/2156-29-0x0000000074EF0000-0x00000000754A1000-memory.dmp