Analysis Overview
SHA256
91dc640360851a1e69261fe72d9fa570a73e6d9465c8ebf971dbe840493b890d
Threat Level: Known bad
The file 27AA8AD8930FA0D076510CFB6573CE74.exe was found to be: Known bad.
Malicious Activity Summary
NanoCore
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-04 22:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-04 22:06
Reported
2024-08-04 22:08
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe" | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3012 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe |
| PID 4080 set thread context of 3600 | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe |
| PID 2916 set thread context of 1924 | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DPI Service\dpisv.exe | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DPI Service\dpisv.exe | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe
"C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe"
C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe
"C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\microsoft"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe" "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
"C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\microsoft"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe" "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
"C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\microsoft"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe" "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blackangel.hopto.org | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| VN | 103.89.91.169:54984 | blackangel.hopto.org | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.91.89.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
memory/3012-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp
memory/3012-1-0x00000000008C0000-0x0000000000926000-memory.dmp
memory/3012-2-0x00000000058A0000-0x0000000005E44000-memory.dmp
memory/3012-3-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/4664-4-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4664-5-0x0000000005670000-0x0000000005702000-memory.dmp
memory/4664-6-0x00000000057B0000-0x000000000584C000-memory.dmp
memory/4664-7-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/4664-8-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/4664-9-0x0000000005720000-0x000000000572A000-memory.dmp
memory/4664-15-0x00000000057A0000-0x00000000057AA000-memory.dmp
memory/4664-16-0x0000000005980000-0x000000000599E000-memory.dmp
memory/3012-18-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/4664-17-0x00000000058D0000-0x00000000058DA000-memory.dmp
memory/4664-21-0x0000000006CA0000-0x0000000006CB2000-memory.dmp
memory/4664-22-0x0000000006CB0000-0x0000000006CCA000-memory.dmp
memory/4664-23-0x0000000006CE0000-0x0000000006CEE000-memory.dmp
memory/4664-24-0x0000000006CF0000-0x0000000006CFE000-memory.dmp
memory/4664-25-0x0000000006D00000-0x0000000006D0C000-memory.dmp
memory/4664-26-0x0000000006D10000-0x0000000006D24000-memory.dmp
memory/4664-27-0x0000000006D20000-0x0000000006D30000-memory.dmp
memory/4664-28-0x0000000006D30000-0x0000000006D44000-memory.dmp
memory/4664-29-0x0000000006D60000-0x0000000006D6E000-memory.dmp
memory/4664-30-0x0000000006D70000-0x0000000006D9E000-memory.dmp
memory/4664-31-0x0000000006DA0000-0x0000000006DB4000-memory.dmp
memory/4664-32-0x0000000006F70000-0x0000000006FD6000-memory.dmp
memory/4664-39-0x0000000074B70000-0x0000000075320000-memory.dmp
memory/4664-40-0x0000000074B70000-0x0000000075320000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\microsoft.exe
| MD5 | 27aa8ad8930fa0d076510cfb6573ce74 |
| SHA1 | 26da6ec9efcd8b95c2d744373532afd12d26bf8f |
| SHA256 | 91dc640360851a1e69261fe72d9fa570a73e6d9465c8ebf971dbe840493b890d |
| SHA512 | bb1af7c9caf9d05e6bf2ebf3ff8fbada74c0e4fbac04759428da3766110b66a8966081b22c0ffc4dc3a141a0914e552a6fc0a766c037c438546e8d4124f5922f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\microsoft.exe.log
| MD5 | 03febbff58da1d3318c31657d89c8542 |
| SHA1 | c9e017bd9d0a4fe533795b227c855935d86c2092 |
| SHA256 | 5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4 |
| SHA512 | 3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-04 22:06
Reported
2024-08-04 22:08
Platform
win7-20240708-en
Max time kernel
118s
Max time network
150s
Command Line
Signatures
NanoCore
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe" | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1576 set thread context of 2544 | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe |
| PID 2232 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe |
| PID 268 set thread context of 692 | N/A | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\UDP Service\udpsv.exe | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| File opened for modification | C:\Program Files (x86)\UDP Service\udpsv.exe | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\schtasks.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
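Both detonations persist the same two ways. A scheduled task named Nafifas re-launches the copied sample from AppData\Roaming\microsoft\ every minute (`/sc minute /mo 1`, with `/f` so a second run silently overwrites the task; the taskeng.exe entry in this run's Processes list shows the task actually firing), and an HKLM Run value points into Program Files (x86), written through the WOW6432Node view because the 32-bit process's registry access is redirected. The Run target differs per run (DPI Service\dpisv.exe on Windows 10, UDP Service\udpsv.exe on Windows 7), so that name is generated at install time and is not a stable indicator; the task name, the every-minute schedule and the AppData\Roaming\microsoft path are. The script below is an added example, not part of the report or of any sandbox: it parses the command lines and Run-key indicators exactly as this page prints them (copied inline as constructed input; the page shows the Run-key path with doubled backslashes, which the parser undoes) and extracts the facts a detection rule or a remediation ticket needs.

```python
import re
from typing import Dict, List, Optional

# Constructed input: command lines and Run-key indicators as printed in this
# report (behavioral2 and behavioral1).
COMMAND_LINES = [
    r'''"C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe"''',
    r'''"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\microsoft"''',
    r'''"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f''',
    r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f''',
    r'''"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe" "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"''',
]
RUN_KEY_INDICATORS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPI Service = "C:\\Program Files (x86)\\DPI Service\\dpisv.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe"',
]

# "/flag value" pairs: a value is a quoted string or one bare token, and a flag
# followed directly by another flag (e.g. "/create /sc") has no value.
SCHTASKS_ARG_RE = re.compile(r'/(\w+)(?:\s+(?!/)("[^"]*"|\S+))?')
RUN_KEY_RE = re.compile(
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\(?:(WOW6432Node)\\)?Microsoft\\Windows'
    r'\\CurrentVersion\\Run\\(.+?) = "(.*)"$', re.IGNORECASE)
# Locations a standard user can write to; a persistence target there needs no admin.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
SCHEDULE_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}


def unquote(value: str) -> str:
    # /tr on this page is wrapped twice: "'C:\...\microsoft.exe'"
    return value.strip('"').strip("'")


def parse_schtasks(cmdline: str) -> Optional[Dict[str, object]]:
    """Return the flags of a 'schtasks /create' invocation, or None for anything else."""
    idx = cmdline.lower().find("schtasks")
    if idx < 0:
        return None
    args: Dict[str, object] = {}
    for m in SCHTASKS_ARG_RE.finditer(cmdline[idx + len("schtasks"):]):
        args[m.group(1).lower()] = unquote(m.group(2)) if m.group(2) else True
    return args if "create" in args else None


def task_findings(cmdlines: List[str]) -> Dict[str, dict]:
    """Scheduled-task persistence keyed by task name; the cmd.exe wrapper and the
    schtasks.exe child both carry the same command, so count how often it is seen."""
    tasks: Dict[str, dict] = {}
    for cl in cmdlines:
        args = parse_schtasks(cl)
        if not args:
            continue
        name, action = str(args.get("tn", "")), str(args.get("tr", ""))
        unit = SCHEDULE_MINUTES.get(str(args.get("sc", "")).lower())
        modifier = int(args["mo"]) if str(args.get("mo", "")).isdigit() else 1
        tasks[name] = {
            "action": action,
            "interval_minutes": unit * modifier if unit else None,
            "user_writable_action": any(s in action.lower() for s in USER_WRITABLE),
            "force_overwrite": args.get("f") is True,
            "seen": tasks.get(name, {}).get("seen", 0) + 1,
        }
    return tasks


def run_key_findings(indicators: List[str]) -> List[dict]:
    """Run-key persistence; WOW6432Node means a 32-bit process wrote HKLM\\Software."""
    out = []
    for ind in indicators:
        m = RUN_KEY_RE.search(ind)
        if not m:
            continue
        path = m.group(3).replace("\\\\", "\\")  # undo the report's escaping
        out.append({
            "value_name": m.group(2),
            "path": path,
            "wow64_view": m.group(1) is not None,
            "user_writable": any(s in path.lower() for s in USER_WRITABLE),
        })
    return out


if __name__ == "__main__":
    for name, t in task_findings(COMMAND_LINES).items():
        print(f"task {name!r}: every {t['interval_minutes']} min -> {t['action']} "
              f"(user-writable={t['user_writable_action']}, /f={t['force_overwrite']}, seen={t['seen']})")
    for k in run_key_findings(RUN_KEY_INDICATORS):
        print(f"Run value {k['value_name']!r} -> {k['path']} (WOW64 view={k['wow64_view']})")
```

On a live host the same facts can be confirmed with `schtasks /query /tn Nafifas /v /fo list` and `reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"`. The Run value and the drop into Program Files (x86) both need an elevated token, which fits the EnableLUA query the sample makes first; the scheduled task needs none, so on a non-admin victim it is the persistence that survives.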
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe | N/A |
Suspicious use of WriteProcessMemory
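Every SetThreadContext row in both detonations (3012 to 4664, 4080 to 3600 and 2916 to 1924 on Windows 10; 1576 to 2544, 2232 to 2648 and 268 to 692 here on Windows 7) has the same image path as caller and target, and the Files sections dump a 0x38000-byte region from the child at 0x400000 (PIDs 4664 and 2544) or at 0x80000 (PID 2648). Together with WriteProcessMemory, a second instance of the caller's own executable and a 32-bit .NET 4 loader (the CLR_v4.0_32 usage log in behavioral2, and every child process living in SysWOW64), that is the process-hollowing pattern: the first instance starts a copy of itself, overwrites it with the unpacked payload and redirects its thread to the new entry point. The Python below is an added example for this report, not code from the sandbox or from the analysis. It takes the signature rows and a subset of the dump names as printed on this page (copied inline as constructed input) and correlates them, so the same check can be run over any report in this format.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed input: SetThreadContext rows and memory-dump names copied from the
# two behavioral runs of this report (a subset of the dump list is enough).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"

RUNS = {
    "behavioral2": {  # win10v2004-20240802-en
        "set_thread_context": [
            ("PID 3012 set thread context of 4664", SAMPLE, SAMPLE),
            ("PID 4080 set thread context of 3600", COPY, COPY),
            ("PID 2916 set thread context of 1924", COPY, COPY),
        ],
        "dumps": [
            "memory/3012-1-0x00000000008C0000-0x0000000000926000-memory.dmp",
            "memory/4664-4-0x0000000000400000-0x0000000000438000-memory.dmp",
            "memory/4664-5-0x0000000005670000-0x0000000005702000-memory.dmp",
        ],
    },
    "behavioral1": {  # win7-20240708-en
        "set_thread_context": [
            ("PID 1576 set thread context of 2544", SAMPLE, SAMPLE),
            ("PID 2232 set thread context of 2648", COPY, COPY),
            ("PID 268 set thread context of 692", COPY, COPY),
        ],
        "dumps": [
            "memory/1576-1-0x0000000000B60000-0x0000000000BC6000-memory.dmp",
            "memory/2544-2-0x0000000000400000-0x0000000000438000-memory.dmp",
            "memory/2544-12-0x0000000000400000-0x0000000000438000-memory.dmp",
            "memory/2232-42-0x00000000002E0000-0x0000000000346000-memory.dmp",
            "memory/2648-57-0x0000000000080000-0x00000000000B8000-memory.dmp",
        ],
    },
}

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
DUMP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEFAULT_IMAGE_BASE = 0x400000  # where an unrelocated 32-bit PE is normally mapped

Region = Tuple[int, int]


def parse_dumps(names: List[str]) -> Dict[int, List[Region]]:
    """Map pid -> distinct (start, end) regions parsed from the dump file names."""
    regions: Dict[int, List[Region]] = {}
    for name in names:
        m = DUMP_RE.fullmatch(name)
        if not m:
            continue  # not a memory dump entry (e.g. a dropped-file path)
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        if (start, end) not in regions.setdefault(pid, []):
            regions[pid].append((start, end))
    return regions


def find_self_hollowing(stc_rows, dump_names) -> List[dict]:
    """One finding per SetThreadContext row: does the target run the caller's own
    image, and which regions did the sandbox dump from that target?"""
    regions = parse_dumps(dump_names)
    findings = []
    for desc, src_img, dst_img in stc_rows:
        m = STC_RE.fullmatch(desc)
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        target_regions = regions.get(dst, [])
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "same_image": src_img.lower() == dst_img.lower(),
            "target_regions": target_regions,
            "default_base_region": next(
                ((s, e) for s, e in target_regions if s == DEFAULT_IMAGE_BASE), None),
        })
    return findings


def shared_region_sizes(findings: List[dict]) -> set:
    """Sizes of dumped regions that recur in more than one hollowed child: a payload
    written into several children keeps its size even when its base address moves."""
    counts: Counter = Counter()
    for f in findings:
        for start, end in f["target_regions"]:
            counts[end - start] += 1
    return {size for size, n in counts.items() if n > 1}


def analyse(runs=RUNS):
    per_run = {name: find_self_hollowing(r["set_thread_context"], r["dumps"])
               for name, r in runs.items()}
    every = [f for hits in per_run.values() for f in hits]
    return per_run, shared_region_sizes(every)


if __name__ == "__main__":
    per_run, shared = analyse()
    for run, hits in per_run.items():
        for h in hits:
            print(run, h["source_pid"], "->", h["target_pid"],
                  "same image" if h["same_image"] else "other image",
                  [f"0x{s:X}-0x{e:X}" for s, e in h["target_regions"]])
    print("region sizes seen in more than one child:", [hex(s) for s in shared])
```

The recurring 0x38000 size is the useful pivot: the payload's base moved on Windows 7 (0x80000 in PID 2648) but its size did not, so matching on the 0x400000 base alone would miss one of the three hollowed children. PIDs 3600, 1924 and 692 have no dumps at all; that is a gap in the report, not evidence against injection.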
Processes
C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe
"C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe"
C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe
"C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\microsoft"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Local\Temp\27AA8AD8930FA0D076510CFB6573CE74.exe" "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {A836D282-0D6C-4915-A6D3-6F1DBDB40748} S-1-5-21-1506706701-1246725540-2219210854-1000:MUYDDIIS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
"C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\microsoft"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe" "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
"C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C mkdir "C:\Users\Admin\AppData\Roaming\microsoft"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe'" /f
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C copy "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe" "C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | blackangel.hopto.org | udp |
| VN | 103.89.91.169:54984 | blackangel.hopto.org | tcp |
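Of the traffic in both runs, only one destination belongs to the sample: a TCP connection to 103.89.91.169:54984 (Vietnam) after resolving blackangel.hopto.org, a hostname under the No-IP dynamic-DNS zone hopto.org. The other rows are noise that should not become indicators: the in-addr.arpa queries are the sandbox's Windows image doing reverse lookups (one of them, 169.91.89.103.in-addr.arpa, is the PTR of the C2 address and independently confirms the connection), and g.bing.com is background traffic. The Python below is an added example rather than report content: it classifies the rows of both Network tables (constructed inline), keeps only the C2 candidate, and renders it as Suricata rules. The dynamic-DNS zone list and the background-host list are assumptions to be tuned locally.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the Network rows of both behavioral runs, as printed above.
ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "blackangel.hopto.org", "udp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("VN", "103.89.91.169:54984", "blackangel.hopto.org", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "13.107.21.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "169.91.89.103.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "237.21.107.13.in-addr.arpa", "udp"),
]

# Assumption: a starter set of free dynamic-DNS zones; extend it from your own intel.
DYNAMIC_DNS_ZONES = {"hopto.org", "zapto.org", "no-ip.org", "no-ip.biz",
                     "ddns.net", "sytes.net", "duckdns.org"}
# Assumption: hosts the sandbox's Windows image contacts on its own; tune per sandbox.
BACKGROUND_HOSTS = {"g.bing.com"}
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def ptr_to_ip(name: str) -> Optional[str]:
    """'169.91.89.103.in-addr.arpa' -> '103.89.91.169' (PTR names reverse the octets)."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def zone_of(domain: str) -> str:
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def triage(rows) -> Dict[str, list]:
    """Separate C2 candidates from DNS noise and correlate reverse lookups."""
    c2, ddns_lookups, background, ptr_ips = [], [], set(), set()
    for country, dest, domain, proto in rows:
        ip, port_s = dest.rsplit(":", 1)
        port = int(port_s)
        if domain.endswith(".in-addr.arpa"):
            resolved = ptr_to_ip(domain)
            if resolved:
                ptr_ips.add(resolved)
            continue
        if domain.lower() in BACKGROUND_HOSTS:
            background.add(domain.lower())
            continue
        if zone_of(domain) in DYNAMIC_DNS_ZONES:
            if proto == "udp" and port == 53:
                ddns_lookups.append(domain)  # the name resolution itself
            else:
                c2.append({"domain": domain, "ip": ip, "port": port, "proto": proto,
                           "country": country,
                           "well_known_port": port < 1024 or port in (8080, 8443)})
    for hit in c2:
        # Windows resolving the PTR of the C2 address is a second, independent sighting.
        hit["reverse_lookup_seen"] = hit["ip"] in ptr_ips
    return {"c2_candidates": c2, "ddns_lookups": ddns_lookups,
            "background_hosts": sorted(background), "reverse_lookups": sorted(ptr_ips)}


def suricata_rules(c2: List[dict], base_sid: int = 1000001) -> List[str]:
    """One DNS-query rule and one connection rule per candidate (Suricata 5+ syntax)."""
    rules = []
    for i, h in enumerate(c2):
        sid = base_sid + 2 * i
        rules.append(f'alert dns any any -> any any (msg:"NanoCore DDNS lookup {h["domain"]}"; '
                     f'dns.query; content:"{h["domain"]}"; nocase; sid:{sid}; rev:1;)')
        rules.append(f'alert tcp any any -> {h["ip"]} {h["port"]} (msg:"NanoCore C2 connect '
                     f'{h["domain"]}"; flow:to_server; sid:{sid + 1}; rev:1;)')
    return rules


if __name__ == "__main__":
    result = triage(ROWS)
    for hit in result["c2_candidates"]:
        print(hit)
    print("background:", result["background_hosts"], "PTR lookups:", result["reverse_lookups"])
    print("\n".join(suricata_rules(result["c2_candidates"])))
```

The hostname is the durable indicator: a dynamic-DNS name exists so the operator can move the endpoint behind it, so the DNS rule matters more than the IP rule, and the IP rule should be reviewed against the date of this report before it is deployed.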
Files
memory/1576-0-0x000000007473E000-0x000000007473F000-memory.dmp
memory/1576-1-0x0000000000B60000-0x0000000000BC6000-memory.dmp
memory/2544-2-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2544-12-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2544-10-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2544-14-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2544-8-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2544-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2544-5-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2544-4-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2544-3-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1576-13-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2544-15-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/1576-20-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2544-21-0x00000000003E0000-0x00000000003EA000-memory.dmp
memory/2544-22-0x00000000004E0000-0x00000000004FE000-memory.dmp
memory/2544-23-0x00000000003F0000-0x00000000003FA000-memory.dmp
memory/2544-26-0x0000000000660000-0x0000000000672000-memory.dmp
memory/2544-27-0x0000000000670000-0x000000000068A000-memory.dmp
memory/2544-28-0x00000000006E0000-0x00000000006EE000-memory.dmp
memory/2544-29-0x0000000000700000-0x000000000070E000-memory.dmp
memory/2544-30-0x0000000000710000-0x000000000071C000-memory.dmp
memory/2544-31-0x0000000000980000-0x0000000000994000-memory.dmp
memory/2544-32-0x0000000000990000-0x00000000009A0000-memory.dmp
memory/2544-33-0x00000000009A0000-0x00000000009B4000-memory.dmp
memory/2544-34-0x00000000009B0000-0x00000000009BE000-memory.dmp
memory/2544-35-0x0000000000B30000-0x0000000000B5E000-memory.dmp
memory/2544-36-0x00000000009E0000-0x00000000009F4000-memory.dmp
memory/2544-38-0x0000000074730000-0x0000000074E1E000-memory.dmp
memory/2544-39-0x0000000074730000-0x0000000074E1E000-memory.dmp
C:\Users\Admin\AppData\Roaming\microsoft\microsoft.exe
| MD5 | 27aa8ad8930fa0d076510cfb6573ce74 |
| SHA1 | 26da6ec9efcd8b95c2d744373532afd12d26bf8f |
| SHA256 | 91dc640360851a1e69261fe72d9fa570a73e6d9465c8ebf971dbe840493b890d |
| SHA512 | bb1af7c9caf9d05e6bf2ebf3ff8fbada74c0e4fbac04759428da3766110b66a8966081b22c0ffc4dc3a141a0914e552a6fc0a766c037c438546e8d4124f5922f |
memory/2232-42-0x00000000002E0000-0x0000000000346000-memory.dmp
memory/2648-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2648-57-0x0000000000080000-0x00000000000B8000-memory.dmp
memory/2648-53-0x0000000000080000-0x00000000000B8000-memory.dmp
memory/2648-60-0x0000000000080000-0x00000000000B8000-memory.dmp
memory/268-62-0x00000000010E0000-0x0000000001146000-memory.dmp
memory/692-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmp