Malware Analysis Report

2025-01-02 05:46

Sample ID 240918-t9yxgascrp
Target SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
SHA256 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
Tags
sectoprat credential_access discovery persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

Threat Level: Known bad

The file SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe was found to be: Known bad.

Malicious Activity Summary

sectoprat credential_access discovery persistence rat spyware stealer trojan

SectopRAT

SectopRAT payload

Credentials from Password Stores: Credentials from Web Browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

Suspicious use of SetThreadContext

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Runs ping.exe

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-18 16:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-18 16:46

Reported

2024-09-18 16:48

Platform

win7-20240704-en

Max time kernel

117s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

Enumerates processes with tasklist

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 344 set thread context of 1948 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2176 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2176 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2176 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2176 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2176 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2176 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2884 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
PID 2884 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
PID 2884 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
PID 2884 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2844 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2628 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2940 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2940 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2940 wrote to memory of 2972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2940 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2940 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2940 wrote to memory of 2988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2628 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1992 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1992 wrote to memory of 584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1992 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1992 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1992 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2628 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1988 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1988 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1988 wrote to memory of 1276 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1988 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1988 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1988 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2628 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2304 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2304 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2304 wrote to memory of 484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2304 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2304 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2304 wrote to memory of 320 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2628 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2492 wrote to memory of 2216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe"

C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp

"C:\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp" /SL5="$30144,10740751,812544,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe" /VERYSILENT /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TQS4V.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp" /SL5="$80198,10740751,812544,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe" /VERYSILENT /NORESTART

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "wrsa.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "opssvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avastui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avgui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "nswscsvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "sophoshealth.exe"

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\VlKUgz.a3x && del C:\ProgramData\\VlKUgz.a3x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

AutoIt3.exe C:\ProgramData\\VlKUgz.a3x

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
RU 45.141.86.82:15647 tcp
RU 45.141.86.82:9000 45.141.86.82 tcp

Files

memory/2176-0-0x0000000001320000-0x00000000013F4000-memory.dmp

memory/2176-2-0x0000000001321000-0x00000000013C9000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-L4TUV.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp

MD5 81636f80b1e7c0b8f946c8ff0081436a
SHA1 9e7b01f8324e089b925cb9050ce74cd099c58370
SHA256 ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35
SHA512 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

\Users\Admin\AppData\Local\Temp\is-58UUB.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2884-12-0x0000000001070000-0x00000000013A4000-memory.dmp

memory/2884-18-0x0000000001070000-0x00000000013A4000-memory.dmp

memory/2844-16-0x0000000001320000-0x00000000013F4000-memory.dmp

memory/2176-21-0x0000000001320000-0x00000000013F4000-memory.dmp

\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

MD5 3f58a517f1f4796225137e7659ad2adb
SHA1 e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512 acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

MD5 647d824a19511783d1a011f8b775c1d4
SHA1 46b0213afa55d27a688e9729ac120d4574318cb5
SHA256 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b
SHA512 ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

memory/2844-183-0x0000000001320000-0x00000000013F4000-memory.dmp

memory/2628-181-0x00000000013E0000-0x0000000001714000-memory.dmp

C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

MD5 0bc6d1c595e440233c6daa45813657a0
SHA1 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3
SHA256 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac
SHA512 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

memory/1948-193-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1948-195-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1948-194-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEBF6.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-18 16:46

Reported

2024-09-18 16:48

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

Enumerates processes with tasklist

discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2248 set thread context of 2160 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 3908 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 3908 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 2436 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
PID 2436 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
PID 2436 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe
PID 932 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 932 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 932 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp
PID 1376 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 4048 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4048 wrote to memory of 1216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4048 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4048 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1376 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 3124 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 3124 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3124 wrote to memory of 2952 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3124 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3124 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1376 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 3340 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3340 wrote to memory of 1756 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3340 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3340 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1376 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 3720 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 3720 wrote to memory of 4992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3720 wrote to memory of 4992 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3720 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 3720 wrote to memory of 2588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1376 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 4020 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4020 wrote to memory of 3400 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4020 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4020 wrote to memory of 2080 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1376 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 1376 wrote to memory of 4912 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Windows\system32\cmd.exe
PID 4912 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4912 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4912 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4912 wrote to memory of 2808 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1376 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 1376 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 1376 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 3484 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\SysWOW64\cmd.exe
PID 3348 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3348 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3348 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3348 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 3348 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 3348 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 2248 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2248 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe"

C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp" /SL5="$70246,10740751,812544,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe"

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe" /VERYSILENT /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V4317.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp" /SL5="$80246,10740751,812544,C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.exe" /VERYSILENT /NORESTART

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "wrsa.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "opssvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avastui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avgui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "nswscsvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "sophoshealth.exe"

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\WVc1bYF.a3x && del C:\ProgramData\\WVc1bYF.a3x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

AutoIt3.exe C:\ProgramData\\WVc1bYF.a3x

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 121.170.16.2.in-addr.arpa udp
RU 45.141.86.82:15647 tcp
US 8.8.8.8:53 82.86.141.45.in-addr.arpa udp
RU 45.141.86.82:9000 45.141.86.82 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3908-1-0x0000000000130000-0x0000000000204000-memory.dmp

memory/3908-2-0x0000000000131000-0x00000000001D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R16JD.tmp\SecuriteInfo.com.Win32.Malware-gen.6717.12233.tmp

MD5 81636f80b1e7c0b8f946c8ff0081436a
SHA1 9e7b01f8324e089b925cb9050ce74cd099c58370
SHA256 ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35
SHA512 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

memory/2436-6-0x0000000001700000-0x0000000001701000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KMO8B.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/932-13-0x0000000000130000-0x0000000000204000-memory.dmp

memory/2436-15-0x0000000000900000-0x0000000000C34000-memory.dmp

memory/3908-18-0x0000000000130000-0x0000000000204000-memory.dmp

memory/1376-21-0x0000000001790000-0x0000000001791000-memory.dmp

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

MD5 3f58a517f1f4796225137e7659ad2adb
SHA1 e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512 acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

MD5 647d824a19511783d1a011f8b775c1d4
SHA1 46b0213afa55d27a688e9729ac120d4574318cb5
SHA256 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b
SHA512 ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

memory/1376-175-0x00000000007B0000-0x0000000000AE4000-memory.dmp

memory/932-177-0x0000000000130000-0x0000000000204000-memory.dmp

C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

MD5 0bc6d1c595e440233c6daa45813657a0
SHA1 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3
SHA256 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac
SHA512 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f


C:\Users\Admin\AppData\Local\Temp\tmp123D.tmp

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Local\Temp\tmp126F.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

memory/2160-216-0x0000000007800000-0x000000000780A000-memory.dmp