Analysis Overview
SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
Threat Level: Known bad
The file f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT
SectopRAT payload
Credentials from Password Stores: Credentials from Web Browsers
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-18 17:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-18 17:40
Reported
2024-09-18 17:43
Platform
win7-20240903-en
Max time kernel
120s
Max time network
132s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1932 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$30148,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$40148,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "wrsa.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "opssvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avastui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avgui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "nswscsvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "sophoshealth.exe"
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\8ixt1ToWa.a3x && del C:\ProgramData\\8ixt1ToWa.a3x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
AutoIt3.exe C:\ProgramData\\8ixt1ToWa.a3x
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| RU | 45.141.86.82:15647 | | tcp |
| RU | 45.141.86.82:9000 | 45.141.86.82 | tcp |
Files
memory/2596-0-0x0000000000FE0000-0x00000000010B4000-memory.dmp
memory/2596-2-0x0000000000FE1000-0x0000000001089000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
| MD5 | 81636f80b1e7c0b8f946c8ff0081436a |
| SHA1 | 9e7b01f8324e089b925cb9050ce74cd099c58370 |
| SHA256 | ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35 |
| SHA512 | 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a |
memory/2324-8-0x0000000000110000-0x0000000000111000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ERUDI.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2444-16-0x0000000000FE0000-0x00000000010B4000-memory.dmp
memory/2324-15-0x0000000000C00000-0x0000000000F34000-memory.dmp
memory/2596-19-0x0000000000FE0000-0x00000000010B4000-memory.dmp
\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
memory/1920-179-0x0000000000230000-0x0000000000564000-memory.dmp
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x
| MD5 | 647d824a19511783d1a011f8b775c1d4 |
| SHA1 | 46b0213afa55d27a688e9729ac120d4574318cb5 |
| SHA256 | 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b |
| SHA512 | ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f |
memory/2444-181-0x0000000000FE0000-0x00000000010B4000-memory.dmp
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx
| MD5 | 0bc6d1c595e440233c6daa45813657a0 |
| SHA1 | 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3 |
| SHA256 | 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac |
| SHA512 | 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f |
memory/2252-192-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2252-194-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2252-193-0x0000000000400000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp13F0.tmp
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-18 17:40
Reported
2024-09-18 17:43
Platform
win10v2004-20240802-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4732 set thread context of 5084 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$120052,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$9004C,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "wrsa.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "opssvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avastui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avgui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "nswscsvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "sophoshealth.exe"
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\X78XPKeS.a3x && del C:\ProgramData\\X78XPKeS.a3x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
AutoIt3.exe C:\ProgramData\\X78XPKeS.a3x
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| RU | 45.141.86.82:15647 | | tcp |
| US | 8.8.8.8:53 | 82.86.141.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp |
| RU | 45.141.86.82:9000 | 45.141.86.82 | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
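The process trees of behavioral1 and behavioral2 show the same chain: an Inno Setup installer (the `is-*.tmp` stub launched with `/SL5=`, plus the `_iscrypt.dll` helper) runs `/VERYSILENT`, probes for six security products with `tasklist /FI "IMAGENAME eq ..." | find`, drops the AutoIt3 interpreter and a compiled `.a3x` script into `%LOCALAPPDATA%\acetiam`, uses `ping -n 5 127.0.0.1` as a sleep before executing and deleting a second `.a3x` from `C:\ProgramData`, writes a `RunOnce` value that re-launches `AutoIt3.exe` with a script, and finally uses `SetThreadContext` from `AutoIt3.exe` into `MSBuild.exe`, after which `MSBuild.exe` talks to 45.141.86.82 on 15647 and 9000. The following detector is an added example written for this page, not code from the sandbox or from any vendor; it scores these behaviours from process, registry and injection events. The sample events are constructed from the command lines and registry indicator above (sample file names shortened), the image-to-vendor mapping is analyst knowledge rather than report data, and the `.NET` host names other than `MSBuild.exe` are an assumed generalization to sibling binaries commonly used as injection targets.

```python
"""Added detection example for the AutoIt -> MSBuild.exe loader chain in this report.

Sample events are constructed from the process tree and registry indicator
shown in behavioral1/behavioral2 (file names shortened). The image->vendor
mapping and the extra .NET host names are analyst assumptions, not report data.
"""
import re
from dataclasses import dataclass

# Images probed with tasklist /FI "IMAGENAME eq ..." above, mapped to vendor (analyst mapping).
AV_PROBE_IMAGES = {
    "wrsa.exe": "Webroot", "opssvc.exe": "Quick Heal", "avastui.exe": "Avast",
    "avgui.exe": "AVG", "nswscsvc.exe": "Norton", "sophoshealth.exe": "Sophos",
}
# MSBuild.exe is the host seen in this report; the others are assumed common alternatives.
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}

TASKLIST_PROBE = re.compile(r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+(?P<image>[^"]+)"', re.I)
PING_DELAY = re.compile(r'ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\s*>\s*nul\s*&&', re.I)
SELF_DELETE = re.compile(r'&&\s*del\s', re.I)
AUTOIT_SCRIPT = re.compile(r'autoit3\.exe"?\s+"?(?P<script>[^"\s]+\.a3x)', re.I)
INNO_SL5 = re.compile(r'/SL5="\$[0-9A-Fa-f]+,\d+,\d+,', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\', re.I)


@dataclass
class ProcessEvent:
    image: str      # full image path of the process
    cmdline: str    # command line as logged


@dataclass
class RegistryEvent:
    value_path: str  # full path of the value that was set
    data: str        # string data written


@dataclass
class InjectionEvent:
    source_image: str  # process calling SetThreadContext
    target_image: str  # process whose thread context was changed


@dataclass
class Finding:
    name: str
    weight: int
    evidence: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs, regs, injections):
    """Apply the six behavioural rules and return the findings in rule order."""
    findings = []

    # 1. Security-product discovery: several distinct AV/EDR images probed via tasklist.
    probed = set()
    for p in procs:
        m = TASKLIST_PROBE.search(p.cmdline)
        if m and m.group("image").lower() in AV_PROBE_IMAGES:
            probed.add(m.group("image").lower())
    if len(probed) >= 3:
        vendors = ", ".join(sorted(AV_PROBE_IMAGES[i] for i in probed))
        findings.append(Finding("security_product_discovery", 30, vendors))

    # 2. Loopback ping used as a sleep, chained with execution; heavier if the script is deleted after.
    for p in procs:
        if PING_DELAY.search(p.cmdline):
            weight = 20 + (10 if SELF_DELETE.search(p.cmdline) else 0)
            findings.append(Finding("ping_delay_then_exec", weight, p.cmdline))
            break

    # 3. AutoIt interpreter running a compiled .a3x script (one finding per distinct script).
    seen_scripts = set()
    for p in procs:
        m = AUTOIT_SCRIPT.search(p.cmdline)
        if m and m.group("script").lower() not in seen_scripts:
            seen_scripts.add(m.group("script").lower())
            findings.append(Finding("autoit_script_loader", 25, m.group("script")))

    # 4. Run/RunOnce persistence; heavier when the value re-launches an AutoIt script.
    for r in regs:
        if RUN_KEY.search(r.value_path):
            weight = 30 if AUTOIT_SCRIPT.search(r.data) else 15
            findings.append(Finding("run_key_persistence", weight, f"{r.value_path} = {r.data}"))

    # 5. SetThreadContext from the dropped interpreter into a .NET host (hollowing pattern).
    for inj in injections:
        if basename(inj.target_image) in DOTNET_HOSTS:
            findings.append(Finding("injection_into_dotnet_host", 40,
                                    f"{basename(inj.source_image)} -> {basename(inj.target_image)}"))

    # 6. Inno Setup stub run with /VERYSILENT: context only, low weight.
    if any(INNO_SL5.search(p.cmdline) and "/VERYSILENT" in p.cmdline.upper() for p in procs):
        findings.append(Finding("inno_setup_silent_install", 5, "/SL5= stub with /VERYSILENT"))
    return findings


def verdict(findings, threshold=60):
    total = sum(f.weight for f in findings)
    return "malicious" if total >= threshold else ("suspicious" if total else "clean")


# Constructed sample events, copied from the behavioral1 process tree with the hash-named files shortened.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
STUB = r"C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\sample.tmp"
AUTOIT = r"C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe"
PROBED = ["wrsa.exe", "opssvc.exe", "avastui.exe", "avgui.exe", "nswscsvc.exe", "sophoshealth.exe"]

SAMPLE_PROCS = [
    ProcessEvent(STUB, f'"{STUB}" /SL5="$40148,10740751,812544,{DROPPER}" /VERYSILENT /NORESTART'),
    *[ProcessEvent(r"C:\Windows\system32\cmd.exe",
                   f'"cmd.exe" /C tasklist /FI "IMAGENAME eq {img}" /FO CSV /NH | find /I "{img}"')
      for img in PROBED],
    ProcessEvent(AUTOIT, f'"{AUTOIT}" "C:\\Users\\Admin\\AppData\\Local\\acetiam\\grayhound1..a3x"'),
    ProcessEvent(r"C:\Windows\SysWOW64\cmd.exe",
                 r'"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul '
                 r'&& AutoIt3.exe C:\ProgramData\\8ixt1ToWa.a3x && del C:\ProgramData\\8ixt1ToWa.a3x'),
    ProcessEvent(AUTOIT, r"AutoIt3.exe C:\ProgramData\\8ixt1ToWa.a3x"),
]
SAMPLE_REGS = [RegistryEvent(
    r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce",
    r'"C:\eegeaeg\AutoIt3.exe" C:\eegeaeg\abbkkce.a3x')]
SAMPLE_INJECTIONS = [InjectionEvent(AUTOIT, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe")]

if __name__ == "__main__":
    found = detect(SAMPLE_PROCS, SAMPLE_REGS, SAMPLE_INJECTIONS)
    for f in found:
        print(f"[{f.weight:>2}] {f.name}: {f.evidence}")
    print("verdict:", verdict(found))
```

Rule 1 requires at least three distinct security-product probes so that a single administrative `tasklist` check does not fire, and the weights are chosen so that the discovery loop, the AutoIt loader and the injection into `MSBuild.exe` each push a host well past the threshold on their own combination; the Inno Setup stub carries almost no weight because legitimate installers produce the same `/SL5=` command line.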
Files
memory/2928-0-0x0000000000C00000-0x0000000000CD4000-memory.dmp
memory/2928-2-0x0000000000C01000-0x0000000000CA9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
| MD5 | 81636f80b1e7c0b8f946c8ff0081436a |
| SHA1 | 9e7b01f8324e089b925cb9050ce74cd099c58370 |
| SHA256 | ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35 |
| SHA512 | 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a |
memory/3692-6-0x0000000000B40000-0x0000000000E74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SOGR0.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/4340-13-0x0000000000C00000-0x0000000000CD4000-memory.dmp
memory/3692-17-0x0000000000B40000-0x0000000000E74000-memory.dmp
memory/2928-19-0x0000000000C00000-0x0000000000CD4000-memory.dmp
memory/2996-22-0x0000000003360000-0x0000000003361000-memory.dmp
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x
| MD5 | 647d824a19511783d1a011f8b775c1d4 |
| SHA1 | 46b0213afa55d27a688e9729ac120d4574318cb5 |
| SHA256 | 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b |
| SHA512 | ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f |
memory/2996-176-0x0000000000CA0000-0x0000000000FD4000-memory.dmp
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx
| MD5 | 0bc6d1c595e440233c6daa45813657a0 |
| SHA1 | 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3 |
| SHA256 | 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac |
| SHA512 | 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f |
memory/4340-179-0x0000000000C00000-0x0000000000CD4000-memory.dmp
memory/5084-188-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/5084-189-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/5084-190-0x0000000005740000-0x00000000057D2000-memory.dmp
memory/5084-191-0x0000000005D90000-0x0000000006334000-memory.dmp
memory/5084-192-0x0000000005A80000-0x0000000005C42000-memory.dmp
memory/5084-193-0x00000000057E0000-0x0000000005856000-memory.dmp
memory/5084-194-0x00000000058B0000-0x0000000005900000-memory.dmp
memory/5084-195-0x00000000056D0000-0x00000000056DA000-memory.dmp
memory/5084-196-0x0000000006970000-0x0000000006E9C000-memory.dmp
memory/5084-197-0x0000000006470000-0x000000000648E000-memory.dmp
memory/5084-198-0x0000000006560000-0x00000000065C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpF20.tmp
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\Users\Admin\AppData\Local\Temp\tmpF52.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/5084-222-0x0000000007C90000-0x0000000007C9A000-memory.dmp
memory/5084-224-0x0000000005920000-0x0000000005932000-memory.dmp
memory/5084-225-0x00000000059C0000-0x00000000059FC000-memory.dmp