Malware Analysis Report

2024-12-08 01:31

Sample ID 240918-v848javcmj
Target f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
SHA256 f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
Tags
sectoprat credential_access discovery persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b

Threat Level: Known bad

The file f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe was found to be: Known bad.

Malicious Activity Summary

sectoprat credential_access discovery persistence rat spyware stealer trojan

SectopRAT

SectopRAT payload

Credentials from Password Stores: Credentials from Web Browsers

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Enumerates processes with tasklist

Suspicious use of SetThreadContext

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-18 17:40

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-18 17:40

Reported

2024-09-18 17:43

Platform

win10v2004-20240802-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4732 set thread context of 5084 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2928 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2928 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2928 wrote to memory of 3692 | N/A | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 3692 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
PID 3692 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
PID 3692 wrote to memory of 4340 | N/A | C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
PID 4340 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 4340 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 4340 wrote to memory of 2996 | N/A | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2996 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 1164 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 4364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1164 wrote to memory of 4364 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1164 wrote to memory of 3284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 1164 wrote to memory of 3284 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2996 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 1248 wrote to memory of 1168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1248 wrote to memory of 1168 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1248 wrote to memory of 5016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 1248 wrote to memory of 5016 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2996 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 4300 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 4300 wrote to memory of 4912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4300 wrote to memory of 4912 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4300 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4300 wrote to memory of 4704 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2996 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 1264 wrote to memory of 4916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1264 wrote to memory of 4916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1264 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 1264 wrote to memory of 2580 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2996 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 4248 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 4248 wrote to memory of 3596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4248 wrote to memory of 3596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 4248 wrote to memory of 908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 4248 wrote to memory of 908 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2996 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 2996 wrote to memory of 1996 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Windows\system32\cmd.exe
PID 1996 wrote to memory of 1256 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1996 wrote to memory of 1256 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\tasklist.exe
PID 1996 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 1996 wrote to memory of 2732 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\find.exe
PID 2996 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 2996 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 2996 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 1804 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\SysWOW64\cmd.exe
PID 1804 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3064 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3064 wrote to memory of 2484 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\PING.EXE
PID 3064 wrote to memory of 4732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 3064 wrote to memory of 4732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 3064 wrote to memory of 4732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
PID 4732 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4732 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4732 wrote to memory of 2740 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4732 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4732 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4732 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 4732 wrote to memory of 5084 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe

"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"

C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$120052,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"

C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe

"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OUBH0.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$9004C,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "wrsa.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "opssvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avastui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avgui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "nswscsvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "sophoshealth.exe"

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\X78XPKeS.a3x && del C:\ProgramData\\X78XPKeS.a3x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

AutoIt3.exe C:\ProgramData\\X78XPKeS.a3x

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
RU | 45.141.86.82:15647 | | tcp
US | 8.8.8.8:53 | 82.86.141.45.in-addr.arpa | udp
US | 8.8.8.8:53 | 121.170.16.2.in-addr.arpa | udp
RU | 45.141.86.82:9000 | 45.141.86.82 | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\is-US226.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

MD5 81636f80b1e7c0b8f946c8ff0081436a
SHA1 9e7b01f8324e089b925cb9050ce74cd099c58370
SHA256 ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35
SHA512 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

C:\Users\Admin\AppData\Local\Temp\is-SOGR0.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

MD5 3f58a517f1f4796225137e7659ad2adb
SHA1 e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512 acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

MD5 647d824a19511783d1a011f8b775c1d4
SHA1 46b0213afa55d27a688e9729ac120d4574318cb5
SHA256 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b
SHA512 ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

MD5 0bc6d1c595e440233c6daa45813657a0
SHA1 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3
SHA256 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac
SHA512 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

C:\Users\Admin\AppData\Local\Temp\tmpF20.tmp

MD5 a603e09d617fea7517059b4924b1df93
SHA1 31d66e1496e0229c6a312f8be05da3f813b3fa9e
SHA256 ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7
SHA512 eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

C:\Users\Admin\AppData\Local\Temp\tmpF52.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-18 17:40

Reported

2024-09-18 17:43

Platform

win7-20240903-en

Max time kernel

120s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1932 set thread context of 2252 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2596 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2596 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2596 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2596 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2596 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2596 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2596 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 2324 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
PID 2324 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
PID 2324 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
PID 2324 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
PID 2444 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
PID 1920 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Windows\system32\cmd.exe
PID 1848 wrote to memory of 1508 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1848 wrote to memory of 1884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1920 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Windows\system32\cmd.exe
PID 1452 wrote to memory of 1164 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1452 wrote to memory of 1748 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1920 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 2904 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1968 wrote to memory of 2868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1920 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Windows\system32\cmd.exe
PID 2856 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2856 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1920 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp C:\Windows\system32\cmd.exe
PID 872 wrote to memory of 2408 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe

"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"

C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$30148,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"

C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe

"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART

C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O0VVR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$40148,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "wrsa.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "opssvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avastui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "avgui.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "nswscsvc.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"

C:\Windows\system32\tasklist.exe

tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH

C:\Windows\system32\find.exe

find /I "sophoshealth.exe"

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\8ixt1ToWa.a3x && del C:\ProgramData\\8ixt1ToWa.a3x

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

AutoIt3.exe C:\ProgramData\\8ixt1ToWa.a3x

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Network

Country Destination Domain Proto
RU 45.141.86.82:15647 N/A tcp
RU 45.141.86.82:9000 45.141.86.82 tcp

Files

memory/2596-0-0x0000000000FE0000-0x00000000010B4000-memory.dmp

memory/2596-2-0x0000000000FE1000-0x0000000001089000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-RCNM3.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp

MD5 81636f80b1e7c0b8f946c8ff0081436a
SHA1 9e7b01f8324e089b925cb9050ce74cd099c58370
SHA256 ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35
SHA512 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a

memory/2324-8-0x0000000000110000-0x0000000000111000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-ERUDI.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2444-16-0x0000000000FE0000-0x00000000010B4000-memory.dmp

memory/2324-15-0x0000000000C00000-0x0000000000F34000-memory.dmp

memory/2596-19-0x0000000000FE0000-0x00000000010B4000-memory.dmp

\Users\Admin\AppData\Local\acetiam\AutoIt3.exe

MD5 3f58a517f1f4796225137e7659ad2adb
SHA1 e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA256 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512 acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

memory/1920-179-0x0000000000230000-0x0000000000564000-memory.dmp

C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x

MD5 647d824a19511783d1a011f8b775c1d4
SHA1 46b0213afa55d27a688e9729ac120d4574318cb5
SHA256 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b
SHA512 ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f

memory/2444-181-0x0000000000FE0000-0x00000000010B4000-memory.dmp

C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx

MD5 0bc6d1c595e440233c6daa45813657a0
SHA1 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3
SHA256 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac
SHA512 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f

memory/2252-192-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2252-194-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2252-193-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp13F0.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73