Analysis Overview
SHA256
f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b
Threat Level: Known bad
The file f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
SectopRAT
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-09-19 01:54
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-09-19 01:54
Reported
2024-09-19 01:57
Platform
win7-20240903-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1532 set thread context of 1496 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$40026,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N37AA.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$301D2,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "wrsa.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "opssvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avastui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avgui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "nswscsvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "sophoshealth.exe"
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\Gg2Ofncpo.a3x && del C:\ProgramData\\Gg2Ofncpo.a3x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
AutoIt3.exe C:\ProgramData\\Gg2Ofncpo.a3x
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| RU | 45.141.86.82:15647 | | tcp |
| RU | 45.141.86.82:9000 | 45.141.86.82 | tcp |
Files
memory/1352-0-0x00000000013C0000-0x0000000001494000-memory.dmp
memory/1352-2-0x00000000013C1000-0x0000000001469000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-2OES6.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
| MD5 | 81636f80b1e7c0b8f946c8ff0081436a |
| SHA1 | 9e7b01f8324e089b925cb9050ce74cd099c58370 |
| SHA256 | ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35 |
| SHA512 | 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a |
memory/2008-8-0x0000000000480000-0x0000000000481000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-F0KN9.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2380-15-0x00000000013C0000-0x0000000001494000-memory.dmp
memory/2008-17-0x0000000000060000-0x0000000000394000-memory.dmp
memory/1352-24-0x00000000013C0000-0x0000000001494000-memory.dmp
\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x
| MD5 | 647d824a19511783d1a011f8b775c1d4 |
| SHA1 | 46b0213afa55d27a688e9729ac120d4574318cb5 |
| SHA256 | 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b |
| SHA512 | ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f |
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx
| MD5 | 0bc6d1c595e440233c6daa45813657a0 |
| SHA1 | 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3 |
| SHA256 | 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac |
| SHA512 | 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f |
memory/2380-182-0x00000000013C0000-0x0000000001494000-memory.dmp
memory/2164-180-0x0000000000260000-0x0000000000594000-memory.dmp
memory/1496-192-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1496-194-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1496-193-0x0000000000400000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE967.tmp
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-09-19 01:54
Reported
2024-09-19 01:57
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
140s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\abbkkce = "\"C:\\eegeaeg\\AutoIt3.exe\" C:\\eegeaeg\\abbkkce.a3x" | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1288 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\PING.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$70048,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe"
C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe
"C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
"C:\Users\Admin\AppData\Local\Temp\is-TKEFR.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp" /SL5="$D0044,10740751,812544,C:\Users\Admin\AppData\Local\Temp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.exe" /VERYSILENT /NORESTART
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "wrsa.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "opssvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avastui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "avgui.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "nswscsvc.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
C:\Windows\system32\tasklist.exe
tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
C:\Windows\system32\find.exe
find /I "sophoshealth.exe"
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
"C:\Users\Admin\AppData\Local\acetiam\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\acetiam\\grayhound1..a3x"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\bZmNBr.a3x && del C:\ProgramData\\bZmNBr.a3x
C:\Windows\SysWOW64\PING.EXE
ping -n 5 127.0.0.1
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
AutoIt3.exe C:\ProgramData\\bZmNBr.a3x
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 45.141.86.82:15647 | | tcp |
| US | 8.8.8.8:53 | 82.86.141.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| RU | 45.141.86.82:9000 | 45.141.86.82 | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
memory/1684-1-0x00000000008E0000-0x00000000009B4000-memory.dmp
memory/1684-2-0x00000000008E1000-0x0000000000989000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-3H7UE.tmp\f358dde7b5f896d851677a271b4d20e70cdf36a9eeb9da9b001554d65e02a71b.tmp
| MD5 | 81636f80b1e7c0b8f946c8ff0081436a |
| SHA1 | 9e7b01f8324e089b925cb9050ce74cd099c58370 |
| SHA256 | ca3de247b4d58905e04277ee2386cedaeff38a0fad1f46bfff304ba9f0710f35 |
| SHA512 | 67432e1a56e043573bc67d904f4c735f70333b35fe6efe2bb11ee1137bdd96bdbd3ed2956dbf8314b3a15ea2b2260fb5d3904481efb96c7dbb6661a32b13a85a |
memory/468-6-0x00000000031C0000-0x00000000031C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-49RA2.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/3768-13-0x00000000008E0000-0x00000000009B4000-memory.dmp
memory/468-15-0x0000000000280000-0x00000000005B4000-memory.dmp
memory/1684-17-0x00000000008E0000-0x00000000009B4000-memory.dmp
memory/4844-21-0x0000000002A30000-0x0000000002A31000-memory.dmp
C:\Users\Admin\AppData\Local\acetiam\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
memory/4844-174-0x0000000000310000-0x0000000000644000-memory.dmp
C:\Users\Admin\AppData\Local\acetiam\grayhound1..a3x
| MD5 | 647d824a19511783d1a011f8b775c1d4 |
| SHA1 | 46b0213afa55d27a688e9729ac120d4574318cb5 |
| SHA256 | 8674025ff9edbf37ad8d7e1af8b93bd63e0fe2e8eaea61ee6e1317c468a0e48b |
| SHA512 | ed57dcb8817d329bf989b642be2244976f7725edecb5565788eb1643b81b58fd22c39dcdec827b3f7067ae844f4b62622bf8d079679df10af4f203f67efe1d1f |
C:\Users\Admin\AppData\Local\acetiam\grayhound.pptx
| MD5 | 0bc6d1c595e440233c6daa45813657a0 |
| SHA1 | 3a04c1fcd93642fe7b0ad47d67c29344ebddc9a3 |
| SHA256 | 1841f77c752744d0054847a13cccc5851408d2e38caafcb153e37c56a01f6bac |
| SHA512 | 0fe0b161095deaa389ca9b81e8d0b5210598d1f750cc849828bca77168a9e7be0d747ac01c0a2f1d338e2562dcad7ca372c346b575ceb481b9cd7a24da10362f |
memory/3768-178-0x00000000008E0000-0x00000000009B4000-memory.dmp
memory/1784-187-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1784-188-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1784-189-0x00000000059A0000-0x0000000005A32000-memory.dmp
memory/1784-190-0x0000000006040000-0x00000000065E4000-memory.dmp
memory/1784-191-0x0000000005DE0000-0x0000000005FA2000-memory.dmp
memory/1784-192-0x0000000005B10000-0x0000000005B86000-memory.dmp
memory/1784-193-0x0000000005B90000-0x0000000005BE0000-memory.dmp
memory/1784-194-0x0000000005980000-0x000000000598A000-memory.dmp
memory/1784-195-0x0000000006C20000-0x000000000714C000-memory.dmp
memory/1784-196-0x0000000006720000-0x000000000673E000-memory.dmp
memory/1784-197-0x0000000006810000-0x0000000006876000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7A.tmp
| MD5 | a603e09d617fea7517059b4924b1df93 |
| SHA1 | 31d66e1496e0229c6a312f8be05da3f813b3fa9e |
| SHA256 | ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7 |
| SHA512 | eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc |
C:\Users\Admin\AppData\Local\Temp\tmp9C.tmp
| MD5 | 49693267e0adbcd119f9f5e02adf3a80 |
| SHA1 | 3ba3d7f89b8ad195ca82c92737e960e1f2b349df |
| SHA256 | d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f |
| SHA512 | b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2 |
memory/1784-221-0x00000000084C0000-0x00000000084CA000-memory.dmp
memory/1784-223-0x0000000005C30000-0x0000000005C42000-memory.dmp
memory/1784-224-0x0000000005CC0000-0x0000000005CFC000-memory.dmp