Malware Analysis Report

2024-11-16 13:11

Sample ID 241103-vmsbvayhmh
Target a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N
SHA256 a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673
Tags
metamorpherrat discovery rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673

Threat Level: Known bad

The file a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N was found to be: Known bad.

Malicious Activity Summary

metamorpherrat discovery rat stealer trojan

MetamorpherRAT

Metamorpherrat family

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Uses the VBS compiler for execution

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 17:06

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 17:06

Reported

2024-11-03 17:09

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5048 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5048 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5048 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3752 wrote to memory of 228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3752 wrote to memory of 228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3752 wrote to memory of 228 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5048 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe
PID 5048 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe
PID 5048 wrote to memory of 4648 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ry0yl2yx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFB55C28492374663B38A97A1777F6DB.TMP"

C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 105.84.221.44.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 44.221.84.105:80 bejnz.com tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 8.8.8.8:53 simrat.no-ip.info udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 tcp

Files

memory/5048-0-0x00000000753B2000-0x00000000753B3000-memory.dmp

memory/5048-1-0x00000000753B0000-0x0000000075961000-memory.dmp

memory/5048-2-0x00000000753B0000-0x0000000075961000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ry0yl2yx.cmdline

MD5 a099780193bf1787f187e6b36a120d66
SHA1 51db68700e8b94b69e744944e69ab9ba50ec93cc
SHA256 0028d082e7384e14f39766a3b4ac61e940da7cea767e90b0ac906f265adf9d16
SHA512 0e0ce573361a882d0c3670ca2805e644438cbc728083ab6035e4114808a308481183b9438fe0fc60d37a5de56b58064fe1974d801a2a95150cec4d5b7bcf1efa

C:\Users\Admin\AppData\Local\Temp\ry0yl2yx.0.vb

MD5 ae83766d93bda4dc6b436a6cac123296
SHA1 966462a668cec0fd63718c1cca5d55ab56077233
SHA256 dcd8a4c7ead43b8873365fa6184f224ac0d0f037b4ce59cbf659961bb411183f
SHA512 434027a96ac94e5db944cf3138bdddfdf30206b367dd948983bdd9fd52bde9088cf6c5d9e80af13a4c4493a3dd0fd423a8cfb9638577dd1f5838c7a1c233598d

memory/3752-9-0x00000000753B0000-0x0000000075961000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\vbcFB55C28492374663B38A97A1777F6DB.TMP

MD5 2a1618054b94a66649713adabbb126f2
SHA1 4049d06033266296e06d60ddfef249bd9c27a5d3
SHA256 53b849581aa04008cbf1496b801f4f91b96cdc44a71732e7660fa29a94bf0d0a
SHA512 094db247a853b5c9deea28f5eaee5e5e30953fb5026ef4e41570e2eed519a1051e5c901b8b94bd4deac6b271f08f0c9f723b81a81f8cc4d687c927d688cd39da

C:\Users\Admin\AppData\Local\Temp\RESA5F4.tmp

MD5 f4fdd87f4591f1a0b53efeae18fdcd4b
SHA1 0a67b80f929606c3f026d8ee41893866f09a2387
SHA256 98030a422510808758241510404948d929bb181ca40457c175c1385da7952233
SHA512 30b15f045348e07b6084e599ea0642babeec072d55abf59645962d9163f36191b941703958cc64780ee0cccce5ef98a7aa15fa5115955b2055776489573e8908

memory/3752-18-0x00000000753B0000-0x0000000075961000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA42F.tmp.exe

MD5 aa8fadefdf0ae3f60f1ad556900a938f
SHA1 e646feb474b614b94b8ff5aa631dded4a5aa090c
SHA256 2b828e8badb11eccbdd028e021d28dd69eb04688b82d4933d9fbf39a2a66d94d
SHA512 d9ab3f579442fe2a5ddaa55873234f1f62e4a43b7996ecc3eafc5367a5b3c70787e29db0f0674eb2026b9fc86ec96cb8770d726a8752461e463d077fb6987910

memory/4648-23-0x00000000753B0000-0x0000000075961000-memory.dmp

memory/5048-22-0x00000000753B0000-0x0000000075961000-memory.dmp

memory/4648-24-0x00000000753B0000-0x0000000075961000-memory.dmp

memory/4648-25-0x00000000753B0000-0x0000000075961000-memory.dmp

memory/4648-26-0x00000000753B0000-0x0000000075961000-memory.dmp

memory/4648-27-0x00000000753B0000-0x0000000075961000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 17:06

Reported

2024-11-03 17:09

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Metamorpherrat family

metamorpherrat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe N/A

Uses the VBS compiler for execution

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2088 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2088 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2088 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1340 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1340 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1340 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1340 wrote to memory of 1372 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2088 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe
PID 2088 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe
PID 2088 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe
PID 2088 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

"C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ultspese.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB202.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB201.tmp"

C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe" C:\Users\Admin\AppData\Local\Temp\a23f1009db70be25c317012972f20faaece08a380a60e53be9fc5ffb4d161673N.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 simrat.no-ip.info udp
US 8.8.8.8:53 bejnz.com udp
US 8.8.8.8:53 bejnz.com udp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp
US 44.221.84.105:80 bejnz.com tcp

Files

memory/2088-0-0x0000000074031000-0x0000000074032000-memory.dmp

memory/2088-1-0x0000000074030000-0x00000000745DB000-memory.dmp

memory/2088-2-0x0000000074030000-0x00000000745DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ultspese.cmdline

MD5 c967a2f88cea7724af0599d7bcb91198
SHA1 103466b2655afa8b9f3bb78439dfae00a5f5f2c5
SHA256 c033d79f00b24da60ccc7dc57dcaf047ecc120b3bf4079ee36e93651fc681726
SHA512 13fd8475c48e6e84e0cda4a57135f616e0e6dd7d8df715287eaac05e5186396582840ff8ba91e3043554863f6ea1fc93af5b53ca2f86ee1e58ce0989608fc7e3

C:\Users\Admin\AppData\Local\Temp\ultspese.0.vb

MD5 d8e19ec7e82f2695b16ce9868a5a592a
SHA1 bbc75ea93b86287c3e0ae38cbdf64c21ffec951d
SHA256 49f5e492893d4cd17785113a402bd29c74971b25d09ff1206e9b9dc9facbe02b
SHA512 f1262a7c1603b6e316f8169541be652c009e2f1d69200faa8e46c76b305064cad579aa258e463a9ee06dea95741bfdf1afd403f36cc7aedd37b2b993d1481b1f

C:\Users\Admin\AppData\Local\Temp\RESB202.tmp

MD5 f07d40af29083a24ebfe9aa3034fdc0e
SHA1 fdf6cb78286693a31c8aabf67d6fde353d13f543
SHA256 d03c18090e37b57f5f72795a52cb1c568c95e38b5a0240d465c95f8e82e6a891
SHA512 e8ad2fa323cc7feaa36ca3938cba5b05862af7352d186c55981649c3160640a6c9804b5e8a50ab69e57877a2f4d1aa8343b84febbd03f5ddef073739ba49a1ed

C:\Users\Admin\AppData\Local\Temp\vbcB201.tmp

MD5 a78503eba1ec19102be967f8b5c0ebd5
SHA1 388ed713f5e4d05ecd7e9838968352c8c5ffb782
SHA256 708dea019b33986cf352a5cf7b48cad72d7f6e58793cac8392beaee78d1266dc
SHA512 e9015a942638a8c85d40f3466a46c6a7a5f260add78565e78151373c1e8f0ec4ca0200b29f988ef8cbd81a9bf972449a642062ed83ed2b48ec76a754b6de97e8

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 8008b17644b64cea2613d47c30c6e9f4
SHA1 4cd2935358e7a306af6aac6d1c0e495535bd5b32
SHA256 fc343d0c2ee741f89cc4f187d7b6694397765e151dbc737052df4c19d7a36c55
SHA512 0c1161a8ebcc659ffd920f0607cc751ece0a0c918a8d3b8f8ca508ebc03b854c29bd0bdf1518922c4525a825f90ef3bca8c7540975d4ecab9182b9f0ce6880ea

C:\Users\Admin\AppData\Local\Temp\tmpB145.tmp.exe

MD5 4cca22f7aad445be9ff194b6a48048a1
SHA1 68d51678ec8c598cdf1270e93e1bf25a0b3713ba
SHA256 2d14a333272c57dbd37700589f098558bd3948c298982363784c0b5fc23e202d
SHA512 171aa76fc74d552a4e327455804e4f4228fb813b803abdef81826d1523d860b8af5decff55c6b1c82f5c21827d47d9901195ca28b80966f46fc162e18183b808

memory/1340-18-0x0000000074030000-0x00000000745DB000-memory.dmp

memory/1340-8-0x0000000074030000-0x00000000745DB000-memory.dmp

memory/2088-24-0x0000000074030000-0x00000000745DB000-memory.dmp