Malware Analysis Report

2024-11-13 16:39

Sample ID 241108-b85phs1qgw
Target 71a0508bf75b1b3f84606026ca9dd764
SHA256 1df95ebb57c93ce4374ff3ba6fcdad3662af67015abade8925c242a04e1b6b6c
Tags: purecrypter redline notepad_2 discovery downloader infostealer loader persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 1df95ebb57c93ce4374ff3ba6fcdad3662af67015abade8925c242a04e1b6b6c

Threat Level: Known bad

The file 71a0508bf75b1b3f84606026ca9dd764 was found to be: Known bad.

Malicious Activity Summary

Tags: purecrypter redline notepad_2 discovery downloader infostealer loader persistence

Read together, the six runs show the following chain. The submitted file is a trojanised Notepad++ 8.4.1 installer (npp.8.4.1.Installer.x64.exe) packaged as a wextract/IExpress self-extractor: it unpacks into %TEMP%\IXP000.TMP, writes the standard wextract_cleanup0 RunOnce value that deletes that directory at the next logon, and starts DRIVER~1.EXE from it. DRIVER~1.EXE is the PureCrypter loader. It stalls through "cmd.exe /c timeout 10", launches Mppzqonpp.8.4.1.installer.x64.exe (an NSIS installer, identified by the NSIS plug-ins System.dll, LangDLL.dll, InstallOptions.dll and nsDialogs.dll it drops into an ns*.tmp directory, and presumably the visible Notepad++ setup the victim expects to see), enables SeDebugPrivilege, and then writes into and sets the thread context of a freshly started InstallUtil.exe, the signed .NET Framework utility it uses as the host for the RedLine payload. Runs behavioral5 and behavioral6, the two that execute the installer, are also the only runs with any non-DNS traffic: repeated TCP connections to 194.36.177.124:39456 (DE), consistent with the RedLine check-in and the one network indicator to take from this report. Runs behavioral1 to behavioral4 invoke two DLLs bundled with the submission (DATA PROTECTION\combase.dll and DATA PROTECTION\freebl3.dll) through rundll32 by ordinal #1 and produce no signatures; freebl3.dll is a Mozilla NSS library of the kind stealers carry to decrypt Firefox credential stores, so on their own these DLLs doing nothing is expected.

Two caveats on the tags. The only "persistence" indicator recorded is the wextract cleanup RunOnce value, which deletes the temp directory rather than relaunching anything, so no persistence mechanism for RedLine itself is evidenced in this report. And the in-addr.arpa lookups to 8.8.8.8 in the network tables are reverse (PTR) queries generated in the sandbox environment, not traffic initiated by the sample.

Signatures matched across the runs (details in the behavioral5 and behavioral6 sections):

Redline family; RedLine; RedLine payload
Detect PureCrypter injector; PureCrypter; Purecrypter family
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe

MITRE ATT&CK

Enterprise Matrix V15. The rendered matrix did not survive extraction. The techniques that can be read directly from the signatures below, mapped here by the editor rather than taken from the sandbox's own matrix, are: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys, the RunOnce value, with the caveat given in the overview), T1055.012 (Process Injection: Process Hollowing, the WriteProcessMemory and SetThreadContext calls into InstallUtil.exe), T1218.004 (System Binary Proxy Execution: InstallUtil) and T1218.011 (Rundll32), T1497.003 (Virtualization/Sandbox Evasion: Time Based Evasion, timeout.exe) and T1614.001 (System Location Discovery: System Language Discovery).

Analysis: static1

Detonation Overview

Reported: 2024-11-08 01:50

Signatures

Unsigned PE (no indicator details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-08 01:49
Reported: 2024-11-08 01:53
Platform: win7-20240708-en
Max time kernel: 118s
Max time network: 122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\combase.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\combase.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-08 01:49
Reported: 2024-11-08 01:53
Platform: win10v2004-20241007-en
Max time kernel: 91s
Max time network: 152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\combase.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\combase.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp

Every entry is a reverse (PTR) lookup sent to 8.8.8.8 for an address seen in the guest's background traffic. This is sandbox environment noise, not activity of the sample, which made no connection of its own in this run.

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-08 01:49
Reported: 2024-11-08 01:53
Platform: win7-20241010-en
Max time kernel: 9s
Max time network: 20s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\freebl3.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\freebl3.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-11-08 01:49
Reported: 2024-11-08 01:53
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\freebl3.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\DATA PROTECTION\freebl3.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp

As in behavioral2, every entry is a reverse (PTR) lookup to 8.8.8.8 for an address in the guest's background traffic; it is environment noise, and the sample made no connection of its own in this run.

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-11-08 01:49
Reported: 2024-11-08 01:53
Platform: win7-20240729-en
Max time kernel: 137s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe"

Signatures

Detect PureCrypter injector (loader): no indicator details recorded
PureCrypter (loader downloader purecrypter)
Purecrypter family (purecrypter)
RedLine (infostealer redline)
RedLine payload: 5 matches, no indicator details recorded
Redline family (redline)

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe | N/A

This is the RunOnce value that wextract.exe writes for every IExpress package: advpack.dll's DelNodeRunDLL32 removes the IXP000.TMP extraction directory at the next logon. It identifies the dropper as a wextract package, but it does not relaunch anything, so it should not be read as RedLine persistence.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2692 set thread context of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Together with the twelve WriteProcessMemory calls from 2692 into 2524 listed below and the 0x00400000-0x00420000 image dumped repeatedly from PID 2524 (see Files), this is process hollowing: the loader starts InstallUtil.exe, overwrites its image with the RedLine payload and points the primary thread at it.

Enumerates physical storage devices (no indicator details recorded)

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A

Delays execution with timeout.exe (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | N/A (2 matches)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | N/A

Suspicious use of WriteProcessMemory

The report lists one row per call; identical rows are collapsed here with the call count in the last column.

Description | Indicator | Process | Target | Calls
PID 2088 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | 4
PID 2692 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Windows\SysWOW64\cmd.exe | 4
PID 2588 wrote to memory of 1508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 4
PID 2692 wrote to memory of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe | 7
PID 2692 wrote to memory of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | 12

A parent writes into every child it creates, as the benign cmd.exe to timeout.exe pair shows, so four writes on their own indicate process creation rather than injection. The twelve writes into InstallUtil.exe, followed by the SetThreadContext call above, are the payload being mapped.
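The chain above (parent-to-child WriteProcessMemory calls, then SetThreadContext into a freshly started InstallUtil.exe) is what an analyst wants pulled out of these tables automatically. The script below is an added example, not part of the sandbox report or its tooling: it parses indicator rows in the report's own wording, rebuilds the process tree from the memory-write graph and flags the hollowing candidate. The input rows are copied from the behavioral5 tables above, one per distinct pair; the list of commonly hollowed .NET hosts and the confidence rule are the example's own assumptions.

```python
"""Rebuild the process tree and flag process hollowing from sandbox indicator
rows of the form "PID <a> wrote to memory of <b> N/A <image a> <image b>" and
"PID <a> set thread context of <b> N/A <image a> <image b>".

Added example; not part of the sandbox report or its tooling."""
import re

# Constructed input: the behavioral5 rows above, one per distinct pair (the
# report repeats each row once per API call).
SAMPLE_INDICATORS = r"""
PID 2088 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
PID 2692 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2692 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe
PID 2692 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2692 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"""

# Signed .NET Framework binaries that loaders commonly hollow (assumed list;
# extend it from your own telemetry).
HOLLOW_HOSTS = {"installutil.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe"}

_ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_indicators(text):
    """Turn indicator rows into events {src, op, dst, src_image, dst_image}."""
    events = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        src, op, dst, rest = m.groups()
        # Two image paths follow the N/A column; split at the last drive-letter
        # prefix so a source path containing spaces survives intact.
        cut = rest.rfind(" C:\\")
        if cut < 0:
            continue
        events.append({
            "src": int(src), "dst": int(dst),
            "op": "write" if op.startswith("wrote") else "setctx",
            "src_image": rest[:cut], "dst_image": rest[cut + 1:],
        })
    return events


def write_graph(events):
    """Parent -> children as seen through WriteProcessMemory. A parent always
    writes into a child it has just created (cmd.exe into timeout.exe shows
    the baseline), so in these reports the write graph is the process tree."""
    children, images = {}, {}
    for e in events:
        images[e["src"]] = e["src_image"]
        images[e["dst"]] = e["dst_image"]
        if e["op"] == "write":
            kids = children.setdefault(e["src"], [])
            if e["dst"] not in kids:
                kids.append(e["dst"])
    return children, images


def find_hollowing(events):
    """Flag (injector, victim) pairs where the injector both wrote into the
    victim and reset one of its threads, and the victim runs a different
    binary: the classic hollowing / thread-hijack pattern."""
    writes = {(e["src"], e["dst"]) for e in events if e["op"] == "write"}
    findings, seen = [], set()
    for e in events:
        pair = (e["src"], e["dst"])
        if e["op"] != "setctx" or pair not in writes or pair in seen:
            continue
        if basename(e["src_image"]).lower() == basename(e["dst_image"]).lower():
            continue  # self-injection or a re-spawned copy; not hollowing
        seen.add(pair)
        host = basename(e["dst_image"]).lower()
        findings.append({
            "injector": e["src"], "victim": e["dst"], "victim_image": e["dst_image"],
            "confidence": "high" if host in HOLLOW_HOSTS else "medium",
        })
    return findings


def render_tree(events, root):
    """Indented one-line-per-process view, like the report's Processes list."""
    children, images = write_graph(events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(images.get(pid, '?'))}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    ev = parse_indicators(SAMPLE_INDICATORS)
    print("\n".join(render_tree(ev, 2088)))
    for f in find_hollowing(ev):
        print(f"hollowing candidate: {f['injector']} -> {f['victim']} "
              f"({basename(f['victim_image'])}, confidence {f['confidence']})")
```

The self-injection exclusion matters in practice: loaders that re-spawn their own image and write into the copy also produce write plus SetThreadContext pairs, and those need a different label than a hollowed system binary.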

Processes

Process tree, with PIDs taken from the WriteProcessMemory indicators above (image path, then command line):

2088  C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe"
  2692  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
    2588  C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 10
      1508  C:\Windows\SysWOW64\timeout.exe
            timeout 10
    1904  C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe
          "C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe"
    2524  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

The loader asks for System32\cmd.exe and gets SysWOW64\cmd.exe, and it starts InstallUtil.exe from Framework rather than Framework64: DRIVER~1.EXE is a 32-bit process subject to WOW64 redirection, which matches the 32-bit image base (0x00400000) dumped from PID 2524.

Network

Country | Destination | Domain | Proto | Connections
DE | 194.36.177.124:39456 | (none) | tcp | 5

Five TCP connections to 194.36.177.124 on port 39456 (DE), by raw address with no DNS lookup, and no other traffic at all. This is the only non-resolver endpoint in the six runs and is consistent with the RedLine check-in to its hard-coded controller; it is the network indicator to extract from this report.

Files

Memory dumps (PID-sequence-range):

memory/2692-6-0x000000007421E000-0x000000007421F000-memory.dmp
memory/2692-7-0x0000000000B70000-0x000000000101E000-memory.dmp
memory/2692-8-0x0000000004FF0000-0x0000000005478000-memory.dmp
memory/2692-9-0x0000000074210000-0x00000000748FE000-memory.dmp
memory/2692-10-0x000000007421E000-0x000000007421F000-memory.dmp
memory/2692-11-0x0000000074210000-0x00000000748FE000-memory.dmp
memory/2692-12-0x0000000006360000-0x00000000067EA000-memory.dmp
memory/2692-13-0x0000000000580000-0x00000000005CC000-memory.dmp
memory/2692-43-0x0000000074210000-0x00000000748FE000-memory.dmp
memory/2524-31-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2524-33-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2524-35-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2524-37-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2524-39-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2524-40-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2524-41-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2524-42-0x0000000000400000-0x0000000000420000-memory.dmp

The 0x00400000-0x00420000 region dumped repeatedly from PID 2524 (InstallUtil.exe) is the image base of the hollowed process; the 32-bit image the loader wrote there is the injected payload, and those dumps are the ones to take for configuration extraction. DRIVER~1.EXE, the PureCrypter loader, is not among the dropped files below, so it is only available from the IXP000.TMP extraction directory or from the PID 2692 dumps.

Dropped files:

\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe
MD5 542c0f910db312aa76c75d5cdbf76844
SHA1 18f608b6220c392ddde0194352b3faf7a10608d1
SHA256 6d80dcfdb5a979eb11de1ebbf5733a101fbe4cd8f7c1ac10f651e71fadf52e4a
SHA512 087f415c20d485cc322be24ae43f730ae7edfa6f64fe78828727a8cf47a0207d18a9b45769f9f3228cd5012c7d34244ccc7edb3e93ba0cc263c4370153fe4a0d

\Users\Admin\AppData\Local\Temp\nsoB2AE.tmp\System.dll
MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

\Users\Admin\AppData\Local\Temp\nsoB2AE.tmp\LangDLL.dll
MD5 68b287f4067ba013e34a1339afdb1ea8
SHA1 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA256 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA512 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

\Users\Admin\AppData\Local\Temp\nsoB2AE.tmp\InstallOptions.dll
MD5 ece25721125d55aa26cdfe019c871476
SHA1 b87685ae482553823bf95e73e790de48dc0c11ba
SHA256 c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA512 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

C:\Users\Admin\AppData\Local\Temp\nsoB2AE.tmp\ioSpecial.ini (first version written)
MD5 72ac8bc7f8abd3817d7b7e8eb0dca090
SHA1 392d6220e9f2857409d768863495da2bdf7769f5
SHA256 7119bc73938abfe698eab6e883986113da5916659f94642a876f77ce8da47d9a
SHA512 fb5cfbd0b2e6d28cdae63a09065c0f2937cf7ca324133fc45081e15210f1afc06549c52603d7818dfc026a93d7bb4fdb014c87397fb28a07e20fe279ecc6c601

C:\Users\Admin\AppData\Local\Temp\nsoB2AE.tmp\ioSpecial.ini (second version written)
MD5 b5c82aa7a66ed698be050dc8c08943c6
SHA1 660bb1401a5bca1a2e8c165fb9274eda4d65a41c
SHA256 6805f2fb1f799b9ecf63ed7acf2cd4b9f822eac74df8b50bdf753373cda0a4b2
SHA512 3f7ab8d3380ab253697af279028c0bffd95babe2667317423f8ebf83eb436194903c53fe51ed3f175cb580fc246d2bdf3a0c58de485e233d1fbe89830aa025b0

\Users\Admin\AppData\Local\Temp\nsoB2AE.tmp\nsDialogs.dll
MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

System.dll, LangDLL.dll, InstallOptions.dll, nsDialogs.dll and ioSpecial.ini under an ns*.tmp directory are the standard NSIS installer plug-ins and their control file, written by Mppzqonpp.8.4.1.installer.x64.exe; they are not the malware.

Analysis: behavioral6

Detonation Overview

Submitted: 2024-11-08 01:49
Reported: 2024-11-08 01:53
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe"

Signatures

Detect PureCrypter injector (loader): no indicator details recorded
PureCrypter (loader downloader purecrypter)
Purecrypter family (purecrypter)
RedLine (infostealer redline)
RedLine payload: no indicator details recorded
Redline family (redline)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | N/A

Geo\Nation holds the GeoID of the user's configured location, a value loaders commonly read to refuse to run in particular countries; whether this loader acts on it is not shown in the report.

Adds Run key to start application (persistence)

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe | N/A

As in behavioral5, this is the wextract.exe cleanup value that deletes the IXP000.TMP extraction directory at the next logon, not a relaunch of the malware.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2704 set thread context of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Enumerates physical storage devices (no indicator details recorded)

System Location Discovery: System Language Discovery (discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe | N/A

Delays execution with timeout.exe (evasion)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | N/A

Suspicious use of WriteProcessMemory

The report lists one row per call; identical rows are collapsed here with the call count in the last column.

Description | Indicator | Process | Target | Calls
PID 3872 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | 3
PID 2704 wrote to memory of 3556 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Windows\SysWOW64\cmd.exe | 3
PID 3556 wrote to memory of 2888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe | 3
PID 2704 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe | 3
PID 2704 wrote to memory of 4624 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | 3
PID 2704 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | 8

On this Windows 10 image every created child receives three writes (again including the benign cmd.exe to timeout.exe pair). InstallUtil.exe PID 4624 received only those three, while PID 2716 received eight plus the SetThreadContext call: the loader started InstallUtil.exe more than once (the Processes list shows four instances) and completed the hollowing only in 2716.

Processes

Process tree, with PIDs taken from the WriteProcessMemory indicators above (image path, then command line):

3872  C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\npp.8.4.1.Installer.x64.exe"
  2704  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DRIVER~1.EXE
    3556  C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c timeout 10
      2888  C:\Windows\SysWOW64\timeout.exe
            timeout 10
    4308  C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe
          "C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe"
    4624  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    2716  C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

The report lists two further InstallUtil.exe instances for this run whose PIDs do not appear in any indicator, so they cannot be placed in the tree.

Network

The report interleaves the rows in time order; they are grouped here by kind.

Country | Destination | Domain | Proto | Connections
DE | 194.36.177.124:39456 | (none) | tcp | 5

Reverse (PTR) lookups to the resolver, environment noise as in behavioral2 and behavioral4:

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp

The same 194.36.177.124:39456 endpoint as in behavioral5, again reached by raw address without a DNS lookup, is the only connection attributable to the sample.
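Separating the PTR noise from the real endpoint above is mechanical, and worth automating because every run of this sandbox produces the same kind of in-addr.arpa rows. The script below is an added example, not part of the report or its tooling: it parses rows in the table's own layout, reverses PTR names back to the addresses that were looked up, discards lookups sent to a known resolver, keeps forward lookups as domain indicators and returns the remaining endpoints with hit counts. The input rows are copied from this run's table; the resolver list is an assumption.

```python
"""Triage a sandbox network table: strip resolver PTR noise, keep the real
endpoints and any domains that were actually resolved.

Added example; not part of the sandbox report or its tooling."""
import ipaddress

# Constructed input: rows copied from this run's table, in the report's own
# "<country> <ip:port> [<domain>] <proto>" layout.
SAMPLE_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 74.209.201.84.in-addr.arpa udp
DE 194.36.177.124:39456 tcp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
DE 194.36.177.124:39456 tcp
DE 194.36.177.124:39456 tcp
"""

# Resolvers the sandbox forwards DNS to (assumption; 8.8.8.8 is what this
# report shows).
KNOWN_RESOLVERS = {"8.8.8.8", "8.8.4.4"}


def ptr_to_ip(name):
    """'28.118.140.52.in-addr.arpa' -> '52.140.118.28'. PTR names carry the
    address octets in reverse order; anything that is not a valid PTR name
    returns None."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_rows(text):
    """Rows have three fields when no domain was involved, four when one was."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def triage(rows):
    """Return (endpoints with hit counts, domains looked up forward,
    addresses that were only reverse-resolved)."""
    endpoints, domains, reverse_resolved = {}, set(), set()
    for r in rows:
        to_resolver = r["port"] == 53 and r["host"] in KNOWN_RESOLVERS
        if to_resolver and r["domain"]:
            looked_up = ptr_to_ip(r["domain"])
            if looked_up:
                # PTR query: environment noise. Remember the address it asked
                # about, but it is not an indicator by itself.
                reverse_resolved.add(looked_up)
            else:
                # A forward lookup is the sample resolving a name: keep it.
                domains.add(r["domain"].lower())
            continue
        key = f"{r['host']}:{r['port']}/{r['proto']}"
        endpoints[key] = endpoints.get(key, 0) + 1
    return endpoints, domains, reverse_resolved


if __name__ == "__main__":
    eps, names, noise = triage(parse_rows(SAMPLE_ROWS))
    for ep, n in sorted(eps.items()):
        print(f"IOC  {ep}  ({n} connections)")
    for d in sorted(names):
        print(f"IOC  domain {d}")
    print("reverse-resolved only:", ", ".join(sorted(noise)))
```

Forward lookups sent to the resolver are kept as domain indicators rather than dropped with the PTR noise, because a stealer that resolves its controller by name would otherwise vanish from the output.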

Files

Memory dumps (PID-sequence-range):

memory/2704-5-0x000000007455E000-0x000000007455F000-memory.dmp
memory/2704-6-0x0000000000F60000-0x000000000140E000-memory.dmp
memory/2704-7-0x0000000005DE0000-0x0000000006268000-memory.dmp
memory/2704-8-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/2704-9-0x000000007455E000-0x000000007455F000-memory.dmp
memory/2704-10-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/2704-11-0x0000000006C80000-0x000000000710A000-memory.dmp
memory/2704-12-0x0000000005840000-0x000000000588C000-memory.dmp
memory/2704-13-0x0000000009180000-0x00000000091E6000-memory.dmp
memory/2704-14-0x0000000009E00000-0x0000000009E92000-memory.dmp
memory/2704-15-0x000000000A450000-0x000000000A9F4000-memory.dmp
memory/2704-37-0x0000000074550000-0x0000000074D00000-memory.dmp
memory/2716-26-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2716-38-0x0000000005C60000-0x0000000006278000-memory.dmp
memory/2716-39-0x00000000056E0000-0x00000000056F2000-memory.dmp
memory/2716-40-0x0000000005810000-0x000000000591A000-memory.dmp
memory/2716-41-0x0000000005740000-0x000000000577C000-memory.dmp
memory/2716-42-0x0000000005780000-0x00000000057CC000-memory.dmp

As in behavioral5, the 0x00400000-0x00420000 dump from the hollowed InstallUtil.exe (here PID 2716) is the injected payload image; the later, higher dumps from 2716 are heap and loader regions of the running payload.

Dropped files:

C:\Users\Admin\AppData\Local\Temp\Mppzqonpp.8.4.1.installer.x64.exe
MD5 542c0f910db312aa76c75d5cdbf76844
SHA1 18f608b6220c392ddde0194352b3faf7a10608d1
SHA256 6d80dcfdb5a979eb11de1ebbf5733a101fbe4cd8f7c1ac10f651e71fadf52e4a
SHA512 087f415c20d485cc322be24ae43f730ae7edfa6f64fe78828727a8cf47a0207d18a9b45769f9f3228cd5012c7d34244ccc7edb3e93ba0cc263c4370153fe4a0d

C:\Users\Admin\AppData\Local\Temp\nsz4ED9.tmp\LangDLL.dll
MD5 68b287f4067ba013e34a1339afdb1ea8
SHA1 45ad585b3cc8e5a6af7b68f5d8269c97992130b3
SHA256 18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026
SHA512 06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

C:\Users\Admin\AppData\Local\Temp\nsz4ED9.tmp\System.dll
MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\Users\Admin\AppData\Local\Temp\nsz4ED9.tmp\InstallOptions.dll
MD5 ece25721125d55aa26cdfe019c871476
SHA1 b87685ae482553823bf95e73e790de48dc0c11ba
SHA256 c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf
SHA512 4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

C:\Users\Admin\AppData\Local\Temp\nsz4ED9.tmp\ioSpecial.ini
MD5 d45c3964f48382af848d800049044dad
SHA1 009c0b7440e9118caf045ea97e9173d28d271b4e
SHA256 b4b2582f0a28d4e76fe85b776dcc50f567362ea12995cd43c32c2030d2dfbc58
SHA512 bbd8ded0020c1236b6e62353c6af868d3e1c6fcc5363b37f15711dff2ec4c6ee2cfd45432a87fec9f6172c2d1804b1345963ebfb0108ce0879f9ce31bfddce2a

C:\Users\Admin\AppData\Local\Temp\nsz4ED9.tmp\nsDialogs.dll
MD5 6c3f8c94d0727894d706940a8a980543
SHA1 0d1bcad901be377f38d579aafc0c41c0ef8dcefd
SHA256 56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2
SHA512 2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

The NSIS plug-in DLLs carry the same hashes as in behavioral5 (only the ns*.tmp directory name differs), which confirms they belong to the bundled installer rather than to the loader. DRIVER~1.EXE is again absent from the dropped-file list.