Malware Analysis Report

2024-12-07 01:57

Sample ID 241111-sqdlra1cra
Target aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f
SHA256 aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f
Tags
bootkit discovery persistence spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f

Threat Level: Likely malicious

The file aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f was found to be: Likely malicious.

Malicious Activity Summary

bootkit discovery persistence spyware stealer

Blocklisted process makes network request

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 15:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 15:19

Reported

2024-11-11 15:21

Platform

win7-20240903-en

Max time kernel

149s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\tfwav\\cnmxgwpwi.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\tfwav C:\Users\Admin\AppData\Local\Temp\fojfr.exe N/A
File created \??\c:\Program Files\tfwav\cnmxgwpwi.dll C:\Users\Admin\AppData\Local\Temp\fojfr.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fojfr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 376 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 376 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 376 wrote to memory of 572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 376 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fojfr.exe
PID 376 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fojfr.exe
PID 376 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fojfr.exe
PID 376 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fojfr.exe
PID 2460 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 2460 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\fojfr.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe

"C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\fojfr.exe "C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\fojfr.exe

C:\Users\Admin\AppData\Local\Temp\\fojfr.exe "C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\tfwav\cnmxgwpwi.dll",Verify C:\Users\Admin\AppData\Local\Temp\fojfr.exe

Network

Country Destination Domain Proto
US 110.34.196.36:803 tcp
US 110.34.196.36:803 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp
US 110.34.196.34:3204 tcp

Files

memory/1968-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1968-2-0x0000000000400000-0x0000000000464000-memory.dmp

\Users\Admin\AppData\Local\Temp\fojfr.exe

MD5 93c6c404a322db4c5861889224ca76b9
SHA1 29733475676a7d0a971c9fda18ba5cb9595dc86a
SHA256 f799e50397363cf9a5a23a5c73fcf6191293f4f7dfb51e762a5f428d4edd2c15
SHA512 fb010d7330ec46a7a589f3001e804a79b0d5ad2514a3565628bce8193d6e5237f1d411c988f05ebd74861210b233c98fa8f7d89ce456baf972e6ef5d3c3aad27

memory/376-7-0x0000000000170000-0x00000000001D4000-memory.dmp

memory/376-6-0x0000000000170000-0x00000000001D4000-memory.dmp

memory/2460-10-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\tfwav\cnmxgwpwi.dll

MD5 6eab3edc36e1019832deca187e3ac977
SHA1 f2415240335171f1c101851fc349d07e4316029f
SHA256 9e0af6bb94927d2cacbd4d51c0c94f028066cd86c5b84a933ebfbb26e82feeb1
SHA512 fa6bcbd9e18ce80cc4a1aef471bd85b5f6e5147f5db68e7cfd198a0652b230674bd96e4b2f366e6eca116ea96e278fb4931c59dc55a1bcda3e43ede11f11c8ff

memory/1712-13-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1712-17-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1712-18-0x0000000010000000-0x0000000010080000-memory.dmp

memory/1712-20-0x0000000010000000-0x0000000010080000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 15:19

Reported

2024-11-11 15:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqmpv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqmpv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\vcnwa\\lwvkc.dll\",Verify" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\vcnwa C:\Users\Admin\AppData\Local\Temp\eqmpv.exe N/A
File created \??\c:\Program Files\vcnwa\lwvkc.dll C:\Users\Admin\AppData\Local\Temp\eqmpv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eqmpv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3452 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe C:\Windows\SysWOW64\cmd.exe
PID 3452 wrote to memory of 4060 N/A C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4060 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4060 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4060 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eqmpv.exe
PID 4060 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eqmpv.exe
PID 4060 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\eqmpv.exe
PID 4844 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\eqmpv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\eqmpv.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4844 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Local\Temp\eqmpv.exe \??\c:\windows\SysWOW64\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe

"C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\eqmpv.exe "C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

C:\Users\Admin\AppData\Local\Temp\eqmpv.exe

C:\Users\Admin\AppData\Local\Temp\\eqmpv.exe "C:\Users\Admin\AppData\Local\Temp\aabfcd5bd88571e24faeb547f6f860a123c0b2789a716960dcb5ad46702a3a3f.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\Program Files\vcnwa\lwvkc.dll",Verify C:\Users\Admin\AppData\Local\Temp\eqmpv.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 110.34.196.36:803 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 110.34.196.35:805 tcp
US 110.34.196.35:805 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 110.34.196.35:805 tcp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 110.34.196.34:3204 tcp
US 8.8.8.8:53 28.173.189.20.in-addr.arpa udp

Files

memory/3452-0-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3452-2-0x0000000000400000-0x0000000000464000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\eqmpv.exe

MD5 0db49679c2497af0c177332e2f33c9d0
SHA1 679cf5d8cc484b685dbe038031fb303cf4c7be92
SHA256 1bee2d31904fb423332071ee852a85c2f6c24ed0011492e318a6fbb5ba103919
SHA512 7084ff0b041a9d7fcaf9f8545944e6da7e48c0d1d82baf23438eeb6873e17870757cbbab797d1a32d3aef2bfdd273f92307dbe67045a9832276a723d9a3faffc

memory/4844-7-0x0000000000400000-0x0000000000464000-memory.dmp

\??\c:\Program Files\vcnwa\lwvkc.dll

MD5 4f0c3c9e47f8fc96e233a8d36d62cc48
SHA1 f8b4f743a442bf2c6a34e23062f6bc408593ddb4
SHA256 0c7fb8f1623d572b2d2065bf1fb0c27a220b2699fe2675e3189410d94c622040
SHA512 81cd7c56de66e1103401dfb9952ba915948afae1600321f4a761bbab969e1ba71112a7802c1b4bd91d4423ddc0110f71c1a77599f971bc2079548d00a0df9149

memory/4040-10-0x0000000010000000-0x0000000010080000-memory.dmp

memory/4040-12-0x0000000010000000-0x0000000010080000-memory.dmp

memory/4040-13-0x0000000010000000-0x0000000010080000-memory.dmp