Malware Analysis Report

2024-12-07 16:48

Sample ID 241114-ammfda1lg1
Target c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe
SHA256 c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16
Tags
defense_evasion discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16

Threat Level: Known bad

The file c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence trojan

Windows security bypass

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Event Triggered Execution: Image File Execution Options Injection

Loads dropped DLL

Executes dropped EXE

Windows security modification

Modifies WinLogon

Indicator Removal: Clear Persistence

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 00:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 00:19

Reported

2024-11-14 00:21

Platform

win7-20240903-en

Max time kernel

119s

Max time network

16s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{564F5248-5042-4142-564F-524850424142}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe

"C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\system32\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 monow.st udp
US 8.8.8.8:53 monow.st udp

Files

\Windows\SysWOW64\rmass.exe

MD5 67430bebdb5b6d851d431d8a1e7146d9
SHA1 d8f95702ca2aef6c38c84303cf14d10dcd7e7004
SHA256 c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16
SHA512 02815a0daf40163d28d77fdaa3b206b0df379e3757fb72645206c8a6135a264f66b8dd522b7fc3f741d3833369d07ce5a0a15e8929cae3a74a281c223d1e26da

memory/2280-9-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 b9e8626f1ab4b5ada7588fe39c4daebc
SHA1 6cf95789306e6ff39151ead0ead31110f1291656
SHA256 20c4772174463a66981209f3870eba5ed0a70e02d36d6b2202ab5f698984fbee
SHA512 6366092f90e05299b08fd6e5fb96e92c2d50f11cd75dc81d0fc39a44b989d8482ac7e7e3f5d97a98abcf927918c08ed84bfb1a50ff47da31f2ff0330e25a5011

C:\Windows\SysWOW64\ahuy.exe

MD5 de9592f56dbcdde8b152bb9e5574eb95
SHA1 0a598c2aea85ac788e60027a75783eb39e9fff43
SHA256 6283c6524b126de8c8361cfe98a107da6c710c9b870ed5e39c07a6a35f0fc57f
SHA512 e4a058aa377025fdd8025bfef883ceb61caef2c409b0f5eee8060500ffb55f6c3ae8f34ba9ab53cac839d658f9b451965ad469d4e3a5d73665b62eb361a811b6

memory/2352-52-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2844-53-0x0000000000400000-0x000000000040E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 00:19

Reported

2024-11-14 00:21

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47554D4C-4e4c-4645-4755-4D4C4E4C4645}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rmass.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe

"C:\Users\Admin\AppData\Local\Temp\c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\system32\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 fgplg.museum udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 fgplg.museum udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\rmass.exe

MD5 67430bebdb5b6d851d431d8a1e7146d9
SHA1 d8f95702ca2aef6c38c84303cf14d10dcd7e7004
SHA256 c8fc82d22ba226991bc3ca792d1efae3ea18cd0be37df0a43ebd1b2a06b92b16
SHA512 02815a0daf40163d28d77fdaa3b206b0df379e3757fb72645206c8a6135a264f66b8dd522b7fc3f741d3833369d07ce5a0a15e8929cae3a74a281c223d1e26da

memory/1364-5-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 d20ca7f7d9e441a0206f437de77bc4da
SHA1 fc187cb8b2caefd71c58daea3b6b55a9961d0dd6
SHA256 ccde42c7b05e9265301ce8eef949ff20e483d8ada107288e142e3de0ac13a5aa
SHA512 e0f3bcbe41b9d8eb4f32659389b73de66a38b4e1480870951d395e3aa99f82d8578017b0a1baf5e4341c381e73eeb259f97c9d380de0ca0c42071522f13377d4

C:\Windows\SysWOW64\ahuy.exe

MD5 6d50e44696a84a23daa16958106f653b
SHA1 4315c2a880092578a33fe4dab505cefa8d8299e4
SHA256 9705c06b9a5f4d8a757ed02c0664b07af0db36db495889891b80b459b3b92d72
SHA512 8899878fe0c82662b5ef2a61d2171dd4bf235b58f693c3b62207b31679cfd744735decfad34857d7ebf3c7a817f6ac9e57db95b1b89e960f9fb89aee57e39578

memory/4200-47-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2088-46-0x0000000000400000-0x000000000040E000-memory.dmp