Analysis Overview
SHA256: 8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf
Threat Level: Known bad
The file 8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Drops file in Drivers directory
Boot or Logon Autostart Execution: Active Setup
Windows security modification
Executes dropped EXE
Loads dropped DLL
Indicator Removal: Clear Persistence
Modifies WinLogon
Drops file in System32 directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-14 00:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-11-14 00:23 |
| Reported | 2024-11-14 00:25 |
| Platform | win7-20240729-en |
| Max time kernel | 149s |
| Max time network | 120s |
| Command Line | |
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344}\IsInstalled = "1" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344}\StubPath = "C:\\Windows\\system32\\ahuy.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\rmass.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\rmass.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
| File created | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | "C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe" |
| C:\Windows\SysWOW64\rmass.exe | "C:\Windows\SysWOW64\rmass.exe" |
| C:\Windows\SysWOW64\rmass.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | boawy.nu | udp |
| US | 8.8.8.8:53 | boawy.nu | udp |
Files
\Windows\SysWOW64\rmass.exe
| Hash | Value |
| --- | --- |
| MD5 | 73eda784f8065b21fffeffc087c32148 |
| SHA1 | 1f37d71590b456a8b02b3af87bad95b15973bba3 |
| SHA256 | 82eaaee47fb940d6bfeb788de2bb2b855a3dfce08333d851a54471ed7ca702f8 |
| SHA512 | 89d06c267826302455e870654d26c5799fc63b80777b588fd47b8048e95606567445afe6f274afae539b1f2ba9e5beb2a18e4556a097b1814b3b7e47b8ffcc93 |
memory/2932-7-0x0000000000400000-0x0000000000403000-memory.dmp
C:\Windows\SysWOW64\RECOVER32.DLL
| Hash | Value |
| --- | --- |
| MD5 | 2b2c28a7a01f9584fe220ef84003427f |
| SHA1 | 5fc023df0b5064045eb8de7f2dbe26f07f6fec70 |
| SHA256 | 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb |
| SHA512 | 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78 |
C:\Windows\SysWOW64\ntdbg.exe
| Hash | Value |
| --- | --- |
| MD5 | a3600be6618a3ce8cb2922b9ba01ff77 |
| SHA1 | dc0aae7808414e6dd9d1477b07d582129950bd22 |
| SHA256 | c0c1e4979241f453880514ffe1e6e802bf8fa1cdfa5172af91ea0966194d245e |
| SHA512 | b1d957ef691b98598fa949a06c28c743ee0cb735fc90b26416918c008429fde82a61673825a3acbfd7cf1f5315b13266719d33b965718ba2a9bd9be6c8679c7f |
C:\Windows\SysWOW64\ahuy.exe
| Hash | Value |
| --- | --- |
| MD5 | b3b3402c87aed92b77ceb7e1f86bd5d4 |
| SHA1 | cc9ebff514b1f03f1888810e2c58d590d959584b |
| SHA256 | de3431ca39b0054ec46107f511786782d0e09413240bb728cb38ae752e012bb7 |
| SHA512 | 91e51a23591610618d90c3ab108a1542b0d3099c374ab992f24baa992ef7d94e2030abe972bebfc744edf102ba9613a0a2c18398aff278fda7419c01430f5a5d |
memory/2640-47-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2696-51-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| Hash | Value |
| --- | --- |
| MD5 | b10b13206b0f2cf3968050072f6979bf |
| SHA1 | 699db21ba9cecf3f13ac3d76e22cfa41aa94da80 |
| SHA256 | 0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4 |
| SHA512 | d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d |
Analysis: behavioral2
Detonation Overview
| Field | Value |
| --- | --- |
| Submitted | 2024-11-14 00:23 |
| Reported | 2024-11-14 00:25 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 149s |
| Max time network | 150s |
| Command Line | |
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\IsInstalled = "1" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\StubPath = "C:\\Windows\\system32\\ahuy.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\rmass.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\rmass.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
| File created | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image path | Command line |
| --- | --- |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe | "C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe" |
| C:\Windows\SysWOW64\rmass.exe | "C:\Windows\SysWOW64\rmass.exe" |
| C:\Windows\SysWOW64\rmass.exe | --k33p |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ufmaswg.st | udp |
| US | 8.8.8.8:53 | ufmaswg.st | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\rmass.exe
| Hash | Value |
| --- | --- |
| MD5 | 73eda784f8065b21fffeffc087c32148 |
| SHA1 | 1f37d71590b456a8b02b3af87bad95b15973bba3 |
| SHA256 | 82eaaee47fb940d6bfeb788de2bb2b855a3dfce08333d851a54471ed7ca702f8 |
| SHA512 | 89d06c267826302455e870654d26c5799fc63b80777b588fd47b8048e95606567445afe6f274afae539b1f2ba9e5beb2a18e4556a097b1814b3b7e47b8ffcc93 |
memory/4676-4-0x0000000000400000-0x0000000000403000-memory.dmp
C:\Windows\SysWOW64\ahuy.exe
| Hash | Value |
| --- | --- |
| MD5 | 91e5399805db320176e519dcb64c0075 |
| SHA1 | 8d9682867ed7416ef10b593118c82792cf96ac6c |
| SHA256 | d9f01fd4c53e57a7d5d0971662b079f50c7ef2b72e774122709603d11b4e147f |
| SHA512 | e467620ec7f2daad55345c46ee009a6eeb971b3b102a5b062de9a3acd6eda22987086eb5a9f62c57415bf6229d867f4f64d9240c6fefcba5b824e4975d46036f |
C:\Windows\SysWOW64\ntdbg.exe
| Hash | Value |
| --- | --- |
| MD5 | ef9300a6e8d6065c0d8917ee1e9ec6de |
| SHA1 | a92f4b2ebb001247ee13818a22c5cbf27172911d |
| SHA256 | 489669e9b457dfb8cb09dc7688036fed01862af1c3c80baa8aea3628cff8a099 |
| SHA512 | 1ad8cf0d4f1cacd5884e0ccff5df9e36a319c85788267a3466e22a43b7985bd23d97de9113b804198ba6c47db268ab7fdd1fb7617938b6b66d2439276fac7b43 |
C:\Windows\SysWOW64\RECOVER32.DLL
| Hash | Value |
| --- | --- |
| MD5 | 2b2c28a7a01f9584fe220ef84003427f |
| SHA1 | 5fc023df0b5064045eb8de7f2dbe26f07f6fec70 |
| SHA256 | 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb |
| SHA512 | 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78 |
memory/3980-44-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4908-45-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| Hash | Value |
| --- | --- |
| MD5 | 6f47b62de25d1745e296a06b3f98ed19 |
| SHA1 | a688bb35a4c8a5cc198985d624a1b5a6ac5b9f6f |
| SHA256 | 15c7218eb9cef5fa0573db657b15ce3a5f0e0609f1166df8098ca7152df505b4 |
| SHA512 | dea26fff8060f44bf20fe4fff2ecbacf428727f10c0f5886fb4813e28fce9cbc3d088337c84edd9857b18514c83f1bb1cf0f51518aaecef09f30e921f4d758d7 |