Malware Analysis Report

2024-12-07 16:24

Sample ID 241114-apn2zs1may
Target 8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf
SHA256 8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf
Tags
defense_evasion discovery evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf

Threat Level: Known bad

The file 8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence trojan

Windows security bypass

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Windows security modification

Executes dropped EXE

Loads dropped DLL

Indicator Removal: Clear Persistence

Modifies WinLogon

Drops file in System32 directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 00:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 00:23

Reported

2024-11-14 00:25

Platform

win7-20240729-en

Max time kernel

149s

Max time network

120s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{58454355-444e-4344-5845-4355444E4344}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe

"C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\SysWOW64\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 boawy.nu udp
US 8.8.8.8:53 boawy.nu udp

Files

\Windows\SysWOW64\rmass.exe

MD5 73eda784f8065b21fffeffc087c32148
SHA1 1f37d71590b456a8b02b3af87bad95b15973bba3
SHA256 82eaaee47fb940d6bfeb788de2bb2b855a3dfce08333d851a54471ed7ca702f8
SHA512 89d06c267826302455e870654d26c5799fc63b80777b588fd47b8048e95606567445afe6f274afae539b1f2ba9e5beb2a18e4556a097b1814b3b7e47b8ffcc93

memory/2932-7-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 a3600be6618a3ce8cb2922b9ba01ff77
SHA1 dc0aae7808414e6dd9d1477b07d582129950bd22
SHA256 c0c1e4979241f453880514ffe1e6e802bf8fa1cdfa5172af91ea0966194d245e
SHA512 b1d957ef691b98598fa949a06c28c743ee0cb735fc90b26416918c008429fde82a61673825a3acbfd7cf1f5315b13266719d33b965718ba2a9bd9be6c8679c7f

C:\Windows\SysWOW64\ahuy.exe

MD5 b3b3402c87aed92b77ceb7e1f86bd5d4
SHA1 cc9ebff514b1f03f1888810e2c58d590d959584b
SHA256 de3431ca39b0054ec46107f511786782d0e09413240bb728cb38ae752e012bb7
SHA512 91e51a23591610618d90c3ab108a1542b0d3099c374ab992f24baa992ef7d94e2030abe972bebfc744edf102ba9613a0a2c18398aff278fda7419c01430f5a5d

memory/2640-47-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2696-51-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 b10b13206b0f2cf3968050072f6979bf
SHA1 699db21ba9cecf3f13ac3d76e22cfa41aa94da80
SHA256 0eef3217095cb97b695c434e74d6314bf9e869a013d6e9c88e58c34576a276b4
SHA512 d33bfd931be6676539507a69101d99fa4c5ef36b12422bd11f063b9b6a47b7444f6c4ad5f35e044714fdb872e96cd9fddf049e8329af1219483887f6ac5f4a5d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 00:23

Reported

2024-11-14 00:25

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594C464F-4749-4f45-594C-464F47494f45}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe

"C:\Users\Admin\AppData\Local\Temp\8ff77d45e797ea1b4164c199febd6277a85bd627c42211ba537ae8c247f2bebf.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\SysWOW64\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 ufmaswg.st udp
US 8.8.8.8:53 ufmaswg.st udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 72.239.69.13.in-addr.arpa udp

Files

C:\Windows\SysWOW64\rmass.exe

MD5 73eda784f8065b21fffeffc087c32148
SHA1 1f37d71590b456a8b02b3af87bad95b15973bba3
SHA256 82eaaee47fb940d6bfeb788de2bb2b855a3dfce08333d851a54471ed7ca702f8
SHA512 89d06c267826302455e870654d26c5799fc63b80777b588fd47b8048e95606567445afe6f274afae539b1f2ba9e5beb2a18e4556a097b1814b3b7e47b8ffcc93

memory/4676-4-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ahuy.exe

MD5 91e5399805db320176e519dcb64c0075
SHA1 8d9682867ed7416ef10b593118c82792cf96ac6c
SHA256 d9f01fd4c53e57a7d5d0971662b079f50c7ef2b72e774122709603d11b4e147f
SHA512 e467620ec7f2daad55345c46ee009a6eeb971b3b102a5b062de9a3acd6eda22987086eb5a9f62c57415bf6229d867f4f64d9240c6fefcba5b824e4975d46036f

C:\Windows\SysWOW64\ntdbg.exe

MD5 ef9300a6e8d6065c0d8917ee1e9ec6de
SHA1 a92f4b2ebb001247ee13818a22c5cbf27172911d
SHA256 489669e9b457dfb8cb09dc7688036fed01862af1c3c80baa8aea3628cff8a099
SHA512 1ad8cf0d4f1cacd5884e0ccff5df9e36a319c85788267a3466e22a43b7985bd23d97de9113b804198ba6c47db268ab7fdd1fb7617938b6b66d2439276fac7b43

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

memory/3980-44-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4908-45-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 6f47b62de25d1745e296a06b3f98ed19
SHA1 a688bb35a4c8a5cc198985d624a1b5a6ac5b9f6f
SHA256 15c7218eb9cef5fa0573db657b15ce3a5f0e0609f1166df8098ca7152df505b4
SHA512 dea26fff8060f44bf20fe4fff2ecbacf428727f10c0f5886fb4813e28fce9cbc3d088337c84edd9857b18514c83f1bb1cf0f51518aaecef09f30e921f4d758d7