Malware Analysis Report

2024-12-07 03:17

Sample ID 241114-cr3dhatbml
Target 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe
SHA256 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129
Tags remcos slaves discovery persistence rat
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129

Threat Level: Known bad

The file 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe was found to be: Known bad.

Malicious Activity Summary

remcos slaves discovery persistence rat

Remcos

Remcos family

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:19

Reported

2024-11-14 02:22

Platform

win7-20241010-en

Max time kernel

139s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Videoss = "C:\\Users\\Admin\\AppData\\Roaming\\Images.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2580 set thread context of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Images.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2688 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2296 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2296 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2136 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2136 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2136 wrote to memory of 2876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2688 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2688 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2136 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2136 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2136 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2136 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2136 wrote to memory of 2580 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2580 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe

"C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 15

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 21 > nul && copy "C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe" "C:\Users\Admin\AppData\Roaming\Images.exe" && ping 127.0.0.1 -n 21 > nul && "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 21

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 21

C:\Users\Admin\AppData\Roaming\Images.exe

"C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp

Files

memory/2296-0-0x000000007445E000-0x000000007445F000-memory.dmp

memory/2296-1-0x0000000000D50000-0x0000000000E96000-memory.dmp

memory/2296-2-0x0000000000A80000-0x0000000000AC4000-memory.dmp

memory/2296-3-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2296-4-0x000000007445E000-0x000000007445F000-memory.dmp

memory/2296-5-0x0000000074450000-0x0000000074B3E000-memory.dmp

memory/2296-6-0x0000000074450000-0x0000000074B3E000-memory.dmp

\Users\Admin\AppData\Roaming\Images.exe

MD5 5c44a72a49fe4fbc94f1c1aa8cbf0ab6
SHA1 d0d0903f73b4aa11ee580fb6fd8d80775e6e88de
SHA256 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129
SHA512 d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97

memory/2580-17-0x0000000000260000-0x00000000003A6000-memory.dmp

memory/2580-18-0x0000000000680000-0x000000000069A000-memory.dmp

memory/2580-19-0x00000000006A0000-0x00000000006A6000-memory.dmp

memory/1672-21-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-22-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1672-30-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-28-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-26-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-24-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-35-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-34-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-36-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-37-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-38-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-40-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-41-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-42-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-43-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-44-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-45-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-46-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-47-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-48-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-49-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-50-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-52-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-53-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-54-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-55-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-58-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-59-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-60-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-61-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-62-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-63-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-64-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-65-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-66-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1672-67-0x0000000000400000-0x000000000047F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:19

Reported

2024-11-14 02:22

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe"

Signatures

Remcos

rat remcos

Remcos family

remcos

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Videoss = "C:\\Users\\Admin\\AppData\\Roaming\\Images.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1576 set thread context of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Images.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Images.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2120 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2120 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2120 wrote to memory of 5080 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1068 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 1068 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2832 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2832 wrote to memory of 536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2120 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2120 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2832 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2832 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2832 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2832 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2832 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 2832 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Images.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1576 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Roaming\Images.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe

"C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 19 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 19

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 23 > nul && copy "C:\Users\Admin\AppData\Local\Temp\39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129.exe" "C:\Users\Admin\AppData\Roaming\Images.exe" && ping 127.0.0.1 -n 23 > nul && "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 23

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Videoss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 23

C:\Users\Admin\AppData\Roaming\Images.exe

"C:\Users\Admin\AppData\Roaming\Images.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 windowslavesclient.duckdns.org udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 192.169.69.26:1604 windowslavesclient.duckdns.org tcp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/1068-0-0x000000007487E000-0x000000007487F000-memory.dmp

memory/1068-1-0x0000000000640000-0x0000000000786000-memory.dmp

memory/1068-2-0x00000000054D0000-0x000000000556C000-memory.dmp

memory/1068-3-0x0000000005B20000-0x00000000060C4000-memory.dmp

memory/1068-4-0x0000000005570000-0x0000000005602000-memory.dmp

memory/1068-5-0x0000000005430000-0x0000000005474000-memory.dmp

memory/1068-6-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1068-7-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

memory/1068-8-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1068-9-0x000000007487E000-0x000000007487F000-memory.dmp

memory/1068-10-0x0000000074870000-0x0000000075020000-memory.dmp

memory/1068-12-0x0000000074870000-0x0000000075020000-memory.dmp

C:\Users\Admin\AppData\Roaming\Images.exe

MD5 5c44a72a49fe4fbc94f1c1aa8cbf0ab6
SHA1 d0d0903f73b4aa11ee580fb6fd8d80775e6e88de
SHA256 39fe045b17ab2fcdb512758a431845409c29ca9341090ac81878658423c39129
SHA512 d92503e2ebbaa4e8728098cf6d0079de711a4f92663ad9db8583d848721818e4ecf3790a65253a0cd850c23eed8a46f98049a11f77b9f106344e501d124fbb97

memory/1576-19-0x0000000000800000-0x0000000000946000-memory.dmp

memory/1576-18-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1576-20-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1576-21-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1576-22-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1576-23-0x00000000069C0000-0x00000000069DA000-memory.dmp

memory/1576-24-0x0000000009630000-0x0000000009636000-memory.dmp

memory/1176-25-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-27-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-28-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1576-29-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1176-30-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-31-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-32-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-33-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-34-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-35-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-36-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-37-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-38-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-39-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-40-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-41-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-42-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-43-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-44-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-45-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-46-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-47-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-48-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-49-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-50-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-51-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-52-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-53-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-54-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-55-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-56-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-57-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-58-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-59-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-60-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-61-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-62-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-63-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-64-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-65-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-66-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-67-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-68-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-69-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-70-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-71-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-72-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-73-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-74-0x0000000000400000-0x000000000047F000-memory.dmp

memory/1176-75-0x0000000000400000-0x000000000047F000-memory.dmp