Malware Analysis Report

2024-12-07 16:36

Sample ID 241114-cvq5mswqhn
Target 40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe
SHA256 40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8
Tags
defense_evasion discovery evasion persistence trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8

Threat Level: Known bad

The file 40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence trojan upx

Windows security bypass

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Boot or Logon Autostart Execution: Active Setup

Windows security modification

Executes dropped EXE

Loads dropped DLL

Modifies WinLogon

Indicator Removal: Clear Persistence

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 02:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 02:24

Reported

2024-11-14 02:26

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

94s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe

"C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\SysWOW64\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 mksilbelujngk.museum udp
US 8.8.8.8:53 mksilbelujngk.museum udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

C:\Windows\SysWOW64\rmass.exe

MD5 bcc593790f24b746c7c5d31125939353
SHA1 fe83202147da98d84ab0691412eb0fac75846b87
SHA256 b76d0b2eb575eaa9d330f4405ed7f22704f3057b20aa60a2a09e4e5ef65a6bd4
SHA512 191a3e7fb76022940208e174445aec508fa1e4bd03b6a01eebc7ab6b37401458d6dd140663bdc5bcee256a7eca45997c945949c7d4e4357615e2c9382ecc8bcb

memory/2208-4-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2216-3-0x0000000000400000-0x0000000000403000-memory.dmp

C:\Windows\SysWOW64\ahuy.exe

MD5 dab3f5982ee7cb3cb8968be3f6410480
SHA1 0bf64e0f871677449aadffb2b5cce1c25a358446
SHA256 75da74940d9a60fd6641afceb333e79abd26a27718df65389e8a9c4fbe12c5e5
SHA512 33755908e64297b6369be25eb2588e8e9b1cf56e256ebbd2b0ef6f41791cfac26b3312dc39fb8998a1ceb1ee82240e104dd06cc442f3aaf34a574896be04b084

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 0c16f85595938a294031c1073a1184a6
SHA1 1946ade461b693a2075851bfbf87e6fa9676f6ec
SHA256 11f6f8109a24ea74e68236ab226e9e2f26f2ae4d82f5f7cbf9a5a9d19207afd5
SHA512 7de3ccb40e79a3b7433873b30562e29b30c2703920f862e7584b3911496a79f4feee79c181a82559e989f42e1ceaf396fdda5023cc3469c62b4ad69f0287d1d6

memory/2208-39-0x0000000000400000-0x0000000000411000-memory.dmp

memory/5012-44-0x0000000000400000-0x0000000000411000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 02:24

Reported

2024-11-14 02:26

Platform

win7-20240708-en

Max time kernel

119s

Max time network

119s

Command Line

winlogon.exe

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850} C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\IsInstalled = "1" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\StubPath = "C:\\Windows\\system32\\ahuy.exe" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\rmass.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" C:\Windows\SysWOW64\rmass.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" C:\Windows\SysWOW64\rmass.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" C:\Windows\SysWOW64\rmass.exe N/A

Indicator Removal: Clear Persistence

defense_evasion
Description Indicator Process Target
Delete value \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger C:\Windows\SysWOW64\rmass.exe N/A

Modifies WinLogon

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} C:\Windows\SysWOW64\rmass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" C:\Windows\SysWOW64\rmass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" C:\Windows\SysWOW64\rmass.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe N/A
File created C:\Windows\SysWOW64\rmass.exe C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe N/A
File created C:\Windows\SysWOW64\ntdbg.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\ahuy.exe C:\Windows\SysWOW64\rmass.exe N/A
File created C:\Windows\SysWOW64\RECOVER32.DLL C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Windows\SysWOW64\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\System\idbg32.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\winrnt.exe C:\Windows\SysWOW64\rmass.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\System\aset32.exe C:\Windows\SysWOW64\rmass.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rmass.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A
N/A N/A C:\Windows\SysWOW64\rmass.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rmass.exe N/A

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe

"C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe"

C:\Windows\SysWOW64\rmass.exe

"C:\Windows\SysWOW64\rmass.exe"

C:\Windows\SysWOW64\rmass.exe

--k33p

Network

Country Destination Domain Proto
US 8.8.8.8:53 gwxehgmbc.museum udp
US 8.8.8.8:53 gwxehgmbc.museum udp

Files

\Windows\SysWOW64\rmass.exe

MD5 bcc593790f24b746c7c5d31125939353
SHA1 fe83202147da98d84ab0691412eb0fac75846b87
SHA256 b76d0b2eb575eaa9d330f4405ed7f22704f3057b20aa60a2a09e4e5ef65a6bd4
SHA512 191a3e7fb76022940208e174445aec508fa1e4bd03b6a01eebc7ab6b37401458d6dd140663bdc5bcee256a7eca45997c945949c7d4e4357615e2c9382ecc8bcb

memory/388-9-0x0000000000400000-0x0000000000403000-memory.dmp

memory/2944-10-0x0000000000400000-0x0000000000411000-memory.dmp

memory/388-5-0x0000000000020000-0x0000000000031000-memory.dmp

C:\Windows\SysWOW64\ahuy.exe

MD5 6c62a33c27a1571fe1ea04e263f32757
SHA1 d4359fd04943443944939995a596454886a9dede
SHA256 e9503d5a0b1af0edb56eaf38f3b4646c7b7e26aafd658598527b5dfa1eb9c954
SHA512 7527b0e973d7992494d1037ee8b49ab53762c4cc7bb279602a59ccbbf4d6a2aad155398c1295cfc7ad2d063589d5f466f56e8db275b4e5e3fadaa20075cbf137

C:\Windows\SysWOW64\RECOVER32.DLL

MD5 2b2c28a7a01f9584fe220ef84003427f
SHA1 5fc023df0b5064045eb8de7f2dbe26f07f6fec70
SHA256 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb
SHA512 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78

C:\Windows\SysWOW64\ntdbg.exe

MD5 93a56dda12efeded55b893dfe89dab47
SHA1 f328c3b1d6884f50b7e8625409ffcf7df1a4648d
SHA256 7111fbb073a89d1607488b211011d6d9e011017871b901377d9a545537bb2c44
SHA512 b1c77901bd5761fc2183ee9add60cee2a6237ded1246445b0309b3ab501322145e1968fe8f49eab7137ef142bccac6869d2d1795a73dca0128d8514674818eec

memory/2944-46-0x0000000000400000-0x0000000000411000-memory.dmp

memory/2628-54-0x0000000000400000-0x0000000000411000-memory.dmp