Analysis Overview
SHA256
40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8
Threat Level: Known bad
The file 40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Event Triggered Execution: Image File Execution Options Injection
Drops file in Drivers directory
Boot or Logon Autostart Execution: Active Setup
Windows security modification
Executes dropped EXE
Loads dropped DLL
Modifies WinLogon
Indicator Removal: Clear Persistence
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 02:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-14 02:24
Reported
2024-11-14 02:26
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
94s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\StubPath = "C:\\Windows\\system32\\ahuy.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F464741-4455-5345-4F46-474144555345}\IsInstalled = "1" | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\rmass.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\rmass.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| File created | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| File created | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe
"C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe"
C:\Windows\SysWOW64\rmass.exe
"C:\Windows\SysWOW64\rmass.exe"
C:\Windows\SysWOW64\rmass.exe
--k33p
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mksilbelujngk.museum | udp |
| US | 8.8.8.8:53 | mksilbelujngk.museum | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\SysWOW64\rmass.exe
| MD5 | bcc593790f24b746c7c5d31125939353 |
| SHA1 | fe83202147da98d84ab0691412eb0fac75846b87 |
| SHA256 | b76d0b2eb575eaa9d330f4405ed7f22704f3057b20aa60a2a09e4e5ef65a6bd4 |
| SHA512 | 191a3e7fb76022940208e174445aec508fa1e4bd03b6a01eebc7ab6b37401458d6dd140663bdc5bcee256a7eca45997c945949c7d4e4357615e2c9382ecc8bcb |
memory/2208-4-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2216-3-0x0000000000400000-0x0000000000403000-memory.dmp
C:\Windows\SysWOW64\ahuy.exe
| MD5 | dab3f5982ee7cb3cb8968be3f6410480 |
| SHA1 | 0bf64e0f871677449aadffb2b5cce1c25a358446 |
| SHA256 | 75da74940d9a60fd6641afceb333e79abd26a27718df65389e8a9c4fbe12c5e5 |
| SHA512 | 33755908e64297b6369be25eb2588e8e9b1cf56e256ebbd2b0ef6f41791cfac26b3312dc39fb8998a1ceb1ee82240e104dd06cc442f3aaf34a574896be04b084 |
C:\Windows\SysWOW64\RECOVER32.DLL
| MD5 | 2b2c28a7a01f9584fe220ef84003427f |
| SHA1 | 5fc023df0b5064045eb8de7f2dbe26f07f6fec70 |
| SHA256 | 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb |
| SHA512 | 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78 |
C:\Windows\SysWOW64\ntdbg.exe
| MD5 | 0c16f85595938a294031c1073a1184a6 |
| SHA1 | 1946ade461b693a2075851bfbf87e6fa9676f6ec |
| SHA256 | 11f6f8109a24ea74e68236ab226e9e2f26f2ae4d82f5f7cbf9a5a9d19207afd5 |
| SHA512 | 7de3ccb40e79a3b7433873b30562e29b30c2703920f862e7584b3911496a79f4feee79c181a82559e989f42e1ceaf396fdda5023cc3469c62b4ad69f0287d1d6 |
memory/2208-39-0x0000000000400000-0x0000000000411000-memory.dmp
memory/5012-44-0x0000000000400000-0x0000000000411000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 02:24
Reported
2024-11-14 02:26
Platform
win7-20240708-en
Max time kernel
119s
Max time network
119s
Command Line
Signatures
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Boot or Logon Autostart Execution: Active Setup
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\01234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\IsInstalled = "1" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E4E594A-5a41-4850-4E4E-594A5A414850}\StubPath = "C:\\Windows\\system32\\ahuy.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\rmass.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\0123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "C:\\Windows\\system32\\ntdbg.exe" | C:\Windows\SysWOW64\rmass.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "5120" | C:\Windows\SysWOW64\rmass.exe | N/A |
Indicator Removal: Clear Persistence
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger | C:\Windows\SysWOW64\rmass.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B} | C:\Windows\SysWOW64\rmass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345 = "a" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\DLLName = "C:\\Windows\\system32\\RECOVER32.DLL" | C:\Windows\SysWOW64\rmass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\{BC84DF00-BC38-9902-8082-6FCBF2D87A0B}\Startup = "Startup" | C:\Windows\SysWOW64\rmass.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| File created | C:\Windows\SysWOW64\rmass.exe | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| File created | C:\Windows\SysWOW64\ntdbg.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\ahuy.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File created | C:\Windows\SysWOW64\RECOVER32.DLL | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Common Files\System\idbg32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\winrnt.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\System\aset32.exe | C:\Windows\SysWOW64\rmass.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rmass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe
"C:\Users\Admin\AppData\Local\Temp\40d218c3f19e478ed585f89ee2e3e67fa09945f90c4df0150cca37a261201bb8N.exe"
C:\Windows\SysWOW64\rmass.exe
"C:\Windows\SysWOW64\rmass.exe"
C:\Windows\SysWOW64\rmass.exe
--k33p
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gwxehgmbc.museum | udp |
| US | 8.8.8.8:53 | gwxehgmbc.museum | udp |
Files
\Windows\SysWOW64\rmass.exe
| MD5 | bcc593790f24b746c7c5d31125939353 |
| SHA1 | fe83202147da98d84ab0691412eb0fac75846b87 |
| SHA256 | b76d0b2eb575eaa9d330f4405ed7f22704f3057b20aa60a2a09e4e5ef65a6bd4 |
| SHA512 | 191a3e7fb76022940208e174445aec508fa1e4bd03b6a01eebc7ab6b37401458d6dd140663bdc5bcee256a7eca45997c945949c7d4e4357615e2c9382ecc8bcb |
memory/388-9-0x0000000000400000-0x0000000000403000-memory.dmp
memory/2944-10-0x0000000000400000-0x0000000000411000-memory.dmp
memory/388-5-0x0000000000020000-0x0000000000031000-memory.dmp
C:\Windows\SysWOW64\ahuy.exe
| MD5 | 6c62a33c27a1571fe1ea04e263f32757 |
| SHA1 | d4359fd04943443944939995a596454886a9dede |
| SHA256 | e9503d5a0b1af0edb56eaf38f3b4646c7b7e26aafd658598527b5dfa1eb9c954 |
| SHA512 | 7527b0e973d7992494d1037ee8b49ab53762c4cc7bb279602a59ccbbf4d6a2aad155398c1295cfc7ad2d063589d5f466f56e8db275b4e5e3fadaa20075cbf137 |
C:\Windows\SysWOW64\RECOVER32.DLL
| MD5 | 2b2c28a7a01f9584fe220ef84003427f |
| SHA1 | 5fc023df0b5064045eb8de7f2dbe26f07f6fec70 |
| SHA256 | 9e00af53b1d0c0f5270d94a666d95aa7b4dcb9fea49487c210c055c9dcfcc9eb |
| SHA512 | 39192a8a91dec1abff25af8dac0cf39da4dfd51b3fb4f1ef0b4e776185d4280fbe8387c2ea778da7bbf2ce288b0bce4d23cbe8d9e87bbd250159044f5adbac78 |
C:\Windows\SysWOW64\ntdbg.exe
| MD5 | 93a56dda12efeded55b893dfe89dab47 |
| SHA1 | f328c3b1d6884f50b7e8625409ffcf7df1a4648d |
| SHA256 | 7111fbb073a89d1607488b211011d6d9e011017871b901377d9a545537bb2c44 |
| SHA512 | b1c77901bd5761fc2183ee9add60cee2a6237ded1246445b0309b3ab501322145e1968fe8f49eab7137ef142bccac6869d2d1795a73dca0128d8514674818eec |
memory/2944-46-0x0000000000400000-0x0000000000411000-memory.dmp
memory/2628-54-0x0000000000400000-0x0000000000411000-memory.dmp