Malware Analysis Report

2024-12-07 14:17

Sample ID 241114-lej6tsxbnl
Target add4512a49cdf9c7b9f7a234a556860049775056871d0116182170f2ed786b56
SHA256 add4512a49cdf9c7b9f7a234a556860049775056871d0116182170f2ed786b56
Tags
nanocore discovery evasion execution keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file add4512a49cdf9c7b9f7a234a556860049775056871d0116182170f2ed786b56 was found to be: Known bad.

Malicious Activity Summary

NanoCore

Nanocore family

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Scheduled Task/Job: Scheduled Task

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 09:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 09:26

Reported

2024-11-14 09:29

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe" C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4432 set thread context of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\LAN Service\lansv.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
File created C:\Program Files (x86)\LAN Service\lansv.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4432 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4432 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 4432 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 4432 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 4432 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2084 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2084 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2084 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2084 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2084 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2084 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe

"C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UNubJR.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNubJR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A3A.tmp"

C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe

"C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1F2B.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp24E9.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 aye2mar280502016.ddns.net udp
NL 185.235.138.103:20251 aye2mar280502016.ddns.net tcp
US 8.8.8.8:53 103.138.235.185.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\tmp1A3A.tmp

MD5 25c131fa053fcdbf98c7053f4adafc28
SHA1 7e5d116e884c3426a784f06bd0b377a00f706709
SHA256 519d427f694d4471f104039b49452f26f0b2d52d3c4ae405fedefbf0c916295d
SHA512 3c12f785bce5c3f012b0fd90d40f70697da2178d2df908773a772772a0230f83733f9fdb600d322a1c37d6b6b384858ae36eb6f3d35f34653ae1335fb776f42d

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bsm3wna3.raf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\tmp1F2B.tmp

MD5 5ed0190396216c37074c42639bbe1729
SHA1 c4b783f59e08a8f5edaf50c9b36db8a812739c53
SHA256 a9d70f3a16208bd3890b03faffa0d2d7f0fc5e7b99f62d13ea7381a61d3b467d
SHA512 fc8df5242c89b65d52727c82b2690fb7e33c6dab4261662b5da072e2f36370dec0699ec6b0278c24f54cb6851a4d2fb72818e649b4da8047dba1156d0b1450c5

C:\Users\Admin\AppData\Local\Temp\tmp24E9.tmp

MD5 6b30dba7972c92c9a1b881e88c108b15
SHA1 f76207985cc5a1f70edb2fb5bd45678f195a4564
SHA256 578f5b0ff051f02f8e0a67fc3424dad554fa9489875475ea624fbb63eabfcbf7
SHA512 e3dd368937f863cb07453de12173580fb63b8d3983db7119c24860f227c89ded76401c47607f5b1134d215d46fe2b40d4bc3d7299374f1e8abecdeaefc7b9099

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 81c99f1c70a5449f58d2ec76302f162a
SHA1 57b4618d770070791e91e520d75d9ef35dbb524e
SHA256 e4ccb9b230973e360c49fde7406946ebe50eb2b76ade9e18fea1cf3948234b13
SHA512 77ecff6f3962d7c797719cf8c797fa7da6fb98562641e8ac57c1a867a2d4d20357f1be9f6f13231e5ff205cf8cd13e82aa54797e12161731630a072e686998e3

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 09:26

Reported

2024-11-14 09:29

Platform

win7-20241010-en

Max time kernel

43s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WPA Service = "C:\\Program Files (x86)\\WPA Service\\wpasv.exe" C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2344 set thread context of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WPA Service\wpasv.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
File opened for modification C:\Program Files (x86)\WPA Service\wpasv.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2344 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe
PID 2888 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe
PID 2888 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe

"C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UNubJR.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UNubJR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFBBD.tmp"

C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe

"C:\Users\Admin\AppData\Local\Temp\SUGFTEY6.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "WPA Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2C0.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 aye2mar280502016.ddns.net udp
NL 185.235.138.103:20251 aye2mar280502016.ddns.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpFBBD.tmp

MD5 6dd16a8f69cd8cfed4d32bb090113844
SHA1 c023f7634f42572f5d2f5b3395fcb789bf6634f6
SHA256 26aa463058f02603fa29b9557215bf8a4b4ea39c5fa9e363432df60132f63c99
SHA512 1b2c5cf06682b31341bbd5b3a3cef36332adeef348e5fae285bd9ba8e65f04b233c94a34af27c6fbe3b2b62a73a3ec876489e0a473f6df743d7f03ecfdac7628

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 7cec4c961dc0a8c4b4bb441d74e7f58d
SHA1 9f10871f8492846f844d6f1ed5c4ad44fe6aee91
SHA256 aa9ba1256663f9504a48338764918f2871f987e2147f210c44f3f038e27c59a5
SHA512 310e22bf7b5d5d17a548eca15d594052e2f393faebbee1ad689f85a16272d9bf95171e6630dcce7c503a9fb82db4da53090ef3788bc37f2b63b3971d4bc9d9aa

C:\Users\Admin\AppData\Local\Temp\tmp1C5.tmp

MD5 5ed0190396216c37074c42639bbe1729
SHA1 c4b783f59e08a8f5edaf50c9b36db8a812739c53
SHA256 a9d70f3a16208bd3890b03faffa0d2d7f0fc5e7b99f62d13ea7381a61d3b467d
SHA512 fc8df5242c89b65d52727c82b2690fb7e33c6dab4261662b5da072e2f36370dec0699ec6b0278c24f54cb6851a4d2fb72818e649b4da8047dba1156d0b1450c5

C:\Users\Admin\AppData\Local\Temp\tmp2C0.tmp

MD5 21de6c3a6440d917bdbb4b491191d9b2
SHA1 c63c300affe7147910dc4544d2d5f3029bf321a6
SHA256 23af17733a3882cdd82a5bbc321d896b2430dc1bb4b4ac034d129cde5027afc4
SHA512 dcd1c464ed36593b990e072940ab415804ef8076743015fff4939211e30e436beb7ce6af3072769abe0214f737cedb210d2b45e6e90da20dac54c3945b11575f