Malware Analysis Report

2025-01-23 13:20

Sample ID 241204-nybd5szkdq
Target 241105-dtxrgatbpg_pw_infected.zip
SHA256 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66
Tags
main 26.02.2020 upx stealer xdsddd victime 25/03 samay cryptone packer 09/04 07/04 305419896 insert-coin yt system hacked hack zloader revengerat cobaltstrike zeppelin njrat xred modiloader smokeloader backdoor trojan discovery persistence
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral4
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral6
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral8
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral5
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral7
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral9
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral10
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Threat Level: Known bad

The file 241105-dtxrgatbpg_pw_infected.zip was found to be: Known bad.

Malicious Activity Summary

Detects Zeppelin payload

Zloader family

RevengeRat Executable

ModiLoader Second Stage

Zeppelin family

Smokeloader family

Xred family

Cobaltstrike family

Modiloader family

Njrat family

Revengerat family

SmokeLoader

CryptOne packer

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops startup file

Adds Run key to start application

Maps connected drives based on registry

AutoIT Executable

Drops file in System32 directory

UPX packed file

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-04 11:48

Signatures

Cobaltstrike family

cobaltstrike

Detects Zeppelin payload

Description Indicator Process Target
N/A N/A N/A N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A

Modiloader family

modiloader

Njrat family

njrat

RevengeRat Executable

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Revengerat family

revengerat

Xred family

xred

Zeppelin family

zeppelin

Zloader family

zloader

CryptOne packer

cryptone packer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:51

Platform

win7-20240903-en

Max time kernel

16s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0di3x.exe

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

Network

N/A

Files

memory/2940-1-0x00000000030E0000-0x00000000031E0000-memory.dmp

memory/2940-2-0x0000000000220000-0x000000000022A000-memory.dmp

memory/2940-3-0x0000000000400000-0x000000000040A000-memory.dmp

\Users\Admin\AppData\Local\Temp\2F6.tmp

MD5 d124f55b9393c976963407dff51ffa79
SHA1 2c7bbedd79791bfb866898c85b504186db610b5d
SHA256 ea1e16247c848c8c171c4cd1fa17bc5a018a1fcb0c0dac25009066b6667b8eef
SHA512 278fe3a4b1fbbe700e4f4483b610133e975e36e101455661d5197bd892a68839b9d555499040d200c92aefa9e3819380e395c0cd85d5fc845c6364d128a8cf06

memory/2940-9-0x0000000000400000-0x000000000040A000-memory.dmp

memory/2940-8-0x0000000000220000-0x000000000022A000-memory.dmp

memory/2940-7-0x0000000000400000-0x0000000002FA6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\0di3x.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0di3x.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0di3x.exe

"C:\Users\Admin\AppData\Local\Temp\0di3x.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 768 -ip 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 768 -s 376

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.238.56.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

memory/768-1-0x0000000003050000-0x0000000003150000-memory.dmp

memory/768-2-0x0000000003040000-0x000000000304A000-memory.dmp

memory/768-3-0x0000000000400000-0x000000000040A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F6.tmp

MD5 4f3387277ccbd6d1f21ac5c07fe4ca68
SHA1 e16506f662dc92023bf82def1d621497c8ab5890
SHA256 767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac
SHA512 9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

memory/768-10-0x0000000000400000-0x000000000040A000-memory.dmp

memory/768-9-0x0000000003040000-0x000000000304A000-memory.dmp

memory/768-8-0x0000000000400000-0x0000000002FA6000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\ufx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\yaya.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\power.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs C:\Users\Admin\AppData\Roaming\va.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Netscape = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\sswgiggh\\suasjrgr.exe" C:\Windows\SysWOW64\explorer.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\sant.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Roaming\sant.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\yaya.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\sant.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SCHTASKS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HYDRA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ufx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\power.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ucp\usc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\va.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\ucp\usc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1440 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 1440 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 1440 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 1440 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 1440 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 1440 wrote to memory of 4340 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 1440 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 1440 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 1440 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 1440 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 1440 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 1440 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 1440 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 1440 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 1440 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 1704 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Roaming\yaya.exe C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
PID 1704 wrote to memory of 3236 N/A C:\Users\Admin\AppData\Roaming\yaya.exe C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
PID 2208 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 2208 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 2208 wrote to memory of 868 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 868 wrote to memory of 1376 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 868 wrote to memory of 1376 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 868 wrote to memory of 1376 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 3236 wrote to memory of 2296 N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3236 wrote to memory of 2296 N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2296 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2296 wrote to memory of 1612 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3552 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 3552 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 3552 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 3928 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3928 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HYDRA.exe

"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"

C:\Users\Admin\AppData\Roaming\yaya.exe

C:\Users\Admin\AppData\Roaming\yaya.exe

C:\Users\Admin\AppData\Roaming\va.exe

C:\Users\Admin\AppData\Roaming\va.exe

C:\Users\Admin\AppData\Roaming\ufx.exe

C:\Users\Admin\AppData\Roaming\ufx.exe

C:\Users\Admin\AppData\Roaming\sant.exe

C:\Users\Admin\AppData\Roaming\sant.exe

C:\Users\Admin\AppData\Roaming\power.exe

C:\Users\Admin\AppData\Roaming\power.exe

C:\ProgramData\ucp\usc.exe

"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"

C:\Windows\SysWOW64\SCHTASKS.exe

SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\luxedrav.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC45.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC35.tmp"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 psix.tk udp
US 8.8.8.8:53 minercoinbox.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
GB 95.101.143.183:80 www.bing.com tcp
US 8.8.8.8:53 183.143.101.95.in-addr.arpa udp
US 8.8.8.8:53 visualstudio.microsoft.com udp
GB 23.214.136.153:443 visualstudio.microsoft.com tcp
US 8.8.8.8:53 3.22.192.23.in-addr.arpa udp
US 8.8.8.8:53 153.136.214.23.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 88.238.56.23.in-addr.arpa udp
RU 92.53.105.14:80 tcp
US 8.8.8.8:53 java.com udp
GB 95.101.143.183:443 java.com tcp
GB 95.101.143.183:443 java.com tcp
US 8.8.8.8:53 www.mozilla.org udp
US 151.101.3.19:443 www.mozilla.org tcp
US 8.8.8.8:53 19.3.101.151.in-addr.arpa udp
GB 95.101.143.183:443 java.com tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 92.53.105.14:80 tcp
US 8.8.8.8:53 java.com udp
GB 88.221.135.48:443 java.com tcp
US 8.8.8.8:53 48.135.221.88.in-addr.arpa udp
GB 88.221.135.48:443 java.com tcp
GB 88.221.135.48:443 java.com tcp
GB 88.221.135.48:443 java.com tcp
US 8.8.8.8:53 java.com udp
GB 95.101.143.183:443 java.com tcp
US 8.8.8.8:53 www.mozilla.org udp
US 151.101.195.19:443 www.mozilla.org tcp
US 8.8.8.8:53 19.195.101.151.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\yaya.exe

MD5 7d05ab95cfe93d84bc5db006c789a47f
SHA1 aa4aa0189140670c618348f1baad877b8eca04a4
SHA256 5c32e0d2a69fd77e85f2eecaabeb677b6f816de0d82bf7c29c9d124a818f424f
SHA512 40d1461e68994df56f19d9f7b2d96ffdc5300ca933e10dc53f7953471df8dea3aabeb178c3432c6819175475cadcbdb698384e3df57b3606c6fce3173a31fe84

C:\Users\Admin\AppData\Roaming\va.exe

MD5 c084e736931c9e6656362b0ba971a628
SHA1 ef83b95fc645ad3a161a19ccef3224c72e5472bd
SHA256 3139bf3c4b958c3a019af512aecdb8161b9d6d7432d2c404abda3f42b63f34f1
SHA512 cbd6485840a117b52e24586da536cefa94ca087b41eb460d27bc2bd320217957c9e0e96b0daf74343efde2e23a5242e7a99075aabf5f9e18e03b52eb7151ae1f

C:\Users\Admin\AppData\Roaming\ufx.exe

MD5 22e088012519e1013c39a3828bda7498
SHA1 3a8a87cce3f6aff415ee39cf21738663c0610016
SHA256 9e3826138bacac89845c26278f52854117db1652174c1c76dbb2bd24f00f4973
SHA512 5559e279dd3d72b2c9062d88e99212bbc67639fe5a42076efd24ae890cfce72cfe2235adb20bf5ed1f547b6da9e69effa4ccb80c0407b7524f134a24603ea5a8

C:\Users\Admin\AppData\Roaming\sant.exe

MD5 5effca91c3f1e9c87d364460097f8048
SHA1 28387c043ab6857aaa51865346046cf5dc4c7b49
SHA256 3fd826fc0c032721466b94ab3ec7dcfe006cc284e16132af6b91dfbc064b0907
SHA512 b0dba30fde295d3f7858db9d1463239b30cd84921971032b2afb96f811a53ac12c1e6f72013d2eff397b0b89c371e7c023c951cd2102f94157cba9918cd2c3e0

memory/3552-21-0x0000000000110000-0x000000000011A000-memory.dmp

C:\Users\Admin\AppData\Roaming\power.exe

MD5 743f47ae7d09fce22d0a7c724461f7e3
SHA1 8e98dd1efb70749af72c57344aab409fb927394e
SHA256 1bee45423044b5a6bf0ad0dd2870117824b000784ce81c5f8a1b930bb8bc0465
SHA512 567993c3b798365efa07b7a46fda98494bfe540647f27654764e78b7f60f093d403b77b9abb889cfb09b44f13515ce3c041fc5db05882418313c3b3409dd77bf

memory/3552-22-0x0000000000110000-0x000000000011A000-memory.dmp

memory/4340-18-0x0000000000400000-0x000000000041C000-memory.dmp

memory/3552-17-0x0000000000400000-0x0000000000404000-memory.dmp

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

MD5 51bf85f3bf56e628b52d61614192359d
SHA1 c1bc90be6a4beb67fb7b195707798106114ec332
SHA256 990dffdc0694858514d6d7ff7fff5dc9f48fab3aa35a4d9301d94fc57e346446
SHA512 131173f3aabcfba484e972424c54201ec4b1facfb2df1efe08df0d43a816d4df03908b006884564c56a6245badd4f9ed442a295f1db2c0c970a8f80985d35474

C:\ProgramData\ucp\usc.exe

MD5 b100b373d645bf59b0487dbbda6c426d
SHA1 44a4ad2913f5f35408b8c16459dcce3f101bdcc7
SHA256 84d7fd0a93d963e9808212917f79fe2d485bb7fbc94ee374a141bbd15da725b7
SHA512 69483fed79f33da065b1cc65a2576ba268c78990545070f6f76fca8f48aaec8274faecdc9bcf92bf84a87809a318b159d1a3c835f848a6eea6c163f41612bf9b

memory/1704-55-0x0000000000400000-0x000000000047B000-memory.dmp

memory/3236-58-0x000000001BBC0000-0x000000001C08E000-memory.dmp

memory/3236-59-0x000000001C090000-0x000000001C12C000-memory.dmp

memory/3236-60-0x0000000001030000-0x0000000001038000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\luxedrav.cmdline

MD5 eada88fecaa89339e2798d661fd86374
SHA1 96d3757f11c6e0e8dc97aacdb71c1e1a541e027a
SHA256 fe1af86aee5498b90fb5f7c9980f109866e5c51fb02bf425977f0ba25820c59f
SHA512 27e3024098f0596272e0a46d3250a2cdf741b8562ed3492ada99aad0402175f2831e1e78ae6310b5ea34acf4ef177b5bfce92149332f2b611949830a5199e473

\??\c:\Users\Admin\AppData\Local\Temp\luxedrav.0.cs

MD5 a0d1b6f34f315b4d81d384b8ebcdeaa5
SHA1 794c1ff4f2a28e0c631a783846ecfffdd4c7ae09
SHA256 0b3a3f8f11eb6f50fe67943f2b73c5824614f31c2e0352cc234927d7cb1a52e0
SHA512 0a89293d731c5bca05e73148f85a740b324fc877f2fb05cde1f68e2098329fbca552d78249a46f4a1da15a450c8e754c73be20c652f7089d5cfec445ce950a0e

\??\c:\Users\Admin\AppData\Local\Temp\CSCEC35.tmp

MD5 131813a4fe5b9b26b1e3f1aff6e92266
SHA1 61319d8be507b5d4049c8015a66fe8ede9ee1504
SHA256 2edfe781d37ef0fc39fe746e9a2aed716782ac3e5f35af49be1a135286e604ff
SHA512 bb6dff7aaa01400101622c15360405840acc3b60add495e7d74d83915f5b366c78c6048e790820a91adb5369f909543aae143cc391daf105d7580950a058654e

C:\Users\Admin\AppData\Local\Temp\RESEC45.tmp

MD5 3297daa79fc486f368fb89912a1e86f5
SHA1 66a00e3171ed65d26a05a27e7aa34550687003e6
SHA256 699a778cb099e0231a9542a2378aa8f319d59568054dcaf2c56f539df5631fec
SHA512 cec993e2313488b73696bb20eb26e4e3b0b79a2e291726a729162e7f24bad3985a2aa4c0a60c59be1681bfc0388b8d38fc24b73cda810ba73556c5a3698e7b51

C:\Users\Admin\AppData\Local\Temp\luxedrav.dll

MD5 b76f2eb770519b2b1c90d3b3c768a678
SHA1 0f54359c2f074040a280d29c42007ebb6a0d8962
SHA256 ed11144e23975ec9041502332ae856d407cfde169620cbd40f8ae787c0fff61a
SHA512 1c1f80d4d794dd7df099f3af1bd2db1387786bee7f44b8ef7ef42c10ba5c7e98465aebd135a1320ae53c0bc5b06eb28c6de344c00c2682f81c34cc3717cdbf43

memory/3236-74-0x0000000001200000-0x0000000001208000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\luxedrav.pdb

MD5 81697e3e698ceac6cce9bf36999019b6
SHA1 010e61ad4d5f0ab24eafb3441ec4904dc9d58bc2
SHA256 5f91f712426fe592d4e3155fb8dc04057da3a0726ea7f535b44b758aa951fdc1
SHA512 ad2221f99054003fe3f0774e0bfee3f6c1a400fdec38a34cd7b357b6a5cc14b624f98164d2da862bfde07f75a8f106393cbc56bd7c581cfe1bae2fc995771324

memory/3928-78-0x0000000000400000-0x0000000000485000-memory.dmp

memory/3552-79-0x0000000000110000-0x000000000011A000-memory.dmp

memory/4752-80-0x0000000000D20000-0x0000000001153000-memory.dmp

memory/4752-81-0x0000000000D20000-0x0000000001153000-memory.dmp

memory/4752-82-0x0000000000810000-0x000000000081A000-memory.dmp

memory/4752-89-0x0000000000810000-0x000000000081A000-memory.dmp

memory/4752-91-0x0000000000810000-0x000000000081A000-memory.dmp

memory/3552-92-0x0000000000110000-0x000000000011A000-memory.dmp

memory/3552-94-0x0000000000400000-0x0000000000404000-memory.dmp

memory/3928-97-0x0000000000400000-0x0000000000485000-memory.dmp

memory/3440-98-0x0000000002BA0000-0x0000000002BD6000-memory.dmp

memory/3440-99-0x00000000056D0000-0x0000000005CF8000-memory.dmp

memory/3440-100-0x0000000005610000-0x0000000005632000-memory.dmp

memory/3440-101-0x0000000005DF0000-0x0000000005E56000-memory.dmp

memory/3440-102-0x0000000005E60000-0x0000000005EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mplzpawn.nuu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3440-112-0x0000000006050000-0x00000000063A4000-memory.dmp

memory/3440-113-0x00000000064D0000-0x00000000064EE000-memory.dmp

memory/3440-114-0x0000000006510000-0x000000000655C000-memory.dmp

memory/3440-115-0x0000000007640000-0x0000000007684000-memory.dmp

memory/3440-117-0x00000000077D0000-0x0000000007846000-memory.dmp

memory/3440-118-0x0000000007ED0000-0x000000000854A000-memory.dmp

memory/3440-119-0x0000000007870000-0x000000000788A000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe

"C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.238.56.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

152s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Malware

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Malware

Network

Country Destination Domain Proto

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win7-20240708-en

Max time kernel

150s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDAudo.vbs C:\Users\Admin\AppData\Roaming\va.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\ODBC = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\dtricesd\\jstsfadf.exe" C:\Windows\SysWOW64\explorer.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Roaming\sant.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Roaming\sant.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT C:\Windows\TEMP\foxcon.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\GDIPFONTCACHEV1.DAT C:\Windows\TEMP\foxcon.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\sant.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HYDRA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\ufx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ucp\usc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SCHTASKS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\yaya.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\power.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\FoxCond\{1945BBS40-8571-3DA1-BB29-HYDRA7A11A1E} = "C:\\Windows\\Temp\\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\\services.exe" C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus C:\Windows\TEMP\foxcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\FoxCond C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\GDIPlus\FontCachePath = "C:\\Windows\\system32\\config\\systemprofile\\AppData\\Local" C:\Windows\TEMP\foxcon.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Foxcon Service Control = "C:\\Windows\\TEMP\\foxcon.exe" C:\Windows\TEMP\foxcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run C:\Windows\TEMP\foxcon.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\SCHTASKS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A
N/A N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe N/A
N/A N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
N/A N/A C:\Windows\TEMP\foxcon.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\sant.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\ProgramData\ucp\usc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\TEMP\foxcon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\yaya.exe
PID 2404 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\va.exe
PID 2404 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\ufx.exe
PID 2404 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\sant.exe
PID 2404 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\HYDRA.exe C:\Users\Admin\AppData\Roaming\power.exe
PID 2612 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Roaming\yaya.exe C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe
PID 2968 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\ufx.exe C:\ProgramData\ucp\usc.exe
PID 2412 wrote to memory of 2132 N/A C:\ProgramData\ucp\usc.exe C:\Windows\SysWOW64\SCHTASKS.exe
PID 2268 wrote to memory of 2240 N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2240 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 1356 wrote to memory of 1036 N/A C:\Windows\System32\cmd.exe C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe
PID 1720 wrote to memory of 1832 N/A C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe C:\Windows\TEMP\foxcon.exe
PID 2524 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\sant.exe C:\Windows\SysWOW64\explorer.exe
PID 2740 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Roaming\power.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HYDRA.exe

"C:\Users\Admin\AppData\Local\Temp\HYDRA.exe"

C:\Users\Admin\AppData\Roaming\yaya.exe

C:\Users\Admin\AppData\Roaming\yaya.exe

C:\Users\Admin\AppData\Roaming\va.exe

C:\Users\Admin\AppData\Roaming\va.exe

C:\Users\Admin\AppData\Roaming\ufx.exe

C:\Users\Admin\AppData\Roaming\ufx.exe

C:\Users\Admin\AppData\Roaming\sant.exe

C:\Users\Admin\AppData\Roaming\sant.exe

C:\Users\Admin\AppData\Roaming\power.exe

C:\Users\Admin\AppData\Roaming\power.exe

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

"C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe"

C:\ProgramData\ucp\usc.exe

"C:\ProgramData\ucp\usc.exe" /ucp/usc.exe

C:\Windows\SysWOW64\SCHTASKS.exe

SCHTASKS /Create /SC MINUTE /MO 10 /F /TN SystemOptimize /TR C:\ProgramData\ucp\usc.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\amdt1ql_.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CDB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2CDA.tmp"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\System32\cmd.exe

/K services.exe && clear

C:\Windows\System32\cmd.exe

/K services.exe && clear

C:\Windows\System32\cmd.exe

/K services.exe && clear

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe

services.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe

C:\Windows\System32\cmd.exe

net localgroup administrators %username% /add

C:\Windows\TEMP\foxcon.exe

"C:\Windows\TEMP\foxcon.exe"

C:\Windows\SysWOW64\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 psix.tk udp
US 8.8.8.8:53 minercoinbox.com udp
RU 188.225.34.245:3000 tcp
GB 88.221.135.11:80 www.bing.com tcp
US 8.8.8.8:53 java.com udp
GB 88.221.135.48:80 java.com tcp
US 8.8.8.8:53 www.videolan.org udp
FR 213.36.253.2:443 www.videolan.org tcp
US 8.8.8.8:53 support.microsoft.com udp
US 13.107.246.64:443 support.microsoft.com tcp
US 8.8.8.8:53 visualstudio.microsoft.com udp
GB 23.214.136.153:443 visualstudio.microsoft.com tcp
RU 92.53.105.14:80 tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:443 www.microsoft.com tcp
GB 95.101.143.183:80 java.com tcp

Files

\Users\Admin\AppData\Roaming\yaya.exe

\Users\Admin\AppData\Roaming\va.exe

C:\Users\Admin\AppData\Roaming\ufx.exe

\Users\Admin\AppData\Roaming\sant.exe

\Users\Admin\AppData\Roaming\power.exe

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\starter.exe

\ProgramData\ucp\usc.exe

\??\c:\Users\Admin\AppData\Local\Temp\amdt1ql_.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\amdt1ql_.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC2CDA.tmp

C:\Users\Admin\AppData\Local\Temp\RES2CDB.tmp

C:\Users\Admin\AppData\Local\Temp\amdt1ql_.dll

C:\Users\Admin\AppData\Local\Temp\amdt1ql_.pdb

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\services.exe

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\foxcon.exe

C:\Windows\Temp\{1945BBS40-8571-3DA1-BB29-HYDRA7A13A1E}\Newtonsoft.Json.dll

Analysis: behavioral5

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win7-20241023-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe

"C:\Users\Admin\AppData\Local\Temp\Lonelyscreen.1.2.9.keygen.by.Paradox.exe"

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win7-20240903-en

Max time kernel

119s

Max time network

127s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Malware

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Malware

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win7-20240708-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js.zip"

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-12-04 11:47

Reported

2024-12-04 11:52

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js.zip"

Signatures

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\REVENGE-RAT.js.zip"

Network

Country Destination Domain Proto

Files

N/A