Malware Analysis Report

2025-03-15 01:11

Sample ID 250224-nyscna1jv6
Target config.exe
SHA256 ede4efe8923397c1a2a876da4b847f78791e76b193ab0f84aa08a91fcc76ccef
Tags
silverrat defense_evasion execution persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

ede4efe8923397c1a2a876da4b847f78791e76b193ab0f84aa08a91fcc76ccef

Threat Level: Known bad

The file config.exe was found to be: Known bad.

Malicious Activity Summary

silverrat defense_evasion execution persistence trojan

Silverrat family

SilverRat

Sets file to hidden

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Unsigned PE

Views/modifies file attributes

Scheduled Task/Job: Scheduled Task

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-24 11:48

Signatures

Silverrat family

silverrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-24 11:48

Reported

2025-02-24 11:51

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\systemSafemode\\OFXsystemSafemode.exe\"" C:\Users\Admin\AppData\Local\Temp\config.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2248 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 2248 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\system32\cmd.exe
PID 2336 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2336 wrote to memory of 2640 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe
PID 2640 wrote to memory of 2672 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2628 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2680 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\system32\schtasks.exe
PID 2640 wrote to memory of 2472 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2640 wrote to memory of 760 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config.exe

"C:\Users\Admin\AppData\Local\Temp\config.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\systemSafemode"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF077.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe

"C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe"

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN OFXsystemSafemode.exe

C:\Windows\system32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "OFXsystemSafemode.exe" /TR "C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe \"\OFXsystemSafemode.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\system32\schtasks.exe

"schtasks.exe" /query /TN OFXsystemSafemode.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "OFXsystemSafemode_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 AK4-53145.portmap.host udp
DE 193.161.193.99:53145 AK4-53145.portmap.host tcp

Files

memory/2248-0-0x000007FEF6543000-0x000007FEF6544000-memory.dmp

memory/2248-1-0x000000013FC50000-0x000000013FC5E000-memory.dmp

memory/2248-2-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe

MD5 eec97c1c972c1a4db59f48fe5f590187
SHA1 2e8ad75a10cac16b345f8456c6a0411feea316c5
SHA256 ede4efe8923397c1a2a876da4b847f78791e76b193ab0f84aa08a91fcc76ccef
SHA512 af5c6b9540fdd224cbd1a62051c187198d7413ee237991cbb18339cabb9c79a4c93c44419128c4748cef55fe78454132f05648b4d414900470801b6e42b671a2

memory/2248-4-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF077.tmp.bat

MD5 cd1b87adbe309307a9fb11d01f251bad
SHA1 27dec4b5ab4bb60695443170e8e5937be85dcf34
SHA256 478af4ad0db1612f5c038007ea26fff679356dea14e65ce27ce0aa98dce28b21
SHA512 fc8cf8ce6acf26562ce018fa9ecb303aba8152fbe12c50637a15a27a807cdd7f78a6f1f9a44a1527e742f74b869ca495f34b650a711fdbc06a78754aea60d4b0

memory/2248-13-0x000007FEF6540000-0x000007FEF6F2C000-memory.dmp

memory/2640-16-0x000000013F650000-0x000000013F65E000-memory.dmp

memory/2472-22-0x0000000001E90000-0x0000000001E98000-memory.dmp

memory/2472-21-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-24 11:48

Reported

2025-02-24 11:51

Platform

win10v2004-20250217-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\config.exe"

Signatures

SilverRat

trojan silverrat

Silverrat family

silverrat

Sets file to hidden

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1294999112-580688058-1763548717-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\config.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\systemSafemode\\OFXsystemSafemode.exe\"" C:\Users\Admin\AppData\Local\Temp\config.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Enumerates physical storage devices

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\config.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 1772 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\System32\attrib.exe
PID 1772 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\config.exe C:\Windows\system32\cmd.exe
PID 3012 wrote to memory of 2920 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3012 wrote to memory of 4372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe
PID 4372 wrote to memory of 1852 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4372 wrote to memory of 2408 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4372 wrote to memory of 3828 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\SYSTEM32\schtasks.exe
PID 4372 wrote to memory of 3004 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4372 wrote to memory of 1412 N/A C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\attrib.exe N/A
N/A N/A C:\Windows\System32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\config.exe

"C:\Users\Admin\AppData\Local\Temp\config.exe"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\systemSafemode"

C:\Windows\System32\attrib.exe

"C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5E7.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe

"C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe"

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN OFXsystemSafemode.exe

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /Create /SC ONCE /TN "OFXsystemSafemode.exe" /TR "C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe \"\OFXsystemSafemode.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST

C:\Windows\SYSTEM32\schtasks.exe

"schtasks.exe" /query /TN OFXsystemSafemode.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionExtension exe,bat,dll,ps1;exit

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /sc daily /tn "OFXsystemSafemode_Task-DAILY-21PM" /TR "%MyFile%" /ST 21:00

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
GB 2.16.34.83:443 www.bing.com tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 AK4-53145.portmap.host udp
DE 193.161.193.99:53145 AK4-53145.portmap.host tcp

Files

memory/1772-0-0x00007FF8DA963000-0x00007FF8DA965000-memory.dmp

memory/1772-1-0x0000000000720000-0x000000000072E000-memory.dmp

memory/1772-2-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

C:\Users\Admin\systemSafemode\OFXsystemSafemode.exe

MD5 eec97c1c972c1a4db59f48fe5f590187
SHA1 2e8ad75a10cac16b345f8456c6a0411feea316c5
SHA256 ede4efe8923397c1a2a876da4b847f78791e76b193ab0f84aa08a91fcc76ccef
SHA512 af5c6b9540fdd224cbd1a62051c187198d7413ee237991cbb18339cabb9c79a4c93c44419128c4748cef55fe78454132f05648b4d414900470801b6e42b671a2

memory/1772-4-0x00007FF8DA963000-0x00007FF8DA965000-memory.dmp

memory/1772-5-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5E7.tmp.bat

MD5 a18d76c89fecf5c2d842ad5f58a1a5cd
SHA1 b562a7fd56fd876804d55e7be9651f044dcb17f9
SHA256 cab62174d99318ace5b72d074256d8ca3d514b9f4a17fc4a75a2b06a34590e9a
SHA512 db5c853c63cd7f5ebd457097ecfa1457252b16606bf0703f27305e414fe3e90803817c15ff0b43cc24ac1cca4d5a1a79360518b6d36f11d0d9f9837e2159dcf3

memory/1772-10-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

memory/4372-12-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp

memory/3004-13-0x000001B2D7170000-0x000001B2D7192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hsllgzyh.hcg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4372-25-0x00007FF8DA960000-0x00007FF8DB421000-memory.dmp