Malware Analysis Report

2025-08-05 14:43

Sample ID: 250701-h6yxhs1ydx
Target: e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5
SHA256: e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5
Tags: aspackv2 bootkit discovery persistence spyware stealer
Score: 8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 8/10

SHA256: e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5

Threat Level: Likely malicious

The file e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5 was found to be: Likely malicious.

Malicious Activity Summary

aspackv2 bootkit discovery persistence spyware stealer

Blocklisted process makes network request

ASPack v2.12-2.42

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Writes to the Master Boot Record (MBR)

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-01 07:21

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-01 07:21

Reported

2025-07-01 07:24

Platform

win10v2004-20250619-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\eqhed.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\eqhed.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\zjzhm\\eucfe.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\eqhed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A \??\c:\windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe N/A
N/A N/A \??\c:\eqhed.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5784 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe C:\Windows\SysWOW64\cmd.exe
PID 5784 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe C:\Windows\SysWOW64\cmd.exe
PID 5784 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2956 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2956 wrote to memory of 2500 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 2956 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\eqhed.exe
PID 2956 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\eqhed.exe
PID 2956 wrote to memory of 4268 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\eqhed.exe
PID 4268 wrote to memory of 5160 N/A \??\c:\eqhed.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 5160 N/A \??\c:\eqhed.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4268 wrote to memory of 5160 N/A \??\c:\eqhed.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 5028 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 5028 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 5028 wrote to memory of 4916 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4916 wrote to memory of 4528 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 4528 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 4528 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 4528 wrote to memory of 4652 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4528 wrote to memory of 4652 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4528 wrote to memory of 4652 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe

"C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\eqhed.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\eqhed.exe

c:\eqhed.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass c:\eqhed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\SysWOW64\rundll32.exe "c:\zjzhm\eucfe.dll",GetWindowClass

\??\c:\windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\zjzhm"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Country  Destination             Domain            Proto
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.234:12354   N/A               tcp
US       107.163.241.234:12354   N/A               tcp
US       107.163.241.234:12354   N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       8.8.8.8:53              tse1.mm.bing.net  udp
US       150.171.28.10:443       tse1.mm.bing.net  tcp
US       150.171.28.10:443       tse1.mm.bing.net  tcp
US       150.171.28.10:443       tse1.mm.bing.net  tcp
US       150.171.28.10:443       tse1.mm.bing.net  tcp
US       150.171.28.10:443       tse1.mm.bing.net  tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       8.8.8.8:53              c.pki.goog        udp
GB       142.250.179.227:80      c.pki.goog        tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp
US       107.163.241.230:6520    N/A               tcp

Files

memory/5784-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5784-1-0x0000000000418000-0x0000000000419000-memory.dmp

memory/5784-3-0x0000000000400000-0x000000000041A000-memory.dmp

C:\eqhed.exe

MD5 1c6a375a955e5ab89a131ea82a9e6a14
SHA1 f195d91b07ce3515f38764b5fc2befd6ad99ed96
SHA256 d95212beb040619c4693c5bee79cdbebc18da6fcdf004891e730f8fec5d050bd
SHA512 c46d8bd41823ec53a246d134634bf712fc1aaa5219dd37a0d1301a2354c970c0c04433f329962c8605825bc8abe60b9cb4229f177b7bbe06a16eb2077bd2366e

memory/4268-7-0x0000000000400000-0x000000000041A000-memory.dmp

memory/4268-10-0x0000000000400000-0x000000000041A000-memory.dmp

\??\c:\zjzhm\eucfe.dll

MD5 a3fd41430ddcaa55fde840788925406a
SHA1 dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256 f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA512 23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

memory/5160-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/5160-14-0x0000000010001000-0x000000001001E000-memory.dmp

memory/4916-16-0x0000000010000000-0x000000001002E000-memory.dmp

memory/4916-17-0x0000000010000000-0x000000001002E000-memory.dmp

memory/5160-18-0x0000000010000000-0x000000001002E000-memory.dmp

memory/5160-19-0x0000000010001000-0x000000001001E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-01 07:21

Reported

2025-07-01 07:24

Platform

win11-20250619-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A \??\c:\uzczz.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\uzczz.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\xdgdt\\uhrbg.dll\",GetWindowClass" \??\c:\windows\SysWOW64\rundll32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\q: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\t: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\b: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\e: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\h: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\p: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\r: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\u: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\z: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\a: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\l: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\n: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\s: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\w: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\x: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\g: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\i: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\k: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\v: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\y: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\j: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\m: \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened (read-only) \??\o: \??\c:\windows\SysWOW64\rundll32.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A
File opened for modification \??\PHYSICALDRIVE0 \??\c:\windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\PING.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\uzczz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\windows\SysWOW64\rundll32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A
N/A N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\windows\SysWOW64\rundll32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe N/A
N/A N/A \??\c:\uzczz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe C:\Windows\SysWOW64\cmd.exe
PID 3844 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3844 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3844 wrote to memory of 2132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3844 wrote to memory of 5652 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\uzczz.exe
PID 3844 wrote to memory of 5652 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\uzczz.exe
PID 3844 wrote to memory of 5652 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\uzczz.exe
PID 5652 wrote to memory of 3172 N/A \??\c:\uzczz.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 5652 wrote to memory of 3172 N/A \??\c:\uzczz.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 5652 wrote to memory of 3172 N/A \??\c:\uzczz.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 4576 wrote to memory of 728 N/A C:\Windows\system32\cmd.exe \??\c:\windows\SysWOW64\rundll32.exe
PID 728 wrote to memory of 3972 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 3972 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 728 wrote to memory of 3972 N/A \??\c:\windows\SysWOW64\rundll32.exe \??\c:\windows\SysWOW64\cmd.exe
PID 3972 wrote to memory of 5004 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3972 wrote to memory of 5004 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3972 wrote to memory of 5004 N/A \??\c:\windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe

"C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 2&c:\uzczz.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 2

\??\c:\uzczz.exe

c:\uzczz.exe "C:\Users\Admin\AppData\Local\Temp\e6b4312aa2a3037519e99ab278c9bdbfcc130ce3a77d53f101b8bea9c9eed1f5.exe"

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\system32\rundll32.exe "c:\xdgdt\uhrbg.dll",GetWindowClass c:\uzczz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c c:\windows\SysWOW64\rundll32.exe "c:\xdgdt\uhrbg.dll",GetWindowClass

\??\c:\windows\SysWOW64\rundll32.exe

c:\windows\SysWOW64\rundll32.exe "c:\xdgdt\uhrbg.dll",GetWindowClass

\??\c:\windows\SysWOW64\cmd.exe

cmd.exe /c ping 127.0.0.1 -n 3&rd /s /q "c:\xdgdt"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 3

Network

Country  Destination             Domain  Proto
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.234:12354   N/A     tcp
US       107.163.241.234:12354   N/A     tcp
US       107.163.241.234:12354   N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp
US       107.163.241.230:6520    N/A     tcp

Files

memory/2780-0-0x0000000000400000-0x000000000041A000-memory.dmp

memory/2780-1-0x0000000000418000-0x0000000000419000-memory.dmp

memory/2780-3-0x0000000000400000-0x000000000041A000-memory.dmp

C:\uzczz.exe

MD5 f70959a74d140e37d0e78141ab782e1a
SHA1 a47c644551d2060cc67489f6552e0d30bb4d4ade
SHA256 b87e7efea9c7716a31c300c6bb9fa856e2b71b73832e38f27e37117675a400cf
SHA512 4b431c03ff23803ea107b40b2e944f74dc77f0aed176f485da788eca1aac02dfde3ff78661a2cf1212706da32c0382f4b2fb3358aca76ff7faa4269110a27019

memory/5652-7-0x0000000000400000-0x000000000041A000-memory.dmp

memory/5652-10-0x0000000000400000-0x000000000041A000-memory.dmp

\??\c:\xdgdt\uhrbg.dll

MD5 a3fd41430ddcaa55fde840788925406a
SHA1 dbdd87f5c1bbf6a6f44c2e2c4744675d5e4e75c2
SHA256 f57f9e54f4774c2b944fb070ae0c2a02cbb4b7686ab3207544c3ccaff0ff3dd9
SHA512 23109572cfc9a282ea3ec84d93bfe02303d27f365ad2d9f47f6234f91da14c64f80133cc5e49746dfcb65d2454b7e7c13eff59ba4bbc18e09d2fb1c630ba59c9

memory/3172-13-0x0000000010000000-0x000000001002E000-memory.dmp

memory/3172-14-0x0000000010001000-0x000000001001E000-memory.dmp

memory/728-16-0x0000000010000000-0x000000001002E000-memory.dmp

memory/3172-17-0x0000000010000000-0x000000001002E000-memory.dmp

memory/3172-18-0x0000000010001000-0x000000001001E000-memory.dmp