Malware Analysis Report

2025-06-16 05:18

Sample ID 220206-se7epabbf2
Target 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764
SHA256 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764
Tags
cryptbot discovery evasion spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764

Threat Level: Known bad

The file 0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764 was found to be: Known bad.

Malicious Activity Summary

cryptbot discovery evasion spyware stealer

CryptBot Payload

CryptBot

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Blocklisted process makes network request

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks computer location settings

Identifies Wine through registry keys

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Runs ping.exe

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-06 15:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-06 15:03

Reported

2022-02-06 15:06

Platform

win7-en-20211208

Max time kernel

156s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Microsoft\SystemCertificates\CA\Certificates\D89E3BD43D5D909B47A18977AA9D5CE36CEE184C\Blob = 030000000100000014000000d89e3bd43d5d909b47a18977aa9d5ce36cee184c1400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb040000000100000010000000285ec909c4ab0d2d57f5086b225799aa0f000000010000003000000013baa039635f1c5292a8c2f36aae7e1d25c025202e9092f5b0f53f5f752dfa9c71b3d1b8d9a6358fcee6ec75622fabf9190000000100000010000000ea6089055218053dd01e37e1d806eedf1800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000850500003082058130820469a00302010202103972443af922b751d7d36c10dd313595300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3139303331323030303030305a170d3238313233313233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a381f23081ef301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30110603551d20040a300830060604551d200030430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c05000382010100188751dc74213d9c8ae027b733d02eccecf0e6cb5e11de226f9b758e9e72fee4d6feaa1f9c962def034a7eaef48d6f723c433bc03febb8df5caaa9c6aef2fcd8eea37b43f686367c14e0cdf4f73ffedeb8b48af09196fefd43647efdccd201a17d7df81919c9422b13bf588bbaa4a266047688914e0c8914cea24dc932b3bae8141abc71f15bf0410b98000a220310e50cb1f9cd923719ed3bf1e43ab6f945132675afbbaaef3f7b773bd2c402913d1900d3175c39db3f7b180d45cd9385962f5ddf59164f3f51bdd545183fed4a8ee80661742316b50d50732744477f105d892a6b853114c4e8a96a4c80bc6a78cfb87f8e7672990c9dfed7910816a1a35f95 C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1332 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1332 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1332 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1680 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 844 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 844 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 844 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 844 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 844 wrote to memory of 1644 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 1332 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1332 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1332 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1332 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1332 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1332 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 1332 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 2032 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 2032 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 2032 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 2032 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Windows\SysWOW64\cscript.exe
PID 2032 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
PID 2032 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
PID 2032 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
PID 2032 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
PID 2032 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
PID 2032 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe
PID 2032 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe

"C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

C:\Windows\SysWOW64\cscript.exe

"cscript.exe" pub2.vbs //e:vbscript //NOLOGO

C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe

"C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe" /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.rationalowl.com udp
KR 211.239.150.87:443 www.rationalowl.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
DE 148.251.234.83:443 iplogger.org tcp
US 8.8.8.8:53 nkoopw13.top udp

Files

memory/1332-55-0x0000000075321000-0x0000000075323000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 8f2a62627b2f078181b1c94666988121
SHA1 5b87477abdde9bf1bf7f5db877a0a11ef805099d
SHA256 fcc0a27322e855794eff2c2e5598647dca7cf095ece49dbdd5676f4a18c6c66e
SHA512 93cdae1cb29bb680be616f795c5a01e73b99b8dc89e62773a3897ca7a773f4ea8bcaf218c92d6e39498e89263dc4e7ff798984fccb4879312dfb32c5c94b30d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 8f2a62627b2f078181b1c94666988121
SHA1 5b87477abdde9bf1bf7f5db877a0a11ef805099d
SHA256 fcc0a27322e855794eff2c2e5598647dca7cf095ece49dbdd5676f4a18c6c66e
SHA512 93cdae1cb29bb680be616f795c5a01e73b99b8dc89e62773a3897ca7a773f4ea8bcaf218c92d6e39498e89263dc4e7ff798984fccb4879312dfb32c5c94b30d4

memory/1680-61-0x0000000000110000-0x000000000011D000-memory.dmp

\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 3aff699f5cdc7fcf5119ec1f8956ef43
SHA1 7dc71e7ff4e9367a3246ebaaa442628582a69913
SHA256 3098cb289b32a21f3a5419e1c4010b9eb36cd376c01a6c9e7f2a496de095798f
SHA512 3c8e7b3afd22a8a552c5e93a09075ded1613d0a553f814f98c21cddd077da124f4d0aeaefbec348cd64e2ce5439f5ac34cbe8aeb6b3ea718615c412901a4e8e3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 3aff699f5cdc7fcf5119ec1f8956ef43
SHA1 7dc71e7ff4e9367a3246ebaaa442628582a69913
SHA256 3098cb289b32a21f3a5419e1c4010b9eb36cd376c01a6c9e7f2a496de095798f
SHA512 3c8e7b3afd22a8a552c5e93a09075ded1613d0a553f814f98c21cddd077da124f4d0aeaefbec348cd64e2ce5439f5ac34cbe8aeb6b3ea718615c412901a4e8e3

\Users\Admin\AppData\Local\Temp\nsb454A.tmp\Sibuia.dll

MD5 6a3c3c97e92a5949f88311e80268bbb5
SHA1 48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

memory/2032-73-0x000000000E670000-0x000000000E671000-memory.dmp

memory/2032-74-0x000000000E671000-0x000000000E672000-memory.dmp

\Users\Admin\AppData\Local\Temp\sib46F0.tmp\SibClr.dll

MD5 5ea6d2ffeb1be3fc0571961d0c4c2b5f
SHA1 902dfe9ae735c83fb0cb46b3e110bbf2aa80209e
SHA256 508336b6a7c3226738e74f6ce969e828da904ad9f7610b9112f883a316ee9222
SHA512 e81657087f451a37f06a07bf84175117fdaf75d5d8b84cbdc49497fcf88f96e259074518ea3037680d27c9eaeebd7a8df496297593fead88d7edea202a572585

memory/2032-77-0x0000000002820000-0x0000000002832000-memory.dmp

memory/2032-79-0x000000000E674000-0x000000000E675000-memory.dmp

memory/2032-78-0x000000000E673000-0x000000000E674000-memory.dmp

memory/2032-80-0x000000000E675000-0x000000000E677000-memory.dmp

memory/2032-81-0x0000000010D50000-0x0000000010E0A000-memory.dmp

\Users\Admin\AppData\Local\Temp\sib46F0.tmp\SibCa.dll

MD5 96b628dc0dccb7434b8b9e204d0217a5
SHA1 beefbdfa2eebca37534098af51e76480c0b665a6
SHA256 12969642b2c3eedfe8e1e7efda9096357c714d301301a60fa9dade7e97f37957
SHA512 9e851408b1cdfcd78819ff039bd061c8d6e00167e79deb7b84046ddcd29ece32e10e0abea9b0c686f61456cf1372d87ce9341e6c8e633494032a91be8d3fcb6a

memory/2032-84-0x000000000E640000-0x000000000E648000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\0\pub2.vbs

MD5 0bd4f555971d265433425fe4fb9adf46
SHA1 b6eed2aaaa222a07e048180e72ab51455cac02ab
SHA256 1306304bb08fa2f043811a319b6178fd20dfd93c2d63265df061bedcc439b66b
SHA512 bde9ef524261d22f5bd83587536d0cf79ff772318ebe8b38a6d0431864efd9fc5016e767f020d9546a569a45e5b676dc52357f6db0b39e8b6c95785608b05d5f

\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe

MD5 338bc562d6d019e0691a7678a1b99b5e
SHA1 220f9ee2d7791354e2126379fabfafe16f383fae
SHA256 4c3203b73552bc217c1be062919f54b17d06d5c4c7efc9ec12ea1a174ed4d19b
SHA512 ae57cb3b5f396d306ff614e1453cc56ebd9d22ad157705df40bcc95b8a6bcabcb55c4d6c4666947109c88433d87085e7b56658ae855ab3cce526029d2a1ab7cf

C:\Users\Admin\AppData\Local\Temp\sib46F0.tmp\1\2.exe

MD5 338bc562d6d019e0691a7678a1b99b5e
SHA1 220f9ee2d7791354e2126379fabfafe16f383fae
SHA256 4c3203b73552bc217c1be062919f54b17d06d5c4c7efc9ec12ea1a174ed4d19b
SHA512 ae57cb3b5f396d306ff614e1453cc56ebd9d22ad157705df40bcc95b8a6bcabcb55c4d6c4666947109c88433d87085e7b56658ae855ab3cce526029d2a1ab7cf

memory/1732-98-0x0000000000500000-0x0000000000501000-memory.dmp

memory/1732-97-0x0000000000720000-0x0000000000721000-memory.dmp

memory/1732-96-0x00000000008A0000-0x00000000008A1000-memory.dmp

memory/1732-95-0x00000000007E0000-0x00000000007E1000-memory.dmp

memory/1732-94-0x00000000005B0000-0x00000000005B2000-memory.dmp

memory/1732-99-0x0000000000900000-0x0000000000E04000-memory.dmp

memory/1732-100-0x0000000000890000-0x0000000000891000-memory.dmp

memory/1732-102-0x0000000000770000-0x0000000000771000-memory.dmp

memory/1732-103-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1732-101-0x00000000008B0000-0x00000000008B1000-memory.dmp

memory/1732-104-0x0000000000450000-0x0000000000451000-memory.dmp

memory/1732-111-0x0000000000550000-0x0000000000551000-memory.dmp

memory/1732-110-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1732-109-0x00000000004E0000-0x00000000004E1000-memory.dmp

memory/1732-108-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/1732-107-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1732-106-0x0000000002530000-0x0000000002531000-memory.dmp

memory/1732-105-0x0000000000440000-0x0000000000441000-memory.dmp

memory/1732-112-0x0000000000610000-0x0000000000711000-memory.dmp

memory/1732-113-0x00000000715E1000-0x00000000715E3000-memory.dmp

memory/1732-114-0x0000000002850000-0x0000000002851000-memory.dmp

memory/1732-116-0x0000000071471000-0x0000000071473000-memory.dmp

memory/1732-115-0x0000000000780000-0x0000000000781000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-06 15:03

Reported

2022-02-06 15:06

Platform

win10v2004-en-20220113

Max time kernel

11s

Max time network

15s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\WindowsUpdate.log C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log C:\Windows\system32\svchost.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2B8F1B57330DBBA2D07A6C51F70EE90DDAB9AD8E\Blob = 5c000000010000000400000000100000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000e793c9b02fd8aa13e21c31228accb08119643b749c898964b1746d46c3d4cbd21400000001000000140000005379bf5aaa2b4acf5480e1d89bc09df2b20366cb1d0000000100000010000000885010358d29a38f059b028559c95f900b00000001000000100000005300650063007400690067006f0000000300000001000000140000002b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e2000000001000000e2050000308205de308203c6a003020102021001fd6d30fca3ca51a81bbc640e35032d300d06092a864886f70d01010c0500308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f72697479301e170d3130303230313030303030305a170d3338303131383233353935395a308188310b3009060355040613025553311330110603550408130a4e6577204a6572736579311430120603550407130b4a65727365792043697479311e301c060355040a131554686520555345525452555354204e6574776f726b312e302c06035504031325555345525472757374205253412043657274696669636174696f6e20417574686f7269747930820222300d06092a864886f70d01010105000382020f003082020a028202010080126517360ec3db08b3d0ac570d76edcd27d34cad508361e2aa204d092d6409dcce899fcc3da9ecf6cfc1dcf1d3b1d67b3728112b47da39c6bc3a19b45fa6bd7d9da36342b676f2a93b2b91f8e26fd0ec162090093ee2e874c918b491d46264db7fa306f188186a90223cbcfe13f087147bf6e41f8ed4e451c61167460851cb8614543fbc33fe7e6c9cff169d18bd518e35a6a766c87267db2166b1d49b7803c0503ae8ccf0dcbc9e4cfeaf0596351f575ab7ffcef93db72cb6f654ddc8e7123a4dae4c8ab75c9ab4b7203dca7f2234ae7e3b68660144e7014e46539b3360f794be5337907343f332c353efdbaafe744e69c76b8c6093dec4c70cdfe132aecc933b517895678bee3d56fe0cd0690f1b0ff325266b336df76e47fa7343e57e0ea566b1297c3284635589c40dc19354301913acd37d37a7eb5d3a6c355cdb41d712daa9490bdfd8808a0993628eb566cf2588cd84b8b13fa4390fd9029eeb124c957cf36b05a95e1683ccb867e2e8139dcc5b82d34cb3ed5bffdee573ac233b2d00bf3555740949d849581a7f9236e651920ef3267d1c4d17bcc9ec4326d0bf415f40a94444f499e757879e501f5754a83efd74632fb1506509e658422e431a4cb4f0254759fa041e93d426464a5081b2debe78b7fc6715e1c957841e0f63d6e962bad65f552eea5cc62808042539b80e2ba9f24c971c073f0d52f5edef2f820f0203010001a3423040301d0603551d0e041604145379bf5aaa2b4acf5480e1d89bc09df2b20366cb300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201005cd47c0dcff7017d4199650c73c5529fcbf8cf99067f1bda43159f9e0255579614f1523c27879428ed1f3a0137a276fc5350c0849bc66b4eba8c214fa28e556291f36915d8bc88e3c4aa0bfdefa8e94b552a06206d55782919ee5f305c4b241155ff249a6e5e2a2bee0b4d9f7ff70138941495430709fb60a9ee1cab128ca09a5ea7986a596d8b3f08fbc8d145af18156490120f73282ec5e2244efc58ecf0f445fe22b3eb2f8ed2d9456105c1976fa876728f8b8c36afbf0d05ce718de6a66f1f6ca67162c5d8d083720cf16711890c9c134c7234dfbcd571dfaa71dde1b96c8c3c125d65dabd5712b6436bffe5de4d661151cf99aeec17b6e871918cde49fedd3571a21527941ccf61e326bb6fa36725215de6dd1d0b2e681b3b82afec836785d4985174b1b9998089ff7f78195c794a602e9240ae4c372a2cc9c762c80e5df7365bcae0252501b4dd1a079c77003fd0dcd5ec3dd4fabb3fcc85d66f7fa92ddfb902f7f5979ab535dac367b0874aa9289e238eff5c276be1b04ff307ee002ed45987cb524195eaf447d7ee6441557c8d590295dd629dc2b9ee5a287484a59bb790c70c07dff589367432d628c1b0b00be09c4cc31cd6fce369b54746812fa282abd3634470c48dff2d33baad8f7bb57088ae3e19cf4028d8fcc890bb5d9922f552e658c51f883143ee881dd7c68e3c436a1da718de7d3d16f162f9ca90a8fd C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 3532 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 3532 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
PID 1956 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 1956 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe C:\Windows\SysWOW64\cmd.exe
PID 3532 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 3532 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 3532 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
PID 3244 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3244 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 3244 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe

"C:\Users\Admin\AppData\Local\Temp\0ce184ed442b827c16869a258ac9e25d5cd7dbaf065b8478c2a9333aabe3b764.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c ping 127.0.0.1 && del "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe" >> NUL

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 settings-win.data.microsoft.com udp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 www.rationalowl.com udp
KR 211.239.150.87:443 www.rationalowl.com tcp
NL 51.124.78.146:443 settings-win.data.microsoft.com tcp
US 8.8.8.8:53 iplogger.org udp
DE 148.251.234.83:443 iplogger.org tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 8f2a62627b2f078181b1c94666988121
SHA1 5b87477abdde9bf1bf7f5db877a0a11ef805099d
SHA256 fcc0a27322e855794eff2c2e5598647dca7cf095ece49dbdd5676f4a18c6c66e
SHA512 93cdae1cb29bb680be616f795c5a01e73b99b8dc89e62773a3897ca7a773f4ea8bcaf218c92d6e39498e89263dc4e7ff798984fccb4879312dfb32c5c94b30d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

MD5 8f2a62627b2f078181b1c94666988121
SHA1 5b87477abdde9bf1bf7f5db877a0a11ef805099d
SHA256 fcc0a27322e855794eff2c2e5598647dca7cf095ece49dbdd5676f4a18c6c66e
SHA512 93cdae1cb29bb680be616f795c5a01e73b99b8dc89e62773a3897ca7a773f4ea8bcaf218c92d6e39498e89263dc4e7ff798984fccb4879312dfb32c5c94b30d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 f322ac375e4273eb3e5b9a851db9f535
SHA1 d993cf3ed31fe9f71fd050df89aa4d5665e78e48
SHA256 982522771f14812aaaad2dfd8cfaf9ab4103badce0566c0b17de67c970d25eb6
SHA512 43f9f2c6f5bbc652bbc677e078ffca6c97e1c79a64e4fa7083440a3aff55f64072e4c6cf20376253aa6c89f8f12570dc4d287a4ec10db65a510c1245b0172778

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

MD5 7fed0570bdabdff95c3f2a936b1ec947
SHA1 6d2e51b7f7e8402a42236470d5ee9b8baa81e5f7
SHA256 a04962dd3e474c4ff854c00b3d10a9e9a72b809ffba327f7b01c1211a9f41471
SHA512 8296487838365177105a15c22fc174cf1c7df18d4c0254b25890a5b77f16712bbb74874d6547f8cedb77412cd7b832240e4ffad95f2e789cd84b55b49dd29d48

C:\Users\Admin\AppData\Local\Temp\nsd54A6.tmp\Sibuia.dll

MD5 6a3c3c97e92a5949f88311e80268bbb5
SHA1 48c11e3f694b468479bc2c978749d27b5d03faa2
SHA256 7938db73242aafbe80915e4ca886d38be9b7e872b93bdae1e8ee6cf4a005b7d9
SHA512 6141886a889825ccdfa59a419f7670a34ef240c4f90a83bc17223c415f2fbd983280e98e67485710e449746b5bf3284907537bef6ab698a48954dd4910ddf693

memory/2280-150-0x000002A40EDE0000-0x000002A40EDE4000-memory.dmp