Malware Analysis Report

2024-10-18 23:00

Sample ID 220510-gq7ztaafam
Target star.exe
SHA256 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
Tags
globeimposter persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

Threat Level: Known bad

The file star.exe was found to be: Known bad.

Behaviour chain, as recorded in the two detonations below (Windows 7 and Windows 10): the sample writes a RunOnce value named BrowserUpdateCheck pointing at C:\Users\Admin\AppData\Local\star.exe, runs schtasks.exe to create a task named Updates\jVYbanglCI from an XML definition it writes to the user's Temp directory, drops jVYbanglCI.exe into C:\Users\Admin\AppData\Roaming, starts a second instance of itself and modifies that instance's thread context, then walks the user profile (and, on the Windows 7 image, Program Files (x86)), renaming files with an appended .xls extension and creating read-me.txt in the directories it visits. The report attributes no network connection to the sample in either run. The GlobeImposter classification comes from a signature match; the spyware and stealer tags come from the browser-data signature, for which no indicator rows are shown in either run.

Malicious Activity Summary

globeimposter persistence ransomware spyware stealer

GlobeImposter

Modifies extensions of user files

Reads user/profile data of web browsers

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-10 06:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-10 06:01

Reported

2022-05-10 06:11

Platform

win7-20220414-en

Max time kernel

151s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware
Process: C:\Users\Admin\AppData\Local\Temp\star.exe; Target: N/A (all rows)

Description | Indicator
File renamed | C:\Users\Admin\Pictures\ConnectLock.raw => C:\Users\Admin\Pictures\ConnectLock.raw.xls
File renamed | C:\Users\Admin\Pictures\ConvertSelect.crw => C:\Users\Admin\Pictures\ConvertSelect.crw.xls
File renamed | C:\Users\Admin\Pictures\ApproveClose.png => C:\Users\Admin\Pictures\ApproveClose.png.xls

Reads user/profile data of web browsers

spyware stealer

No indicator rows are recorded for this signature in this run; the spyware and stealer tags rest on the signature match alone.

Adds Run key to start application

persistence
Process: C:\Users\Admin\AppData\Local\Temp\star.exe; Target: N/A (all rows)

Description | Indicator
Key created | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce
Set value (str) | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"

Drops desktop.ini file(s)

Process: C:\Users\Admin\AppData\Local\Temp\star.exe; Target: N/A (all rows)

Description | Indicator
File opened for modification | C:\Users\Admin\Music\desktop.ini
File opened for modification | C:\Users\Public\Videos\desktop.ini
File opened for modification | C:\Users\Public\Pictures\desktop.ini
File opened for modification | C:\Users\Admin\Searches\desktop.ini
File opened for modification | C:\Users\Public\Libraries\desktop.ini
File opened for modification | C:\Users\Public\Downloads\desktop.ini
File opened for modification | C:\Users\Admin\Videos\desktop.ini
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini
File opened for modification | C:\Users\Admin\Documents\desktop.ini
File opened for modification | C:\Users\Admin\Contacts\desktop.ini
File opened for modification | C:\Program Files (x86)\desktop.ini
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini
File opened for modification | C:\Users\Public\Desktop\desktop.ini
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\desktop.ini
File opened for modification | C:\Users\Admin\Downloads\desktop.ini
File opened for modification | C:\Users\Admin\Desktop\desktop.ini
File opened for modification | C:\Users\Public\desktop.ini
File opened for modification | C:\Users\Public\Music\desktop.ini
File opened for modification | C:\Users\Public\Documents\desktop.ini
File opened for modification | C:\Users\Admin\Links\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\desktop.ini

Despite the signature name, every row records an existing desktop.ini being opened for modification rather than a file being created, consistent with the sample opening every file in the directories it walks.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1652 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Drops file in Program Files directory

Process: C:\Users\Admin\AppData\Local\Temp\star.exe; Target: N/A (all rows)

Description | Indicator
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\VSTAClientPkgUI.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\Maple.gif
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Details.accdt
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\read-me.txt
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlcese35.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GKPowerPoint.dll
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.Tools.Applications.Project.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\MedianMergeLetter.Dotx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCDDSLM.DLL
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Northwind.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dialog.zip
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\read-me.txt
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\UserControl.zip
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\MedianFax.Dotx
File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\read-me.txt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FRENCH.LNG
File created | C:\Program Files (x86)\read-me.txt
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Visualizer.zip
File opened for modification | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\Synchronization.rll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Priority.accft
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\SalesReport.xltx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\OriginFax.Dotx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Students.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IPOLK.DLL
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceme35.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\SEAMARBL.HTM
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\XmlFile.zip
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.DesignTime.dll
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\System.AddIn.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\2 Top.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\AUDIOSEARCHSAPIFE.DLL
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sqlceca35.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielMergeFax.Dotx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeLetter.Dotx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Contacts.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\LATIN1.SHP
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\Microsoft.VisualStudio.Tools.Applications.Adapter.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Assets.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Phone.accft
File opened for modification | C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\WidescreenPresentation.potx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Tasks.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IMPMAIL.DLL
File created | C:\Program Files (x86)\Mozilla Maintenance Service\read-me.txt
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\VSTAClientPkg.dll
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\MDIParent.zip
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\List.accdt
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\AboutBox.zip
File opened for modification | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\Microsoft.Synchronization.Data.Server.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\OriginMergeFax.Dotx
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSEvents.man
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\excelcnvpxy.dll
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Installed_schemas14.xss

The five read-me.txt creations are the only file creations in this table; every other row is an existing Program Files binary, template or log opened for modification, and each read-me.txt lands in a directory the sample was already modifying files in, consistent with a per-directory note.
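The file activity in this run (the .xls renames in the Pictures folder, the read-me.txt creations above, and the sweep of existing files opened for modification) is what a file-activity heuristic for ransomware keys on. The Python below is an added example, not part of the sandbox report: it scores one process on two signals, a constant extension appended to files of several different original types, and the same note-like file name created in several directories. The event dictionary shape, the note-name pattern and the thresholds are this example's own choices; the sample events are reconstructed from the behavioral1 tables on this page plus one benign control process.

```python
import ntpath
import re
from collections import defaultdict

# File-event shape used by this example only (not the sandbox's native format):
# {"pid": int, "op": "rename" | "create" | "modify", "path": str, "new_path": str or None}

# Note-like file names seen across ransomware families; a heuristic, not a complete list.
NOTE_NAME = re.compile(
    r"^(read[-_ ]?me|how[-_ ]?to[-_ ]?(decrypt|restore|recover)|decrypt[-_ ]?(me|instructions?))",
    re.I,
)


def appended_suffix(old, new):
    """Return 'ext' when new is exactly old + '.ext' (original name and extension
    left intact, one extra extension appended); otherwise None."""
    prefix = old.lower() + "."
    if not new.lower().startswith(prefix):
        return None
    tail = new[len(prefix):]
    if not tail or "." in tail or "\\" in tail:
        return None
    return tail.lower()


def score_ransomware(events, pid, min_renames=3, min_note_dirs=2):
    """Score one process's file activity. Two independent reasons together give
    'ransomware-like'; one gives 'suspicious'; none gives 'clean'."""
    appended = defaultdict(list)      # appended ext -> list of original extensions
    note_dirs, touched_dirs = set(), set()
    for ev in events:
        if ev["pid"] != pid:
            continue
        path = ev["path"]
        touched_dirs.add(ntpath.dirname(path).lower())
        if ev["op"] == "rename":
            ext = appended_suffix(path, ev["new_path"])
            if ext:
                appended[ext].append(ntpath.splitext(path)[1].lower())
        elif ev["op"] == "create" and NOTE_NAME.match(ntpath.basename(path)):
            note_dirs.add(ntpath.dirname(path).lower())
    reasons = []
    for ext, origs in appended.items():
        # A backup tool appends one suffix to one file type; ransomware appends
        # one suffix to whatever it finds.
        if len(origs) >= min_renames and len(set(origs)) >= 2:
            reasons.append(f"{len(origs)} files of {len(set(origs))} types renamed with appended .{ext}")
    if len(note_dirs) >= min_note_dirs:
        reasons.append(f"note file created in {len(note_dirs)} directories")
    verdict = {0: "clean", 1: "suspicious", 2: "ransomware-like"}[len(reasons)]
    return {"pid": pid, "verdict": verdict, "reasons": reasons,
            "directories_touched": len(touched_dirs)}


def _ev(pid, op, path, new_path=None):
    return {"pid": pid, "op": op, "path": path, "new_path": new_path}


PF = r"C:\Program Files (x86)"
PICS = r"C:\Users\Admin\Pictures"
# Constructed sample input: events taken from the behavioral1 tables (pid 1652),
# plus a benign control process (pid 4000) that renames one file and writes one README.
SAMPLE_EVENTS = [
    _ev(1652, "rename", PICS + r"\ConnectLock.raw", PICS + r"\ConnectLock.raw.xls"),
    _ev(1652, "rename", PICS + r"\ConvertSelect.crw", PICS + r"\ConvertSelect.crw.xls"),
    _ev(1652, "rename", PICS + r"\ApproveClose.png", PICS + r"\ApproveClose.png.xls"),
    _ev(1652, "modify", r"C:\Users\Admin\Music\desktop.ini"),
    _ev(1652, "modify", PF + r"\Microsoft Office\Office14\GKPowerPoint.dll"),
    _ev(1652, "create", PF + r"\Microsoft Visual Studio 8\VSTA\Bin\1033\read-me.txt"),
    _ev(1652, "create", PF + r"\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\read-me.txt"),
    _ev(1652, "create", PF + r"\Microsoft Office\Templates\1033\Access\read-me.txt"),
    _ev(1652, "create", PF + r"\read-me.txt"),
    _ev(1652, "create", PF + r"\Mozilla Maintenance Service\read-me.txt"),
    _ev(4000, "rename", r"C:\Users\Admin\Documents\report.docx", r"C:\Users\Admin\Documents\report.docx.bak"),
    _ev(4000, "create", r"C:\Users\Admin\Documents\README.txt"),
]

if __name__ == "__main__":
    for pid in (1652, 4000):
        print(score_ransomware(SAMPLE_EVENTS, pid))
```

The rename rule deliberately requires more than one original extension under the same appended suffix: a backup or versioning tool appends one suffix to one file type, whereas the three renames here append .xls to .raw, .crw and .png alike. On real telemetry the thresholds should be raised and the scoring run per process over a time window, since a single process touching eight directories in seconds is itself part of the signal.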

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7975.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

Notes on the process list: the command line names System32\schtasks.exe but the image that ran is the SysWOW64 copy, which is what WOW64 file-system redirection does for a 32-bit parent. The task definition is read from the temporary file tmp7975.tmp (hashes in the Files section below), so the task's trigger and action are not visible from the command line; the task name matches the jVYbanglCI.exe dropped into AppData\Roaming. The second star.exe entry is the second instance (PID 1196) whose thread context PID 1652 modified; the report shows its command line only as the placeholder "{path}".

Network

N/A
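The persistence and injection steps recorded in this run (schtasks creating a task from an XML file in Temp, a RunOnce value pointing into AppData, and one star.exe setting the thread context of a second star.exe) are each individually noisy but together form a recognisable chain. The Python below is an added example, not part of the sandbox report or its signature set: it replays this run's events through three rules and collects the hits. The event record shape and field names are this example's own; the schtasks PID of 960 is an assumption taken from the memory/960-59 mapping entry in the Files section, and a benign schtasks invocation is added as a control.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Event:
    """Event shape for this example only; not the sandbox's native record format."""
    kind: str                         # "process", "registry" or "thread_context"
    pid: int
    image: str
    cmdline: str = ""
    key: str = ""                     # registry events
    value: str = ""
    target_pid: Optional[int] = None  # thread_context events
    target_image: str = ""


TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Local|Roaming)\\", re.I)
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def check_schtasks(ev):
    """schtasks /Create whose /XML definition lives in a temp directory: the
    trigger and action are hidden in a throw-away file, not on the command line."""
    if ev.kind != "process" or not ev.image.lower().endswith("schtasks.exe"):
        return None
    xml = re.search(r'/XML\s+"?([^"]+)"?', ev.cmdline, re.I)
    if "/create" in ev.cmdline.lower() and xml and TEMP_DIR.search(xml.group(1)):
        tn = re.search(r'/TN\s+"?([^"]+)"?', ev.cmdline, re.I)
        name = tn.group(1) if tn else "?"
        return f"scheduled task {name} created from temp XML {xml.group(1)} (pid {ev.pid})"
    return None


def check_autorun(ev):
    """Run/RunOnce value whose command points into a user-writable AppData path."""
    if ev.kind != "registry" or not AUTORUN_KEY.search(ev.key):
        return None
    if USER_WRITABLE.search(ev.value):
        name = ev.key.rsplit("\\", 1)[-1]
        return f"autorun value {name} -> {ev.value} (pid {ev.pid})"
    return None


def check_self_hollow(ev):
    """A process rewriting the thread context of another instance of its own image,
    the hand-off step of process hollowing."""
    if ev.kind != "thread_context":
        return None
    if ev.target_image.lower() == ev.image.lower() and ev.target_pid != ev.pid:
        return f"pid {ev.pid} set thread context in pid {ev.target_pid} of the same image ({ev.image})"
    return None


RULES = (check_schtasks, check_autorun, check_self_hollow)


def triage(events):
    """Run every rule over every event and return the list of findings."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


STAR = r"C:\Users\Admin\AppData\Local\Temp\star.exe"
# Constructed sample input: the behavioral1 events from this page, plus a benign control.
SAMPLE_EVENTS = [
    Event("process", 1652, STAR, f'"{STAR}"'),
    Event("registry", 1652, STAR,
          key=r"HKU\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck",
          value=r"C:\Users\Admin\AppData\Local\star.exe"),
    # pid 960 is assumed from the memory/960-59 entry; the report does not state it.
    Event("process", 960, r"C:\Windows\SysWOW64\schtasks.exe",
          r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7975.tmp"'),
    Event("thread_context", 1652, STAR, target_pid=1196, target_image=STAR),
    # Benign control: a task whose XML sits outside any temp directory must not fire.
    Event("process", 4000, r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\backup\task.xml"'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each rule on its own will fire on legitimate software now and then (installers create tasks from XML, some updaters register RunOnce entries); the value is in all three landing on the same parent within one run, which is how the report's own signature list reads for PID 1652.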

Files

memory/1652-54-0x0000000000B80000-0x0000000000BE0000-memory.dmp

memory/1652-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

memory/1652-56-0x00000000004C0000-0x00000000004CA000-memory.dmp

memory/1652-57-0x0000000004480000-0x00000000044E6000-memory.dmp

memory/1652-58-0x0000000000AF0000-0x0000000000B02000-memory.dmp

memory/960-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp7975.tmp

MD5 bb910ae88dc840ba6e45389ffe6c6196
SHA1 640c0e3a1e918c12255a51f16ab6bb5ece1e85a6
SHA256 68be26cec28d3e64f867678c40994352ad27b2e92c0c7db9fdaf068b290541ee
SHA512 e6b95310c5b3ad7553e9992ade23934e4ed128959702ca39b9c27cf5408517e1b2ca336a2823323aaf841ca04a793030cbd60af6d40ec15f728981c9bf840fb1

memory/1196-61-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1196-62-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1196-64-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1196-65-0x0000000000409F20-mapping.dmp

memory/1196-68-0x0000000000400000-0x000000000040E000-memory.dmp

memory/1196-69-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

MD5 288358daa673ba0dea60a03d56a37e7f
SHA1 81cdfb9c06fcb6b72a3241453d00f3a46d02b14d
SHA256 c09562db891c2110734610e0db85695493e92fc7aac8c9a6211a17d812fbfadb
SHA512 0c588cbd0e11f83ddeb208a3b205cbf98004218672d7134c046ca926e4b0ed4253c4a36990b0414c930e3ac48bfaf1bfd9459f5fd604fecdb9dd557a9fcd0599

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-10 06:01

Reported

2022-05-10 06:10

Platform

win10v2004-20220414-en

Max time kernel

157s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware
Description Indicator Process Target
File renamed C:\Users\Admin\Pictures\RepairMeasure.tif => C:\Users\Admin\Pictures\RepairMeasure.tif.xls C:\Users\Admin\AppData\Local\Temp\star.exe N/A
File renamed C:\Users\Admin\Pictures\UnpublishConvertTo.tif => C:\Users\Admin\Pictures\UnpublishConvertTo.tif.xls C:\Users\Admin\AppData\Local\Temp\star.exe N/A
File renamed C:\Users\Admin\Pictures\MountUnblock.tif => C:\Users\Admin\Pictures\MountUnblock.tif.xls C:\Users\Admin\AppData\Local\Temp\star.exe N/A
File renamed C:\Users\Admin\Pictures\PingRead.crw => C:\Users\Admin\Pictures\PingRead.crw.xls C:\Users\Admin\AppData\Local\Temp\star.exe N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Reads user/profile data of web browsers

spyware stealer

No indicator rows are recorded for this signature in this run either; the spyware and stealer tags rest on the signature match alone.

Adds Run key to start application

persistence
Process: C:\Users\Admin\AppData\Local\Temp\star.exe; Target: N/A (all rows)

Description | Indicator
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe"
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce

Drops desktop.ini file(s)

Process: C:\Users\Admin\AppData\Local\Temp\star.exe; Target: N/A (all rows)

Description | Indicator
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini
File opened for modification | C:\Users\Admin\Desktop\desktop.ini
File opened for modification | C:\Users\Public\desktop.ini
File opened for modification | C:\Users\Public\Downloads\desktop.ini
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini
File opened for modification | C:\Users\Public\Videos\desktop.ini
File opened for modification | C:\Users\Public\Documents\desktop.ini
File opened for modification | C:\Users\Admin\Music\desktop.ini
File opened for modification | C:\Users\Admin\Downloads\desktop.ini
File opened for modification | C:\Users\Admin\Links\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\desktop.ini
File opened for modification | C:\Users\Admin\Documents\desktop.ini
File opened for modification | C:\Users\Public\Pictures\desktop.ini
File opened for modification | C:\Users\Public\Desktop\desktop.ini
File opened for modification | C:\Users\Admin\Searches\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\desktop.ini
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini
File opened for modification | C:\Users\Admin\Contacts\desktop.ini
File opened for modification | C:\Users\Public\Music\desktop.ini
File opened for modification | C:\Users\Public\Libraries\desktop.ini
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini
File opened for modification | C:\Users\Admin\Videos\desktop.ini

As in the Windows 7 run, every row is an existing desktop.ini opened for modification rather than a file creation, consistent with the sample opening every file in the directories it walks.

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2344 set thread context of 4764 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE55F.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

Notes on the process list: as in the Windows 7 run, the SysWOW64 copy of schtasks.exe runs even though the command line names System32 (WOW64 file-system redirection for a 32-bit parent), and the task definition is read from the temporary file tmpE55F.tmp (hashes in the Files section below), so the task's trigger and action are not visible here; the task name again matches the dropped jVYbanglCI.exe. The second star.exe entry is the second instance (PID 4764) whose thread context PID 2344 modified; the report shows its command line only as the placeholder "{path}".

Network

Country | Destination | Domain | Proto
US | 93.184.221.240:80 | (none resolved) | tcp
US | 20.42.72.131:443 | (none resolved) | tcp
US | 93.184.221.240:80 | (none resolved) | tcp
US | 93.184.221.240:80 | (none resolved) | tcp
US | 93.184.221.240:80 | (none resolved) | tcp
US | 204.79.197.200:443 | (none resolved) | tcp

No domain was resolved for any of these connections and the report attributes none of them to a process. All three addresses sit in cloud/CDN ranges that a Windows 10 image contacts on its own, and the Windows 7 run recorded no network activity at all, so treat these as host background traffic unless the capture ties a socket to one of the sample's processes (PID 2344 or 4764).

Files

memory/2344-130-0x0000000000190000-0x00000000001F0000-memory.dmp

memory/2344-131-0x0000000004B90000-0x0000000004C2C000-memory.dmp

memory/2344-132-0x00000000052A0000-0x0000000005844000-memory.dmp

memory/2344-133-0x0000000004CF0000-0x0000000004D82000-memory.dmp

memory/2344-134-0x0000000004C30000-0x0000000004C3A000-memory.dmp

memory/2344-135-0x0000000004E80000-0x0000000004ED6000-memory.dmp

memory/1544-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmpE55F.tmp

MD5 243998c586e102d5706d22e1ccdb5781
SHA1 a8326b85c94e9f68b6a92c45551933fb5d5fdb52
SHA256 4bcf513eb854417da91582ebb18b08b740bddb3fb6973f3693cbcf65c76b4331
SHA512 720376589d9dcd21c138f4725b66a8b604b3d6691c61c3c980cc0cead4184da328906e669497276caee719363cdf09c19d11c4a4729983a7a632c817c0ab642d

memory/4764-138-0x0000000000000000-mapping.dmp

memory/4764-139-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4764-141-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4764-142-0x0000000000400000-0x000000000040E000-memory.dmp

C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

MD5 57b076b700553392d4b27b8aec82086b
SHA1 916044c79d0f3db65bc4732877dee3e5dbfeaae2
SHA256 9ff43e411d773083b87f5f5814bf3497b5792e508c0fbede15f7231d2c3692c7
SHA512 5dd8744ea9710f533fc05512bd73c7dd8e5b47df96143724cd85acee6e0d4b4e2ab1baf3a00344195686b996e4c7351c64b97c487dc8aed005273b511f298ce9

Note that this file's hashes differ from those of the same path dropped in behavioral1 (SHA256 c09562db891c2110734610e0db85695493e92fc7aac8c9a6211a17d812fbfadb) and from star.exe itself, so the drop is not a byte-for-byte copy of the sample; hash-based hunting for it on other hosts will not work, whereas the path, the task name Updates\jVYbanglCI and the RunOnce value BrowserUpdateCheck are stable across both runs.