Malware Analysis Report

2024-10-18 23:00

Sample ID 220519-cqrklscehj
Target star.exe
SHA256 59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486
Tags
globeimposter persistence ransomware spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

59e0ab333060b4e510db5d36d87f0fe267ab66b0881955649b06d91d6dd2d486

Threat Level: Known bad

The file star.exe was found to be: Known bad.

Malicious Activity Summary

globeimposter persistence ransomware spyware stealer

GlobeImposter

Modifies extensions of user files

Checks computer location settings

Reads user/profile data of web browsers

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-19 02:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-19 02:17

Reported

2022-05-19 02:32

Platform

win7-20220414-en

Max time kernel

151s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ResolveOpen.raw => C:\Users\Admin\Pictures\ResolveOpen.raw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\UnblockSplit.png => C:\Users\Admin\Pictures\UnblockSplit.png.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe" | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2036 set thread context of 1540 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49CD.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmp49CD.tmp

MD5 b6923e4e3d518b37344300a5a9af0f4f
SHA1 35279530b84c8de57384bc0d9ef21034de6a2438
SHA256 7f606adc31e791d6e9e553ee4e10758ac53e534812f517a9e353da0ab12cba2d
SHA512 d5346240c2f32f203d20f2fb247311db09b81ea6e915bb0e34a8f53dff127e45e41259a4b471cf16a875434ddb7bc01adab2a91f0f9b6866ea4eedbc9bae4bb7

C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

MD5 21b6b6c69b40e4cd8de3f27be835ab6a
SHA1 e3cde51e3deb7d744b9a49a2e41c2a2a57d67c41
SHA256 073074e8f5bd2a390713e18ea0558a2d0f62f473bf5cb55619c37e1b3a1f8adb
SHA512 0c08ecc50c35aba161355aa33309c6fd6622fb758cffb0a3e5fd44f4f48817dbc4413bb4671b57d50d90473e8f6c5191c935fde05c3d46054ce858e80a043fe2

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-19 02:17

Reported

2022-05-19 02:32

Platform

win10v2004-20220414-en

Max time kernel

159s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\star.exe"

Signatures

GlobeImposter

ransomware globeimposter

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File renamed | C:\Users\Admin\Pictures\ShowOptimize.crw => C:\Users\Admin\Pictures\ShowOptimize.crw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\SubmitCompress.tif => C:\Users\Admin\Pictures\SubmitCompress.tif.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\CompressUnlock.raw => C:\Users\Admin\Pictures\CompressUnlock.raw.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\DebugUnpublish.tiff | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
File renamed | C:\Users\Admin\Pictures\DebugUnpublish.tiff => C:\Users\Admin\Pictures\DebugUnpublish.tiff.xls | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\star.exe" | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4880 set thread context of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4880 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4880 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4880 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4880 wrote to memory of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1076 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe
PID 4880 wrote to memory of 1920 | N/A | C:\Users\Admin\AppData\Local\Temp\star.exe | C:\Users\Admin\AppData\Local\Temp\star.exe

Processes

C:\Users\Admin\AppData\Local\Temp\star.exe

"C:\Users\Admin\AppData\Local\Temp\star.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jVYbanglCI" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\star.exe

"{path}"

Network

Country | Destination | Domain | Proto
GB | 51.104.15.253:443 | | tcp
NL | 104.110.191.140:80 | | tcp
NL | 104.110.191.133:80 | | tcp
NL | 104.110.191.140:80 | | tcp
US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp
US | 204.79.197.200:443 | | tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpDE89.tmp

MD5 243998c586e102d5706d22e1ccdb5781
SHA1 a8326b85c94e9f68b6a92c45551933fb5d5fdb52
SHA256 4bcf513eb854417da91582ebb18b08b740bddb3fb6973f3693cbcf65c76b4331
SHA512 720376589d9dcd21c138f4725b66a8b604b3d6691c61c3c980cc0cead4184da328906e669497276caee719363cdf09c19d11c4a4729983a7a632c817c0ab642d

C:\Users\Admin\AppData\Roaming\jVYbanglCI.exe

MD5 09dbea5dd7daa3bcb4318e5c2ab91f7c
SHA1 9dc5488b07ff8bd58d5ab292ab39c91b88a7d82b
SHA256 217b6fc0f7b5f8c4956c5f7f6c30035923ce6c388be625e6b9aebba509d576f2
SHA512 046dbe140ec99e1e11f39596a4608d266153c586426f2a0a32d7e5f9ea81191706db3c486939e86b9002fef16b81d104be70bd31f5a5c706a24d96adaba2c924