Analysis Overview
SHA256
8f25770adfb0401fc602c1e21067f3b5756a40b68b582f9e495708b8366cca03
Threat Level: Known bad
The file 8f25770adfb0401fc602c1e21067f3b5756a40b68b582f9e495708b8366cca03 was found to be: Known bad.
Malicious Activity Summary
LimeRAT
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Maps connected drives based on registry
Legitimate hosting services abused for malware hosting/C2
Program crash
Enumerates physical storage devices
NSIS installer
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-12 10:18
Signatures
NSIS installer
Analysis: behavioral5
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
200s
Max time network
207s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe"
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
"C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe"
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe'"
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
"C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
Files
memory/1008-54-0x0000000075381000-0x0000000075383000-memory.dmp
\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1796-57-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/1072-60-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/1796-64-0x0000000000C30000-0x0000000000C3C000-memory.dmp
memory/1072-65-0x00000000001F0000-0x00000000001F8000-memory.dmp
memory/912-67-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/980-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/980-74-0x0000000000940000-0x000000000094C000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
203s
Max time network
208s
Command Line
Signatures
LimeRAT
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Cure Tool.exe"
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
"C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe"
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
"C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc ONLOGON /RL HIGHEST /tn LimeRAT-Admin /tr "'C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe'"
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
"C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| IE | 13.69.239.73:443 | | tcp |
| US | 67.26.211.254:80 | | tcp |
| US | 67.26.211.254:80 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 93.184.220.29:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
| US | 8.8.8.8:53 | uipapai.duckdns.org | udp |
Files
memory/3368-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tvsxwrc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/4528-133-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Cure Tool.exe
| MD5 | 7658c455f3acdc2b574da9f863855f01 |
| SHA1 | c05e0e3ccfb01bec9e6e4f8592fc21fe8a991b32 |
| SHA256 | 8d0ab3ac5f70ab0d16c1c3f1f66e4580e4116175d30bece8b14514858c9174dc |
| SHA512 | 7325535c7228542cecf43c2042dd07caee54d8f61a49ea5750508f7ed27ad0f5b24c62a023c0c8f675bb8c077720d60565338ce10754ae098ec7d47bf3f83730 |
memory/3368-136-0x0000000000170000-0x000000000017C000-memory.dmp
memory/4528-137-0x0000000000BC0000-0x0000000000BC8000-memory.dmp
memory/3368-138-0x0000000004AC0000-0x0000000004B5C000-memory.dmp
memory/3368-139-0x0000000004B60000-0x0000000004BC6000-memory.dmp
memory/3368-140-0x0000000005780000-0x0000000005D24000-memory.dmp
memory/4412-141-0x0000000000000000-mapping.dmp
memory/3520-142-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TeamViewer\twvrsvc.exe
| MD5 | 7374806e51b404de9c639cbff4226eed |
| SHA1 | 6c7466e48018fa00ccf53a24615448117697f494 |
| SHA256 | 5963297e6660586d55779912944414ca8e5ccdf2769419b779e145d5fc597c9f |
| SHA512 | 5c29c8c16be3a46cf64997fda0810953fa16c3f53fd8f7979e80a97849e23e36baca1cf84cf84a1404b55cbde8543c3d740c9397da576738a14c64a9962f00f7 |
memory/3520-145-0x00000000066D0000-0x0000000006762000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win10v2004-20220414-en
Max time kernel
158s
Max time network
185s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Mono.Cecil.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.6:443 | | tcp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:42
Platform
win7-20220414-en
Max time kernel
44s
Max time network
49s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 548 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 548 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 548 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 548 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 548 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 548 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 548 wrote to memory of 908 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
Network
Files
memory/908-54-0x0000000000000000-mapping.dmp
memory/908-55-0x0000000076181000-0x0000000076183000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
22s
Max time network
46s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1832 wrote to memory of 1840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1832 wrote to memory of 1840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1832 wrote to memory of 1840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1832 wrote to memory of 1840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1832 wrote to memory of 1840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1832 wrote to memory of 1840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1832 wrote to memory of 1840 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
Network
Files
memory/1840-54-0x0000000000000000-mapping.dmp
memory/1840-55-0x0000000074F91000-0x0000000074F93000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:42
Platform
win10v2004-20220414-en
Max time kernel
112s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\961API.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.253.208.113:80 | | tcp |
| IE | 20.50.73.9:443 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
| US | 8.253.208.113:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
177s
Max time network
220s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Booya Theme.dll",#1
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| US | 13.89.178.26:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| GB | 92.123.140.25:80 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
193s
Max time network
206s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\KeikoObfuscator.dll",#1
Network
| Country | Destination | Domain | Proto |
| GB | 173.222.211.107:80 | | tcp |
| GB | 173.222.211.107:80 | | tcp |
| IE | 13.69.239.72:443 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| BE | 8.238.110.126:80 | | tcp |
| US | 40.125.122.151:443 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| NL | 104.123.41.162:80 | | tcp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
33s
Max time network
48s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Mono.Cecil.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
Files
Analysis: behavioral18
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
150s
Max time network
191s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3744 wrote to memory of 4532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3744 wrote to memory of 4532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3744 wrote to memory of 4532 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Ranger.BrowserLogging.dll",#1
Network
| Country | Destination | Domain | Proto |
| NL | 8.248.1.254:80 | | tcp |
| NL | 52.178.17.3:443 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| US | 8.8.8.8:53 | 106.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
Files
memory/4532-130-0x0000000000000000-mapping.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:42
Platform
win7-20220414-en
Max time kernel
42s
Max time network
46s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.orionkeylogger.com | udp |
Files
memory/2024-54-0x00000000009A0000-0x0000000000ABA000-memory.dmp
memory/2024-55-0x000007FEFC061000-0x000007FEFC063000-memory.dmp
memory/2024-56-0x0000000000500000-0x0000000000510000-memory.dmp
memory/2024-57-0x0000000000520000-0x000000000053E000-memory.dmp
memory/2024-58-0x0000000001EC0000-0x0000000001EFC000-memory.dmp
memory/2024-59-0x000000001AFA7000-0x000000001AFC6000-memory.dmp
memory/2024-60-0x000000001AFA7000-0x000000001AFC6000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win10v2004-20220414-en
Max time kernel
168s
Max time network
172s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe
"C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Orion Keylogger2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.242.101.226:443 | | tcp |
| US | 8.8.8.8:53 | www.orionkeylogger.com | udp |
| US | 20.42.73.26:443 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| NL | 87.248.202.1:80 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 52.242.101.226:443 | | tcp |
| US | 67.26.209.254:80 | | tcp |
| US | 8.252.117.126:80 | | tcp |
Files
memory/868-130-0x00000260711A0000-0x00000260712BA000-memory.dmp
memory/868-131-0x0000026072F10000-0x0000026072F20000-memory.dmp
memory/868-132-0x0000026073710000-0x000002607372E000-memory.dmp
memory/868-133-0x0000026074930000-0x000002607496C000-memory.dmp
memory/868-134-0x00007FFC6B8B0000-0x00007FFC6C371000-memory.dmp
memory/868-135-0x00007FFC6B8B0000-0x00007FFC6C371000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
175s
Max time network
188s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4728 wrote to memory of 3956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4728 wrote to memory of 3956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4728 wrote to memory of 3956 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\ranger.browserlogging.vault.dll",#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 3956 -ip 3956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 664
Network
| Country | Destination | Domain | Proto |
| FR | 2.16.119.157:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 13.89.178.27:443 | | tcp |
| FR | 2.16.119.157:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 88.221.144.179:80 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
Files
memory/3956-130-0x0000000000000000-mapping.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:41
Platform
win7-20220414-en
Max time kernel
45s
Max time network
49s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\961API.dll",#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:42
Platform
win7-20220414-en
Max time kernel
9s
Max time network
47s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Booya Theme.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
57s
Max time network
47s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\KeikoObfuscator.dll",#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win7-20220414-en
Max time kernel
9s
Max time network
45s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Newtonsoft.Json.dll",#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win7-20220414-en
Max time kernel
9s
Max time network
47s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\MintUI.dll",#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win10v2004-20220414-en
Max time kernel
173s
Max time network
184s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\MintUI.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 13.107.4.50:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| US | 20.189.173.15:443 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
| IE | 20.54.89.106:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:42
Platform
win10v2004-20220414-en
Max time kernel
91s
Max time network
136s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\Newtonsoft.Json.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 20.42.73.26:443 | | tcp |
| NL | 8.238.21.126:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| US | 8.253.208.112:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:44
Platform
win7-20220414-en
Max time kernel
9s
Max time network
47s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\RedPandaUI.dll",#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2022-06-12 10:18
Reported
2022-06-12 15:43
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
187s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Orion Keylogger 2.1 crcked\RedPandaUI.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 20.189.173.6:443 | | tcp |
| CH | 173.222.108.226:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| US | 52.152.108.96:443 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |