Analysis Overview
SHA256
bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b
Threat Level: Known bad
The file bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b was found to be: Known bad.
Malicious Activity Summary
BitRAT
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
UPX packed file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2022-11-30 14:32
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-30 14:32
Reported
2022-12-02 12:26
Platform
win7-20220812-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\W.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe | N/A |
UPX packed file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\W = "C:\\Users\\Admin\\AppData\\Roaming\\W.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2016 set thread context of 1600 | N/A | C:\Users\Admin\AppData\Roaming\W.exe | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\W.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\W.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\W.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
"C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "W" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\W.exe"
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "W" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\W.exe"
C:\Users\Admin\AppData\Roaming\W.exe
"C:\Users\Admin\AppData\Roaming\W.exe"
C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
"C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
"C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe" -f torrc
C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
"C:\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49217 | N/A | tcp |
| N/A | 31.185.104.21:443 | N/A | tcp |
| N/A | 193.70.43.76:9001 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 50.7.74.173:9001 | N/A | tcp |
| N/A | 171.25.193.25:443 | N/A | tcp |
| N/A | 198.96.155.3:5001 | N/A | tcp |
| N/A | 131.188.40.189:443 | N/A | tcp |
| N/A | 50.7.74.172:443 | N/A | tcp |
| N/A | 198.140.141.51:443 | N/A | tcp |
| N/A | 95.214.54.70:8443 | N/A | tcp |
| N/A | 91.143.88.2:443 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 198.140.141.51:443 | N/A | tcp |
| N/A | 91.143.88.2:443 | N/A | tcp |
| N/A | 127.0.0.1:49256 | N/A | tcp |
| N/A | 141.98.136.79:443 | N/A | tcp |
| N/A | 185.125.168.42:443 | N/A | tcp |
Files
\Users\Admin\AppData\Roaming\W.exe
| MD5 | 99da955426a8cfa74ac059a995a2a9a6 |
| SHA1 | cc6d485ed25c1e25fad316c51a5529f0e646c68e |
| SHA256 | bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b |
| SHA512 | e0a0430f929d71396c48ce3687652ebfac26490c17c5da091562804ecc4b023639548416bafffd2f2ab2ab00c1ecebcd8b7cad8a34c113f0031dc5cd14ddc67d |
\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
| MD5 | 6a673bfc3b67ae9782cb31af2f234c68 |
| SHA1 | 7544e89566d91e84e3cd437b9a073e5f6b56566e |
| SHA256 | 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e |
| SHA512 | 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39 |
\Users\Admin\AppData\Local\954a5290\tor\TORBUILD.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\954a5290\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\954a5290\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\954a5290\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\954a5290\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\954a5290\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
C:\Users\Admin\AppData\Local\954a5290\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
\Users\Admin\AppData\Local\954a5290\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\954a5290\tor\torrc
| MD5 | 593e865b08dbc7145bae68904242dcf7 |
| SHA1 | bd8cb5843113f5dad36f63331fc235eb544b014e |
| SHA256 | c1dffd6d7e4f0ffb4c0244cc3dcf5a385a1f21c9aa6c47e8db8cb3c9edba3f45 |
| SHA512 | 6e1ffcbffc2bda094f462c1b8886981584092d0c1293e62893420499bc5e359fbaad3ccc4823a94210aa7bbb538e34dc4ab607b8b40989712c23e7fff55a8b29 |
C:\Users\Admin\AppData\Local\954a5290\tor\data\state
| MD5 | a44d1e82ea8be3d97d5c8f24fa83fb59 |
| SHA1 | 97992823e1db31c5ebf5a2ce631ae758ae3974ef |
| SHA256 | 574484b8979efaef90ea345447632e6e4ef650bcdf6396e6f12e3c7d2d0f9ba6 |
| SHA512 | 985a1ce1ef91636eb30aab0482cd36cda57227fe061bab55a851281de58b8c75815ca1fea1c12410cb37e02a247350dd9e0056302973a474da4da3dfaba8dbb2 |
C:\Users\Admin\AppData\Local\954a5290\tor\data\cached-certs
| MD5 | 6722813343c6c39cc84631cb340c363a |
| SHA1 | cfef92dc63d38dc70f0b9d648b359013582b2675 |
| SHA256 | 22656fe0e2d3123be13bc5a59c848c00eaa8a40e4dc7a65c78c85b1911b78f0a |
| SHA512 | ac7a966206c11fa478697a7e0e863fa1afc9d76bb3e775a37e5865fc1485e8a63b563ec89b78b50d9ff547a69179faf0831bf1cd8972ca69197e63f83d57f62c |
C:\Users\Admin\AppData\Local\954a5290\tor\data\cached-microdesc-consensus
| MD5 | ef4ce74e85152715b340e5ed98a6818d |
| SHA1 | e24dd6270924ba88c8ee69d7eb640165ab0c9feb |
| SHA256 | 3eb828d5ebc27ab9c4a090d196d87e083254ca4072a80e6634cb64399ffef838 |
| SHA512 | 9793221e53209379e62a10abf5f2fb6231571212ddd5d0e9280f2f29930ed28c143de889291ce552c22eee85bdae3bd68d21c9ef6e8162cb86e3148c65e46f7d |
C:\Users\Admin\AppData\Local\954a5290\tor\data\cached-microdescs.new
| MD5 | a6710a2471803dc5853f753d0db81ecb |
| SHA1 | 455aa5f77e7658b0b3d71443bea81da94174e4cf |
| SHA256 | 5957f0dcfca3d1a728cbc8ce8074039c9f607f4b340733957ffc2e942e8eaa4b |
| SHA512 | 2d00fc83d1156f991944c4faf5a8152964b3a094b7eca1f0567cdd4a51d0edbe82ca124fb7bcc88d1efa90af26263a6ac51e997eaf8f2fa6e049f07ee872d9ad |
C:\Users\Admin\AppData\Local\954a5290\tor\data\unverified-microdesc-consensus
| MD5 | ef4ce74e85152715b340e5ed98a6818d |
| SHA1 | e24dd6270924ba88c8ee69d7eb640165ab0c9feb |
| SHA256 | 3eb828d5ebc27ab9c4a090d196d87e083254ca4072a80e6634cb64399ffef838 |
| SHA512 | 9793221e53209379e62a10abf5f2fb6231571212ddd5d0e9280f2f29930ed28c143de889291ce552c22eee85bdae3bd68d21c9ef6e8162cb86e3148c65e46f7d |
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-30 14:32
Reported
2022-12-02 12:30
Platform
win10v2004-20221111-en
Max time kernel
298s
Max time network
334s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe
"C:\Users\Admin\AppData\Local\Temp\bdc7fa90a1a4ae03e63fe914c7222cd7019d1b3cd0676fa5ee3f6f7c04416d7b.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 40.79.197.35:443 | N/A | tcp |
| N/A | 72.21.91.29:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 51.11.192.48:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 14.110.152.52.in-addr.arpa | udp |