Analysis Overview
SHA256
5bbe111d51daae6e765db9073044e5e0efc29c7ae3d2417018c0dd93d7b15259
Threat Level: Known bad
The file StellarImpact.zip was found to be: Known bad.
Malicious Activity Summary
Aurora
Executes dropped EXE
UPX packed file
Reads user/profile data of web browsers
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-25 13:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-25 13:47
Reported
2023-01-25 13:58
Platform
win10-20220812-en
Max time kernel
486s
Max time network
439s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5108 set thread context of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5108 wrote to memory of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 5108 wrote to memory of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 5108 wrote to memory of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 5108 wrote to memory of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 5108 wrote to memory of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 5108 wrote to memory of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 5108 wrote to memory of 2996 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip"
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 548
Network
| Country | Destination | Domain | Proto |
| N/A | 52.168.112.66:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
Files
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
| MD5 | 8b9696b92228ad53ba0b47a0c153e2bb |
| SHA1 | 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b |
| SHA256 | 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610 |
| SHA512 | c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-25 13:47
Reported
2023-01-25 13:58
Platform
win7-20221111-en
Max time kernel
495s
Max time network
521s
Command Line
Signatures
Aurora
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1572 set thread context of 1960 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip"
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"
C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
Network
| Country | Destination | Domain | Proto |
| N/A | 45.15.156.206:8081 | N/A | tcp |
Files
memory/1500-54-0x000007FEFB731000-0x000007FEFB733000-memory.dmp
\Users\Admin\Desktop\StellarImpact\dbdata.dll
| MD5 | e0c6e6d48cef3cc2814bc49f2764dd02 |
| SHA1 | 79f77370cad505d6eed9f9fe7c00ab36e10c6cd6 |
| SHA256 | 2ee2780b0a8b58080f0aa3bf7df57e1aedd64e4c933e4083188edbdf2eb36541 |
| SHA512 | 66bf7f100a90bd5c14d0cbe634332b3bdbc787175b884b001ab54bdda3dbd3cbdc1566ba774b49e87aadb32e65db129d3cb5f9d1635af50c2d81cb1fcff54a41 |
\Users\Admin\Desktop\StellarImpact\winmm.dll
| MD5 | 646059c6cfa761c07cd5ecc91ac754ae |
| SHA1 | 5947c99ccea27edea25743db1ad52958d3a541db |
| SHA256 | 93072a1ef5798bbfdd6c62a7ed536d6c8320c38cff6befebcb8aa33518a681f9 |
| SHA512 | 0b6145b8aa1571327cf2dd0d342cd731400fb76e06fb8dcee3e5b83435e3b2541c319d17874bfbb45623918f0d7e06e4cb5ad55e48ab6a274fc0d4366814c582 |
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
| MD5 | 8b9696b92228ad53ba0b47a0c153e2bb |
| SHA1 | 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b |
| SHA256 | 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610 |
| SHA512 | c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086 |
memory/1572-63-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
memory/1572-64-0x0000000001270000-0x0000000002400000-memory.dmp
memory/1572-65-0x0000000000690000-0x00000000006AC000-memory.dmp
\Users\Admin\Desktop\StellarImpact\Launcher.exe
| MD5 | 8b9696b92228ad53ba0b47a0c153e2bb |
| SHA1 | 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b |
| SHA256 | 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610 |
| SHA512 | c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086 |
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-25 13:47
Reported
2023-01-25 13:59
Platform
win10v2004-20221111-en
Max time kernel
617s
Max time network
509s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2948 set thread context of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2948 wrote to memory of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 2948 wrote to memory of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 2948 wrote to memory of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 2948 wrote to memory of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 2948 wrote to memory of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 2948 wrote to memory of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
| PID 2948 wrote to memory of 4264 | N/A | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe | C:\Users\Admin\Desktop\StellarImpact\Launcher.exe |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip"
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4264 -ip 4264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 544
Network
| Country | Destination | Domain | Proto |
| N/A | 84.53.175.11:80 | N/A | tcp |
| N/A | 84.53.175.11:80 | N/A | tcp |
| N/A | 84.53.175.11:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 51.104.15.252:443 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
| MD5 | 8b9696b92228ad53ba0b47a0c153e2bb |
| SHA1 | 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b |
| SHA256 | 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610 |
| SHA512 | c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086 |
memory/4264-140-0x0000000001570000-0x00000000019F6000-memory.dmp
memory/4264-141-0x0000000001570000-0x00000000019F6000-memory.dmp