Malware Analysis Report

2025-04-03 08:54

Sample ID 230125-q3hecsge76
Target StellarImpact.zip
SHA256 5bbe111d51daae6e765db9073044e5e0efc29c7ae3d2417018c0dd93d7b15259
Tags
aurora spyware stealer upx
score
10/10


Analysis Overview

score
10/10

SHA256

5bbe111d51daae6e765db9073044e5e0efc29c7ae3d2417018c0dd93d7b15259

Threat Level: Known bad

The file StellarImpact.zip was found to be: Known bad.

Malicious Activity Summary

aurora spyware stealer upx

Aurora

Executes dropped EXE

UPX packed file

Reads user/profile data of web browsers

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-25 13:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-25 13:47

Reported

2023-01-25 13:58

Platform

win10-20220812-en

Max time kernel

486s

Max time network

439s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A
N/A N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5108 set thread context of 2996 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip"

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2996 -s 548

Network

Country Destination Domain Proto
N/A 52.168.112.66:443 tcp
N/A 93.184.221.240:80 tcp

Files

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

MD5 8b9696b92228ad53ba0b47a0c153e2bb
SHA1 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b
SHA256 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610
SHA512 c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086


Analysis: behavioral2

Detonation Overview

Submitted

2023-01-25 13:47

Reported

2023-01-25 13:58

Platform

win7-20221111-en

Max time kernel

495s

Max time network

521s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip

Signatures

Aurora

stealer aurora

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A
N/A N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1572 set thread context of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1572 wrote to memory of 1960 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe
PID 1960 wrote to memory of 1052 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1960 wrote to memory of 1052 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1960 wrote to memory of 1052 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1960 wrote to memory of 1052 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1960 wrote to memory of 1052 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1960 wrote to memory of 1052 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1960 wrote to memory of 1052 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\Wbem\wmic.exe
PID 1960 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1656 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1656 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1656 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1656 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1656 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1656 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1656 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1960 wrote to memory of 1168 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1168 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1168 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1168 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1168 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1168 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1960 wrote to memory of 1168 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1168 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1168 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1168 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1168 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1168 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1168 wrote to memory of 856 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip"

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"

C:\Windows\SysWOW64\Wbem\wmic.exe

wmic os get Caption

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

cmd /C "wmic cpu get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic cpu get name

Network

Country Destination Domain Proto
N/A 45.15.156.206:8081 tcp

Files

memory/1500-54-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

\Users\Admin\Desktop\StellarImpact\dbdata.dll

MD5 e0c6e6d48cef3cc2814bc49f2764dd02
SHA1 79f77370cad505d6eed9f9fe7c00ab36e10c6cd6
SHA256 2ee2780b0a8b58080f0aa3bf7df57e1aedd64e4c933e4083188edbdf2eb36541
SHA512 66bf7f100a90bd5c14d0cbe634332b3bdbc787175b884b001ab54bdda3dbd3cbdc1566ba774b49e87aadb32e65db129d3cb5f9d1635af50c2d81cb1fcff54a41

\Users\Admin\Desktop\StellarImpact\winmm.dll

MD5 646059c6cfa761c07cd5ecc91ac754ae
SHA1 5947c99ccea27edea25743db1ad52958d3a541db
SHA256 93072a1ef5798bbfdd6c62a7ed536d6c8320c38cff6befebcb8aa33518a681f9
SHA512 0b6145b8aa1571327cf2dd0d342cd731400fb76e06fb8dcee3e5b83435e3b2541c319d17874bfbb45623918f0d7e06e4cb5ad55e48ab6a274fc0d4366814c582


C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

MD5 8b9696b92228ad53ba0b47a0c153e2bb
SHA1 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b
SHA256 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610
SHA512 c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086


memory/1572-63-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

memory/1572-64-0x0000000001270000-0x0000000002400000-memory.dmp

memory/1572-65-0x0000000000690000-0x00000000006AC000-memory.dmp

\Users\Admin\Desktop\StellarImpact\Launcher.exe

MD5 8b9696b92228ad53ba0b47a0c153e2bb
SHA1 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b
SHA256 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610
SHA512 c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086


Analysis: behavioral3

Detonation Overview

Submitted

2023-01-25 13:47

Reported

2023-01-25 13:59

Platform

win10v2004-20221111-en

Max time kernel

617s

Max time network

509s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A
N/A N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2948 set thread context of 4264 N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\StellarImpact\Launcher.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\StellarImpact.zip"

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

"C:\Users\Admin\Desktop\StellarImpact\Launcher.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4264 -ip 4264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4264 -s 544

Network

Country Destination Domain Proto
N/A 84.53.175.11:80 tcp
N/A 84.53.175.11:80 tcp
N/A 84.53.175.11:80 tcp
N/A 104.80.225.205:443 tcp
N/A 51.104.15.252:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 8.8.8.8:53 226.101.242.52.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\StellarImpact\Launcher.exe

MD5 8b9696b92228ad53ba0b47a0c153e2bb
SHA1 9c58928dfd6f2bd90bec81ddf1daa4875c96d77b
SHA256 6d6a13d21a6c22eb8d02bb6830d173a5ee37ae35efa1f22e76693ac5f29c7610
SHA512 c7bbca74f028fed4e97d01b54b98cc06cb5ad318bca65e618d94569fd5bc9b9cf6a7d101fd0c920efd799a6ff48f421d0fcbdc43022d6fa7ab750cad5a532086


memory/4264-140-0x0000000001570000-0x00000000019F6000-memory.dmp

memory/4264-141-0x0000000001570000-0x00000000019F6000-memory.dmp