Analysis Overview
SHA256
e52afa16e426ed5b530dc3fc1bcac33dc99ca772ff841b7c0bbbf93e4e7c7fed
Threat Level: Known bad
The file MidNight - CRACKED.exe was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
PandaStealer
Checks computer location settings
Reads data files stored by FTP clients
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-07 05:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-07 05:59
Reported
2023-02-07 06:03
Platform
win7-20220812-en
Max time kernel
210s
Max time network
53s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1644 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 1644 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 1644 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 1644 wrote to memory of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe
"C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe"
C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe
"C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| RU | 194.87.248.102:3000 | | tcp |
Files
memory/1644-54-0x0000000075E51000-0x0000000075E53000-memory.dmp
\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe
| Hash | Value |
| --- | --- |
| MD5 | e249bcd1e893795c71351bf62480c6b6 |
| SHA1 | e92158f135788d0916f2e293011b3568d498c092 |
| SHA256 | b15a74b64a63a348919203a024f8c8aa715c2ff21685e26da14f1be4a00520c5 |
| SHA512 | 8bfc855dc917a098f3795ef11815593ab29f02db7d219bfcc25a4ddc957f0e0ee0dc44c18fb3f50c9c11f89f3cc71f8aafb7ee1208429f7ee3bc492cc51d5a91 |
memory/892-58-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\night.jpg
| Hash | Value |
| --- | --- |
| MD5 | df04e5d97b4f113febcc037aae0fe6a5 |
| SHA1 | 3dd1f95edc40395d1984542f5daef9ea53c0925c |
| SHA256 | 41419008feab09129aec758571984915fbbc191c517a58b9245df86b86820450 |
| SHA512 | 85c54de7e2121df1a94f7128cf1c5723c07f5b09ae61d8f63a7398df292e0d54eef87d9a39a0c8d8dd22b9a7883dc52eeda388b11aab21d06365267a55b85b2a |
memory/1692-63-0x000007FEFC311000-0x000007FEFC313000-memory.dmp
memory/1692-65-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1692-66-0x0000000001D70000-0x0000000001D80000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-07 05:59
Reported
2023-02-07 06:02
Platform
win10v2004-20220812-en
Max time kernel
85s
Max time network
148s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3912 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 3912 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 3912 wrote to memory of 5072 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe
"C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe"
C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe
"C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 209.197.3.8:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| AU | 104.46.162.224:443 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| NL | 104.80.225.205:443 | | tcp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
Files
memory/5072-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe
| Hash | Value |
| --- | --- |
| MD5 | e249bcd1e893795c71351bf62480c6b6 |
| SHA1 | e92158f135788d0916f2e293011b3568d498c092 |
| SHA256 | b15a74b64a63a348919203a024f8c8aa715c2ff21685e26da14f1be4a00520c5 |
| SHA512 | 8bfc855dc917a098f3795ef11815593ab29f02db7d219bfcc25a4ddc957f0e0ee0dc44c18fb3f50c9c11f89f3cc71f8aafb7ee1208429f7ee3bc492cc51d5a91 |