Malware Analysis Report

2025-01-18 05:23

Sample ID 231012-s3f8eahb3v
Target 553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe
SHA256 553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) backdoor discovery dropper evasion infostealer loader persistence ransomware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae

Threat Level: Known bad

The file 553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

Detected Djvu ransomware

Glupteba payload

Djvu Ransomware

Glupteba

SmokeLoader

RedLine payload

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Deletes itself

Loads dropped DLL

Modifies file permissions

Themida packer

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-12 15:38

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-12 15:38

Reported

2023-10-16 11:15

Platform

win7-20230831-en

Max time kernel

47s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\D338.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\D338.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\D338.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CF41.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e59e88f8-e11d-44a4-ab70-86094c144b3c\\CF41.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CF41.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\D338.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D338.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2616 set thread context of 2660 N/A C:\Users\Admin\AppData\Local\Temp\CF41.exe C:\Users\Admin\AppData\Local\Temp\CF41.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2616 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF41.exe
PID 1192 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\D338.exe
PID 2616 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\CF41.exe C:\Users\Admin\AppData\Local\Temp\CF41.exe
PID 1192 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Temp\D886.exe
PID 2612 wrote to memory of 1028 N/A C:\Users\Admin\AppData\Local\Temp\D886.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1192 wrote to memory of 676 N/A N/A C:\Windows\system32\regsvr32.exe
PID 676 wrote to memory of 2856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2660 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\CF41.exe C:\Windows\SysWOW64\icacls.exe
PID 1192 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\F626.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe

"C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe"

C:\Users\Admin\AppData\Local\Temp\CF41.exe

C:\Users\Admin\AppData\Local\Temp\CF41.exe

C:\Users\Admin\AppData\Local\Temp\D338.exe

C:\Users\Admin\AppData\Local\Temp\D338.exe

C:\Users\Admin\AppData\Local\Temp\CF41.exe

C:\Users\Admin\AppData\Local\Temp\CF41.exe

C:\Users\Admin\AppData\Local\Temp\D886.exe

C:\Users\Admin\AppData\Local\Temp\D886.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EE19.dll

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e59e88f8-e11d-44a4-ab70-86094c144b3c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EE19.dll

C:\Users\Admin\AppData\Local\Temp\F626.exe

C:\Users\Admin\AppData\Local\Temp\F626.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\CF41.exe

"C:\Users\Admin\AppData\Local\Temp\CF41.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\15E6.exe

C:\Users\Admin\AppData\Local\Temp\15E6.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\CF41.exe

"C:\Users\Admin\AppData\Local\Temp\CF41.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {46CDA0AA-EA58-4FE6-A5B4-EF7703B76428} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016111547.log C:\Windows\Logs\CBS\CbsPersist_20231016111547.cab

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-12 15:38

Reported

2023-10-16 11:15

Platform

win10v2004-20230915-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1ABD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1DAC.exe N/A

Themida packer

themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 632 wrote to memory of 64 N/A N/A C:\Users\Admin\AppData\Local\Temp\1ABD.exe
PID 632 wrote to memory of 64 N/A N/A C:\Users\Admin\AppData\Local\Temp\1ABD.exe
PID 632 wrote to memory of 64 N/A N/A C:\Users\Admin\AppData\Local\Temp\1ABD.exe
PID 632 wrote to memory of 1904 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DAC.exe
PID 632 wrote to memory of 1904 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DAC.exe
PID 632 wrote to memory of 1904 N/A N/A C:\Users\Admin\AppData\Local\Temp\1DAC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe

"C:\Users\Admin\AppData\Local\Temp\553230c06bf11ece9093e3aa7ca6b414b84a21e1a35120d3d7c2f9c780d9c5ae_JC.exe"

C:\Users\Admin\AppData\Local\Temp\1ABD.exe

C:\Users\Admin\AppData\Local\Temp\1ABD.exe

C:\Users\Admin\AppData\Local\Temp\1DAC.exe

C:\Users\Admin\AppData\Local\Temp\1DAC.exe

C:\Users\Admin\AppData\Local\Temp\1F43.exe

C:\Users\Admin\AppData\Local\Temp\1F43.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2407.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\2407.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 211.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp

Files

memory/1632-1-0x0000000000890000-0x0000000000990000-memory.dmp

memory/1632-2-0x00000000001C0000-0x00000000001CB000-memory.dmp

memory/1632-3-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/1632-4-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/632-5-0x0000000003470000-0x0000000003486000-memory.dmp

memory/1632-6-0x0000000000400000-0x00000000005B0000-memory.dmp

memory/1632-9-0x00000000001C0000-0x00000000001CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1ABD.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\1DAC.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/1904-24-0x00000000009F0000-0x0000000001198000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1F43.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/1904-29-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-30-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-25-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-31-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-32-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-34-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-35-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-36-0x00000000762D0000-0x00000000763C0000-memory.dmp

memory/1904-38-0x00000000773C4000-0x00000000773C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2407.dll

MD5 463274ebe35336a9378de0177b959e83
SHA1 a32914f3a787868d090c5e4572d8c314659cbd91
SHA256 a82707888715246126688a3046a4442d48a1be92b6fcdbfbf6d800f9d2c35407
SHA512 34609c26ef622ebf6b608d4be774c5c206c5707b0fb2076be68629dcfb7b3ca61b33f9cf0ee682cec6c3dd06682f2e54e7ed2bf051f3e7e183a311c912501fbe

memory/64-44-0x00000000024F0000-0x0000000002583000-memory.dmp

memory/64-45-0x0000000002590000-0x00000000026AB000-memory.dmp