Malware Analysis Report

2024-11-13 13:54

Sample ID 231204-by4z8sgd63
Target 301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff
SHA256 301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff
Tags
ducktail persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff

Threat Level: Known bad

The file 301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff was found to be: Known bad.

Malicious Activity Summary

ducktail persistence spyware stealer

Ducktail family

Detect Ducktail Third Stage Payload

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-04 01:34

Signatures

Detect Ducktail Third Stage Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ducktail family

ducktail

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-04 01:34

Reported

2023-12-04 01:37

Platform

win7-20231023-en

Max time kernel

119s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Before touching browser data the sample spawns powershell.exe with Stop-Process -Name "firefox" (and, in the Windows 10 run, "msedge"); see Processes below. A running browser keeps its profile databases (cookies, saved logins) open, so terminating it is the simplest way to copy them. Ducktail is publicly documented as a stealer of browser session cookies aimed at Facebook Business accounts, and the unexplained browser kills from a non-browser parent are the most specific behavioural indicator in this run.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str)
  Key: \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleChromed
  Data: "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe
  Target: N/A

The value name GoogleChromed and the folder name Public Program imitate Google Chrome. The hunting indicator is a per-user Run value whose command is an executable under %LOCALAPPDATA%\Public Program\; the same value and path appear in the Windows 10 run.

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe N/A (2 events)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe N/A

Note: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is the SHA-1 thumbprint of the IdenTrust DST Root CA X3 certificate and CABD2A79A1076A31F21D253635CB039D4329A5E8 that of ISRG Root X1 (Let's Encrypt); both are in Microsoft's trusted root program. Together with the apps.identrust.com fetch under Network and the CryptnetUrlCache, CabF559.tmp and TarF753.tmp files under Files, these writes are consistent with Windows CryptoAPI's automatic root-certificate update running inside the sample's process when it builds a TLS chain on this Windows 7 image; the Windows 10 run shows no certificate-store writes. Treat this signature as a sandbox-image artifact rather than evidence that the sample installs its own root. A genuinely attacker-installed root would carry a thumbprint that is not on Microsoft's published trusted root list, which is the check to run before escalating this item.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2244 wrote to memory of 2576 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 836 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2244 wrote to memory of 1528 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Each PID pair corresponds to a child the sample launched: 2576 and 836 are the two powershell.exe instances and 1528 is the dropped Chrome Service.exe. The sandbox raises this signature for the writes a parent performs into a child it is creating, so these rows document the process tree; they are not by themselves evidence of code injection into powershell.exe or the dropped executable.

Processes

C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe

"C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Note: ipinfo.io (external-IP lookup) and api.telegram.org (TLS to the Telegram Bot API, the channel Ducktail is documented to use for sending stolen data) are the destinations attributable to the sample. The apps.identrust.com request over port 80 is Windows CryptoAPI fetching certificate-chain data for the IdenTrust and Let's Encrypt roots whose thumbprints appear under "Modifies system certificate store"; it is operating-system behaviour and not a command-and-control contact, so it should not be added to blocklists on the strength of this report.

Files

memory/2244-0-0x0000000006AC0000-0x0000000007449000-memory.dmp

memory/2244-3-0x0000000006AC0000-0x0000000007449000-memory.dmp

memory/2244-4-0x0000000000760000-0x0000000000807000-memory.dmp

memory/2244-5-0x0000000001280000-0x0000000001ACF000-memory.dmp

memory/2244-8-0x0000000000760000-0x0000000000807000-memory.dmp

memory/2244-9-0x00000000006E0000-0x00000000006FD000-memory.dmp

memory/2244-12-0x00000000006E0000-0x00000000006FD000-memory.dmp

memory/2244-13-0x00000000006B0000-0x00000000006D8000-memory.dmp

memory/2244-16-0x00000000006B0000-0x00000000006D8000-memory.dmp

memory/2244-17-0x0000000006860000-0x00000000069EE000-memory.dmp

memory/2244-20-0x0000000006860000-0x00000000069EE000-memory.dmp

memory/2244-21-0x0000000000E70000-0x0000000000EA0000-memory.dmp

memory/2244-24-0x0000000000E70000-0x0000000000EA0000-memory.dmp

memory/2244-25-0x0000000009200000-0x0000000009556000-memory.dmp

memory/2244-28-0x0000000009200000-0x0000000009556000-memory.dmp

memory/2244-29-0x00000000066C0000-0x0000000006765000-memory.dmp

memory/2244-32-0x00000000066C0000-0x0000000006765000-memory.dmp

memory/2244-33-0x0000000000EA0000-0x0000000000EB5000-memory.dmp

memory/2244-36-0x0000000000EA0000-0x0000000000EB5000-memory.dmp

memory/2244-37-0x0000000001220000-0x0000000001274000-memory.dmp

memory/2244-40-0x0000000001220000-0x0000000001274000-memory.dmp

memory/2244-41-0x0000000006770000-0x0000000006806000-memory.dmp

memory/2244-44-0x0000000006770000-0x0000000006806000-memory.dmp

memory/2244-45-0x00000000061C0000-0x000000000623A000-memory.dmp

memory/2244-48-0x00000000061C0000-0x000000000623A000-memory.dmp

memory/2244-49-0x0000000001060000-0x000000000109C000-memory.dmp

memory/2244-52-0x0000000001060000-0x000000000109C000-memory.dmp

memory/2244-53-0x0000000005F90000-0x0000000005FA2000-memory.dmp

memory/2244-56-0x0000000005F90000-0x0000000005FA2000-memory.dmp

memory/2244-57-0x0000000006160000-0x0000000006166000-memory.dmp

memory/2244-60-0x0000000006160000-0x0000000006166000-memory.dmp

memory/2244-61-0x0000000006150000-0x000000000615C000-memory.dmp

memory/2244-64-0x0000000006150000-0x000000000615C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF559.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarF753.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 81622642191ec429a9fadbd9e3f8de76
SHA1 2f43e1cb07c70c94bc6e1abb142babe09271a9d1
SHA256 73fa1d7fdea2803d0be5ea665222362543b089409efaf0d03b4e785977ab2371
SHA512 fa9b11574b03b0ff40bfeff48fb53d374c930e4a079a4c1ebe3a0a6d3fa52e75323c32777264cbe8ae69a51bc0c6cc336637b3bbae3898b308e2c33a2e92b63c

memory/2576-202-0x0000000072F60000-0x000000007350B000-memory.dmp

memory/2576-203-0x0000000072F60000-0x000000007350B000-memory.dmp

memory/2576-204-0x0000000002850000-0x0000000002890000-memory.dmp

memory/2576-205-0x0000000002850000-0x0000000002890000-memory.dmp

memory/2576-206-0x0000000072F60000-0x000000007350B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 e8a2dc702abab9b7040613f65a747a3a
SHA1 5e5ec51364ac4f36d75c77009e8a68867fb6bfff
SHA256 948af59682ddc342315b1857baffc829d93cf48b7f950f83f2b9196ad5f0b790
SHA512 48865210e1f85b7c45c7f3f22e42fe5cf73553fcda3c345c63c64007496ca1a03d477d84349b1ab7e8a668b4a7210832a6cdb47215b59c2d399514d8b43f9c17

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PBN52VQGJ11L94S2S55Q.temp

MD5 e8a2dc702abab9b7040613f65a747a3a
SHA1 5e5ec51364ac4f36d75c77009e8a68867fb6bfff
SHA256 948af59682ddc342315b1857baffc829d93cf48b7f950f83f2b9196ad5f0b790
SHA512 48865210e1f85b7c45c7f3f22e42fe5cf73553fcda3c345c63c64007496ca1a03d477d84349b1ab7e8a668b4a7210832a6cdb47215b59c2d399514d8b43f9c17

memory/836-213-0x00000000729B0000-0x0000000072F5B000-memory.dmp

memory/836-214-0x0000000001F70000-0x0000000001FB0000-memory.dmp

memory/836-215-0x00000000729B0000-0x0000000072F5B000-memory.dmp

memory/836-216-0x0000000001F70000-0x0000000001FB0000-memory.dmp

memory/836-217-0x00000000729B0000-0x0000000072F5B000-memory.dmp

\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 77a0f6ab4a09f253a68ee7ab25319d0a
SHA1 4af8fceaa7ac5556ea47805cf6216ce153a504fd
SHA256 c2044a1b50f49bc71ed7c768f14b8854abde34c4fa9a4ec0c6942c883fd339f3
SHA512 5e3da5289acbf1d22713e11bb6521315051f8198a1ee6d0ba09b9d4b6080e3892c10bb80b9784fd7740c00da213e8efd87970f2093a7f1ad8be28d87ca5e4a26

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 77a0f6ab4a09f253a68ee7ab25319d0a
SHA1 4af8fceaa7ac5556ea47805cf6216ce153a504fd
SHA256 c2044a1b50f49bc71ed7c768f14b8854abde34c4fa9a4ec0c6942c883fd339f3
SHA512 5e3da5289acbf1d22713e11bb6521315051f8198a1ee6d0ba09b9d4b6080e3892c10bb80b9784fd7740c00da213e8efd87970f2093a7f1ad8be28d87ca5e4a26

memory/2244-279-0x0000000001280000-0x0000000001ACF000-memory.dmp

memory/1528-281-0x0000000001070000-0x00000000018B3000-memory.dmp

memory/1528-282-0x0000000001070000-0x00000000018B3000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-04 01:34

Reported

2023-12-04 01:37

Platform

win10v2004-20231127-en

Max time kernel

138s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str)
  Key: \REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed
  Data: "C:\\Users\\Admin\\AppData\\Local\\Public Program\\Chrome Service.exe"
  Process: C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe
  Target: N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 1388 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 624 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 840 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2200 wrote to memory of 680 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

Processes

C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe

"C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "msedge"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Stop-Process -Name "firefox"

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
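The signatures and process tree above describe one behaviour chain that repeats across both detonations: a non-browser process uses powershell.exe to kill browsers, writes a Run value pointing into %LOCALAPPDATA%, launches the executable it dropped there, and resolves ipinfo.io and api.telegram.org. The following is an added example of detection logic for that chain, written for this page and not taken from the sandbox or from any Ducktail tooling. The event stream is constructed to mirror the behavioral2 run (PIDs 2200, 1388, 624, 840, 680) and its field names (type, pid, ppid, image, cmdline, key, value, query) are an assumed Sysmon-like schema, not any product's real format.

```python
"""Behaviour-chain detection modelled on the behavioral1/behavioral2 signatures.

Added example, not part of the sandbox report and not Ducktail's own code.
EVENTS is constructed to mirror the behavioral2 run (PIDs 2200, 1388, 624,
840, 680); the event keys (type, pid, ppid, image, cmdline, key, value, query)
are an assumed Sysmon-like schema, not the format of any real product.
"""
import re
from collections import defaultdict

BROWSERS = ("chrome", "msedge", "firefox", "brave", "opera")
BROWSER_IMAGES = tuple(b + ".exe" for b in BROWSERS)
# "powershell.exe" Stop-Process -Name "firefox"   (quotes optional)
BROWSER_KILL = re.compile(
    r'Stop-Process\s+-Name\s+"?(' + "|".join(BROWSERS) + r')"?', re.IGNORECASE)
# C:\Users\<user>\AppData\Local\...  (user-writable, where the payload is dropped)
APPDATA_LOCAL = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Domains the sample itself resolved in both runs
DOMAIN_TAGS = {"ipinfo.io": "ip_lookup", "api.telegram.org": "telegram_api"}


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Map each process id to the sorted behaviour tags attributed to it.

    Child-process rules are attributed to the parent (the process that
    launched powershell.exe or the dropped EXE); registry and DNS rules to
    the acting process. Processes without tags are omitted.
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    tags = defaultdict(set)
    for e in events:
        if e["type"] == "process_create":
            parent = procs.get(e["ppid"])
            if parent is None:          # root of the tree, nothing to attribute
                continue
            child = _basename(e["image"])
            # A non-browser process using PowerShell to kill a browser: the
            # browser must die before its cookie/login databases can be copied.
            if (child == "powershell.exe"
                    and _basename(parent["image"]) not in BROWSER_IMAGES
                    and BROWSER_KILL.search(e.get("cmdline", ""))):
                tags[e["ppid"]].add("browser_kill")
            # Launching an executable from %LOCALAPPDATA% ("Executes dropped EXE")
            if APPDATA_LOCAL.match(e["image"]) and child != _basename(parent["image"]):
                tags[e["ppid"]].add("spawns_exe_from_localappdata")
        elif e["type"] == "registry_set":
            # Run value whose command lives under %LOCALAPPDATA% ("Adds Run key")
            if RUN_KEY.search(e["key"]) and APPDATA_LOCAL.match(e["value"].strip('"')):
                tags[e["pid"]].add("run_key_appdata")
        elif e["type"] == "dns_query":
            tag = DOMAIN_TAGS.get(e["query"].lower())
            if tag:
                tags[e["pid"]].add(tag)
    return {pid: sorted(t) for pid, t in tags.items()}


def verdict(tag_list):
    """Stealer-like only when persistence, browser interference and a
    network channel usable for exfiltration all sit on the same process."""
    s = set(tag_list)
    return ("run_key_appdata" in s and "browser_kill" in s
            and bool(s & {"telegram_api", "ip_lookup"}))


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\301caec2769daa002d3d7f6408d24afa564fa59edd2033cb2962649754837bff.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe"
RUN_VALUE = (r"\REGISTRY\USER\S-1-5-21-2598572287-1024438387-935107970-1000"
             r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleChromed")

# Constructed event stream (ppid 1 for the sample stands in for whatever launched it)
EVENTS = [
    {"type": "process_create", "pid": 2200, "ppid": 1, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 1388, "ppid": 2200, "image": POWERSHELL,
     "cmdline": '"powershell.exe" Stop-Process -Name "msedge"'},
    {"type": "process_create", "pid": 624, "ppid": 2200, "image": POWERSHELL,
     "cmdline": '"powershell.exe" Stop-Process -Name "firefox"'},
    {"type": "process_create", "pid": 840, "ppid": 2200, "image": POWERSHELL,
     "cmdline": '"powershell.exe" Stop-Process -Name "firefox"'},
    {"type": "registry_set", "pid": 2200, "key": RUN_VALUE, "value": f'"{DROPPED}"'},
    {"type": "process_create", "pid": 680, "ppid": 2200, "image": DROPPED, "cmdline": f'"{DROPPED}"'},
    {"type": "dns_query", "pid": 2200, "query": "ipinfo.io"},
    {"type": "dns_query", "pid": 2200, "query": "api.telegram.org"},
    # Windows 10 background traffic seen in the same run, attributed to a system pid
    {"type": "dns_query", "pid": 4, "query": "tse1.mm.bing.net"},
]

if __name__ == "__main__":
    for pid, found in analyze(EVENTS).items():
        print(pid, "STEALER" if verdict(found) else "review", found)
```

The verdict deliberately requires all three legs on one process. A browser's own updater killing its browser, or an installer writing a Run value under AppData, each trip one rule; only the combination seen here, plus the external-IP and Telegram lookups from the same PID, is scored as stealer behaviour, which keeps the Windows background DNS traffic in the behavioral2 Network table out of the result.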

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 67.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 89.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 48.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 193.98.74.40.in-addr.arpa udp

Note: the *.in-addr.arpa entries are reverse (PTR) lookups of addresses contacted during the run and tse1.mm.bing.net is Windows 10 background traffic; neither is driven by the sample and both vary between runs. The sample-attributable destinations are the same as in the Windows 7 run, ipinfo.io for the external-IP lookup and api.telegram.org over TLS. The apps.identrust.com fetch seen on Windows 7 is absent here because this image did not need to build the IdenTrust/Let's Encrypt root chain.

Files

memory/2200-0-0x00000000076C0000-0x0000000008049000-memory.dmp

memory/2200-3-0x00000000076C0000-0x0000000008049000-memory.dmp

memory/2200-4-0x0000000000400000-0x00000000004A7000-memory.dmp

memory/2200-6-0x0000000000C50000-0x000000000149F000-memory.dmp

memory/2200-8-0x0000000007060000-0x000000000707D000-memory.dmp

memory/2200-11-0x0000000007060000-0x000000000707D000-memory.dmp

memory/2200-12-0x0000000007140000-0x0000000007168000-memory.dmp

memory/2200-15-0x0000000007140000-0x0000000007168000-memory.dmp

memory/2200-16-0x000000000B4B0000-0x000000000B63E000-memory.dmp

memory/2200-19-0x000000000B4B0000-0x000000000B63E000-memory.dmp

memory/2200-20-0x0000000007550000-0x0000000007580000-memory.dmp

memory/2200-24-0x000000000B9A0000-0x000000000BCF6000-memory.dmp

memory/2200-23-0x0000000007550000-0x0000000007580000-memory.dmp

memory/2200-27-0x000000000B9A0000-0x000000000BCF6000-memory.dmp

memory/2200-28-0x000000000B6F0000-0x000000000B795000-memory.dmp

memory/2200-32-0x0000000007660000-0x0000000007675000-memory.dmp

memory/2200-31-0x000000000B6F0000-0x000000000B795000-memory.dmp

memory/2200-35-0x0000000007660000-0x0000000007675000-memory.dmp

memory/2200-36-0x000000000B7A0000-0x000000000B7F4000-memory.dmp

memory/2200-39-0x000000000B7A0000-0x000000000B7F4000-memory.dmp

memory/2200-40-0x000000000B800000-0x000000000B896000-memory.dmp

memory/2200-43-0x000000000B800000-0x000000000B896000-memory.dmp

memory/2200-44-0x000000000B8A0000-0x000000000B91A000-memory.dmp

memory/2200-47-0x000000000B8A0000-0x000000000B91A000-memory.dmp

memory/2200-48-0x000000000B690000-0x000000000B6CC000-memory.dmp

memory/2200-51-0x000000000B690000-0x000000000B6CC000-memory.dmp

memory/2200-52-0x000000000B6D0000-0x000000000B6E2000-memory.dmp

memory/2200-55-0x000000000B6D0000-0x000000000B6E2000-memory.dmp

memory/2200-56-0x00000000076B0000-0x00000000076B6000-memory.dmp

memory/2200-59-0x00000000076B0000-0x00000000076B6000-memory.dmp

memory/2200-60-0x000000000B680000-0x000000000B68C000-memory.dmp

memory/2200-63-0x000000000B680000-0x000000000B68C000-memory.dmp

memory/2200-64-0x000000000C0E0000-0x000000000C11A000-memory.dmp

memory/1388-130-0x0000000005310000-0x0000000005346000-memory.dmp

memory/1388-131-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/1388-132-0x0000000005430000-0x0000000005440000-memory.dmp

memory/1388-133-0x0000000005430000-0x0000000005440000-memory.dmp

memory/1388-134-0x0000000005A70000-0x0000000006098000-memory.dmp

memory/1388-135-0x0000000005A30000-0x0000000005A52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekuicwom.vuw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1388-136-0x0000000006210000-0x0000000006276000-memory.dmp

memory/1388-142-0x0000000006280000-0x00000000062E6000-memory.dmp

memory/1388-147-0x0000000006500000-0x0000000006854000-memory.dmp

memory/1388-148-0x0000000006900000-0x000000000691E000-memory.dmp

memory/1388-149-0x0000000006940000-0x000000000698C000-memory.dmp

memory/1388-150-0x0000000005430000-0x0000000005440000-memory.dmp

memory/1388-151-0x0000000007B00000-0x0000000007B96000-memory.dmp

memory/1388-152-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

memory/1388-153-0x0000000006E20000-0x0000000006E42000-memory.dmp

memory/1388-154-0x0000000008150000-0x00000000086F4000-memory.dmp

memory/1388-157-0x0000000074230000-0x00000000749E0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 def65711d78669d7f8e69313be4acf2e
SHA1 6522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256 aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA512 05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

memory/624-168-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/624-169-0x0000000004840000-0x0000000004850000-memory.dmp

memory/624-170-0x0000000004840000-0x0000000004850000-memory.dmp

memory/624-171-0x0000000005700000-0x0000000005A54000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 658a03f463d834b049174ff23b7a2c5f
SHA1 94d1fb641bc22a8e5c1d44728330c38735dc1924
SHA256 c2df74ca6cd98865b39f5c41edcc3d447a48a43d6f8a101578feae0edb3e46f0
SHA512 51303c13a2794e7334d6a709d8f60569b34471bd4d8e73cf3b832debf251b5a68ea717754a2194f54c624d8f1a95bfb84ed75c08c22d190b977095cff355a797

memory/624-182-0x0000000004840000-0x0000000004850000-memory.dmp

memory/624-184-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/840-186-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/840-187-0x0000000005030000-0x0000000005040000-memory.dmp

memory/840-188-0x0000000005030000-0x0000000005040000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f654dbe9ef0d7723435789921e351750
SHA1 45e9628f8aa772ebf406c1007c5d27302aa004c5
SHA256 3cc90a7e720ae2faeb022df185f9fdf424543a52811a68906f41ef174e63a140
SHA512 831095c0e233e112416613103b45446ada83158a0c4846e61b20d235063d62e582a1f826754831449e4b45ca7ecb9476f583833409b8dd3e570ca3e3bf9c64c4

memory/840-199-0x0000000005030000-0x0000000005040000-memory.dmp

memory/840-201-0x0000000074230000-0x00000000749E0000-memory.dmp

memory/2200-242-0x0000000000C50000-0x000000000149F000-memory.dmp

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 77a0f6ab4a09f253a68ee7ab25319d0a
SHA1 4af8fceaa7ac5556ea47805cf6216ce153a504fd
SHA256 c2044a1b50f49bc71ed7c768f14b8854abde34c4fa9a4ec0c6942c883fd339f3
SHA512 5e3da5289acbf1d22713e11bb6521315051f8198a1ee6d0ba09b9d4b6080e3892c10bb80b9784fd7740c00da213e8efd87970f2093a7f1ad8be28d87ca5e4a26

memory/680-278-0x0000000000210000-0x0000000000A53000-memory.dmp

memory/2200-279-0x0000000000C50000-0x000000000149F000-memory.dmp

memory/680-280-0x0000000000210000-0x0000000000A53000-memory.dmp
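Most of each Files section is memory dumps and files that Windows, CryptoAPI or PowerShell write as side effects of running anything, while the one payload file (Chrome Service.exe) is listed several times with the same hashes. The following is an added example, written for this page and not the sandbox's own export tooling, that parses the flattened Files listing into a de-duplicated IOC set. REPORT_EXCERPT is copied from the Files sections above with most memory-dump lines left out; which paths count as noise is this example's assumption, chosen because those files carry no attacker-controlled content and their hashes change from run to run.

```python
"""Pull file IOCs out of the flattened "Files" listing used in this report.

Added example; it is not the sandbox's own export tooling. REPORT_EXCERPT is
copied from the Files sections above (most memory-dump lines left out). Which
paths count as noise is this example's assumption: files Windows, CryptoAPI
or PowerShell write as side effects of running anything, so they carry no
attacker content and their hashes change from run to run.
"""
import re
from collections import Counter, OrderedDict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEMORY_DUMP = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")
NOISE_SUBSTRINGS = (
    r"\AppData\LocalLow\Microsoft\CryptnetUrlCache",      # CryptoAPI CRL/AIA cache
    r"\AppData\Local\Temp\__PSScriptPolicyTest_",          # PowerShell policy probe script
    r"\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs",     # .NET usage log for powershell.exe
    r"\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData",
    r"\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations",  # jump lists
)
# CabXXXX.tmp / TarXXXX.tmp: CryptoAPI unpacking the authroot CAB
CRYPTOAPI_TMP = re.compile(r"\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def parse_files_section(text):
    """Return [(path, {algo: hexdigest})]; memory dumps carry an empty dict."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2)
        else:                      # any non-hash line starts a new file entry
            current = (line, {})
            entries.append(current)
    return entries


def classify(path):
    """'memory', 'noise' (OS/PowerShell side effect) or 'dropped' (worth an IOC)."""
    if MEMORY_DUMP.match(path):
        return "memory"
    low = path.lower()
    if CRYPTOAPI_TMP.search(path) or any(s.lower() in low for s in NOISE_SUBSTRINGS):
        return "noise"
    return "dropped"


def extract_iocs(text):
    """Dropped files only, de-duplicated by SHA256, keeping every path seen."""
    iocs = OrderedDict()
    for path, hashes in parse_files_section(text):
        if not hashes or classify(path) != "dropped":
            continue
        entry = iocs.setdefault(hashes["SHA256"], {
            "md5": hashes.get("MD5"), "sha1": hashes.get("SHA1"), "paths": []})
        if path not in entry["paths"]:
            entry["paths"].append(path)
    return iocs


def summarize(text):
    """Entry count per class, to show how much of a listing is noise."""
    return dict(Counter(classify(p) for p, _ in parse_files_section(text)))


REPORT_EXCERPT = r"""
memory/2200-0-0x00000000076C0000-0x0000000008049000-memory.dmp

memory/1388-130-0x0000000005310000-0x0000000005346000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ekuicwom.vuw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 658a03f463d834b049174ff23b7a2c5f
SHA1 94d1fb641bc22a8e5c1d44728330c38735dc1924
SHA256 c2df74ca6cd98865b39f5c41edcc3d447a48a43d6f8a101578feae0edb3e46f0
SHA512 51303c13a2794e7334d6a709d8f60569b34471bd4d8e73cf3b832debf251b5a68ea717754a2194f54c624d8f1a95bfb84ed75c08c22d190b977095cff355a797

\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 77a0f6ab4a09f253a68ee7ab25319d0a
SHA1 4af8fceaa7ac5556ea47805cf6216ce153a504fd
SHA256 c2044a1b50f49bc71ed7c768f14b8854abde34c4fa9a4ec0c6942c883fd339f3
SHA512 5e3da5289acbf1d22713e11bb6521315051f8198a1ee6d0ba09b9d4b6080e3892c10bb80b9784fd7740c00da213e8efd87970f2093a7f1ad8be28d87ca5e4a26

C:\Users\Admin\AppData\Local\Public Program\Chrome Service.exe

MD5 77a0f6ab4a09f253a68ee7ab25319d0a
SHA1 4af8fceaa7ac5556ea47805cf6216ce153a504fd
SHA256 c2044a1b50f49bc71ed7c768f14b8854abde34c4fa9a4ec0c6942c883fd339f3
SHA512 5e3da5289acbf1d22713e11bb6521315051f8198a1ee6d0ba09b9d4b6080e3892c10bb80b9784fd7740c00da213e8efd87970f2093a7f1ad8be28d87ca5e4a26
"""

if __name__ == "__main__":
    print(summarize(REPORT_EXCERPT))
    for sha256, e in extract_iocs(REPORT_EXCERPT).items():
        print(sha256, e["md5"], e["paths"])
```

On this excerpt the only IOC that survives is the dropped Chrome Service.exe, keyed by its SHA256 with both path spellings attached. Paths are kept alongside the hashes because the Run value and the %LOCALAPPDATA%\Public Program\ directory are stable across both detonations, whereas a rebuilt payload would change the hash but likely keep the path.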