Malware Analysis Report

2025-03-15 05:13

Sample ID 231211-hzc2gagber
Target XO0UY05.exe
SHA256 cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
Tags
privateloader redline risepro smokeloader @oleh_ps livetraffic up3 backdoor collection discovery evasion infostealer loader persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718

Threat Level: Known bad

The file XO0UY05.exe was found to be: Known bad.

Malicious Activity Summary

RisePro

SmokeLoader

RedLine

PrivateLoader

RedLine payload

Modifies Windows Firewall

Downloads MZ/PE file

Drops startup file

Executes dropped EXE

Reads user/profile data of local email clients

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Adds Run key to start application

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Program crash

Unsigned PE

Enumerates physical storage devices

outlook_office_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-11 07:10

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-11 07:10

Reported

2023-12-11 07:12

Platform

win7-20231023-en

Max time kernel

133s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (×3)

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A
N/A | N/A | N/A | N/A (×61)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (×3)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CD8C.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1856 wrote to memory of 3048 (×7) | N/A | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 3048 wrote to memory of 2640 (×7) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3048 wrote to memory of 2624 (×7) | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | C:\Windows\SysWOW64\schtasks.exe
PID 1856 wrote to memory of 1724 (×7) | N/A | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 1276 wrote to memory of 1668 (×4) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CD8C.exe
PID 1276 wrote to memory of 1600 (×4) | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4480.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\CD8C.exe

C:\Users\Admin\AppData\Local\Temp\CD8C.exe

C:\Users\Admin\AppData\Local\Temp\4480.exe

C:\Users\Admin\AppData\Local\Temp\4480.exe

C:\Users\Admin\AppData\Local\Temp\475E.exe

C:\Users\Admin\AppData\Local\Temp\475E.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\tuc3.exe

"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\is-2BK5B.tmp\tuc3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2BK5B.tmp\tuc3.tmp" /SL5="$110152,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\Broom.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211071228.log C:\Windows\Logs\CBS\CbsPersist_20231211071228.cab

C:\Users\Admin\AppData\Local\Temp\629D.exe

C:\Users\Admin\AppData\Local\Temp\629D.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe
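
The process tree above records the persistence and evasion steps as plain command lines: two schtasks /create calls that register C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe to run HOURLY and ONLOGON with /rl HIGHEST (the highest privileges available to the "Admin" account the sandbox ran under); a netsh advfirewall rule that whitelists C:\Windows\rss\csrss.exe, a file named after the Client/Server Runtime Subsystem, which only ever runs from System32, so the path alone is the indicator; and, in the RunOnce value from the "Adds Run key" signature, rundll32.exe advpack.dll,DelNodeRunDLL32 on the IXP000.TMP directory, which is the self-cleanup every Microsoft IExpress/wextract self-extracting package registers and therefore marks the dropper format rather than intent on its own. The cmd.exe launched through C:\Windows\Sysnative\ also shows that its parent was a 32-bit process reaching the 64-bit cmd.exe. The Python below is an added example and is not part of the sandbox report or its tooling: it turns those observations into triage rules and runs them over the command lines copied from this report plus one constructed control line (the genuine C:\Windows\System32\csrss.exe). The protected-binary list, the user-writable directory list and the rule names are this example's assumptions.

```python
import re

# Image names Windows runs only from its own system directories; one of them
# starting from anywhere else is masquerading (ATT&CK T1036.005). The list is an
# assumption for this example and should be extended for a real estate.
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "services.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Directories an unprivileged user can populate; a task that runs a binary from
# here with /rl HIGHEST is the pattern the report's two schtasks calls show.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# Command lines copied from the report's process tree and its RunOnce value, plus
# one constructed control line (the genuine csrss.exe) that is not in the report.
REPORT_COMMAND_LINES = [
    'schtasks /create /f /RU "Admin" /tr "C:\\ProgramData\\OfficeTrackerNMP131\\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    'schtasks /create /f /RU "Admin" /tr "C:\\ProgramData\\OfficeTrackerNMP131\\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    "C:\\Windows\\rss\\csrss.exe",
    'rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"',
    "C:\\Windows\\System32\\csrss.exe",  # constructed control, not in the report
]


def image_path(cmdline):
    """First token of a Windows command line, with surrounding quotes removed."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def _arg(cmdline, prefix):
    """Value that follows `prefix` (a regex: a switch plus whitespace, or 'program='),
    whether the value is double-quoted or bare; '' when absent."""
    m = re.search(prefix + r'(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else ""


def masquerades(path):
    """True if `path` has a protected system image name but lies outside the system dirs."""
    base = path.rsplit("\\", 1)[-1].lower()
    return base in SYSTEM_BINARIES and not path.lower().startswith(SYSTEM_DIRS)


def triage(cmdline):
    """(rule, detail) findings for one process command line; [] when nothing fires."""
    low = cmdline.lower()
    findings = []
    image = image_path(cmdline)
    if masquerades(image):
        findings.append(("masquerading_system_binary", image))
    if "schtasks" in low and "/create" in low:
        target = _arg(cmdline, r"/tr\s+")
        level = _arg(cmdline, r"/rl\s+").upper()
        schedule = _arg(cmdline, r"/sc\s+").upper()
        if target.lower().startswith(USER_WRITABLE) and level == "HIGHEST":
            findings.append(("scheduled_task_highest_from_user_dir", f"/sc {schedule} -> {target}"))
    if "netsh" in low and "advfirewall" in low and "action=allow" in low:
        program = _arg(cmdline, r"program=")
        findings.append(("firewall_allow_rule_added", program))
        if masquerades(program):
            findings.append(("firewall_allow_for_masquerading_binary", program))
    if "advpack.dll,delnoderundll32" in low:
        # RunOnce self-deletion of the extraction directory: registered by every
        # IExpress/wextract package, so it marks the dropper format, not intent.
        findings.append(("iexpress_wextract_cleanup", _arg(cmdline, r"DelNodeRunDLL32\s+")))
    return findings


def triage_all(cmdlines):
    """Map each command line that fired at least one rule to its rule names."""
    result = {}
    for cmd in cmdlines:
        rules = [rule for rule, _ in triage(cmd)]
        if rules:
            result[cmd] = rules
    return result


if __name__ == "__main__":
    for cmd, rules in triage_all(REPORT_COMMAND_LINES).items():
        print(", ".join(rules), "<-", cmd)
```

Run as a script it prints one line per flagged command; the genuine System32 csrss.exe produces nothing, which is the check that the masquerade rule keys on the directory and not the file name. The regex-based argument extraction is deliberate: the cmd.exe /C wrapper above nests double quotes, which a shell-style tokenizer would mis-split.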

Network

Country | Destination | Domain | Proto
US | 193.233.132.51:50500 | - | tcp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 8.8.8.8:53 | db-ip.com | udp
US | 172.67.75.166:443 | db-ip.com | tcp
US | 8.8.8.8:53 | www.maxmind.com | udp
US | 104.18.146.235:80 | www.maxmind.com | tcp
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
RU | 77.105.132.87:6731 | - | tcp
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
MD | 176.123.7.190:32927 | - | tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 9b10f741fad1d0dd09b89dc6638833ae
SHA1 1f0ffa6f136cd5433f202c9c79ce5956796b4151
SHA256 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6
SHA512 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 1a02cbd4846b31176b76998ee12223c1
SHA1 8117ccd23d6dd664d9286121b8c7b76a87e5c211
SHA256 acefb12e31b69bb85f05f4b962d92b5b8550452eba7c263385ad8a901b48a6d6
SHA512 d238149966650fb9703a550f231f700f99442aa7124ca2d6c0ccae44cff7c84ed066482ec2bb53fe4c5b812989514562b78c763cc650a3d6b4cad0649f6bd63e

\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 4f29a3c96e73c5ebb246b0fda2a3b79d
SHA1 d0f52345a5a31c6bbea0d0bbc456f70f218c5a72
SHA256 e5c5990aed28391ad8623d5f1294ee03af9cfb375083e9c4dd619b2eef26c09f
SHA512 6c1814e72cf66b86078f739c518907e576b053d8c26968b6f1229def6f9d55a6ee4b149ff9518a81164e20b5168fc47579f9a3f6cb8b5b49c811576e241c5832

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 b0a822c38a0766b3d20266623882b3ba
SHA1 244322f02ed06c79f0789dbb4f339743553a442e
SHA256 528b05df765efb94fab9780028454ea84c8ed43962cefd994ed241bc0a560060
SHA512 bdc466ad01869c6f44b9db6c0d55eab6c48bdfd6687aa29d5d3789725f7342e804f8a1d4ca26c7f28e90e688452d6f34101d56598e1a840205ac582526a87032

C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe

MD5 646adfb5ed2202fd251e2cf5e95330f1
SHA1 3b7c375cc9d8598035bbc3033c56ca92ff15ae53
SHA256 86ad3a3f454090951ce79947929c493d28e4055ce28aed1dbd9e3d213b05efb5
SHA512 55548fe2db19d7d49f4deebc3cff6c55524830a7d615fcd527b506544b85f1f4d7a8d9c32d3c56f6d2c8950741720af63f8f6a02ae920d23754f1f78e008dd3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar6159.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\grandUIAJ71H1v_YLtbS0\information.txt

MD5 79d56f4262d4f85e61764dfd6a10a87f
SHA1 8a2f78ca967d856098f8f33e1b15b264dcf0b7b9
SHA256 9bb307c3c421b682489cc20b64e2bf67474ac958b23e1009886362fc77476c91
SHA512 1c1fd70d61da1672b52778cb7538a8d59e9b1b3b30e52ca953541365f8565d74776d9a8db630069259f902e2686e4ce08bafb516d32814ffe56d6ecde64c28a4

\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

MD5 8837a89b82d0d3b0259cc9f47b2e599b
SHA1 51dd86a6a717a8f1470fff7a65f96c983aa71f09
SHA256 ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701
SHA512 4a6c660c78bc99916d68978243f1140203a5805a3a7ae7a1749c609bd5aaf06b9ac253c09c0a206acdb832b45bc1ab700a5beb98024131779a45c70b53c7bc71

memory/1724-117-0x0000000000400000-0x000000000040B000-memory.dmp

memory/1856-113-0x00000000000B0000-0x00000000000BB000-memory.dmp

memory/1856-109-0x00000000000B0000-0x00000000000BB000-memory.dmp

memory/1276-118-0x00000000029A0000-0x00000000029B6000-memory.dmp

memory/1724-119-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD8C.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/1668-126-0x00000000000F0000-0x000000000012C000-memory.dmp

memory/1668-131-0x0000000074390000-0x0000000074A7E000-memory.dmp

memory/1668-132-0x0000000007490000-0x00000000074D0000-memory.dmp

memory/1668-136-0x0000000074390000-0x0000000074A7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4480.exe

MD5 edc1341a2699667c4606459c372669b1
SHA1 d7722b0ff8f20582bcb4f6c60e4ecc9d0cc1d8b9
SHA256 da3cc791755b59135047bd48dc64ae5c8726be1cad27ab419c50a59d63015635
SHA512 3ca49fbccc9ea08911069d8981c00e7d5b9f9bc0d0af645807fc4d5cf0a51c344353674b628e49bc770d7d8f85f8445a0a0b0643934b9bbb73bb97a665e94722

C:\Users\Admin\AppData\Local\Temp\4480.exe

MD5 0c61c1830763156dcfb2aff4550f40a4
SHA1 13293576aecfd4b571fd19f6e2016850cb397729
SHA256 68d7339dea4053d9a2be6bb147c407aa1139cbfe0819b3c9cf8d48c79820c118
SHA512 b679ec1106056933ac6beb4748199951035726ab2219c6e657c68c93a6c06d881a0c1b88231c35be5c4555429b41149ee26a5378160452990e1526fd6b428d7b

memory/1600-142-0x0000000073CA0000-0x000000007438E000-memory.dmp

memory/1600-143-0x00000000001D0000-0x0000000001686000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\475E.exe

MD5 91d23595c11c7ee4424b6267aabf3600
SHA1 ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02
SHA256 d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47
SHA512 cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b

memory/2600-152-0x0000000004740000-0x0000000004780000-memory.dmp

memory/2600-150-0x0000000000A60000-0x0000000000A9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 98f5a8128bb24e8588b548a340fe1279
SHA1 ac523595241fd3df577a6d10fd646019e8730dba
SHA256 bbc4abefe3ae5aaf9acc0cc0410a91062358df23f464ff0deb275bd048a117b6
SHA512 f8919626eeb3d6c85dca20ed0905621a9c3f6e9a6063d9b98abd8d55067d28d13d998dcb73733012d8fc636f378e9c848319a6bc2168b636185668f0a8d6dfb7

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 cde750f39f58f1ec80ef41ce2f4f1db9
SHA1 942ea40349b0e5af7583fd34f4d913398a9c3b96
SHA256 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094
SHA512 c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 f23bb700f0c51834e58ce154af8213f7
SHA1 1fb8f483bc19f225a86843d835e095c59d70428d
SHA256 8c0c1ecede271f663afdcb231c774abe4919ff11d1f6573f979666a938f66497
SHA512 85846f137fb71bd9d3c7065e66bbb12229fabc2e75f97e07b9f056dc9197346f034cf4702a6d4d1e79d3685e374a1e7a2a680c373452076c2f2e8c547b7fe83c

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 205ed9df272172f2e8b0f301b9d07baa
SHA1 44e008b4ec8a960c88d65d7eea8380db59dc5678
SHA256 1b41a09d71dba2ebfbc6e88dbba22fd9af2af42b57fc3f3771cc1fbd0e1456d9
SHA512 755e3c188c8d05dcf4b1af757eea6f49d81141057a8b5f7d93305b80097e65477220cd06d36c6d4df8b7280765559b88a322842d49392d8f05cdf1add8202f89

memory/2628-185-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 4065c03bf4116f8e7d9b6ca2a6179e75
SHA1 0408006ae48149f72797b467075d4f59bb7c99cc
SHA256 40238930cd4daf0832a7bf20e2bb56fa527040d15b71f889db62357e915e5a0f
SHA512 e81c45ef7651279e6ffa2b91a2cb9bb45d3030df4600cb8f8d7cc73937fd3e7c9b3d8ce1b47513f20ddc014893d5440f2b45db022d7e3c73bf40a267eab9f720

\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 c32171aa355627312377a69b872a0bce
SHA1 33d1299b70d338b6e9066299127610285e494d62
SHA256 a2825515f1bbe0e5e5804b4c53603f6e03a668bf07a37d91edab2e550bbe0716
SHA512 a6d43b6505dd1d2d90fe0132396c6bc816715b1d647f24987942cfe8b72178509982efcd4fbad32b03802363f5d19d8f2391cdd58b0892560f9d5a749b25978d

\Users\Admin\AppData\Local\Temp\Broom.exe

MD5 0be3f7f7e2e2cb4d23f2849b1dcb91ea
SHA1 c818035a8486f48dde184cb600935c80b0f67b94
SHA256 ed28fd90d56a83de82ed73ee0297a4ecb08e52254bdef941e612798c6d76363f
SHA512 2e52603e524ea1192121a51bef0880e1cc45923d842ff3b5e2bf565b69b50ad9b99a6f9d32365c9420154e6f2f78dad6832cccdd5ba3c359b1c670c8a56d1764

C:\Users\Admin\AppData\Local\Temp\latestX.exe

MD5 5e5032296d50435725b3dbeab1ee3dba
SHA1 212c1bf92d18bd04f1bbcfcdb641881552660b94
SHA256 06f6fd83dfe8245ac6acdf50a762e406854af8f6f962be65fcfae87eeaf5b4a9
SHA512 1e82416120baf9bf880eecfc546565fc5c575f3e80365bc459ccce1befae0c3e220712683f24c4a94e899e69728f3f4ae7377538bf1f0a1121fb173e3ce4820f

memory/2500-199-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/2980-200-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2608-214-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1600-196-0x0000000073CA0000-0x000000007438E000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 c888cf992ccee49836505df6826a295e
SHA1 3a7e327529ae538fa7d4d93e2f96e6de5bd579bc
SHA256 189991b7912f46539d6e01c8bc136ab1baa64290237cb84d64976e53a64adcb4
SHA512 62c07833e8a003037b7fa07256e1125d62b96ee38cb8f0280c8a6176fff7e49abe5b995e7211aadd226c0e103b0c4f44ee8104bf0bdb2db084e0f713946b72ba

memory/2600-149-0x0000000073CA0000-0x000000007438E000-memory.dmp

memory/2500-231-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/2500-232-0x00000000029C0000-0x00000000032AB000-memory.dmp

memory/2500-233-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f4793e37be01c0df71861a0d30246e2b
SHA1 6aa56e704518be704bb65c50101ac462391b155b
SHA256 02958ed4a8738e34fbaad5735d48170f25ffabd87abdcb420af24abb595bd144
SHA512 762d5f049c10202fb194ba56f5ee67e24d8e752c58bd7bb9e917910bd36df3c457cc5b122771d54b9816b1f5648c12cbcaf56a75e684e32892d2e106afba50bd

memory/2780-238-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2684-239-0x0000000000240000-0x0000000000249000-memory.dmp

memory/2780-243-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 b1f5896e60f94e9e14bed0ec110fb2a5
SHA1 879d68827d6fc17a4c1813a70c3f5902c5959103
SHA256 b534acb6db481fc0dd4b3e287896b7a5b3eddf815c4b2a79bcf8485032b0c53c
SHA512 dbe801fcf94e35de9a513830acc2927bde07ad92853031053774f274b212869d8779fb66485630970278444d603ae5eeff557931080487009f1ee6ebf2cf68a8

memory/2780-241-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2684-237-0x0000000000250000-0x0000000000350000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub2.exe

MD5 51ea5b7509e843e683d78d0a91986126
SHA1 535cd05ea2e1fa5092922e792d2a996c8d56c4b3
SHA256 a487fb711c9ac8e19dc18b4405d663958612b006b1087bbe68965fbc0c7c2a49
SHA512 2bf0e5e348a8679fb27bb498b3fbf6c7e187520b1e22701bc1090857ad13aace5b90c75d2121a72ab52f07f077a07a0da13789b277f2a99f1f4db1ab0d7cd9d8

C:\Users\Admin\AppData\Local\Temp\629D.exe

MD5 f7af57399ce46cee841b90443c34472e
SHA1 d31060e709fa6271aa521f22b5f32ba06f3be71c
SHA256 adf7c3214e77b64b14eb35a7c81cfbb53bdebe2ded9949051a32667dbcebfbc8
SHA512 330d016f8000d623cf7e858462c666bfbbcde05f0119baa64186d6c506e763895f37dbaf9759006637ec55742bc420149f4f16165e836f88799523f67cf4483b

C:\Users\Admin\AppData\Local\Temp\629D.exe

MD5 8b2d9f898e78a7f949722c89b3c2b02c
SHA1 7d6f56c409dfb59a9c548517f31022b260e2cbcc
SHA256 2b4d1e817b0e8c68285f2567124742f698c75916a9953ddb9543209c304dcb88
SHA512 05d52f3cf267dacb37cac3a442c105346a05aae78f331683b3670ff4c3b2b6c645cd0ab1735409156d3a41e020d3e80b698459faf38a984ca536aae283b11841

memory/2600-249-0x0000000073CA0000-0x000000007438E000-memory.dmp

memory/2000-250-0x0000000000FF0000-0x00000000015A2000-memory.dmp

memory/2000-251-0x0000000073CA0000-0x000000007438E000-memory.dmp

memory/2600-252-0x0000000004740000-0x0000000004780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7a8a96fc605f9b03aa6bec35edab3c63
SHA1 a738231cecfdcf88fe02f1077d3da894f5353202
SHA256 93194d6b734b808e7237d1ef495127f2a7a5ca0801365e9ebcce683cd0212299
SHA512 00eff6cf0e0e1e41fbc5639c4893fcd19d2a4b70044ebe620748bad5be9d63f1846d0f84bca04ec8e9c021e04d7ad2e3e8c933373458348bc9515079708ef71a

memory/2500-254-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2500-255-0x00000000029C0000-0x00000000032AB000-memory.dmp

memory/2500-256-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/2904-257-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/2628-258-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1276-259-0x0000000002150000-0x0000000002166000-memory.dmp

memory/2780-260-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2904-266-0x00000000027E0000-0x0000000002BD8000-memory.dmp

memory/2980-267-0x0000000000400000-0x0000000000965000-memory.dmp

memory/2904-268-0x0000000002BE0000-0x00000000034CB000-memory.dmp

memory/2980-265-0x0000000000230000-0x0000000000231000-memory.dmp

memory/2768-269-0x000000013FEF0000-0x0000000140491000-memory.dmp

memory/2608-270-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2904-271-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 6fe5a8f31d07b70a5bb056a53ce4e220
SHA1 b112d27a7f4c0f14cacaf176ca0f3b31b485d421
SHA256 ba4793e9d384788a7f6d24b28344d41321164da918333ed36695f4ce52602e8b
SHA512 f3ca340634b328d4e3e96e36ec158ea03b6f544d73f667a888f015eb2307930d11d0b5dc7955544e33184585354fff8f80f40a0efc183924cb5b3aa738b050e8

memory/2904-280-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2904-281-0x00000000027E0000-0x0000000002BD8000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 a2e7f81541953a418ad00ece018024af
SHA1 663b8f8932fb8ba13c036d33ee86a87713e79d46
SHA256 8b322838a2e097f1643559794170e750c88f3185cb44d419c4a4f24c6054f9cc
SHA512 6bfbd72a4929ae4bf419478ec7142393a7f195ad609fceffaefabdf8236766ee6ae6ab3265897adff6efb53bb78e93493541bde62dd078f5dc4ef14c248a53c0

\Windows\rss\csrss.exe

MD5 67d91d7dfd2e3b4a538cb9332272e91e
SHA1 bc44b3caee1c81096ca085f33b7cf50e631849c2
SHA256 a674a3e179fdad3f5818d36a8ba0f32b6baad27e563f2daddf1f27c4601537fe
SHA512 009eb7e14f9434e860a847e86ca79f5caa066a927389f0bae8885d8d2b19253338c51b26886c00e07aaf26f972c708de45588e571d830701e2bf6a44e19bc547

memory/1900-293-0x0000000002850000-0x0000000002C48000-memory.dmp

memory/2608-294-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1900-295-0x0000000002850000-0x0000000002C48000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ee2e3d307a26f6ff503c4500baea5ade
SHA1 36ecef67c18c5c03618450fcadf485d4f9b67cbf
SHA256 243b1bd4544ab206acfaa5cf116812f0a7d87e1f4f0b279235cdc1d2d20f4bd9
SHA512 c06c2c9100de3f5750b1933a1a3e93b5a375b4f97cf16ddbdee1383a672bf34e14e2f2c73d989b519485e578d25a75de22e0e51697f9b15b718a6a0b520ce1a9

memory/1900-297-0x0000000000400000-0x0000000000D1C000-memory.dmp
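
Two caveats apply before the Files and Network listings above go into a blocklist. Several paths appear more than once with different digests (1VN46DW0.exe four times, csrss.exe four times, toolspub2.exe, InstallSetup9.exe, 629D.exe and others twice or more): the sandbox hashed the same path at different moments while it was being written or replaced, so each digest is a separate indicator and none of them is "the" hash of that file. One capture of 31839b57a4f11171d6abc8bbc4451ee4.exe carries MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709 and SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, the digests of zero bytes: the file was hashed while still empty, and those values would match every empty file on an estate. In the Network table, the 8.8.8.8:53 rows are the sandbox's resolver traffic and ipinfo.io, db-ip.com and www.maxmind.com are public IP-geolocation services the stealer queries to place the victim; the rows with no domain and the RU hosts contacted by bare IP are the destinations that belong in a blocklist. The Python below is an added example, not tooling from the report: it parses a copy of both listings (a subset of the Network rows; Files entries abridged to MD5 and SHA256), groups digests per path, rejects empty-file captures and separates lookups from endpoints. The geolocation-service set is an assumption about this report.

```python
import hashlib
import re

# Digests of zero bytes. A Files entry carrying one of these was hashed before the
# dropper finished writing the file and must not become a blocklist entry.
EMPTY_DIGESTS = {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}
# Public IP-geolocation services the sample queried to place the victim; not C2.
# Assumption for this example: the set is complete for this report.
GEO_SERVICES = {"ipinfo.io", "db-ip.com", "www.maxmind.com"}

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NET_ROW = re.compile(r"^([A-Z]{2}) (\S+):(\d+) (?:(\S+) )?(tcp|udp)$")

# Copied from the report: part of the behavioral1 Network table and a slice of its
# Files listing (digest lines abridged to MD5 and SHA256; all four kinds are parsed).
NETWORK_TABLE = """\
Country | Destination | Domain | Proto
US | 193.233.132.51:50500 | - | tcp
US | 8.8.8.8:53 | ipinfo.io | udp
US | 34.117.59.81:443 | ipinfo.io | tcp
US | 172.67.75.166:443 | db-ip.com | tcp
US | 104.18.146.235:80 | www.maxmind.com | tcp
RU | 81.19.131.34:80 | 81.19.131.34 | tcp
RU | 185.172.128.19:80 | 185.172.128.19 | tcp
RU | 77.105.132.87:6731 | - | tcp
MD | 176.123.7.190:32927 | - | tcp
"""
FILES_LISTING = r"""
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
MD5 9b10f741fad1d0dd09b89dc6638833ae
SHA256 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
MD5 1a02cbd4846b31176b76998ee12223c1
SHA256 acefb12e31b69bb85f05f4b962d92b5b8550452eba7c263385ad8a901b48a6d6
memory/1724-117-0x0000000000400000-0x000000000040B000-memory.dmp
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
MD5 f4793e37be01c0df71861a0d30246e2b
SHA256 02958ed4a8738e34fbaad5735d48170f25ffabd87abdcb420af24abb595bd144
"""


def parse_files(text):
    """Files listing -> [{'path': ..., 'md5': ..., 'sha256': ...}, ...].
    'memory/' lines are in-memory dumps without digests and are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_LINE.match(line)
        if m and records:
            records[-1][m.group(1).lower()] = m.group(2).lower()
        elif not m:
            records.append({"path": line})
    return records


def normalize_path(path):
    """'\\Users\\x' and 'C:\\Users\\x' name the same file: drop the drive, lower-case."""
    return re.sub(r"^[A-Za-z]:", "", path).lstrip("\\").lower()


def file_iocs(records):
    """Per normalized path: the set of real SHA256s and how many captures were still empty."""
    by_path = {}
    for rec in records:
        entry = by_path.setdefault(normalize_path(rec["path"]), {"sha256": set(), "empty_captures": 0})
        if any(rec.get(alg) == digest for alg, digest in EMPTY_DIGESTS.items()):
            entry["empty_captures"] += 1
        elif "sha256" in rec:
            entry["sha256"].add(rec["sha256"])
    return by_path


def network_iocs(text):
    """Rows -> resolver IPs, geolocation lookups and blockable ip:port/proto endpoints.
    Accepts the whitespace-only layout as well as the ' | ' layout ('-' = no domain)."""
    out = {"resolver": set(), "geolocation": set(), "endpoints": set()}
    for raw in text.splitlines():
        m = NET_ROW.match(" ".join(raw.replace("|", " ").split()))
        if not m:
            continue
        _country, ip, port, domain, proto = m.groups()
        if proto == "udp" and port == "53":
            out["resolver"].add(ip)
        elif domain in GEO_SERVICES:
            out["geolocation"].add(domain)
        else:
            out["endpoints"].add(f"{ip}:{port}/{proto}")
    return out


def blocklist(files, net):
    """Indicators safe to deploy: real digests plus endpoints that are not lookups."""
    return {"sha256": sorted(h for e in files.values() for h in e["sha256"]),
            "endpoints": sorted(net["endpoints"])}
```

blocklist(file_iocs(parse_files(FILES_LISTING)), network_iocs(NETWORK_TABLE)) yields three SHA256 values (the empty capture is dropped, the two 1VN46DW0.exe captures are both kept) and five endpoints. The empty digests are computed with hashlib rather than pasted so the check holds for every algorithm the report prints.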

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-11 07:10

Reported

2023-12-11 07:12

Platform

win10v2004-20231130-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

Signatures

PrivateLoader

loader privateloader

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 220 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 220 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 220 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1432 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 3120 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\Temp\B844.exe
PID 3120 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\Temp\B844.exe
PID 3120 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\Temp\B844.exe
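The WriteProcessMemory rows above are the only place this report records which process started which. The following script is an added example, not part of the sandbox output or of any tool the report names: it parses rows in that exact column layout, collapses the repeated entries (each handoff is listed three times), and prints the process chain. PID 3120, which writes into B844.exe, never appears in the Processes list, so the tree marks it as unnamed rather than guessing. All function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed copy of rows from the "Suspicious use of WriteProcessMemory"
# table (columns: Description Indicator Process Target). The report lists
# each parent->child handoff three times; the first one is kept in triplicate
# here so the de-duplication is exercised. No path in this report contains a
# space, so whitespace splitting is safe for this input.
WPM_ROWS = r"""
PID 220 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 220 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 220 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
PID 1432 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 1432 wrote to memory of 1012 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe C:\Windows\SysWOW64\schtasks.exe
PID 220 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
PID 3120 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\Temp\B844.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_wpm(text):
    """Return de-duplicated (ppid, pid, parent_image, child_image) tuples in report order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        ppid, pid, _indicator, parent, child = m.groups()
        edge = (int(ppid), int(pid), parent, child)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map PID -> image (where the report names one) and PID -> child PIDs."""
    names, children = {}, defaultdict(list)
    for ppid, pid, parent, child in edges:
        if parent != "N/A":
            names.setdefault(ppid, parent)
        if child != "N/A":
            names.setdefault(pid, child)
        children[ppid].append(pid)
    return names, children


def roots(edges):
    """Writers that are never themselves written to: the top of each chain."""
    written_to = {pid for _, pid, _, _ in edges}
    out = []
    for ppid, _, _, _ in edges:
        if ppid not in written_to and ppid not in out:
            out.append(ppid)
    return out


def render_tree(edges):
    """Indented text tree; a writer the report never names (PID 3120 here) is marked explicitly."""
    names, children = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid}  {names.get(pid, '<image not recorded in report>')}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_wpm(WPM_ROWS))))
```

Run as-is it prints two chains: XO0UY05.exe (220) spawning 1VN46DW0.exe (1432, which then runs schtasks.exe twice) and 4uZ060Ph.exe (2652), plus an unnamed PID 3120 writing into B844.exe (1728). The unnamed writer is the gap worth closing in a full capture.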

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe

"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1432 -ip 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1780

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

C:\Users\Admin\AppData\Local\Temp\B844.exe

C:\Users\Admin\AppData\Local\Temp\B844.exe
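The report records four persistence mechanisms across two places: the Run and RunOnce values and the Startup .lnk in the "Adds Run key" and "Drops startup file" tables, and the two schtasks command lines in the Processes list above. The following script is an added example written for this page, not sandbox output, that parses those artifacts from the report's own text and ranks them. The scoring weights, the list of user-writable directories and all function names are this example's assumptions. One fact it relies on: a RunOnce value named wextract_cleanup0 that runs advpack.dll,DelNodeRunDLL32 on an IXP000.TMP folder is the cleanup entry written by a wextract self-extracting package, so it tells you the dropper's packaging rather than how the payload persists.

```python
import re

# Constructed from the report: the schtasks command lines in the Processes list
# and the three rows of the "Adds Run key" / "Drops startup file" tables.
SCHTASKS_CMDS = [
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
]
REG_ROWS = [
    r'\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
    r'\REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"',
]
STARTUP_FILES = [
    r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
REG_RE = re.compile(r'^(\\REGISTRY\\\S+?)\\(RunOnce|Run)\\(\S+) = "(.*)"$')
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")  # assumption
RERUN_TRIGGERS = {"ONLOGON", "ONSTART", "LOGON", "MINUTE", "HOURLY", "DAILY"}


def tokenize(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted if quoted else plain for quoted, plain in TOKEN_RE.findall(cmd)]


def parse_schtasks(cmd):
    toks = tokenize(cmd)
    opts, i = {}, 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/f"):
            opts[t] = True
            i += 1
        elif t.startswith("/") and i + 1 < len(toks):
            opts[t] = toks[i + 1]
            i += 2
        else:
            i += 1
    return {"kind": "schtask", "name": opts.get("/tn"), "target": opts.get("/tr"),
            "trigger": (opts.get("/sc") or "").upper(),
            "runlevel": (opts.get("/rl") or "").upper(), "user": opts.get("/ru")}


def parse_run_value(row):
    m = REG_RE.match(row)
    if not m:
        return None
    hive_path, subkey, name, data = m.groups()
    data = data.replace('\\"', '"').replace('\\\\', '\\')   # undo the report's escaping
    if name.startswith("wextract_cleanup") and "DelNodeRunDLL32" in data:
        kind = "sfx-cleanup"
    else:
        kind = subkey.lower()
    return {"kind": kind, "name": name, "target": tokenize(data)[0] if data else None,
            "trigger": "LOGON", "runlevel": "",
            "user": "HKLM" if "\\MACHINE\\" in hive_path else "HKCU", "data": data}


def parse_startup(path):
    # The report records the .lnk path but not its target.
    return {"kind": "startup-lnk", "name": path.rsplit("\\", 1)[-1], "target": None,
            "trigger": "LOGON", "runlevel": "", "user": "HKCU"}


def assess(a):
    score, why = 0, []
    if a["kind"] == "sfx-cleanup":
        why.append("wextract SFX cleanup of IXP000.TMP: dropper artifact, not payload persistence")
        return score, why
    t = (a["target"] or "").lower()
    if not t:
        score += 1
        why.append("target not recorded in the report; resolve the .lnk from the dropped file")
    elif any(s in t for s in USER_WRITABLE):
        score += 2
        why.append("target lives in a user-writable directory")
    if a["runlevel"] == "HIGHEST":
        score += 2
        why.append("task runs with the highest privileges available to the account")
    if a["trigger"] in RERUN_TRIGGERS:
        score += 1
        why.append(f"re-executes on {a['trigger']}")
    return score, why


def triage():
    arts = [parse_schtasks(c) for c in SCHTASKS_CMDS]
    arts += [a for a in (parse_run_value(r) for r in REG_ROWS) if a]
    arts += [parse_startup(p) for p in STARTUP_FILES]
    for a in arts:
        a["score"], a["why"] = assess(a)
    return sorted(arts, key=lambda a: -a["score"])


if __name__ == "__main__":
    for a in triage():
        print(a["score"], a["kind"], a["name"], a["target"], "; ".join(a["why"]))
```

The two scheduled tasks rank highest: both point at a binary under C:\ProgramData, request the highest run level and re-fire on logon and hourly. The Run value under HKCU ranks next, the Startup .lnk is flagged for its unresolved target, and the RunOnce cleanup entry scores zero.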

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 34.131.19.81.in-addr.arpa udp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
RU 77.105.132.87:6731 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
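Most rows in the Network table are resolver traffic to 8.8.8.8, and many of those are reverse (in-addr.arpa) lookups whose labels, read backwards, name an IP the host dealt with even where no direct connection to it is listed. The script below is an added example for this page, not sandbox output: it parses rows in the table's column layout, separates mDNS and resolver noise from real connections, turns PTR names back into addresses, and reports which of those addresses never show up as a direct connection. Treating tse1.mm.bing.net as OS background traffic is this example's assumption; ipinfo.io is kept as its own bucket because the report itself flags it as the external-IP lookup. Function names are the example's own.

```python
import ipaddress
from collections import Counter

# Constructed excerpt of the Network table above (columns: Country
# Destination Domain Proto; Domain is empty for direct-to-IP connections).
NET_ROWS = """
N/A 224.0.0.251:5353 udp
US 193.233.132.51:50500 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 51.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
RU 81.19.131.34:80 81.19.131.34 tcp
RU 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
GB 96.17.178.174:80 tcp
GB 96.17.178.174:80 tcp
RU 77.105.132.87:6731 tcp
US 8.8.8.8:53 udp
"""

# Assumptions, not report content: the Bing host is treated as OS background
# traffic; ipinfo.io is the external-IP check the report itself flags.
BENIGN_DOMAINS = {"tse1.mm.bing.net"}
GEOIP_DOMAINS = {"ipinfo.io"}
RESOLVER = ("8.8.8.8", 53)


def parse_net(text):
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 3:
            country, dest, proto = fields
            domain = ""
        elif len(fields) == 4:
            country, dest, domain, proto = fields
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'51.132.233.193.in-addr.arpa' -> '193.233.132.51'; None for forward names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def summarize(rows):
    out = {"to_review": Counter(), "geoip": Counter(), "benign": Counter(),
           "ptr_lookups": [], "dns_queries": [], "noise": 0}
    for r in rows:
        key = f'{r["ip"]}:{r["port"]}/{r["proto"]}'
        if ipaddress.ip_address(r["ip"]).is_multicast:     # mDNS chatter
            out["noise"] += 1
        elif (r["ip"], r["port"]) == RESOLVER:
            ip = ptr_to_ip(r["domain"])
            if ip:
                if ip not in out["ptr_lookups"]:
                    out["ptr_lookups"].append(ip)
            elif r["domain"]:
                if r["domain"] not in out["dns_queries"]:
                    out["dns_queries"].append(r["domain"])
            else:
                out["noise"] += 1                           # query with no name recorded
        elif r["domain"] in BENIGN_DOMAINS:
            out["benign"][key] += 1
        elif r["domain"] in GEOIP_DOMAINS:
            out["geoip"][key] += 1
        else:
            out["to_review"][key] += 1
    return out


def ptr_only_leads(summary):
    """IPs the host reverse-resolved but never connected to in the capture."""
    connected = {k.split(":")[0]
                 for bucket in ("to_review", "geoip", "benign")
                 for k in summary[bucket]}
    return [ip for ip in summary["ptr_lookups"] if ip not in connected]


if __name__ == "__main__":
    s = summarize(parse_net(NET_ROWS))
    for key, n in s["to_review"].most_common():
        print(f"{n:3d}  {key}")
    print("PTR-only leads:", ptr_only_leads(s))
```

On the excerpt this leaves five endpoints to review (the 50500/tcp and 6731/tcp connections, two direct-to-IP HTTP hosts in RU, and the repeated 96.17.178.174:80 connections) and one PTR-only lead, 51.124.78.146, which appears nowhere else in the table. A reverse lookup is corroboration rather than proof of contact, so such leads belong in the pivot list, not straight into a blocklist.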

Files

C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

MD5 99ce0ae115832abc40e2e57599ef78a0
SHA1 fd842bd20905ab8a03b5ccb5160dd5103b6aec55
SHA256 10b22af94e1e8a1892ea1fc7cc30cec8d75804adce908779f5f6c3ed8324fcb8
SHA512 cc5a374e0034db4f9500e103cf6413b434d6de63871f4afca61d2f0e01050a565c8ff78f1c6cccc486ef9b66e1d8f8548e1e5ab11d5c6bbe046cc9347e64a7ef

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe

MD5 9b10f741fad1d0dd09b89dc6638833ae
SHA1 1f0ffa6f136cd5433f202c9c79ce5956796b4151
SHA256 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6
SHA512 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7

C:\Users\Admin\AppData\Local\Temp\grandUIAJ71H1v_YLtbS0\information.txt

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2652-86-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe

MD5 8837a89b82d0d3b0259cc9f47b2e599b
SHA1 51dd86a6a717a8f1470fff7a65f96c983aa71f09
SHA256 ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701
SHA512 4a6c660c78bc99916d68978243f1140203a5805a3a7ae7a1749c609bd5aaf06b9ac253c09c0a206acdb832b45bc1ab700a5beb98024131779a45c70b53c7bc71

memory/3120-87-0x0000000000A10000-0x0000000000A26000-memory.dmp

memory/2652-89-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B844.exe

MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/1728-95-0x00000000007D0000-0x000000000080C000-memory.dmp

memory/1728-100-0x00000000746E0000-0x0000000074E90000-memory.dmp

memory/1728-101-0x00000000079E0000-0x0000000007F84000-memory.dmp

memory/1728-102-0x00000000074D0000-0x0000000007562000-memory.dmp

memory/1728-103-0x0000000007760000-0x0000000007770000-memory.dmp

memory/1728-104-0x00000000074A0000-0x00000000074AA000-memory.dmp

memory/1728-106-0x00000000089B0000-0x0000000008FC8000-memory.dmp

memory/1728-108-0x0000000008990000-0x00000000089A2000-memory.dmp

memory/1728-110-0x000000000A2B0000-0x000000000A2FC000-memory.dmp

memory/1728-109-0x000000000A270000-0x000000000A2AC000-memory.dmp

memory/1728-107-0x000000000A340000-0x000000000A44A000-memory.dmp

memory/1728-111-0x000000000AF40000-0x000000000AFA6000-memory.dmp

memory/1728-112-0x00000000746E0000-0x0000000074E90000-memory.dmp

memory/1728-113-0x0000000007760000-0x0000000007770000-memory.dmp
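Before the hashes in the Files list go into a blocklist they deserve a sanity pass: information.txt in particular carries the MD5, SHA1, SHA256 and SHA512 of zero-length input, so the file was empty when dumped and its hashes match every empty file on every host. The script below is an added example written for this page, not sandbox output; it parses entries in the layout above, checks each digest for the right length and alphabet, rejects empty-file hashes, and turns the memory-dump names into per-PID region sizes. Function names are the example's own.

```python
import hashlib
import re

# Constructed excerpt of the Files list above: dropped-file entries
# (path + MD5/SHA1/SHA256/SHA512) interleaved with memory-dump names.
FILES_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
MD5 99ce0ae115832abc40e2e57599ef78a0
SHA1 fd842bd20905ab8a03b5ccb5160dd5103b6aec55
SHA256 10b22af94e1e8a1892ea1fc7cc30cec8d75804adce908779f5f6c3ed8324fcb8
SHA512 cc5a374e0034db4f9500e103cf6413b434d6de63871f4afca61d2f0e01050a565c8ff78f1c6cccc486ef9b66e1d8f8548e1e5ab11d5c6bbe046cc9347e64a7ef

C:\Users\Admin\AppData\Local\Temp\grandUIAJ71H1v_YLtbS0\information.txt
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2652-86-0x0000000000400000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B844.exe
MD5 f88edad62a7789c2c5d8047133da5fa7
SHA1 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
SHA256 eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
SHA512 e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60

memory/1728-95-0x00000000007D0000-0x000000000080C000-memory.dmp
memory/1728-100-0x00000000746E0000-0x0000000074E90000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of b"" computed locally, so the empty-file check is not a typed-in constant.
EMPTY = {alg: hashlib.new(alg, b"").hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_files(text):
    """Split the list into file records ({path, hashes}) and memory-dump records."""
    files, dumps, cur = [], [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "idx": int(idx),
                          "start": int(start, 16), "end": int(end, 16)})
            cur = None
            continue
        alg, _, digest = line.partition(" ")
        if alg in HASH_LEN and cur is not None:
            cur["hashes"][alg.lower()] = digest.strip().lower()
        else:
            cur = {"path": line, "hashes": {}}
            files.append(cur)
    return files, dumps


def audit(files):
    """{path: [issue, ...]} for entries that should not go into a blocklist as-is."""
    issues = {}
    for f in files:
        found = []
        for alg, n in HASH_LEN.items():
            d = f["hashes"].get(alg.lower())
            if d is None:
                found.append(f"missing {alg}")
            elif len(d) != n or not re.fullmatch(r"[0-9a-f]+", d):
                found.append(f"malformed {alg}")
        if f["hashes"].get("sha256") == EMPTY["sha256"]:
            found.append("zero-length file: digests are those of empty input, useless as an indicator")
        if found:
            issues[f["path"]] = found
    return issues


def blocklist(files):
    """Sorted SHA256 values that survived audit()."""
    bad = audit(files)
    return sorted(f["hashes"]["sha256"] for f in files if f["path"] not in bad)


def dump_regions(dumps):
    """PID -> list of dumped regions with their sizes, in report order."""
    by_pid = {}
    for d in dumps:
        by_pid.setdefault(d["pid"], []).append(
            {"idx": d["idx"], "start": d["start"], "size": d["end"] - d["start"]})
    return by_pid


if __name__ == "__main__":
    files, dumps = parse_files(FILES_TEXT)
    for path, why in audit(files).items():
        print(path, "->", "; ".join(why))
    for pid, regions in dump_regions(dumps).items():
        for r in regions:
            print(f"PID {pid}: 0x{r['start']:X} size 0x{r['size']:X}")
```

On the excerpt only information.txt is rejected, leaving two SHA256 values for blocking, and the region sizes come out as 0xB000 for PID 2652 and 0x3C000 and 0x7B0000 for PID 1728.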