Analysis Overview
SHA256
cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
Threat Level: Known bad
The file XO0UY05.exe was found to be: Known bad.
Malicious Activity Summary
RisePro
SmokeLoader
RedLine
PrivateLoader
RedLine payload
Modifies Windows Firewall
Downloads MZ/PE file
Drops startup file
Executes dropped EXE
Reads user/profile data of local email clients
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Drops file in System32 directory
Program crash
Unsigned PE
Enumerates physical storage devices
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 07:10
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 07:10
Reported
2023-12-11 07:12
Platform
win7-20231023-en
Max time kernel
133s
Max time network
138s
Command Line
Signatures
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CD8C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4480.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CD8C.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe
"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
C:\Users\Admin\AppData\Local\Temp\CD8C.exe
C:\Users\Admin\AppData\Local\Temp\CD8C.exe
C:\Users\Admin\AppData\Local\Temp\4480.exe
C:\Users\Admin\AppData\Local\Temp\4480.exe
C:\Users\Admin\AppData\Local\Temp\475E.exe
C:\Users\Admin\AppData\Local\Temp\475E.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-2BK5B.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2BK5B.tmp\tuc3.tmp" /SL5="$110152,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211071228.log C:\Windows\Logs\CBS\CbsPersist_20231211071228.cab
C:\Users\Admin\AppData\Local\Temp\629D.exe
C:\Users\Admin\AppData\Local\Temp\629D.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
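The command lines and registry writes above carry the run's persistence and defence-evasion story in compact form: two `schtasks /create` calls with `/rl HIGHEST` on an hourly and a logon trigger, a `netsh advfirewall` inbound allow rule for a binary named `csrss.exe` that lives under `C:\Windows\rss` rather than `System32`, and a `Run` value pointing into `AppData`. One entry in the same section is not persistence at all: the `RunOnce\wextract_cleanup0` value that calls `advpack.dll,DelNodeRunDLL32` on `IXP000.TMP` is the standard cleanup step written by the Microsoft wextract/IExpress self-extractor stub, so it tells you the submitted sample is an SFX wrapper but should not be hunted as a malware artefact. The following classifier is an added example written for this page (editor's code, not the sandbox's): it parses the report's own command lines and `Set value` entries and emits findings with an ATT&CK technique mapping that is the editor's, not the report's. The `SYSTEM_BINARIES` and `USER_WRITABLE` lists are illustrative starting points, not an exhaustive reference.

```python
"""Classify the persistence and defence-evasion artefacts in this report.

Added example (editor's code, not the sandbox's). The sample inputs are the
process command lines and registry writes copied from the behavioral1 run;
the ATT&CK technique mapping and the scoring rules are the editor's.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

TOKEN_RE = re.compile(r'"[^"]*"|\S+')        # a quoted argument or a bare word
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # netsh-style key=value / key="value"

# Illustrative lists (editor's assumptions), not an exhaustive reference.
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
SCHTASKS_NO_VALUE = {"/create", "/f", "/z", "/v1", "/it", "/np"}  # switches with no argument


@dataclass
class Finding:
    technique: Optional[str]            # ATT&CK ID (editor's mapping); None = context only
    summary: str
    evidence: dict = field(default_factory=dict)
    fidelity: str = "high"


def tokenize(cmd):
    """Split a Windows command line, keeping quoted arguments as one token."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def parse_schtasks(cmd):
    """Map /switch -> value for a schtasks command line; None if it is not schtasks."""
    toks = tokenize(cmd)
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if not key.startswith("/"):
            i += 1
        elif key in SCHTASKS_NO_VALUE or i + 1 == len(toks) or toks[i + 1].startswith("/"):
            opts[key], i = True, i + 1
        else:
            opts[key], i = toks[i + 1], i + 2
    return opts


def analyze_schtasks(cmd):
    opts = parse_schtasks(cmd)
    if not opts or "/create" not in opts:
        return []
    reasons, binary = [], str(opts.get("/tr", ""))
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("runs with highest privileges (/rl HIGHEST)")
    if str(opts.get("/sc", "")).upper() in {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}:
        reasons.append(f"re-executes on a {opts['/sc']} trigger")
    if user_writable(binary):
        reasons.append("task binary lives in a user-writable directory")
    if not reasons:
        return []
    return [Finding("T1053.005", "Scheduled task: " + "; ".join(reasons),
                    {"name": opts.get("/tn"), "binary": binary})]


def check_masquerade(path):
    """Flag a system-binary name executing outside System32/SysWOW64."""
    low = path.lower().replace("/", "\\")
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
        return [Finding("T1036.005", f"{name} running outside the system directory", {"path": path})]
    return []


def analyze_netsh(cmd):
    low = cmd.lower()
    if "netsh" not in low or "advfirewall" not in low or "add rule" not in low:
        return []
    kv = {k.lower(): v.strip('"') for k, v in KV_RE.findall(cmd)}  # works inside a cmd /C wrapper too
    findings = []
    if kv.get("action", "").lower() == "allow" and kv.get("dir", "").lower() == "in":
        findings.append(Finding("T1562.004", f"inbound allow rule '{kv.get('name')}' added to the host firewall",
                                {"rule": kv.get("name"), "program": kv.get("program")}))
    return findings + check_masquerade(kv.get("program", ""))


def analyze_registry(event):
    """event is 'KEY\\ValueName = "data"', the shape of the report's Set value rows."""
    key, _, data = event.partition(" = ")
    low, name, data = key.lower(), key.rsplit("\\", 1)[-1], data.strip().strip('"')
    if ("\\currentversion\\runonce\\" in low and name.lower().startswith("wextract_cleanup")
            and "advpack.dll,delnoderundll32" in data.lower()):
        return [Finding(None, "RunOnce wextract_cleanup: standard IExpress/wextract self-extractor "
                        "cleanup of IXP000.TMP, not malware persistence (shows an SFX wrapper)",
                        {"value": name}, fidelity="low")]
    if "\\currentversion\\run\\" in low or "\\currentversion\\runonce\\" in low:
        summary = f"Run key value '{name}' starts {data}"
        if user_writable(data):
            summary += " (user-writable path)"
        return [Finding("T1547.001", summary, {"value": name, "command": data})]
    return []


def analyze(cmdlines, registry_events):
    findings = []
    for cmd in cmdlines:
        findings += analyze_schtasks(cmd) + analyze_netsh(cmd)
    for event in registry_events:
        findings += analyze_registry(event)
    return findings


# Sample input copied from this report (behavioral1 Processes and Signatures sections).
CMDLINES = [
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211071228.log C:\Windows\Logs\CBS\CbsPersist_20231211071228.cab',
]
REGISTRY_EVENTS = [
    r'\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"',
    r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""',
]

if __name__ == "__main__":
    for f in analyze(CMDLINES, REGISTRY_EVENTS):
        print(f.technique or "info", f.fidelity, f.summary, f.evidence)
```

Run against the four command lines and two registry writes, the makecab invocation (benign CBS log compression) yields nothing, each schtasks call yields one T1053.005 finding, the single netsh line yields both T1562.004 and T1036.005, and the two registry writes split into one T1547.001 finding and one low-fidelity context note, which is the triage a practitioner would want before pushing these strings into a hunt.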
Network
| Country | Destination | Domain | Proto |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
| MD5 | 9b10f741fad1d0dd09b89dc6638833ae |
| SHA1 | 1f0ffa6f136cd5433f202c9c79ce5956796b4151 |
| SHA256 | 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6 |
| SHA512 | 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
| MD5 | 1a02cbd4846b31176b76998ee12223c1 |
| SHA1 | 8117ccd23d6dd664d9286121b8c7b76a87e5c211 |
| SHA256 | acefb12e31b69bb85f05f4b962d92b5b8550452eba7c263385ad8a901b48a6d6 |
| SHA512 | d238149966650fb9703a550f231f700f99442aa7124ca2d6c0ccae44cff7c84ed066482ec2bb53fe4c5b812989514562b78c763cc650a3d6b4cad0649f6bd63e |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
| MD5 | 4f29a3c96e73c5ebb246b0fda2a3b79d |
| SHA1 | d0f52345a5a31c6bbea0d0bbc456f70f218c5a72 |
| SHA256 | e5c5990aed28391ad8623d5f1294ee03af9cfb375083e9c4dd619b2eef26c09f |
| SHA512 | 6c1814e72cf66b86078f739c518907e576b053d8c26968b6f1229def6f9d55a6ee4b149ff9518a81164e20b5168fc47579f9a3f6cb8b5b49c811576e241c5832 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
| MD5 | b0a822c38a0766b3d20266623882b3ba |
| SHA1 | 244322f02ed06c79f0789dbb4f339743553a442e |
| SHA256 | 528b05df765efb94fab9780028454ea84c8ed43962cefd994ed241bc0a560060 |
| SHA512 | bdc466ad01869c6f44b9db6c0d55eab6c48bdfd6687aa29d5d3789725f7342e804f8a1d4ca26c7f28e90e688452d6f34101d56598e1a840205ac582526a87032 |
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
| MD5 | 646adfb5ed2202fd251e2cf5e95330f1 |
| SHA1 | 3b7c375cc9d8598035bbc3033c56ca92ff15ae53 |
| SHA256 | 86ad3a3f454090951ce79947929c493d28e4055ce28aed1dbd9e3d213b05efb5 |
| SHA512 | 55548fe2db19d7d49f4deebc3cff6c55524830a7d615fcd527b506544b85f1f4d7a8d9c32d3c56f6d2c8950741720af63f8f6a02ae920d23754f1f78e008dd3c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar6159.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\grandUIAJ71H1v_YLtbS0\information.txt
| MD5 | 79d56f4262d4f85e61764dfd6a10a87f |
| SHA1 | 8a2f78ca967d856098f8f33e1b15b264dcf0b7b9 |
| SHA256 | 9bb307c3c421b682489cc20b64e2bf67474ac958b23e1009886362fc77476c91 |
| SHA512 | 1c1fd70d61da1672b52778cb7538a8d59e9b1b3b30e52ca953541365f8565d74776d9a8db630069259f902e2686e4ce08bafb516d32814ffe56d6ecde64c28a4 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
| MD5 | 8837a89b82d0d3b0259cc9f47b2e599b |
| SHA1 | 51dd86a6a717a8f1470fff7a65f96c983aa71f09 |
| SHA256 | ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701 |
| SHA512 | 4a6c660c78bc99916d68978243f1140203a5805a3a7ae7a1749c609bd5aaf06b9ac253c09c0a206acdb832b45bc1ab700a5beb98024131779a45c70b53c7bc71 |
memory/1724-117-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1856-113-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/1856-109-0x00000000000B0000-0x00000000000BB000-memory.dmp
memory/1276-118-0x00000000029A0000-0x00000000029B6000-memory.dmp
memory/1724-119-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CD8C.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/1668-126-0x00000000000F0000-0x000000000012C000-memory.dmp
memory/1668-131-0x0000000074390000-0x0000000074A7E000-memory.dmp
memory/1668-132-0x0000000007490000-0x00000000074D0000-memory.dmp
memory/1668-136-0x0000000074390000-0x0000000074A7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4480.exe
| MD5 | edc1341a2699667c4606459c372669b1 |
| SHA1 | d7722b0ff8f20582bcb4f6c60e4ecc9d0cc1d8b9 |
| SHA256 | da3cc791755b59135047bd48dc64ae5c8726be1cad27ab419c50a59d63015635 |
| SHA512 | 3ca49fbccc9ea08911069d8981c00e7d5b9f9bc0d0af645807fc4d5cf0a51c344353674b628e49bc770d7d8f85f8445a0a0b0643934b9bbb73bb97a665e94722 |
C:\Users\Admin\AppData\Local\Temp\4480.exe
| MD5 | 0c61c1830763156dcfb2aff4550f40a4 |
| SHA1 | 13293576aecfd4b571fd19f6e2016850cb397729 |
| SHA256 | 68d7339dea4053d9a2be6bb147c407aa1139cbfe0819b3c9cf8d48c79820c118 |
| SHA512 | b679ec1106056933ac6beb4748199951035726ab2219c6e657c68c93a6c06d881a0c1b88231c35be5c4555429b41149ee26a5378160452990e1526fd6b428d7b |
memory/1600-142-0x0000000073CA0000-0x000000007438E000-memory.dmp
memory/1600-143-0x00000000001D0000-0x0000000001686000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\475E.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/2600-152-0x0000000004740000-0x0000000004780000-memory.dmp
memory/2600-150-0x0000000000A60000-0x0000000000A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 98f5a8128bb24e8588b548a340fe1279 |
| SHA1 | ac523595241fd3df577a6d10fd646019e8730dba |
| SHA256 | bbc4abefe3ae5aaf9acc0cc0410a91062358df23f464ff0deb275bd048a117b6 |
| SHA512 | f8919626eeb3d6c85dca20ed0905621a9c3f6e9a6063d9b98abd8d55067d28d13d998dcb73733012d8fc636f378e9c848319a6bc2168b636185668f0a8d6dfb7 |
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | f23bb700f0c51834e58ce154af8213f7 |
| SHA1 | 1fb8f483bc19f225a86843d835e095c59d70428d |
| SHA256 | 8c0c1ecede271f663afdcb231c774abe4919ff11d1f6573f979666a938f66497 |
| SHA512 | 85846f137fb71bd9d3c7065e66bbb12229fabc2e75f97e07b9f056dc9197346f034cf4702a6d4d1e79d3685e374a1e7a2a680c373452076c2f2e8c547b7fe83c |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 205ed9df272172f2e8b0f301b9d07baa |
| SHA1 | 44e008b4ec8a960c88d65d7eea8380db59dc5678 |
| SHA256 | 1b41a09d71dba2ebfbc6e88dbba22fd9af2af42b57fc3f3771cc1fbd0e1456d9 |
| SHA512 | 755e3c188c8d05dcf4b1af757eea6f49d81141057a8b5f7d93305b80097e65477220cd06d36c6d4df8b7280765559b88a322842d49392d8f05cdf1add8202f89 |
memory/2628-185-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 4065c03bf4116f8e7d9b6ca2a6179e75 |
| SHA1 | 0408006ae48149f72797b467075d4f59bb7c99cc |
| SHA256 | 40238930cd4daf0832a7bf20e2bb56fa527040d15b71f889db62357e915e5a0f |
| SHA512 | e81c45ef7651279e6ffa2b91a2cb9bb45d3030df4600cb8f8d7cc73937fd3e7c9b3d8ce1b47513f20ddc014893d5440f2b45db022d7e3c73bf40a267eab9f720 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | c32171aa355627312377a69b872a0bce |
| SHA1 | 33d1299b70d338b6e9066299127610285e494d62 |
| SHA256 | a2825515f1bbe0e5e5804b4c53603f6e03a668bf07a37d91edab2e550bbe0716 |
| SHA512 | a6d43b6505dd1d2d90fe0132396c6bc816715b1d647f24987942cfe8b72178509982efcd4fbad32b03802363f5d19d8f2391cdd58b0892560f9d5a749b25978d |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 0be3f7f7e2e2cb4d23f2849b1dcb91ea |
| SHA1 | c818035a8486f48dde184cb600935c80b0f67b94 |
| SHA256 | ed28fd90d56a83de82ed73ee0297a4ecb08e52254bdef941e612798c6d76363f |
| SHA512 | 2e52603e524ea1192121a51bef0880e1cc45923d842ff3b5e2bf565b69b50ad9b99a6f9d32365c9420154e6f2f78dad6832cccdd5ba3c359b1c670c8a56d1764 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 5e5032296d50435725b3dbeab1ee3dba |
| SHA1 | 212c1bf92d18bd04f1bbcfcdb641881552660b94 |
| SHA256 | 06f6fd83dfe8245ac6acdf50a762e406854af8f6f962be65fcfae87eeaf5b4a9 |
| SHA512 | 1e82416120baf9bf880eecfc546565fc5c575f3e80365bc459ccce1befae0c3e220712683f24c4a94e899e69728f3f4ae7377538bf1f0a1121fb173e3ce4820f |
memory/2500-199-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/2980-200-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2608-214-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1600-196-0x0000000073CA0000-0x000000007438E000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | c888cf992ccee49836505df6826a295e |
| SHA1 | 3a7e327529ae538fa7d4d93e2f96e6de5bd579bc |
| SHA256 | 189991b7912f46539d6e01c8bc136ab1baa64290237cb84d64976e53a64adcb4 |
| SHA512 | 62c07833e8a003037b7fa07256e1125d62b96ee38cb8f0280c8a6176fff7e49abe5b995e7211aadd226c0e103b0c4f44ee8104bf0bdb2db084e0f713946b72ba |
memory/2600-149-0x0000000073CA0000-0x000000007438E000-memory.dmp
memory/2500-231-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/2500-232-0x00000000029C0000-0x00000000032AB000-memory.dmp
memory/2500-233-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f4793e37be01c0df71861a0d30246e2b |
| SHA1 | 6aa56e704518be704bb65c50101ac462391b155b |
| SHA256 | 02958ed4a8738e34fbaad5735d48170f25ffabd87abdcb420af24abb595bd144 |
| SHA512 | 762d5f049c10202fb194ba56f5ee67e24d8e752c58bd7bb9e917910bd36df3c457cc5b122771d54b9816b1f5648c12cbcaf56a75e684e32892d2e106afba50bd |
memory/2780-238-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2684-239-0x0000000000240000-0x0000000000249000-memory.dmp
memory/2780-243-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | b1f5896e60f94e9e14bed0ec110fb2a5 |
| SHA1 | 879d68827d6fc17a4c1813a70c3f5902c5959103 |
| SHA256 | b534acb6db481fc0dd4b3e287896b7a5b3eddf815c4b2a79bcf8485032b0c53c |
| SHA512 | dbe801fcf94e35de9a513830acc2927bde07ad92853031053774f274b212869d8779fb66485630970278444d603ae5eeff557931080487009f1ee6ebf2cf68a8 |
memory/2780-241-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2684-237-0x0000000000250000-0x0000000000350000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 51ea5b7509e843e683d78d0a91986126 |
| SHA1 | 535cd05ea2e1fa5092922e792d2a996c8d56c4b3 |
| SHA256 | a487fb711c9ac8e19dc18b4405d663958612b006b1087bbe68965fbc0c7c2a49 |
| SHA512 | 2bf0e5e348a8679fb27bb498b3fbf6c7e187520b1e22701bc1090857ad13aace5b90c75d2121a72ab52f07f077a07a0da13789b277f2a99f1f4db1ab0d7cd9d8 |
C:\Users\Admin\AppData\Local\Temp\629D.exe
| MD5 | f7af57399ce46cee841b90443c34472e |
| SHA1 | d31060e709fa6271aa521f22b5f32ba06f3be71c |
| SHA256 | adf7c3214e77b64b14eb35a7c81cfbb53bdebe2ded9949051a32667dbcebfbc8 |
| SHA512 | 330d016f8000d623cf7e858462c666bfbbcde05f0119baa64186d6c506e763895f37dbaf9759006637ec55742bc420149f4f16165e836f88799523f67cf4483b |
C:\Users\Admin\AppData\Local\Temp\629D.exe
| MD5 | 8b2d9f898e78a7f949722c89b3c2b02c |
| SHA1 | 7d6f56c409dfb59a9c548517f31022b260e2cbcc |
| SHA256 | 2b4d1e817b0e8c68285f2567124742f698c75916a9953ddb9543209c304dcb88 |
| SHA512 | 05d52f3cf267dacb37cac3a442c105346a05aae78f331683b3670ff4c3b2b6c645cd0ab1735409156d3a41e020d3e80b698459faf38a984ca536aae283b11841 |
memory/2600-249-0x0000000073CA0000-0x000000007438E000-memory.dmp
memory/2000-250-0x0000000000FF0000-0x00000000015A2000-memory.dmp
memory/2000-251-0x0000000073CA0000-0x000000007438E000-memory.dmp
memory/2600-252-0x0000000004740000-0x0000000004780000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7a8a96fc605f9b03aa6bec35edab3c63 |
| SHA1 | a738231cecfdcf88fe02f1077d3da894f5353202 |
| SHA256 | 93194d6b734b808e7237d1ef495127f2a7a5ca0801365e9ebcce683cd0212299 |
| SHA512 | 00eff6cf0e0e1e41fbc5639c4893fcd19d2a4b70044ebe620748bad5be9d63f1846d0f84bca04ec8e9c021e04d7ad2e3e8c933373458348bc9515079708ef71a |
memory/2500-254-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2500-255-0x00000000029C0000-0x00000000032AB000-memory.dmp
memory/2500-256-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/2904-257-0x00000000027E0000-0x0000000002BD8000-memory.dmp
memory/2628-258-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1276-259-0x0000000002150000-0x0000000002166000-memory.dmp
memory/2780-260-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2904-266-0x00000000027E0000-0x0000000002BD8000-memory.dmp
memory/2980-267-0x0000000000400000-0x0000000000965000-memory.dmp
memory/2904-268-0x0000000002BE0000-0x00000000034CB000-memory.dmp
memory/2980-265-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2768-269-0x000000013FEF0000-0x0000000140491000-memory.dmp
memory/2608-270-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2904-271-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 6fe5a8f31d07b70a5bb056a53ce4e220 |
| SHA1 | b112d27a7f4c0f14cacaf176ca0f3b31b485d421 |
| SHA256 | ba4793e9d384788a7f6d24b28344d41321164da918333ed36695f4ce52602e8b |
| SHA512 | f3ca340634b328d4e3e96e36ec158ea03b6f544d73f667a888f015eb2307930d11d0b5dc7955544e33184585354fff8f80f40a0efc183924cb5b3aa738b050e8 |
memory/2904-280-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2904-281-0x00000000027E0000-0x0000000002BD8000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | a2e7f81541953a418ad00ece018024af |
| SHA1 | 663b8f8932fb8ba13c036d33ee86a87713e79d46 |
| SHA256 | 8b322838a2e097f1643559794170e750c88f3185cb44d419c4a4f24c6054f9cc |
| SHA512 | 6bfbd72a4929ae4bf419478ec7142393a7f195ad609fceffaefabdf8236766ee6ae6ab3265897adff6efb53bb78e93493541bde62dd078f5dc4ef14c248a53c0 |
\Windows\rss\csrss.exe
| MD5 | 67d91d7dfd2e3b4a538cb9332272e91e |
| SHA1 | bc44b3caee1c81096ca085f33b7cf50e631849c2 |
| SHA256 | a674a3e179fdad3f5818d36a8ba0f32b6baad27e563f2daddf1f27c4601537fe |
| SHA512 | 009eb7e14f9434e860a847e86ca79f5caa066a927389f0bae8885d8d2b19253338c51b26886c00e07aaf26f972c708de45588e571d830701e2bf6a44e19bc547 |
memory/1900-293-0x0000000002850000-0x0000000002C48000-memory.dmp
memory/2608-294-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/1900-295-0x0000000002850000-0x0000000002C48000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | ee2e3d307a26f6ff503c4500baea5ade |
| SHA1 | 36ecef67c18c5c03618450fcadf485d4f9b67cbf |
| SHA256 | 243b1bd4544ab206acfaa5cf116812f0a7d87e1f4f0b279235cdc1d2d20f4bd9 |
| SHA512 | c06c2c9100de3f5750b1933a1a3e93b5a375b4f97cf16ddbdee1383a672bf34e14e2f2c73d989b519485e578d25a75de22e0e51697f9b15b718a6a0b520ce1a9 |
memory/1900-297-0x0000000000400000-0x0000000000D1C000-memory.dmp
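Before the Network and Files tables above go into a blocklist they need de-noising: `8.8.8.8:53` is the detonation VM's resolver, the `ipinfo.io`, `db-ip.com` and `www.maxmind.com` lookups are public IP-geolocation services that plenty of benign software also calls (so the domains are low-fidelity signals and their shared service addresses are not worth blocking at all), the direct-to-IP connections with no DNS lookup are the strongest network indicators, and one of the listed hashes for `31839b57a4f11171d6abc8bbc4451ee4.exe` (`e3b0c442…b855`) is the SHA256 of a zero-byte file, which would match every empty file on every host. The script below is an added example (editor's code, not the sandbox's) that applies those rules: `NETWORK_ROWS` carries the behavioral1 Network table rows, with the three direct-to-IP rows kept in the shape the raw export gave them (Domain cell missing) so the parser has to cope with both 3- and 4-cell rows, and `FILE_HASHES` is a hand-picked subset of the Files section. The classification of the geolocation services and the resolver is the editor's assumption about this sandbox, not something the report states.

```python
"""Turn this report's Network and Files tables into a de-noised IOC list.

Added example (editor's code, not the sandbox's). NETWORK_ROWS and FILE_HASHES
are copied from the behavioral1 tables; the noise rules are the editor's.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

NETWORK_ROWS = """\
| US | 193.233.132.51:50500 | tcp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | tcp | |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | tcp |
"""

FILE_HASHES = {  # label: SHA256, a subset of the Files section
    "XO0UY05.exe (submitted sample)": "cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718",
    "31839b57a4f11171d6abc8bbc4451ee4.exe (first listing)": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "31839b57a4f11171d6abc8bbc4451ee4.exe (last listing)": "93194d6b734b808e7237d1ef495127f2a7a5ca0801365e9ebcce683cd0212299",
    "C:\\Windows\\rss\\csrss.exe (last listing)": "243b1bd4544ab206acfaa5cf116812f0a7d87e1f4f0b279235cdc1d2d20f4bd9",
    "MaxLoonaFest131.exe": "86ad3a3f454090951ce79947929c493d28e4055ce28aed1dbd9e3d213b05efb5",
}

# Editor's assumptions about this sandbox, not facts stated by the report.
GEOIP_SERVICES = {"ipinfo.io", "db-ip.com", "www.maxmind.com"}  # public IP-lookup services
SANDBOX_RESOLVER = "8.8.8.8:53"                  # the detonation VM's DNS resolver
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # SHA256 of a zero-byte file, computed not pasted


@dataclass(frozen=True)
class Ioc:
    kind: str       # "ip:port", "domain" or "sha256"
    value: str
    fidelity: str   # "high" or "low"
    note: str


def parse_network_rows(text):
    """Parse the report's markdown rows; a row that lost its Domain cell still parses."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]
        if len(cells) < 3 or cells[-1] not in ("tcp", "udp"):
            continue
        rows.append({"country": cells[0], "dest": cells[1],
                     "domain": cells[2] if len(cells) == 4 else "", "proto": cells[-1]})
    return rows


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def dedupe(iocs):
    seen = {}
    for ioc in iocs:
        seen.setdefault((ioc.kind, ioc.value), ioc)   # keep the first note for each (kind, value)
    return list(seen.values())


def network_iocs(rows):
    """One IOC per distinct destination; resolver and shared-service addresses are dropped."""
    iocs, dropped = [], []
    for r in rows:
        domain = r["domain"] if r["domain"] and not is_ip(r["domain"]) else ""
        if r["dest"] == SANDBOX_RESOLVER:
            dropped.append((r["dest"], "sandbox DNS resolver, not attacker infrastructure"))
        elif domain in GEOIP_SERVICES:
            dropped.append((r["dest"], f"shared service address behind {domain}"))
        else:
            note = f"resolved from {domain}" if domain else "direct-to-IP connection, no DNS lookup"
            iocs.append(Ioc("ip:port", r["dest"], "high", note))
        if domain in GEOIP_SERVICES:
            iocs.append(Ioc("domain", domain, "low", "public IP-geolocation service, also used by benign software"))
        elif domain:
            iocs.append(Ioc("domain", domain, "high", f"resolved and contacted over {r['proto']}"))
    return dedupe(iocs), list(dict.fromkeys(dropped))


def hash_iocs(hashes):
    iocs, dropped = [], []
    for label, digest in hashes.items():
        digest = digest.lower()
        if len(digest) != 64 or set(digest) - set("0123456789abcdef"):
            dropped.append((digest, f"{label}: not a SHA256"))
        elif digest == EMPTY_SHA256:
            dropped.append((digest, f"{label}: zero-byte file (hash of empty input), not actionable"))
        else:
            iocs.append(Ioc("sha256", digest, "high", label))
    return iocs, dropped


def build_ioc_list(network_text=NETWORK_ROWS, hashes=FILE_HASHES):
    net, net_dropped = network_iocs(parse_network_rows(network_text))
    files, file_dropped = hash_iocs(hashes)
    return net + files, net_dropped + file_dropped


if __name__ == "__main__":
    iocs, dropped = build_ioc_list()
    for i in iocs:
        print(f"{i.fidelity:4} {i.kind:7} {i.value:64} {i.note}")
    for value, reason in dropped:
        print(f"drop {value}: {reason}")
```

The result is five high-fidelity `ip:port` indicators (the direct-to-IP connections, including the two RU hosts contacted over plain HTTP and the three high-port TCP destinations), three low-fidelity geolocation domains worth alerting on only in combination with other signals, four usable file hashes, and a dropped list that records why the resolver, the shared service addresses and the empty-file hash were left out, so the reasoning survives into the ticket.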
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 07:10
Reported
2023-12-11 07:12
Platform
win10v2004-20231130-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
PrivateLoader
RedLine
RedLine payload
RisePro
SmokeLoader
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B844.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe
"C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1432 -ip 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1780
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
C:\Users\Admin\AppData\Local\Temp\B844.exe
C:\Users\Admin\AppData\Local\Temp\B844.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 193.233.132.51:50500 | N/A | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 51.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | N/A | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| US | 8.8.8.8:53 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
| MD5 | 99ce0ae115832abc40e2e57599ef78a0 |
| SHA1 | fd842bd20905ab8a03b5ccb5160dd5103b6aec55 |
| SHA256 | 10b22af94e1e8a1892ea1fc7cc30cec8d75804adce908779f5f6c3ed8324fcb8 |
| SHA512 | cc5a374e0034db4f9500e103cf6413b434d6de63871f4afca61d2f0e01050a565c8ff78f1c6cccc486ef9b66e1d8f8548e1e5ab11d5c6bbe046cc9347e64a7ef |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
| MD5 | 9b10f741fad1d0dd09b89dc6638833ae |
| SHA1 | 1f0ffa6f136cd5433f202c9c79ce5956796b4151 |
| SHA256 | 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6 |
| SHA512 | 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7 |
C:\Users\Admin\AppData\Local\Temp\grandUIAJ71H1v_YLtbS0\information.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2652-86-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
| MD5 | 8837a89b82d0d3b0259cc9f47b2e599b |
| SHA1 | 51dd86a6a717a8f1470fff7a65f96c983aa71f09 |
| SHA256 | ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701 |
| SHA512 | 4a6c660c78bc99916d68978243f1140203a5805a3a7ae7a1749c609bd5aaf06b9ac253c09c0a206acdb832b45bc1ab700a5beb98024131779a45c70b53c7bc71 |
memory/3120-87-0x0000000000A10000-0x0000000000A26000-memory.dmp
memory/2652-89-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B844.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/1728-95-0x00000000007D0000-0x000000000080C000-memory.dmp
memory/1728-100-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/1728-101-0x00000000079E0000-0x0000000007F84000-memory.dmp
memory/1728-102-0x00000000074D0000-0x0000000007562000-memory.dmp
memory/1728-103-0x0000000007760000-0x0000000007770000-memory.dmp
memory/1728-104-0x00000000074A0000-0x00000000074AA000-memory.dmp
memory/1728-106-0x00000000089B0000-0x0000000008FC8000-memory.dmp
memory/1728-108-0x0000000008990000-0x00000000089A2000-memory.dmp
memory/1728-110-0x000000000A2B0000-0x000000000A2FC000-memory.dmp
memory/1728-109-0x000000000A270000-0x000000000A2AC000-memory.dmp
memory/1728-107-0x000000000A340000-0x000000000A44A000-memory.dmp
memory/1728-111-0x000000000AF40000-0x000000000AFA6000-memory.dmp
memory/1728-112-0x00000000746E0000-0x0000000074E90000-memory.dmp
memory/1728-113-0x0000000007760000-0x0000000007770000-memory.dmp