Analysis Overview
SHA256
055c4dea7de65d53d4386e3467c54da364ed77fa7fb11b528e5f5ca00e8b1aa1
Threat Level: Known bad
The file bf07127222e7e09de78d4fd32149882b.exe was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
RedLine payload
RedLine
SmokeLoader
RisePro
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Drops startup file
Reads user/profile data of local email clients
Accesses Microsoft Outlook profiles
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
outlook_win_path
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 09:16
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 09:16
Reported
2023-12-11 09:18
Platform
win7-20231130-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D4FB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1352 set thread context of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe |
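The two entries above belong together: PID 1352 is 4dC065jy.exe, PID 2768 is AppLaunch.exe (launched with no arguments, see the Processes list), and the WerFault command line later in the report carries `-p 1352`, so the injector itself crashed after the hand-off. The memory dumps taken from PID 2768 cover 0x400000-0x598000, the default image base of a 32-bit executable. The script below is an added example, not part of the sandbox report: it correlates the SetThreadContext signature, the process list, the WerFault crash and the dump names into a single process-hollowing finding. The list of commonly hollowed host binaries and the scoring thresholds are assumptions for tuning, not something the report states; PIDs, paths and dump names are taken from this page.

```python
import re

# Hosts that commodity stealers commonly start suspended and overwrite.
# Assumption: a tuning list for the heuristic, not a claim made by the report.
HOLLOW_HOSTS = {"applaunch.exe", "regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}
TEMP_DIR = re.compile(r"\\appdata\\local\\temp\\", re.I)

# Constructed from behavioral1 above. Only the two PIDs the report gives are used;
# image paths and command lines are copied from the Processes list.
PROCESSES = {
    1352: (r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe",
           r"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe"),
    2768: (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
           r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"'),
}
SIGNATURE_EVENTS = [
    ("Suspicious use of SetThreadContext", "PID 1352 set thread context of 2768"),
    ("Program crash", r"C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 276"),
]
MEMORY_DUMPS = [
    "memory/2768-141-0x0000000000400000-0x0000000000598000-memory.dmp",
    "memory/2768-142-0x0000000000400000-0x0000000000598000-memory.dmp",
    "memory/2768-147-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp",
]


def parse_set_thread_context(desc):
    """'PID A set thread context of B' -> (A, B), or None."""
    m = re.fullmatch(r"PID (\d+) set thread context of (\d+)", desc)
    return (int(m.group(1)), int(m.group(2))) if m else None


def parse_werfault(cmdline):
    """PID named by WerFault's -p switch, i.e. the process that crashed."""
    m = re.search(r"WerFault\.exe\b.*?\s-p\s+(\d+)", cmdline, re.I)
    return int(m.group(1)) if m else None


def has_arguments(cmdline, image):
    """True when anything follows the (optionally quoted) image path."""
    rest = re.sub(r'^\s*"?' + re.escape(image) + r'"?', "", cmdline, count=1, flags=re.I)
    return bool(rest.strip())


def dumped_regions(pid, dumps):
    """Distinct (start, end) ranges the sandbox dumped from one PID."""
    regions = set()
    for name in dumps:
        m = re.fullmatch(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp", name)
        if m and int(m.group(1)) == pid:
            regions.add((int(m.group(2), 16), int(m.group(3), 16)))
    return sorted(regions)


def assess_hollowing(processes, events, dumps):
    """Score each SetThreadContext pair; >= 3 is reported as process hollowing (assumed threshold)."""
    crashed = {parse_werfault(d) for sig, d in events if sig == "Program crash"} - {None}
    findings = []
    for sig, desc in events:
        pair = parse_set_thread_context(desc) if sig.endswith("SetThreadContext") else None
        if not pair:
            continue
        src, dst = pair
        src_img, _ = processes[src]
        dst_img, dst_cmd = processes[dst]
        score, reasons = 0, []
        if dst_img.rsplit("\\", 1)[-1].lower() in HOLLOW_HOSTS:
            score += 2
            reasons.append("target is a commonly hollowed signed host")
        if not has_arguments(dst_cmd, dst_img):
            score += 1
            reasons.append("target was started with no arguments")
        if TEMP_DIR.search(src_img):
            score += 1
            reasons.append("injector runs from the user's Temp directory")
        image = [(a, b) for a, b in dumped_regions(dst, dumps) if a == 0x400000]
        if image:
            score += 1
            reasons.append(f"{(image[0][1] - image[0][0]) // 1024} KiB dumped at the target's default image base 0x400000")
        if src in crashed:
            reasons.append("injector later reported a crash (WerFault -p)")
        findings.append({"injector": src, "target": dst, "target_image": dst_img, "score": score,
                         "verdict": "process hollowing" if score >= 3 else "injection (unclassified)",
                         "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess_hollowing(PROCESSES, SIGNATURE_EVENTS, MEMORY_DUMPS):
        print(f"{f['injector']} -> {f['target']} ({f['target_image']}): {f['verdict']}, score {f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

The same correlation applies to behavioral2 below, where PID 4120 (4dC065jy.exe) sets the thread context of PID 4628 (again AppLaunch.exe); only the PID table needs to change.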
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe | "C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 276 |
| C:\Users\Admin\AppData\Local\Temp\D4FB.exe | C:\Users\Admin\AppData\Local\Temp\D4FB.exe |
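The run records four autorun-related artifacts that are worth telling apart: the two RunOnce `wextract_cleanupN` values (written by wextract.exe, the runtime of IExpress self-extracting packages, which also creates the IXP000.TMP and IXP001.TMP extraction folders; they only delete those folders at next logon, but they do show that each stage was an SFX wrapper), the HKCU Run value MaxLoonaFest131 pointing into AppData\Local, the FANBooster131.lnk shortcut in the per-user Startup folder, and the two schtasks commands above that register OfficeTrackerNMP131.exe from C:\ProgramData hourly and at logon with `/rl HIGHEST`. The script below is an added example, not part of the report: it takes those artifacts (re-typed here with single backslashes, where the report shows the registry values in escaped form) and classifies them, so that real persistence is separated from SFX housekeeping and the executables to pull for analysis fall out at the end. The user-writable-path list, the trigger list and the severity thresholds are assumptions for tuning.

```python
import re
from dataclasses import dataclass

# Autorun artifacts from behavioral1 above, re-typed as plain strings.
REGISTRY_EVENTS = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\"'),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1",
     r'rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\"'),
    (r"\REGISTRY\USER\S-1-5-21-2058106572-1146578376-825901627-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131",
     r"C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe"),
]
SCHTASKS_CMDLINES = [
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST',
]
STARTUP_FILES = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk",
]

# Directories a standard user can write to (assumption: extend for your estate).
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\[^\\]+\\appdata\\|programdata\\|users\\public\\)", re.I)
FREQUENT_TRIGGERS = {"MINUTE", "HOURLY", "ONLOGON", "ONSTART"}


@dataclass
class Finding:
    kind: str
    severity: str
    target: str
    note: str


def classify_registry(key, value):
    name = key.rsplit("\\", 1)[-1]
    path = key.lower()
    # wextract.exe housekeeping: deletes its IXPnnn.TMP folder via advpack.dll at next logon.
    if "\\runonce\\" in path and name.lower().startswith("wextract_cleanup") \
            and "advpack.dll,delnoderundll32" in value.lower():
        m = re.search(r'"([^"]+?)\\?"', value)
        return Finding("sfx_cleanup", "info", m.group(1) if m else value,
                       "wextract.exe self-cleanup: this stage was a self-extracting (IExpress) package")
    if re.search(r"\\currentversion\\run\\", path):
        exe = value.strip('"')
        if USER_WRITABLE.match(exe):
            return Finding("run_key", "high", exe, f"Run value {name} points into a user-writable directory")
        return Finding("run_key", "medium", exe, f"Run value {name}")
    return None


def parse_schtasks(cmdline):
    """Pick the switches that matter out of a schtasks /create command line."""
    opts = {}
    for m in re.finditer(r'/(tr|tn|sc|rl|ru)\s+(?:"([^"]*)"|(\S+))', cmdline, re.I):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def classify_task(cmdline):
    if not re.match(r'\s*"?schtasks(?:\.exe)?"?\s+/create\b', cmdline, re.I):
        return None
    o = parse_schtasks(cmdline)
    reasons = []
    if o.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if USER_WRITABLE.match(o.get("tr", "").strip('"')):
        reasons.append("action in a user-writable directory")
    if o.get("sc", "").upper() in FREQUENT_TRIGGERS:
        reasons.append(f"trigger /sc {o['sc'].upper()}")
    severity = "high" if len(reasons) >= 2 else "medium"
    return Finding("scheduled_task", severity, o.get("tr", ""),
                   f"task '{o.get('tn', '?')}': " + "; ".join(reasons))


def classify_startup(path):
    if re.search(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", path, re.I):
        return Finding("startup_lnk", "medium", path, "shortcut in the per-user Startup folder")
    return None


def triage():
    findings = [classify_registry(k, v) for k, v in REGISTRY_EVENTS]
    findings += [classify_task(c) for c in SCHTASKS_CMDLINES]
    findings += [classify_startup(p) for p in STARTUP_FILES]
    return [f for f in findings if f is not None]


def persistence_targets(findings):
    """Executables that will run again after reboot or logon: the ones to collect first."""
    return {f.target for f in findings if f.kind in {"run_key", "scheduled_task"}}


if __name__ == "__main__":
    fs = triage()
    for f in fs:
        print(f"[{f.severity:6}] {f.kind:15} {f.target}  ({f.note})")
    print("collect:", *sorted(persistence_targets(fs)), sep="\n  ")
```

In this run both scheduled tasks score high on all three counts, the Run key resolves to AppData\Local, and the .lnk adds a third launch path; the two wextract entries are reported at informational level only.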
Network
| Country | Destination | Domain | Proto |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
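The network table mixes three kinds of traffic: DNS to 8.8.8.8, HTTPS/HTTP to the IP-geolocation services that the "Looks up external IP address via web service" signature covers (ipinfo.io, db-ip.com, www.maxmind.com), and TCP sessions to bare IP addresses that were never resolved by name, on ports 80, 50500 and 6731. The latter are the connections to extract as indicators. The script below is an added example, not part of the report: it parses the rows as they appear above (a constructed copy is embedded), separates lookup noise from direct-to-IP traffic, counts repeats per endpoint so beaconing stands out, and lists names that were resolved but never connected to. The set of geolocation services is taken from this page only and is an assumption to extend; the classification says nothing about which family owns which endpoint, which the page does not state.

```python
import re
from collections import Counter

# Constructed copy of the behavioral1 network rows above (country, destination, domain, proto).
NETWORK_ROWS = """
| Country | Destination | Domain | Proto |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 172.67.75.166:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| US | 193.233.132.51:50500 | | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.146.235:80 | www.maxmind.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
| RU | 77.105.132.87:6731 | | tcp |
"""

# External-IP / geolocation services seen on this page (assumption: extend for other samples).
GEO_IP_SERVICES = {"ipinfo.io", "db-ip.com", "www.maxmind.com"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_rows(text):
    """Turn the pipe-delimited table into dicts; the header row is skipped."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain or None, "proto": proto.lower()})
    return rows


def classify(row):
    if row["port"] == 53 and row["proto"] == "udp":
        return "dns"
    if row["domain"] in GEO_IP_SERVICES:
        return "geo_ip_lookup"
    # No name, or the "domain" is just the IP again: the sample connected by literal address.
    if row["domain"] is None or IPV4.match(row["domain"]):
        return "direct_ip_http" if row["port"] in (80, 443) else "direct_ip_nonstd_port"
    return "other"


def triage(text):
    """Rows grouped by class, so lookup noise and direct-to-IP traffic can be read apart."""
    grouped = {}
    for r in parse_rows(text):
        grouped.setdefault(classify(r), []).append(r)
    return grouped


def c2_candidates(text):
    """Endpoints contacted by bare IP, counted per endpoint so repeated sessions stand out."""
    c = Counter()
    for r in parse_rows(text):
        if classify(r).startswith("direct_ip"):
            c[f'{r["ip"]}:{r["port"]}/{r["proto"]}'] += 1
    return c


def dns_without_connection(text):
    """Names that were resolved but never connected to (connectivity checks, failed lookups)."""
    rows = parse_rows(text)
    resolved = {r["domain"] for r in rows if classify(r) == "dns"}
    connected = {r["domain"] for r in rows if classify(r) != "dns" and r["domain"]}
    return resolved - connected


if __name__ == "__main__":
    for endpoint, n in c2_candidates(NETWORK_ROWS).most_common():
        print(f"{endpoint:28} {n} session(s)")
    print("resolved only:", sorted(dns_without_connection(NETWORK_ROWS)))
```

For this run the count puts 77.105.132.87:6731 (four sessions) and 193.233.132.51:50500 (two) at the top, with the two bare-IP HTTP hosts once each; www.microsoft.com is resolved but never contacted.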
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
| MD5 | 80bb9be6abda30c47f0c2ab6de2c8382 |
| SHA1 | 68d3950077850e7473bd8390785cef64ae2481ea |
| SHA256 | d9f6bd982274a4cf10037a2b9d82fc3ec5ff41a0192b95ee4b11276ec078101c |
| SHA512 | ad9ece60edcc79e2f4b68e76d4e9a664d2d2933122f210329f2bacade209b629c9c2d2d7f1c189c0e237f37e777a2d297980dafd111cbded94db2b7e18bb52da |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
| MD5 | fc6a5ca450402607a1fef0fa2fffa9a0 |
| SHA1 | 4db0d878f9f7b90eb9a6a4344e9cf8804a23fa01 |
| SHA256 | cc59cc4cfb19737891db87f17299f7fd62f07a31eb18fee792f809233642b5c7 |
| SHA512 | 54f380a3c80cf4a41800d58a12cdb4c26bfc08c171be5c7eb9d8c690bc8d467750cc625945dc9cd4f996c47d1e74600bb3f3c0f9d2b79bc079f66fc55bd97b5b |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
| MD5 | 7f79f4dd1fb063aab8fa9b9d9d57d014 |
| SHA1 | 2ab457ec8c91fdd2caffe868be69868d3d1f59a5 |
| SHA256 | a6a6c4b2f7e2382ae32f35b00d553d5961674a0a59dc2b627f642814563803f6 |
| SHA512 | 2ecb6b86f609ba680ce8cef66ae66283e89271556b09821dcc633cd89bfc514cb15b6f8c42adaaa1c516ae55bced15a973183fff5ae283d72f3239f95df6fe15 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
| MD5 | c0ec4bee2759628128e34dabc59f7270 |
| SHA1 | 72f73b612dab4ee56a2a1fbab919d25db303720e |
| SHA256 | 5f5534bbb6f63310c3695f1e4fea68e0cf35e097a69ee3607738e4ea808c6aa2 |
| SHA512 | c13eef30f3a9fea43da89dbca482c477adadaff8d72fd302df62c84326bca271b3acb8c4fd66f9989ec087d2b492744015b211b57ca06212217235ab2afb3eae |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
| MD5 | 22f5ec0c4bd12f7925edb3d114da15c8 |
| SHA1 | ae54f63513e49a9f3b697d6733c9470cecd7330c |
| SHA256 | 9b1a7811d563b47311625a3db529a8bbf56ac8429521dd625aa79a9e7863399f |
| SHA512 | f8b53f283c0b775e16673afb846e0b35dde5d4f3e0a2562e73446ff0f6b6082fe36ea5ede2aaa2da6a20d280a245cafc8c83a706b38f2b65243dbf562ed76f05 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
| MD5 | 936d958782b0f9ac8ff0896f8d85d040 |
| SHA1 | 329bc6c3e491281382e33d22fc48cc07a56c8391 |
| SHA256 | 1cad510afa8b4a4fdc7102333ce1544538bf93577a0c0eb1e928ebb05d67ec3e |
| SHA512 | 4836a8b133e49f8baf2749644a5da642ac012dbb49f0df370a7c5a4fbae42d876559ffc5485daa0c368ea695aba1ed341eb2026cd1991e3183197e1a6f520c62 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
| MD5 | 0a95260d2e993962cba05a1487caed54 |
| SHA1 | 798c8358f0148d0e130081ea8135350704622387 |
| SHA256 | 8ab4935efc6a79a59fead73609fa0f065a6a8170be1efd19dbddd69e250de403 |
| SHA512 | a0ca86752d018c5518e22f0ada61b4b51c1b864ed4756cc07f773f97e777204d3cdc19bfe202c02d4be577bf1a71113575a5f20edc33056b57705070b5ddd45e |
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
| MD5 | e041e63b53274c27d31118cff06c336e |
| SHA1 | 57321af67d25ea0628d9bf4dcdfb2b8d0f69bd0f |
| SHA256 | d623d8fd48d514f527c8fc00adc96fd3fd9956e3b8f3b62552ed9986c64aa74a |
| SHA512 | 3e794aa585bf7d1cee08d014ff8380c47f4353efe2b7aa3167af737f069aed1ea78e00c414ae6f6178773607a96e8bb2251f97e1f8e7deac09db6f0b5f1b9a58 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
| MD5 | 87b8c994606ba0d8f8af76187adf90ba |
| SHA1 | b8baa84db8224102d2a8c47356d2b7c30a29ebb6 |
| SHA256 | 18cc6adae252bf73442f002a7c556ea9933aee25c40455e5717827312b5c1d6b |
| SHA512 | 7e9324e4f8d95f6e636285c9454f339812d27465e655f0353511b2b8b172b4a6b581c4a8e318aac4e83820e2c1e933f84a4e5eb6f53e6e4aeca8ba5f766136ca |
\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
| MD5 | d9343863eceb39bb0e18bf04593ef7a0 |
| SHA1 | f70bef82fb102309d1ff45aa03453981bd6c585d |
| SHA256 | f5146fc514adb64e434a15de3d8a3f5acff4c8fd5e108c26876414a802fa5342 |
| SHA512 | 70d767419caedb6d73a338f6fa41b08013bfb390ee11c7406e6b4a13fc6fa6acc47bf24e158bdca4501a24cc39a20e0266cf85494a0da389f588d76c43018e3e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar300B.tmp
| MD5 | a28bc49f86e41536ddfe67a68d69d7b2 |
| SHA1 | c14630864a727dde71ae5c58107af19b4f5f6ac9 |
| SHA256 | a884cdc37c60bf88733104dc62355b525f136fe3413535575a73555b3db178b8 |
| SHA512 | d68279f44aa927ee2835df2831ab721835eac7309c2c8c72061578273db6024c774a83db6f0b5248995e4ff426cc9f7df8dcf6144817f06e42f1c52dfe087262 |
C:\Users\Admin\AppData\Local\Temp\grandUIAxsAGOnQKR0sNt\information.txt
| MD5 | 1ee4fc1d8d3255d4d1c38a5f64048fe4 |
| SHA1 | 82408de1860f7abf75da243ae596942c801e6521 |
| SHA256 | 4ce44641b883a4e3f3a92a81a67f6628a2856c9ae6399050544c62a73a9eae9e |
| SHA512 | e81fc68b710d6a656eee08239dfe25b0f67e4fc1e3ff9a6851431b29a99a342b560e13f5a3263f2099eadf3034e93f781e792a7780a48a71c586c6c4d0feb171 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
| MD5 | 284868406d6bbc0bf89325b311c325ce |
| SHA1 | eec0e1b6bd29fd60bb980186969d04392fe0a3ca |
| SHA256 | fd3b5cae25f6e183b1d917bd9074662c7526ead9c307279d25cd979cd8805cb0 |
| SHA512 | 550f5a20bd8fd4d4398b218c19a5f97a6bb07da826bff1398cfee1ad7cc80e67293716496236654fb252cfc848f77932ae80fe01053a60772f9d0270eb4bcd30 |
memory/1192-127-0x0000000000020000-0x000000000002B000-memory.dmp
memory/1192-126-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2536-123-0x0000000000100000-0x000000000010B000-memory.dmp
memory/2536-122-0x0000000000100000-0x000000000010B000-memory.dmp
memory/1356-128-0x0000000003240000-0x0000000003256000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | 12bee381342491880efa594723cfea87 |
| SHA1 | e455023d43a018a5c005a9930553f45a2efa36bb |
| SHA256 | a4f881b760c0dac85c37be74c58a1921b69332057df7ef172348884130d9e536 |
| SHA512 | b390840fdeaf601f4cf238c1d9b118d26b0c6875f044e20cc8c03cc93498d8e24533b4195ccb04278f84ba709e29c4ca50a673810ebf22feb87d2990d5d7dffc |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | 536e72b901221b686e7d3144df498e55 |
| SHA1 | e349ac760baa935aa7ab68303c72a59225bf400b |
| SHA256 | d4d44d80356e5d407a4eb20be6e730205d174ebf364a34cb83c9dabc257916ee |
| SHA512 | 64713663b57a16e42ad12f19e255f8c034dff819e70bef0579087d02b9582908532d145e92b179bee3dfaa234b92a9173a0442e4c958703f65b97c7ea80cf90a |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | 24dadd97268579d7cd971ab90acee811 |
| SHA1 | 0d234a3ea542f65dcbc6f969e0ca8e327a9c9881 |
| SHA256 | 576a60869f541ebcc3625963d54e51855cd9507d7273a47ddb5cf2ad3fa40882 |
| SHA512 | 7608724b287ca341bc077f74b3cefa08061ce173f3c582e42c7bab231781d2e2972a194583a00a4089dcf7123b4881b0b2bf064f1178ccad7e965d0ccbf699e3 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | 06d612130862f1c9afa829c791a11c0a |
| SHA1 | 9ded415599320f2bab7b916ea498b3f68214bcd4 |
| SHA256 | 25254bf2dcc6f5c0c3dc5588cf0958b5f64f7896ba11e3fdeaf16008f64b1574 |
| SHA512 | a43a2f8ff10b40dc3835d54788252c1306bba5b0d081265e521b5cc6689823f4ad7882628c59687d9ff0d2db55c372f62049f5a36f4472fb64035f685c714ef5 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | c5271da06a2eb452d820f1c7cd2aa258 |
| SHA1 | a20b1d5d27669e9862f54a8f6168ef4975a4c226 |
| SHA256 | 7dcbd545e021ac4ee379a8a2627d3d2b8f552a42e3a09af0e66f0917222fc754 |
| SHA512 | 344d5c11495fca5433c795c8055f777780a417c20b1fc44d46a385917d942be400ea205a58431db09efa551e36726658b90344e529b0a37de8b9b13e14b5cbec |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | e1a21cf48d309e3a9bc3a9b801a0e73f |
| SHA1 | 118a589f358aec81a92a26eb34e09c250f5ef1d4 |
| SHA256 | 3a3c64fbf2920cc32452e1d0ebd2d0db196dee63446359fa6afeeaa54466b55c |
| SHA512 | 4416c987ff820d04582db5d5900697ae7ba0aab3c31b2869f60dbca0c5cba062c9e4e91a384171f3ca9e9b91d7d22d0863a3b6b6c527fa69c4c28ae6594895ce |
memory/1192-129-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2768-142-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-147-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | 231fbe34fc1c659b7a10c109b183c263 |
| SHA1 | 9ec77a8ceef16c828d611a3c1b9704b33b995905 |
| SHA256 | a71574e531876f4ca8c1deef4b1d618362a46b16bb562c87f020c057d4459aa7 |
| SHA512 | 12b28a11263ebe6c7f343621d98ba6586578114993e264dc347eed7232d157c27f1a520700da3de7944a4937226ea8ea9ffcec73da3a6767bf61d0ab63f95ef6 |
memory/2768-168-0x0000000000400000-0x0000000000598000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp
| MD5 | 2797f85570ce616ceb04cb48c7f04bb5 |
| SHA1 | f53998fe00fd1e95060cf3fc44475be64b55ad05 |
| SHA256 | 546d70eb5f76fc81786972bb3b7a3abc26312b980f9600881bfdc9db866eeb80 |
| SHA512 | 91bb790e74da1f7cc9b22f526d31ee4ea6665164076f4a549e3c48b4dab99a34cb1df303be7f2975903e960c5251f72a32b4a28dbd38e906724c2c7769b3f7df |
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
| MD5 | 6a4caca2982d520962234c43354e353e |
| SHA1 | 12a661010b8e68768455ec54961f0f1be8409617 |
| SHA256 | b028b664d06993985e90d044ca7b1983e46ee34ced78a33e14cb6afe3a06c8d4 |
| SHA512 | b08993502243efb13f7207ea89c95ab305f9048961435f1a29bb551fe04e34e614505d57800df9d60fd5281ef349790ae5cf241a6deb5b6c222974f59a3bf8a2 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
| MD5 | 3f8f74e2b2943fe30d1d6cf8efb64c77 |
| SHA1 | ba0251929ad312e21bd5fb4e9fc4622724edee12 |
| SHA256 | 970677ac1118f64e219e8d73ff1d02fc1113cab5abe9f1546d2f2ed5115cf411 |
| SHA512 | e7f14b8682d9122ae160447c01ee4d535f768a51eaba8db5a9f76afe84ae7bfae6db76ea9e1762dd47ab563a22ba7db5ee68b8cce93c56fae9d6b5bece120929 |
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
| MD5 | a1a0973c132169cf54bec9a2fb3dabe4 |
| SHA1 | 5bae0534bf89e039eaa01291afcece00bb8f4656 |
| SHA256 | 23e87e23bfd77865963f3b86538639c3d6d9a5b8dd0a5001019e98d8ed7ba87f |
| SHA512 | 2e6a5172202dfd27d96b595781a934a743ac32d6571de6df0d75c175e6bef4f9c1063ee5a49c6609619097be49b4e3b3f463282e83fcbfef39274050513f9378 |
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
| MD5 | b0dfc0b848413fe036c6807b7807a3a3 |
| SHA1 | 67d6fac572d80d8f9d1a4086c598b25c230331bc |
| SHA256 | 4f14aa67ca87c7a82ea1b3be7d07b7fe79b1289880c574419d5c41e41fa6428e |
| SHA512 | 55a9719f335a8bfd722356cd4f59f96959881bf1b1652dac758d3f3884c5e9d502d2bf95424ee47dda13497c80db3b03913dff9c0c787876fbdd8accec113124 |
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | 5f518876a92173f2a040ae7e4d759eae |
| SHA1 | f0b11e9867461036be9db4cfde2a68e627ad8c0e |
| SHA256 | b3ee5c3d00f6fbe2b7752ae3a0c25d8f636d7d2af6cf309a6f8c0ad67b63ecea |
| SHA512 | ae0cef597739026556f4351f1bd5217d3a385d4e763a9a5233be441fdb8ee11fcd95fdad00f12685535ad95a5542b01645c71d14675f96d373df6525316de1ac |
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
| MD5 | ec3584f3db838942ec3669db02dc908e |
| SHA1 | 8dceb96874d5c6425ebb81bfee587244c89416da |
| SHA256 | 77c7c10b4c860d5ddf4e057e713383e61e9f21bcf0ec4cfbbc16193f2e28f340 |
| SHA512 | 35253883bb627a49918e7415a6ba6b765c86b516504d03a1f4fd05f80902f352a7a40e2a67a6d1b99a14b9b79dab82f3ac7a67c512ccf6701256c13d0096855e |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
| MD5 | 423229ea05902d5ae1addf35daacb22e |
| SHA1 | 3005b065465ab4c953c2578de230375397de36b5 |
| SHA256 | 7ad5bfdc6ff4bba6054773e0fadc76893589ad523445641e3e8c09f2f694d349 |
| SHA512 | c1d3ede7713bbd654ce37900afb4dc4cfafa908141c1f1649aa8d558a94a885001b2ff525dd456ee55620cebe491e4b51b6ae2ff10ae639a13708adb05d3aa71 |
memory/2768-152-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-150-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-148-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-146-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-145-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-144-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-143-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-141-0x0000000000400000-0x0000000000598000-memory.dmp
memory/2768-170-0x0000000000400000-0x0000000000598000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D4FB.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2304-175-0x00000000007A0000-0x00000000007DC000-memory.dmp
memory/2304-180-0x00000000730E0000-0x00000000737CE000-memory.dmp
memory/2304-181-0x00000000074D0000-0x0000000007510000-memory.dmp
memory/2304-184-0x00000000730E0000-0x00000000737CE000-memory.dmp
memory/2304-185-0x00000000074D0000-0x0000000007510000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 09:16
Reported
2023-12-11 09:18
Platform
win10v2004-20231130-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Downloads MZ/PE file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2342.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4120 set thread context of 4628 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3936660601-1848837011-2142350499-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe
"C:\Users\Admin\AppData\Local\Temp\bf07127222e7e09de78d4fd32149882b.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3764 -ip 3764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 1864
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4120 -ip 4120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 596
C:\Users\Admin\AppData\Local\Temp\2342.exe
C:\Users\Admin\AppData\Local\Temp\2342.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 193.233.132.51:50500 | N/A | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 51.132.233.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 193.233.132.51:50500 | N/A | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| RU | 77.105.132.87:6731 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BX7lI95.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\1Fz05dP5.exe
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
C:\Users\Admin\AppData\Local\Temp\grandUIA0Lj688hsPPW5_\information.txt
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\3Fn30De.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4dC065jy.exe
C:\Windows\SysWOW64\GroupPolicy\gpt.ini
C:\Users\Admin\AppData\Local\Temp\rise131M9Asphalt.tmp
C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe
C:\Users\Admin\AppData\Local\MaxLoonaFest131\MaxLoonaFest131.exe
C:\Windows\System32\GroupPolicy\GPT.INI
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
C:\Users\Admin\AppData\Local\Temp\2342.exe
C:\Users\Admin\AppData\Local\Temp\2342.exe