Analysis Overview
SHA256
5f99c75fe6d2e804c083efae9d6b70c5ad4a72d9dbeb02537038c6fb3fb51622
Threat Level: Known bad
The file GDS Pizza Massacre.exe was found to be: Known bad.
Malicious Activity Summary
An infostealer written in Python and packaged with PyInstaller.
Crealstealer family
Reads user/profile data of web browsers
Drops startup file
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Accesses cryptocurrency files/wallets, possible credential harvesting
Unsigned PE
Detects Pyinstaller
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Enumerates processes with tasklist
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 02:48
Signatures
An infostealer written in Python and packaged with PyInstaller.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Crealstealer family
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 02:48
Reported
2024-01-23 02:52
Platform
win7-20231215-en
Max time kernel
24s
Max time network
140s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe
"C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe"
C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe
"C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6569758,0x7fef6569768,0x7fef6569778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2052 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2676 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1256 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3084 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3108 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3772 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4084 --field-trial-handle=1364,i,17342203736588127455,11009950114385109022,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.204.68:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.187.238:443 | apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | roblox.com | udp |
| DE | 128.116.123.4:443 | roblox.com | tcp |
| DE | 128.116.123.4:443 | roblox.com | tcp |
| US | 8.8.8.8:53 | www.roblox.com | udp |
| GB | 128.116.119.4:443 | www.roblox.com | tcp |
| US | 8.8.8.8:53 | css.rbxcdn.com | udp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | static.rbxcdn.com | udp |
| US | 8.8.8.8:53 | js.rbxcdn.com | udp |
| GB | 104.77.160.203:443 | static.rbxcdn.com | tcp |
| GB | 18.245.253.65:443 | js.rbxcdn.com | tcp |
| GB | 18.245.253.65:443 | js.rbxcdn.com | tcp |
| GB | 18.245.253.65:443 | js.rbxcdn.com | tcp |
| GB | 18.245.253.65:443 | js.rbxcdn.com | tcp |
| GB | 18.245.253.65:443 | js.rbxcdn.com | tcp |
| GB | 18.245.253.65:443 | js.rbxcdn.com | tcp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | roblox-api.arkoselabs.com | udp |
| US | 172.64.154.86:443 | roblox-api.arkoselabs.com | tcp |
| US | 8.8.8.8:53 | metrics.roblox.com | udp |
| US | 8.8.8.8:53 | ecsv2.roblox.com | udp |
| GB | 128.116.119.3:443 | ecsv2.roblox.com | tcp |
| US | 8.8.8.8:53 | apis.roblox.com | udp |
| GB | 128.116.119.4:443 | apis.roblox.com | tcp |
| US | 8.8.8.8:53 | apis.rbxcdn.com | udp |
| GB | 104.77.160.221:443 | apis.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | locale.roblox.com | udp |
| US | 8.8.8.8:53 | images.rbxcdn.com | udp |
| US | 172.64.154.86:443 | roblox-api.arkoselabs.com | udp |
| GB | 216.137.44.23:443 | css.rbxcdn.com | tcp |
| GB | 216.137.44.124:443 | images.rbxcdn.com | tcp |
| GB | 216.137.44.124:443 | images.rbxcdn.com | tcp |
| GB | 216.137.44.124:443 | images.rbxcdn.com | tcp |
| GB | 216.137.44.124:443 | images.rbxcdn.com | tcp |
| GB | 216.137.44.124:443 | images.rbxcdn.com | tcp |
| GB | 216.137.44.124:443 | images.rbxcdn.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | auth.roblox.com | udp |
| GB | 172.217.169.10:443 | content-autofill.googleapis.com | tcp |
| GB | 216.58.204.68:443 | www.google.com | udp |
| GB | 172.217.169.10:443 | content-autofill.googleapis.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.3:443 | beacons.gcp.gvt2.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI8082\python310.dll
| MD5 | 87bb8d7f9f22e11d2a3c196ee9bf36a5 |
| SHA1 | 45dfcb22987f5a20a9b32410336c0d097ca91b35 |
| SHA256 | 1269f15b1c8daa25af81e6ad22f9bcebfd2c76aec81c18c6d800460b7105bf98 |
| SHA512 | 75bb2ae36b693e2a1e5ba003503d07ba975f9436fb3da9bf3fc4087a281cb172fa9bd13ad6fc27a62f796af6cbe0c800e2a169c65949a96bd4d0e150f4858288 |
\??\pipe\crashpad_2772_QBSWMNOFVJZMPJNP
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Temp\Cab8D15.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar9053.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
| MD5 | 55540a230bdab55187a841cfe1aa1545 |
| SHA1 | 363e4734f757bdeb89868efe94907774a327695e |
| SHA256 | d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb |
| SHA512 | c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bf5e757d7cc4a84e22884d2bfde539c2 |
| SHA1 | ba2b71c298711009cf0ac4bbd4755c173a1c924b |
| SHA256 | 5b20fbeb19241167f11bb96b3d2029305c552175ddecf86af1d8f1e1fd4528e1 |
| SHA512 | a5a8c3480d06183ba3ddf706656d32a127d26db0f3e4a4e019170d1b175b5f8f20ff53df518d1a3b91f55746e6049819dd5fa5999cbeab583102c2f818e49cef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 504307a14d50461173e2ab5565c01db9 |
| SHA1 | 7b43be07260cea70103c55160f86c6c9653afa1f |
| SHA256 | 5b5dce4f866f415a6d29c470c1ab188a4b06e89743b29579db73b8539b016302 |
| SHA512 | 6a4ff0ea9e71adfc5833ea743b970317150d129a796990c7b78d2ea0dd8f3b24c6a3c6d68f6e9d62a60c10ad173fe506f5533b5b79bb8dc83efabc6090fe14a6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 02f66fb8fa7666b18c716c4f0bacb1e8 |
| SHA1 | f4faeb082adb6ba2db5358c720752f1cd24fedcf |
| SHA256 | 2b8805a2e8ddfd5fb72fdea9bfd11b379029b5cd29c39ae414422c10afbbda90 |
| SHA512 | 9d93a7680edbc0a87ed540203721e2a88e09d1bc886a1cdee40ace495ed45126b32e5574da412eb6205a6e7cec5eaa8f3a916fd1d8129eee480fdef4ce941d36 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
| MD5 | c12c1895cb3ceb2257e6643a37d9fa8d |
| SHA1 | cd48c51ee7b80755c92ebdb21da87d90ae5ef5b8 |
| SHA256 | 31c642c10599ca7f63d9e2cb0c4e57f7f3fc63d42b14a6096e06c3e3ded8d10a |
| SHA512 | 565dd3866b83d8d1bf1c6b274eaa744f1f0ad8e9e183359b9c51c66a280658f4d51245c2c41c4480658995929fb46f2433688f0d6fa43e8201e8005f46649faa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b3603423c7a29f59cbbe99086410975c |
| SHA1 | 734517727dbc056d2c085593430b5d5e3cc422f5 |
| SHA256 | a4c1f330afc62a68bebe6e419608a077a31e8f328ec084b97f590ee00ffbb3ea |
| SHA512 | 4a8124d51f6b1da723aa2aa042a5cf8c04ea9628100dafb68a4006f3be9c29f12608a9e0de94cb083a5746597a6dd000d01d83cc7da551001e9f343fa80861ad |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e421b21cf90dfde106629171d92c61c6 |
| SHA1 | a180d75929ea03f811a929e250bf6cb9129f14d7 |
| SHA256 | 6b46823b466dd6ee38428e6a83edbf6295b5c786ed5fb81d5abcf842cfc22c19 |
| SHA512 | 2a75ae5d5220c2e624dfd67960638dbb329691d330a1d10bed247e3d80a702da7f97a8bc9941450ac25a8ca7ee2d52a6fb9bcd617828fcc4d2dab2477bedbfd1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 66f896d10b787b87c37231ff40acbeda |
| SHA1 | 7f63137de9e78f5355482f2374f96d5da75f56c4 |
| SHA256 | 41efb04766bbd5afeb744ab1df6044af99a9a7d292447f98b5bb0722efa4f754 |
| SHA512 | 5862fa0a01b3141be5da67f0302459d2698b107f32bff2460b53a89ae06e6ec49c1c9366cfc6b68e3c5958439421f4c2ce48ab2f66ff18b865e98f124bd5db74 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002a
| MD5 | 5036f7c363373f5d9cc2b6519806feae |
| SHA1 | 3caf2148a2eb7c82f9aff0f3a2f4594ee70327bf |
| SHA256 | 715c5d3e3839c1b47c3008e8a89f929e60858ee379724a20775003c692e9fd6c |
| SHA512 | 4661cd6fb02dccc48a42fe127b1e88f7e794cd4eb1d8a5a8f5075f772dad63211efa349bab579c5bb81bfb2c4b1be201c6725a56f617f8913a2235e3565fe645 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | c4da869c4cbf9f3f16d2235b81f3dcad |
| SHA1 | 9aed84aba3995559c78951c8f821159a51e6b535 |
| SHA256 | 609fc95b0ceb4711756b55b2ca89545364e413c9f83830f656df3b2f0dc1b672 |
| SHA512 | 1b1b53d1b13dd254b90bb1decac3bd06929965048e2e40c1520b75b5f222b429861b491de90e6f1d160a1604e0c6bb67db37b26f96a071916fa0360c0a500f52 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 3c28c5a01ccb6cc0f13304824cf6c4bc |
| SHA1 | cdaff2adf16e7e1fd779151449523d1e5a58e6e6 |
| SHA256 | b098621dc5ac9767b9c70387ca1fb74a50df26411818b312681ad614bd197e7a |
| SHA512 | 20d2dcdd472be6a475831864b79acb23c772bea01ceacd37b23eac196ee6930c0582d16892c389b3cecae8133459abd50814ce7f6e8a1b5e6bcb4201309d4f2e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 93a2c5c19d7d883f8e395be619f3d733 |
| SHA1 | 272acd4ec41295a30078195a7130c5c6b344bc73 |
| SHA256 | e0af7dec5f4e55569a7dbc0ea25ee83aea964f87d6a9433db801a5ad6796ed55 |
| SHA512 | ccb01096eb974874c73029818a4eb14d8715b9422b2b0e8d4d2239c11b50919b0f02e8b1166e6ac7e3a049b49f6fd2eaa6440f263cbd9c298e7c7e8c1690ba3c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e2625c27-bb38-48be-8856-88d734303d2b.tmp
| MD5 | 48758928efb52f6c98dd2d59be5da6d8 |
| SHA1 | 5ce57a9611af27eb3e8669f16605dda7beb97c20 |
| SHA256 | 13f6689eeea2b8ac00db6b049b155a2c8ad41cdfffb18dd34838b0f09eea3406 |
| SHA512 | fed3e7fead5c3eb4bd58d800cc5d33b95e1d9ddcb80dca91183199b83759bb6081a59e886a45f05ec4f89f7a01038496233e3481030193da495c55cf7c326412 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 02:48
Reported
2024-01-23 02:52
Platform
win10v2004-20231215-en
Max time kernel
139s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GDS Pizza Massacre.exe | C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe
"C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe"
C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe
"C:\Users\Admin\AppData\Local\Temp\GDS Pizza Massacre.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| US | 173.231.16.75:443 | api.ipify.org | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 31.14.70.242:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | geolocation-db.com | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 173.231.16.75:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.66.178.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.16.231.173.in-addr.arpa | udp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| FR | 51.178.66.33:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 242.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.102.89.159.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store9.gofile.io | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 8.8.8.8:53 | 239.190.168.206.in-addr.arpa | udp |
| US | 173.231.16.75:443 | api.ipify.org | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 173.231.16.75:443 | api.ipify.org | tcp |
| DE | 159.89.102.253:443 | geolocation-db.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.239.69.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI45282\python310.dll
| MD5 | 87bb8d7f9f22e11d2a3c196ee9bf36a5 |
| SHA1 | 45dfcb22987f5a20a9b32410336c0d097ca91b35 |
| SHA256 | 1269f15b1c8daa25af81e6ad22f9bcebfd2c76aec81c18c6d800460b7105bf98 |
| SHA512 | 75bb2ae36b693e2a1e5ba003503d07ba975f9436fb3da9bf3fc4087a281cb172fa9bd13ad6fc27a62f796af6cbe0c800e2a169c65949a96bd4d0e150f4858288 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\VCRUNTIME140.dll
| MD5 | 31ce620cb32ac950d31e019e67efc638 |
| SHA1 | eaf02a203bc11d593a1adb74c246f7a613e8ef09 |
| SHA256 | 1e0f8f7f13502f5cee17232e9bebca7b44dd6ec29f1842bb61033044c65b2bbf |
| SHA512 | 603e8dceda4cb5b3317020e71f1951d01ace045468eaf118b422f4f44b8b6b2794f5002ea2e3fe9107c222e4cb55b932ed0d897a1871976d75f8ee10d5d12374 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\base_library.zip
| MD5 | e46f30c7dd4ca0252b6af8ce8343f9d5 |
| SHA1 | 6807be48dfca61efce5a08a2b6ebe7feb9b865f2 |
| SHA256 | 3d2e2fb220dd0f786365bf14932660b5500d04610fceed317b8d9ece5a3c9359 |
| SHA512 | 64827b4019fe3df75323aba39649503f279da81ec3e5e1c867ae19d815f0b41904f25d31667c639f4e3649bb0ec497ae8388a28008e7f4e5eef68bb08a17f745 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_ctypes.pyd
| MD5 | 30e16eeedd78a40498b600312d18161f |
| SHA1 | c00f657b13e0b0ab5739abf2ee7b627238cd8055 |
| SHA256 | 92ccf5b99a1f4553001e57fd58bbf8d843b6d6907057e31d236f913f0c51ab82 |
| SHA512 | 76e213afcec7c06d7fe53b674b983773da8e1d32690bf8ba4ad0aa585e7517f36e7a287d9abb108a438c8937fd0c909ed6ce69658556563648cd581f12536707 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\libffi-7.dll
| MD5 | bc20614744ebf4c2b8acd28d1fe54174 |
| SHA1 | 665c0acc404e13a69800fae94efd69a41bdda901 |
| SHA256 | 0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57 |
| SHA512 | 0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_bz2.pyd
| MD5 | 216f736db1b110548da2f8f21c381412 |
| SHA1 | da3781dfe8f6b3bdacc92f82c330cc26248b6b5d |
| SHA256 | ce4f48bdc1f6144b4bcb288896392867176a2b5f10efbfbc2d5454e14cde61ce |
| SHA512 | 3bea7426995833f37996468ca3d122c4c182cfcde6f6469d51c211624baa169daacd20101abb1ce8ba50b46fd9f25d1bf1f5e913ebfbea600a5d7ad557f33544 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_lzma.pyd
| MD5 | 4a42b4f058c2e58eb3ab47e0166259cc |
| SHA1 | 4a55098dbffd59c651b862c2e610961b20f3b9da |
| SHA256 | adddfd498ed73729af21bc139c421411aa40fa9000da1054c1ed73be6b2c8f56 |
| SHA512 | dd68e0a20a58c127a91406e7dfbb20f473635974fec15de0e678101241272c70ea7335e3e0cf990bef200d29f73adc519701989992ab55b53894c6d3133df52e |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_sqlite3.pyd
| MD5 | 864db9d3b9a4da476a3fb06b76263eed |
| SHA1 | 6c77e33aab6b8095822d42c6af1c992dfb3eb956 |
| SHA256 | 4a208afeb6d3f8c2dbdcd710cf7670100e5244a740480f5b6991956590809b40 |
| SHA512 | a0a7e1ae4f9b568028950cc8731695b9656e7e41e3b4db57516b6916203587652e2c490d411a9a57ae2ee68788f5461c51a0bbd26d99f74e6dc0fe74ccec7013 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\sqlite3.dll
| MD5 | 619ed191f0de16a3d0c91cd81170a75c |
| SHA1 | b5a97b57bdcc45fb65c242e948091f6911645706 |
| SHA256 | 5a374374fb7efd50e2d738909fe86196b895d7150747872a4db015572e66a6fc |
| SHA512 | 6751528304822a377f369e4c2a604d3a88bd9694bada6669abce861ff41bbeb8061b17e946dbc13df05617d871850390d4d5c18f7fabf134bac66ea12860ac21 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_hashlib.pyd
| MD5 | f9f0589c4d853060b62b1e83b3c6e8f8 |
| SHA1 | 11d474d1a0006c0f8746187ed575d2923fdf3b01 |
| SHA256 | 600ff18011b09cf9d49660dd7f58601ef438a921c1732054fdc5f312425c55e1 |
| SHA512 | ee3ef23cf79cd3782a84214548db2bb394e256db5f7e60d00ef6d62fad191d4654b889588ebd0da8cfbee0154ff3df362f2b1a76370e437edfcb398ba7982c69 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\libcrypto-1_1.dll
| MD5 | 31c2130f39942ac41f99c77273969cd7 |
| SHA1 | 540edcfcfa75d0769c94877b451f5d0133b1826c |
| SHA256 | dd55258272eeb8f2b91a85082887463d0596e992614213730000b2dbc164bcad |
| SHA512 | cb4e0b90ea86076bd5c904b46f6389d0fd4afffe0bd3a903c7ff0338c542797063870498e674f86d58764cdbb73b444d1df4b4aa64f69f99b224e86ddaf74bb5 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_socket.pyd
| MD5 | c7191cfe1da82b09fbedb5ea207397c5 |
| SHA1 | 894199e61d3aa786ce2f5f2e159e8a9d6ffc1f68 |
| SHA256 | 006c61209b77985aae77a8883293be2ac1e3f3913d6d436e16088311135f5bc2 |
| SHA512 | c6b35f1573fdea5a51b636243f171a2021b93f29092fc46a2c0717cf2f2ce187c77598c203b3c5fa225936e01fc81d957ae684fc9b5b2ecc70bc010ef9a64f38 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\select.pyd
| MD5 | 0b16458372bde0b85e84ce467cfc8c95 |
| SHA1 | a3ee99f69f0e5ffae36686af479ead1102c2a0a6 |
| SHA256 | bc9531896aee675fd8ae0fd2805524b5e9ce921dd5365145b9f32141604082db |
| SHA512 | 727cda4aa085c1af0ce3a9a3a6833057b255678666b2f00dca4f737f322a7cc02cd896ef3353bf9add02faf53b90ce6344e85860cc35da969fcee085c2f210bc |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_ssl.pyd
| MD5 | 79595e0f25d0e59d8493f4e6e3c83c64 |
| SHA1 | 7be5783a05a9555dfb634c58453d3422bcac2f78 |
| SHA256 | 4f6f68fa2bc4a974b678737dff7ba97600bcbdda4cdc4cd83261401ffadd846c |
| SHA512 | ac1fb03d3cfa7c72b79e0ef13fba72fa9b913e86e7ece2094e3df634a83ee7604b0797d17b3b09c4cee63a63abaab87848df527c9ca399b2d846c286f53c14f3 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\libssl-1_1.dll
| MD5 | 8471e73a5594c8fbbb3a8b3df4fb7372 |
| SHA1 | 488772cb5bbb50f14a4a9546051edef4ae75dd20 |
| SHA256 | 380bb2c4ce42dd1ef77c33086cf95aa4fe50290a30849a3e77a18900141af793 |
| SHA512 | 24025b8f0cc076a6656eba288f5850847c75f8581c9c3e36273350db475050deee903d034ad130d56d1dede20c0d33b56b567c2ef72eb518f76d887f9254b11b |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_uuid.pyd
| MD5 | 54f10c6f7f793fc393bc138c822bf918 |
| SHA1 | 61a7cb976124e70c36dec56752e25f7d1efcc30c |
| SHA256 | 9de300ca515e6c7dc1518b662ccab87f8a23d86f3a387abff71ce2e9a3e0f809 |
| SHA512 | 1696741d41a1d2c905cb470cb00c25c44094c121d3e93ff143b70ae49855719a723f90063e77d22b3b972f5c487bedef0238f6c2f39d5814d140c54f08013017 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\_queue.pyd
| MD5 | d105039da54edcabd7b893068c86d1ce |
| SHA1 | 3ce7b89011ac1311243e1935eeb3a8e49ec8bed8 |
| SHA256 | 214739fe1823ffd6c1d81be15c675743d08b69f73ad2699ff9d193589d8d47f7 |
| SHA512 | dfcb68e285957ec3f54d7205a59f295eadc495b1d6119591fd850e8c7471cddd4c3367c68f884729486ca1f9352be8f546ea06a988e9f2d2afae9394be46d5d0 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\unicodedata.pyd
| MD5 | 9f0d733a0c240692270fb45ad30028df |
| SHA1 | da06251cae9c6e4c7179ec9e9a67ac6cc1691077 |
| SHA256 | 0c4342f33bd82f4840e293f5115ed0e87ec4409c5d8c78e43161fa3d60fa235a |
| SHA512 | c72988875256eb1cea0e95a15f3731e95d847eacb52c5cb03b65e41ddc64b2591d34ea499f6e71ed203cf37f6ee09697708acf64d9e37cc4d1d37cb86de9c52b |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Cipher\_raw_ecb.pyd
| MD5 | 343a85336768660c9fe27519ea59d4e6 |
| SHA1 | dad3dd2652d1defb064d07d1c9ccb377a3e77cac |
| SHA256 | 6afc2e4d986d212b2bc3a207f1c2b9522ce683042fff73e2b625cdb6288c6c1a |
| SHA512 | 4688c87252e3576f540e26c51f468fed4ce1b3d49acbc7aef882ced225c40708669d81bc05e5b45fe54cd02b992544495a3d13f82773356086adafda10bdc3a3 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Cipher\_raw_cbc.pyd
| MD5 | d841eb263c63b5e4dd9e0eaa76d10b8e |
| SHA1 | 5f5ef28ab4bade0725ebe723434785af80c0e8b8 |
| SHA256 | f04effa6cc1eccc69edfa9325149e777df651e1a75430cda1b04e38e77b1e4f1 |
| SHA512 | c160cc47403692e0075d00129d51f0d1302bfbc497cf0b9c7f27d11d31597e5786db437b836e41e2ab25734c1d4c582113632819805f05994caa9210cdf64582 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Cipher\_raw_cfb.pyd
| MD5 | 55d8c9b0f340a50ffd3b4af6d91f8558 |
| SHA1 | 2e0fbab3798a4e9804ef90ef130231a3bc82d9cb |
| SHA256 | 25f07818d785397faaf1563437fc7523e9c5faf2949292722a7b379347172ea1 |
| SHA512 | f9df0ee37e71e4f2288c3e4e7ec57e1c6100a56c98d824ffd8db31dbf2738325de4b710b2de4c82a7fd47cae9c3636127dd472da336f8275a19d68862ef4b282 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Cipher\_raw_ofb.pyd
| MD5 | 21d377cd15af89f9e48d0f1401a0f973 |
| SHA1 | 2182ccd470f02fb1050b2e7778159922d249832a |
| SHA256 | bd3cff503c58dcbb5f5b51ce96196bd6a563e4d2927869507f6251cd115cc198 |
| SHA512 | 86cc4643a9364e1fdeede1e2b7aa70dbea6d792685669c484140b77c4b37a29dc2f8f7bfdffddd380d8e6ee28ff9c63430fcac274d43ebd173c763eb91efe70d |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Cipher\_raw_ctr.pyd
| MD5 | 35f51943c67491380a5136ce9d09ad60 |
| SHA1 | 6b462683ae8eac284c0593caa0ed5233d77aedc7 |
| SHA256 | ca65568532c1072291383ecfd5f10fd0fcfcdfb2ab04e90fbd77d3029ad61adc |
| SHA512 | 07e928fc6e3cea3594491b16be7fadffa422d0dd454b10523e800352ac5605d3389815932b070b0ab60d74ee5b21a2806c6c8cabcef2fbaa8b012224ffe711db |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Util\_strxor.pyd
| MD5 | d7940da21e43b5152cce28442137e984 |
| SHA1 | e2692d95aa1d21fc87d43f00e19409820a7432b7 |
| SHA256 | 4a8494db26c07b2218142238108b61a4d4ec270668809519b8dade68d1dd02f0 |
| SHA512 | ff32cde189dd00a3402ea9d659df175d403b04371fa2ee1fb13b52dc8eb8d94df46328d6aeabe5ea50fce5fd51ff29348e0e6d9de2732e5587019d087fb513aa |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Hash\_BLAKE2s.pyd
| MD5 | 18815850f5bb02f0e5dade49729271ae |
| SHA1 | b78f3221e43173f393dfee3db42e317b8984484a |
| SHA256 | 3df2a9e9dbf8b1977de9284456df18f7960d4b853fae4d6f770fb0cf6d4b0f07 |
| SHA512 | 1fe7580f60749124e7ec605db578dbe037e91d26454a51757daffd27e9430aa90579160cdebc82224e28e54b75b53e7c97e4be36b1f5a0c72f2a07273816469b |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Hash\_SHA1.pyd
| MD5 | 1c93c1b17b308a72cb0c6b6905097bbc |
| SHA1 | 4803e4740f36a3ab828a6c99c1b7781fc7592fc0 |
| SHA256 | 7c1d904599569f339880c7454648c70dd9ce1f5774d0523da5ff1bef73011041 |
| SHA512 | f97f6b1ea15711a37496a05bf6f378fbefada47c2281614313b4577c7c0efc325985b2da6345da09e9b58644dcd4146769e5ed93bf74fadd712d4f0239a5630b |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Hash\_SHA256.pyd
| MD5 | 7f78e53eea99e8aa5d5204f7003a21fd |
| SHA1 | 553e16a5a0a746d4aff36676a07dfa8d7da130db |
| SHA256 | e4d42bdd9c3c078746502e9a86f9f4ddad105adc1ac79a82b0e6dddc58356f40 |
| SHA512 | 9a09b40a63787a0bdd782111c80e24e1a1e81d62c3f13fbafa2b63694ac3ed53ae85e4b421f16de81cd9e28deb94647df7fd89ba67154797dfe0dd3a86cdd10a |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Cipher\_Salsa20.pyd
| MD5 | db9617f8c167d0f9be9fb5fb22657c25 |
| SHA1 | 2226fb91fbfada5020373a5396a652748c97482d |
| SHA256 | 3ff968443e1c9641ea2c8931643e7ef51b12bc5a95c87be374aba3bc4411df48 |
| SHA512 | 9a1809da2d2e6e18c06544f571dc2aaada5d5f7ec069fe68e19af9b4fc194583953b72d9fa0185e4852d1199ef32fe9a1ff3181b9c0327f408cb44b324ee46a9 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Hash\_MD5.pyd
| MD5 | ac81da346facc29fdc711e4db404ea19 |
| SHA1 | 4776e720e25c54919d9490ac74cd119b172bbd88 |
| SHA256 | 157499786ee705c7cdf59249f8bd9ab5b4a73ba6020c7b04480bc8a03a14c22c |
| SHA512 | 2e0379ccd261edc297c1de12634abbb6616852854f13d65b529f2397822b18ace3d669161ef30f66609328d2d70e0d660cd0dfedc09aa495aa95b04790730154 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Protocol\_scrypt.pyd
| MD5 | c8ba0c5ebb188da0dbcd5f00771973e7 |
| SHA1 | 9bc93c8781404cd24d6d6ee2c664a9de4d3fd6bb |
| SHA256 | c61089df42fed6ef32ff37de803500ea79cf3761d7de35240f86c2cc9c69939f |
| SHA512 | 865cc27ea89b9c120ac676631de4db9ea0858142b6af3c7f51f561114c2c8fb3e4f9730402251256326add155b6be1bd55b9708be12e219d4af77f086a8d8bb1 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Hash\_ghash_clmul.pyd
| MD5 | da9ad98234fd66b480a5ee9e95ad8dfc |
| SHA1 | 69a02c117dcf7a1f8fcd1378b5ccfe277c594623 |
| SHA256 | 532d66b68cb106b040edb441d3279b2a9f7bad4e8a73660c1f9336908761aad4 |
| SHA512 | 409ccb274d4a9e54ca91d0c2431299931ba9fd761933dbdd0db7f1476ffff948bada0140dabaea7aa82b9e396940f302c92d3effc295db162478101dcded0896 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Hash\_ghash_portable.pyd
| MD5 | 8d455bf1d01be57b45ae426d3197df7f |
| SHA1 | 24dd7537f6d41f94c0fe2421115e22cfc839f6ff |
| SHA256 | ef1e6f109d808de9fe25b6f2951efd0ae1ec675d76ac2f07aa34b4a9ba3ba765 |
| SHA512 | 98df88df2495abc197e6e60c8a32c6ae065578e3f658bfbdf7d7ea87813b6031fc3efd1e586f8116e521aeaa610800c2ffab51f85e71f372c6e7c2c128d2c8f9 |
C:\Users\Admin\AppData\Local\Temp\_MEI45282\Crypto\Util\_cpuid_c.pyd
| MD5 | 5951664724d348f7be9c497ba597e81c |
| SHA1 | 0dbb62b4f860d91f005de7e56f5164c7ef6a62bb |
| SHA256 | e919ccea958bc9a83f51c32ed271b64c7b5fb748267013eede05aad2c860a2f6 |
| SHA512 | 88961a15871d6321570f70f89b14aeb4bf234a07ab5543f0fb0e6709c705f2093ca76311f0a812503b84abf660274a2893726580d6c6f3607e4f0aba14a63698 |
C:\Users\Admin\AppData\Local\Temp\crcook.txt
| MD5 | 155ea3c94a04ceab8bd7480f9205257d |
| SHA1 | b46bbbb64b3df5322dd81613e7fa14426816b1c1 |
| SHA256 | 445e2bcecaa0d8d427b87e17e7e53581d172af1b9674cf1a33dbe1014732108b |
| SHA512 | 3d47449da7c91fe279217a946d2f86e5d95d396f53b55607ec8aca7e9aa545cfaf9cb97914b643a5d8a91944570f9237e18eecec0f1526735be6ceee45ecba05 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-01-23 02:48
Reported
2024-01-23 02:52
Platform
win7-20231215-en
Max time kernel
120s
Max time network
122s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\pyc_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.pyc | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\.pyc\ = "pyc_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\pyc_auto_file\shell\Read | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\pyc_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\pyc_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000_CLASSES\pyc_auto_file\shell\Read\command | C:\Windows\system32\rundll32.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2252 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2252 wrote to memory of 2196 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\rundll32.exe |
| PID 2196 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2196 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2196 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
| PID 2196 wrote to memory of 2720 | N/A | C:\Windows\system32\rundll32.exe | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Creal.pyc
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Creal.pyc"
Network
Files
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
| MD5 | 7add2bb64ec1ddf666950b822c938f84 |
| SHA1 | af2e4280afc1150772e93a80c1466b4ac1378455 |
| SHA256 | 69f070e15757573ca8d28c8301d41135436f2e6780c5f9407d02549cdee3d5a9 |
| SHA512 | 858d6f0e36e00f1d661b6d38e83a20069102c8ac11e2be63bd755c08b56751ff2df0b7673956a38c80600f4d03bcc969bfed9f8b40f1f993465717aaecf12f1b |
Analysis: behavioral4
Detonation Overview
Submitted
2024-01-23 02:48
Reported
2024-01-23 02:52
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Creal.pyc
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |