Malware Analysis Report

2024-10-23 17:20

Sample ID 240210-nslb6adf22
Target ElectronRob.rar
SHA256 7709b8e6fe27a77e62613f71849a6ba98627161287e71d52bf1baf66df8951b0
Tags
povertystealer spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7709b8e6fe27a77e62613f71849a6ba98627161287e71d52bf1baf66df8951b0

Threat Level: Known bad

The file ElectronRob.rar was found to be: Known bad.

Malicious Activity Summary

povertystealer spyware stealer

Detect Poverty Stealer Payload

Poverty Stealer

.NET Reactor protector

Reads user/profile data of web browsers

Executes dropped EXE

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-10 11:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-10 11:39

Reported

2024-02-10 11:43

Platform

win10-20231215-en

Max time kernel

123s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectronR\binkawin.dll,#1

Signatures

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\4183903823\810424605.pri C:\Windows\system32\taskmgr.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\system32\taskmgr.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: 33 N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (42 identical rows)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (42 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 4644 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical rows)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectronR\binkawin.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectronR\binkawin.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 616

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-10 11:39

Reported

2024-02-10 11:43

Platform

win10-20231215-en

Max time kernel

112s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\ElectronR\cef_extensions.js

Signatures

N/A

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\ElectronR\cef_extensions.js

Network

Country Destination Domain Proto
NL 52.142.223.178:80 N/A tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-10 11:39

Reported

2024-02-10 11:43

Platform

win10-20231215-en

Max time kernel

129s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ElectronR\metod 2\loader.exe"

Signatures

Detect Poverty Stealer Payload

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows)

Poverty Stealer

stealer povertystealer

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5052 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\ElectronR\metod 2\loader.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ElectronR\metod 2\loader.exe

"C:\Users\Admin\AppData\Local\Temp\ElectronR\metod 2\loader.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Network

Country Destination Domain Proto
DE 146.70.169.164:2227 N/A tcp
US 8.8.8.8:53 164.169.70.146.in-addr.arpa udp
US 20.231.121.79:80 N/A tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/5052-0-0x0000000002460000-0x0000000002480000-memory.dmp

memory/5052-1-0x0000000073AE0000-0x00000000741CE000-memory.dmp

memory/5052-2-0x0000000002440000-0x0000000002450000-memory.dmp

memory/5052-3-0x0000000002440000-0x0000000002450000-memory.dmp

memory/5052-4-0x0000000002440000-0x0000000002450000-memory.dmp

memory/5052-5-0x00000000049E0000-0x0000000004EDE000-memory.dmp

memory/5052-6-0x00000000025F0000-0x000000000260E000-memory.dmp

memory/5052-7-0x0000000002440000-0x0000000002450000-memory.dmp

memory/5028-10-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5028-13-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5052-16-0x0000000073AE0000-0x00000000741CE000-memory.dmp

memory/5052-15-0x00000000026A0000-0x00000000046A0000-memory.dmp

memory/5028-17-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5028-18-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5028-19-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5028-20-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

memory/5028-21-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5028-22-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5028-23-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5052-24-0x00000000026A0000-0x00000000046A0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-10 11:39

Reported

2024-02-10 11:43

Platform

win10-20231215-en

Max time kernel

127s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\26363\Portable.pif N/A

Enumerates physical storage devices

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3336 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 516 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe (3 identical rows)
PID 516 wrote to memory of 4984 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (3 identical rows)
PID 516 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe (3 identical rows)
PID 516 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe (3 identical rows)
PID 516 wrote to memory of 4044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 516 wrote to memory of 4704 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 516 wrote to memory of 4892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 516 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\26363\Portable.pif (3 identical rows)
PID 516 wrote to memory of 2852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE (3 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe

"C:\Users\Admin\AppData\Local\Temp\ElectronR\Electron.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Wrote Wrote.bat & Wrote.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 26363

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Gas + Hi + Greatest + Tt + Warned 26363\Portable.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Facility + Philippines + Examination 26363\p

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\26363\Portable.pif

26363\Portable.pif 26363\p

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 1428

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 ZgIJbdrDbTC.ZgIJbdrDbTC udp
US 8.8.8.8:53 inviteaccessiblesaltw.shop udp
US 104.21.27.129:443 inviteaccessiblesaltw.shop tcp
US 8.8.8.8:53 gemcreedarticulateod.shop udp
US 172.67.152.52:443 gemcreedarticulateod.shop tcp
US 8.8.8.8:53 129.27.21.104.in-addr.arpa udp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 172.67.199.120:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 52.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 172.67.182.52:443 liabilityarrangemenyit.shop tcp
US 8.8.8.8:53 168.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 120.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 52.182.67.172.in-addr.arpa udp
US 8.8.8.8:53 96.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Wrote

MD5 dd132c1ee49e593d1a79a83821f6249d
SHA1 1dcd1090567438d2c9688f39e13b6fa09c07f4e4
SHA256 c2556187454ede05fd7695c9e0ac0b7a276019aaca9767ae90ee0406c0b2f9c9
SHA512 0011ed581f7d16afab56a093b3169c6f88c6e763cfe0d6c50548a13fce5c70fc89e60a51f4cbc7713e5a6ea9bd76a189ff59932fd1687d00e0466a9449b35807

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Gas

MD5 c8a3569960605d0760396e76fb468359
SHA1 9befd5b49fd99bf1f861aa4eca9d5174ee1f388c
SHA256 61afc1c35e66b0dd1d642ef8f5607695603324a1cda4df52b1453f7e5aa3dd43
SHA512 1f79ced4d09635ab6df22422f8fd40bced14a37000602ccb2f7ae81061612220ccd33f3f5d455edccba725101149a6cad934d1a9eb2def5422e93c6659da01f5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Hi

MD5 746cceed20f0a245bb68e83a1fb85c24
SHA1 53f41ef24cc5e16aa578327f05e32b55bf4da178
SHA256 ab5f2634377cb2038e9c1771ff7c79efa1387d829f9477c82f0fd5bec81d19bb
SHA512 49dc1914e09b1cd8a61c944f3b65051868630d63b75ebc57ada4a113cd7f2b51b0d5a89ec95860c9fa8a5ae6684f7537865de96a64c284660c787de4e788fdb3

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Warned

MD5 b970e49a663ec8658eef87d7229d0dae
SHA1 c6ed196e268aef284d3bd01660fd1d0e459211bb
SHA256 189d61ff27e4b697c71029992ab68fd1163449eb30d23e5e056cb7e3ebf4354b
SHA512 4d7a7d282a78cbb578806fd9aa38f0f93d8bb7ec3ae6840786ca1388951c1f1aa103838000de54d998d693e2a4addfcd6a6976928ae0e929aed2e544b496e299

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tt

MD5 2dd793cf664294992a3c507b075d03a7
SHA1 ec24ab070e911b9d87efad7e56fa6f049c20764f
SHA256 18bdb7ef83fa5394d7b600cb374a4ebaaebb3ec91823093d46d163d64b501baf
SHA512 eacb8043da1bc390b76822f9a73aaa831476e0b0f6e6cb8e8843ffe612314eb390d441f2460f61e7e9b7314b004982859553da303d272b089159da95b7db8567

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Greatest

MD5 08734786d96a87ff67208bfea37a174c
SHA1 d6f5ba711169bcf4d29ca0ffee81caf448203cf4
SHA256 eb3b8127bd02ee1f124592f5bf3693cedb898c9465dc3f277ff3f7883a39d0b1
SHA512 5e230f0a6656aa29c480f8f03a56c3978dbccb91afe5ebe57d60d858244054f7a3535d6d4c7374c75cee3a8989d69c8c3f0e077aff6b6edd4376afd87f5269ad

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Facility

MD5 29b4d4a0d9adaa370b145e23869d3b1e
SHA1 19e622023774ccbccdcc4bc897faacaf02934b2e
SHA256 96312e07a3101f9e2b0f5147c19a541e8919fa230205a999f96ea02434803f27
SHA512 8347ece2e1a0c44c7c732ecae19d7673ccfa0e0ba83b9a79d2da1363b418176fe497784b923c681959805a78f1c7cb0199655eb053068a99f8bbd88edd02ccb5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Philippines

MD5 9ae6eff2ff0cbe4f86ad73b6947735a2
SHA1 40b276864d298b5d7501d4533952666cb857ff5d
SHA256 12f53e5b91579112cfcf9fc608ffca2fe23c64fc054db2218bf612b952034206
SHA512 8175300f8d67dcbef65a7d4f9096df234fefa1f5ca7e5028bdb1b5902bed06f35252cdc40872175f1e11639d86f26fe227798defcab707b248e1c6ccec712bf5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Examination

MD5 d683b954389796556a871b4e9b5fd0ca
SHA1 af5565a57860d56f026eb1aeecdbceca3fa806f2
SHA256 74c62bacca7218617d10309451112db79a7525d9e2f811b4b0b03675d5edb103
SHA512 5c217b4d356e7337462c10283a2af8fa9af60d6f810b32bafa0b66aa7a07a0737749d7fc90cdf48d10c764b8a4ce5839b444ffcca2bae1ff2a9c4d25b5e01c1b

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\26363\Portable.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\26363\p

MD5 528e65e1e3d650999577e6da3c472c68
SHA1 2b682db1c854de88ff312761e4e0968cfb5972bb
SHA256 18c5148029908f7be16be2eb5d99472bb26bc6fc5781bc5e7e6cfceb8325ffa5
SHA512 6f99b957915655b19ebc5efa8516f60ae436d2253b94893966e7279e61c357b2e68d98153522f7115c0f9326194f61b7b36e4d283349f3719e169b3c3c09bdc7

memory/2872-32-0x0000000077B41000-0x0000000077C54000-memory.dmp

memory/2872-34-0x0000000003DF0000-0x0000000003DF1000-memory.dmp

memory/2872-35-0x0000000004DE0000-0x0000000004E75000-memory.dmp

memory/2872-36-0x0000000004DE0000-0x0000000004E75000-memory.dmp

memory/2872-37-0x0000000004DE0000-0x0000000004E75000-memory.dmp

memory/2872-38-0x0000000004DE0000-0x0000000004E75000-memory.dmp

memory/2872-39-0x0000000004DE0000-0x0000000004E75000-memory.dmp

memory/2872-40-0x0000000004DE0000-0x0000000004E75000-memory.dmp

memory/2872-41-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2872-42-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2872-43-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2872-44-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2872-45-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2872-46-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2872-47-0x0000000004DE0000-0x0000000004E75000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-10 11:39

Reported

2024-02-10 11:43

Platform

win10-20231220-en

Max time kernel

128s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectronR\WpfAnimatedGif.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectronR\WpfAnimatedGif.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A