Analysis Overview
SHA256
e52afa16e426ed5b530dc3fc1bcac33dc99ca772ff841b7c0bbbf93e4e7c7fed
Threat Level: Known bad
The file MidNight - CRACKED.exe was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
PandaStealer
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Opens file in notepad (likely ransom note)
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-02-17 06:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-17 06:01
Reported
2024-02-17 06:02
Platform
win7-20231215-en
Max time kernel
25s
Max time network
18s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PandaStealer
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Enumerates physical storage devices
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2452 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 2452 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 2452 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
| PID 2452 wrote to memory of 2832 | N/A | C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe | C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe
"C:\Users\Admin\AppData\Local\Temp\MidNight - CRACKED.exe"
C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe
"C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\StepJoin.bat
Network
| Country | Destination | Domain | Proto |
| RU | 194.87.248.102:3000 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe
| MD5 | e249bcd1e893795c71351bf62480c6b6 |
| SHA1 | e92158f135788d0916f2e293011b3568d498c092 |
| SHA256 | b15a74b64a63a348919203a024f8c8aa715c2ff21685e26da14f1be4a00520c5 |
| SHA512 | 8bfc855dc917a098f3795ef11815593ab29f02db7d219bfcc25a4ddc957f0e0ee0dc44c18fb3f50c9c11f89f3cc71f8aafb7ee1208429f7ee3bc492cc51d5a91 |
C:\Users\Admin\AppData\Local\Temp\10yPnSco9W4zfRozfL41HdUHsAscfkda.exe
| MD5 | 830550cd30753a9fde9d4d99b44344bf |
| SHA1 | 69cf20cac9879225cff7fcc50cbaac4e4b48ca5b |
| SHA256 | d4feb54f21f04e8e9d554aa7891648bd862403fe0164dbd1acf482fe6f8b3602 |
| SHA512 | 675aca6c9f74704f486aceed8c92ab7b5b42bd3da453da64a6068c9020dbe39fac6a5304f08cbadee9014f5d1e8a4b01f50ae623ea21a23dacc1894e93a65d88 |
memory/2452-15-0x00000000006A0000-0x00000000006A2000-memory.dmp
memory/2896-16-0x0000000000170000-0x0000000000172000-memory.dmp
memory/2896-17-0x00000000003D0000-0x00000000003D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\night.jpg
| MD5 | df04e5d97b4f113febcc037aae0fe6a5 |
| SHA1 | 3dd1f95edc40395d1984542f5daef9ea53c0925c |
| SHA256 | 41419008feab09129aec758571984915fbbc191c517a58b9245df86b86820450 |
| SHA512 | 85c54de7e2121df1a94f7128cf1c5723c07f5b09ae61d8f63a7398df292e0d54eef87d9a39a0c8d8dd22b9a7883dc52eeda388b11aab21d06365267a55b85b2a |
memory/2896-25-0x00000000003D0000-0x00000000003D1000-memory.dmp