Analysis Overview
SHA256
511a99c70f3a3aaad381b3bf626e411b3b41f7a7cf3e040068a8cdddc6224296
Threat Level: Known bad
The file S500 CRASHED DESTROYED BY BIG DICK.zip was found to be: Known bad.
Malicious Activity Summary
AgentTesla payload
Agenttesla family
Arrowrat family
Async RAT payload
Asyncrat family
Contains code to disable Windows Defender
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-19 17:58
Signatures
AgentTesla payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Agenttesla family
Arrowrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Asyncrat family
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-19 17:57
Reported
2024-02-19 21:39
Platform
win7-20231215-en
Max time kernel
1564s
Max time network
1575s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-19 17:57
Reported
2024-02-19 19:37
Platform
win10-20240214-en
Max time kernel
398s
Max time network
1615s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.193.132.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-19 17:57
Reported
2024-02-19 21:40
Platform
win10v2004-20231215-en
Max time kernel
1520s
Max time network
1484s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 150.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.2.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.177.78.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
Files
memory/4436-0-0x0000025ECC960000-0x0000025ECC970000-memory.dmp
memory/4436-16-0x0000025ECCA60000-0x0000025ECCA70000-memory.dmp
memory/4436-32-0x0000025ED4F50000-0x0000025ED4F51000-memory.dmp
memory/4436-33-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-34-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-35-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-36-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-37-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-38-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-39-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-40-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-41-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-42-0x0000025ED4F60000-0x0000025ED4F61000-memory.dmp
memory/4436-43-0x0000025ED4CA0000-0x0000025ED4CA1000-memory.dmp
memory/4436-44-0x0000025ED4C90000-0x0000025ED4C91000-memory.dmp
memory/4436-46-0x0000025ED4CA0000-0x0000025ED4CA1000-memory.dmp
memory/4436-49-0x0000025ED4C90000-0x0000025ED4C91000-memory.dmp
memory/4436-52-0x0000025ED4BD0000-0x0000025ED4BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
| MD5 | c29c253648c4bb15a2859d58d5745933 |
| SHA1 | 938dcf1eb96e77fbdcea38c5492ac5377eeceee8 |
| SHA256 | 11a3ffcc3596df9c77ab4d2be3646cbe54fe88d2547670ec639eb442a3203e67 |
| SHA512 | 2d5c4c427598cb9a9657ab1117a392c240d2ad06e4c23290ade8de90e0dcedccebb8eb4feb66c8869025f6041858d67b5eb1d22780c6637f835a4cb2fd3c1bc5 |
memory/4436-64-0x0000025ED4DD0000-0x0000025ED4DD1000-memory.dmp
memory/4436-66-0x0000025ED4DE0000-0x0000025ED4DE1000-memory.dmp
memory/4436-67-0x0000025ED4DE0000-0x0000025ED4DE1000-memory.dmp
memory/4436-68-0x0000025ED4EF0000-0x0000025ED4EF1000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-19 17:57
Reported
2024-02-19 21:40
Platform
win11-20240214-en
Max time kernel
1443s
Max time network
1505s
Command Line
Signatures
Processes
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\S500 CRASHED DESTROYED BY BIG DICK.zip"