Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-q29r8aah5w
Target a94f8fd4c23a4a4ad1f94d78dfd186f2
SHA256 3bee0e38f8d9c624a72228396603d782c864e71b3118d5c89b440d62c1e908ff
Tags lumma evasion stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

3bee0e38f8d9c624a72228396603d782c864e71b3118d5c89b440d62c1e908ff

Threat Level: Known bad

The file a94f8fd4c23a4a4ad1f94d78dfd186f2 was found to be: Known bad.

Malicious Activity Summary

lumma evasion stealer

Lumma Stealer

Modifies security service

Detect Lumma Stealer payload V4

Executes dropped EXE

Drops file in System32 directory

Unsigned PE

Modifies registry class

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 13:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 13:46

Reported

2024-02-27 13:49

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe"

Signatures

Detect Lumma Stealer payload V4

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | N/A
File opened for modification | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A
File created | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | C:\Windows\SysWOW64\Tilesys.com | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | C:\Windows\SysWOW64\Tilesys.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4512 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | C:\Windows\SysWOW64\cmd.exe
PID 4512 wrote to memory of 116 | N/A | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 116 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 116 wrote to memory of 2916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4512 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | C:\Windows\SysWOW64\Tilesys.com
PID 4512 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | C:\Windows\SysWOW64\Tilesys.com
PID 4512 wrote to memory of 2148 | N/A | C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe | C:\Windows\SysWOW64\Tilesys.com
PID 2148 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 2148 wrote to memory of 1836 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 1836 wrote to memory of 4340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1836 wrote to memory of 4340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1836 wrote to memory of 4340 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2148 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2148 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2148 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2708 wrote to memory of 3360 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 3360 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 3360 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 3360 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3360 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3360 wrote to memory of 4988 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2708 wrote to memory of 3656 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2708 wrote to memory of 3656 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2708 wrote to memory of 3656 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 3656 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 3656 wrote to memory of 1640 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1640 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1640 wrote to memory of 992 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3656 wrote to memory of 4208 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 3656 wrote to memory of 4208 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 3656 wrote to memory of 4208 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 4208 wrote to memory of 3944 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 3944 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 4208 wrote to memory of 3944 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 3944 wrote to memory of 4536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3944 wrote to memory of 4536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 3944 wrote to memory of 4536 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4208 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 4208 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 4208 wrote to memory of 2932 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2932 wrote to memory of 4996 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 4996 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 4996 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4996 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4996 wrote to memory of 1476 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 2932 wrote to memory of 1292 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2932 wrote to memory of 1292 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 2932 wrote to memory of 1292 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 1292 wrote to memory of 4428 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 4428 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 1292 wrote to memory of 4428 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe
PID 4428 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4428 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 4428 wrote to memory of 636 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\regedit.exe
PID 1292 wrote to memory of 1176 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 1292 wrote to memory of 1176 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 1292 wrote to memory of 1176 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\Tilesys.com
PID 1176 wrote to memory of 3004 | N/A | C:\Windows\SysWOW64\Tilesys.com | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe

"C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1176 "C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1208 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1180 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1184 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1188 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1192 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1196 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1200 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1212 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Tilesys.com

C:\Windows\system32\Tilesys.com 1204 "C:\Windows\SysWOW64\Tilesys.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\tempr.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.112.168.52.in-addr.arpa | udp

Files

memory/4512-0-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4512-1-0x0000000000710000-0x0000000000711000-memory.dmp

memory/4512-2-0x0000000000740000-0x0000000000770000-memory.dmp

memory/4512-3-0x0000000002260000-0x0000000002263000-memory.dmp

memory/4512-5-0x0000000002250000-0x0000000002251000-memory.dmp

memory/4512-7-0x0000000002270000-0x0000000002271000-memory.dmp

memory/4512-8-0x0000000000720000-0x0000000000721000-memory.dmp

memory/4512-10-0x0000000002280000-0x0000000002281000-memory.dmp

memory/4512-9-0x0000000000730000-0x0000000000731000-memory.dmp

\??\c:\tempr.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/4512-68-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/4512-62-0x00000000022C0000-0x00000000022C1000-memory.dmp

memory/4512-120-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/4512-122-0x0000000002310000-0x0000000002311000-memory.dmp

memory/4512-121-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/4512-123-0x0000000002300000-0x0000000002301000-memory.dmp

memory/4512-124-0x0000000002330000-0x0000000002331000-memory.dmp

memory/4512-125-0x0000000002320000-0x0000000002321000-memory.dmp

memory/4512-126-0x0000000002460000-0x0000000002461000-memory.dmp

memory/4512-128-0x0000000002480000-0x0000000002481000-memory.dmp

memory/4512-129-0x0000000002470000-0x0000000002471000-memory.dmp

memory/4512-127-0x0000000002450000-0x0000000002451000-memory.dmp

memory/4512-133-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/4512-131-0x0000000002490000-0x0000000002491000-memory.dmp

memory/4512-132-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/4512-130-0x00000000024A0000-0x00000000024A1000-memory.dmp

memory/4512-135-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/4512-134-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/4512-136-0x0000000002510000-0x0000000002511000-memory.dmp

memory/4512-137-0x0000000002500000-0x0000000002501000-memory.dmp

memory/4512-138-0x0000000002530000-0x0000000002531000-memory.dmp

memory/4512-139-0x0000000002520000-0x0000000002521000-memory.dmp

memory/4512-140-0x0000000002550000-0x0000000002551000-memory.dmp

memory/4512-141-0x0000000002540000-0x0000000002541000-memory.dmp

memory/4512-143-0x0000000002570000-0x0000000002571000-memory.dmp

memory/4512-144-0x0000000002560000-0x0000000002561000-memory.dmp

memory/4512-145-0x0000000002590000-0x0000000002591000-memory.dmp

memory/4512-146-0x0000000002580000-0x0000000002581000-memory.dmp

memory/4512-148-0x0000000003130000-0x0000000003131000-memory.dmp

memory/4512-151-0x0000000003120000-0x0000000003121000-memory.dmp

memory/4512-152-0x0000000003250000-0x0000000003251000-memory.dmp

memory/4512-153-0x0000000003140000-0x0000000003141000-memory.dmp

memory/4512-155-0x0000000003270000-0x0000000003271000-memory.dmp

memory/4512-156-0x0000000003260000-0x0000000003261000-memory.dmp

C:\Windows\SysWOW64\Tilesys.com

MD5 a94f8fd4c23a4a4ad1f94d78dfd186f2
SHA1 d6a0c5c4f7ffdbbc9a5664ce33b6199ac245674a
SHA256 3bee0e38f8d9c624a72228396603d782c864e71b3118d5c89b440d62c1e908ff
SHA512 c96b98946c1a7947e5a60bbc2819debfd4d1a070104030ce17f5d9b5d42f7feccb90c6d7a7bfd62ddc974ef91d8a71335dc68b208cb313920bbb4d371254010a

memory/4512-158-0x0000000003290000-0x0000000003291000-memory.dmp

memory/4512-160-0x0000000003280000-0x0000000003281000-memory.dmp

memory/4512-161-0x00000000032B0000-0x00000000032B1000-memory.dmp

memory/4512-162-0x00000000032A0000-0x00000000032A1000-memory.dmp

memory/4512-164-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/4512-165-0x0000000003300000-0x0000000003301000-memory.dmp

memory/4512-166-0x0000000003330000-0x0000000003331000-memory.dmp

memory/4512-167-0x0000000003320000-0x0000000003321000-memory.dmp

memory/4512-168-0x0000000003350000-0x0000000003351000-memory.dmp

memory/4512-196-0x0000000003370000-0x0000000003371000-memory.dmp

memory/4512-170-0x0000000003340000-0x0000000003341000-memory.dmp

memory/4512-248-0x0000000003360000-0x0000000003361000-memory.dmp

memory/4512-251-0x0000000000740000-0x0000000000770000-memory.dmp

memory/2148-283-0x0000000000650000-0x0000000000651000-memory.dmp

memory/4512-282-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2148-250-0x0000000000520000-0x0000000000550000-memory.dmp

memory/2148-284-0x0000000000660000-0x0000000000661000-memory.dmp

memory/2148-285-0x0000000000730000-0x0000000000731000-memory.dmp

memory/2148-288-0x0000000002210000-0x0000000002211000-memory.dmp

memory/2148-286-0x00000000021F0000-0x00000000021F1000-memory.dmp

memory/2148-289-0x0000000002440000-0x0000000002441000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 ff6c57e8ec2b96b8da7fe900f1f3da1c
SHA1 a6f0dc2e2a0a46e1031017b81825173054bf76ae
SHA256 ad103027edabf24721c50018ae32c2b34872f7f63a352d31591a2cd7174008d6
SHA512 c0069e816bdf494c149e6bc278dc63ad58e348ec90d9bf161f2558bea03e9622e4b0c03b1a6b2517e87ef4e748d4aac36fb853f70180b55521e56c9c4960babc

C:\Windows\SysWOW64\Tilesys.com

MD5 0686e5df841eaea5a2d8937b9362faf5
SHA1 cf122dadd14f8c59496431987a9dd37861b7ac78
SHA256 6942990327df4b21713268bd9dd82bbffa7140bf36f3e9369e3205f99dd459dd
SHA512 4310c42a77ed5f850f640a452d49e45497cd379b614c1fe0f2c91aaf7c6774a3640c94e2cb93193b41ee78024e4c24b67f146c19c94780ed19931198ee174afb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8d6eb64e58d3f14686110fcaf1363269
SHA1 d85c0b208716b400894ba4cb569a5af4aa178a2f
SHA256 c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5
SHA512 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 13:46

Reported

2024-02-27 13:47

Platform

win7-20240221-en

Max time kernel

0s

Max time network

4s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe

"C:\Users\Admin\AppData\Local\Temp\a94f8fd4c23a4a4ad1f94d78dfd186f2.exe"

Network

N/A

Files

N/A