Malware Analysis Report

2025-01-22 14:05

Sample ID 240229-lwxs9adb9v
Target 25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b
SHA256 25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b
Tags
njrat hacked trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b

Threat Level: Known bad

The file 25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b was found to be: Known bad.

Malicious Activity Summary

njrat hacked trojan

njRAT/Bladabindi

AutoIT Executable

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

What the two detonations show, read together: the sample is an unsigned, AutoIt-compiled dropper that starts C:\Windows\SysWOW64\WerFault.exe with no arguments, writes into it (nine WriteProcessMemory calls in behavioral1) and then redirects its main thread with SetThreadContext, i.e. process hollowing. The 0x12000-byte image dumped at 0x400000 from the hollowed PID 1928 (the memory/1928-* entries in behavioral1) is where the njRAT/Bladabindi match comes from; the family signature fires only in behavioral1, consistent with detection on the dumped image rather than on the file itself. Neither run produced C2 traffic. On Windows 7 (behavioral1) the hollowed WerFault.exe hit the .NET shim fallback (the iexplore.exe command line carries processName=WerFault.exe, pver=4.5, o1=SHIM_NOVERSION_FOUND), so Internet Explorer opened a go.microsoft.com link; the "Modifies Internet Explorer settings" rows and the learn.microsoft.com / ieonline.microsoft.com connections are IE's own first-run activity, written by iexplore.exe and not by the sample. On Windows 10 (behavioral2) the hollowed process crashed and genuine WerFault instances (-pss -s 408 -p 1876 -ip 1876, then -u -p 1876 -s 80) handled the crash report. The file the dropper writes to %TEMP% (1.resource in behavioral1, aut3529.tmp in behavioral2) has the same hashes in both runs (MD5 eafef8e758eb5c700740fba6068d4770) and is the stable file artifact to pivot on.

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 09:53

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
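Both static1 verdicts can be reproduced without the sandbox. The script below is an added example, not part of this report or of the sandbox vendor's code: it parses the PE header to see whether the Authenticode (security) data directory is empty, which is what "Unsigned PE" means, and looks for the "AU3!EA06" tag that the AutoIt v3 compiler writes in front of the embedded compiled script, which is the usual basis for an "AutoIT Executable" signature. build_minimal_pe32 is a constructed, header-only fixture so the checks run offline; the sample itself is not included. Two caveats: an empty security directory proves the absence of a signature, not the validity of a present one, and a packed dropper can hide the AutoIt tag, so a negative means "tag not found", not "not AutoIt".

```python
import struct

# Tag the AutoIt v3 compiler writes immediately before the embedded (compiled) script.
AUTOIT_MARKER = b"AU3!EA06"
IMAGE_DIRECTORY_ENTRY_SECURITY = 4          # the Authenticode data directory


def pe_security_directory(data):
    """Return (offset, size) of the Authenticode directory, or None if not a PE.
    For this directory the first field is a raw file offset, not an RVA."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 4 + 20                 # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                      # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        return None
    n_dirs = struct.unpack_from("<I", data, count_off)[0]
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return (0, 0)                       # directory absent == no signature
    return struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)


def triage(data):
    """Reproduce the two static1 verdicts: 'Unsigned PE' and 'AutoIT Executable'."""
    sec = pe_security_directory(data)
    return {
        "is_pe": sec is not None,
        "unsigned": sec is not None and sec[1] == 0,   # empty security directory
        "autoit": AUTOIT_MARKER in data,
    }


def triage_file(path):
    with open(path, "rb") as fh:
        return triage(fh.read())


def build_minimal_pe32(signed=False, autoit=False):
    """Constructed fixture: a header-only PE32 image (not runnable) so the checks
    can be exercised offline; the 'signature' is just a non-empty directory entry."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)   # i386, 224-byte optional hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x200, 0x100)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    if autoit:
        image += b"\0" * 16 + AUTOIT_MARKER + b"<constructed script bytes>"
    return image


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(triage_file(target) if target else triage(build_minimal_pe32(autoit=True)))
```

Run it as `python triage.py <file>` against a real PE; without an argument it triages the constructed fixture. A hit on both checks is the same evidence the static1 pass recorded, and the AutoIt tag is also where an extractor such as Exe2Aut starts when recovering the script.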

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 09:53

Reported

2024-02-29 09:56

Platform

win7-20240215-en

Max time kernel

140s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe"

Signatures

njRAT/Bladabindi

trojan njrat

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1844 set thread context of 1928 | N/A | C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe | C:\Windows\SysWOW64\WerFault.exe

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "415362291" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0069f244f56ada01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c60000000002000000000010660000000100002000000050fd85c8ff852a92f1c411567d9a231cda9040f94588d2ed5da03ec83fe9be12000000000e80000000020000200000000b5a1bda2b9a4876e3538c08343a3a4c3e98f1ffaa5f58a9f04be986add45889200000009f50be37a1d4d8019a9470f090edf23526ae0a175c15400479904e380d6cb94d40000000111d32d38f75e1ed0c98ddbfa9ab20e3203bcd903735e7759fa5d94057c28f8e74186c503bdafd7685c19bfe3f46c4e40ac57152c6b54f237305217104eea861 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6CFE54E1-D6E8-11EE-8B6F-CA05972DBE1D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1844 wrote to memory of 1928 (9 identical rows) | N/A | C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2672 wrote to memory of 2620 (4 identical rows) | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe

"C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe"

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\SysWOW64\WerFault.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WerFault.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2672 CREDAT:275457 /prefetch:2
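The SetThreadContext and WriteProcessMemory rows, the Processes list and the iexplore.exe command line together tell the story of this run. The script below is an added example, not from the report or the sandbox, that encodes the reasoning a detection engineer applies to such rows. It flags a non-system process that both writes into and sets the thread context of a child living under C:\Windows as process hollowing, and marks a WerFault.exe started with no arguments as the hollowed decoy, on the assumption (mine, not the report's) that the Windows error-reporting pipeline always launches WerFault.exe with -u -p -s or -pss arguments, as the two genuine instances in behavioral2 do. It also decodes the iexplore.exe command line to show that the browser was opened by the .NET shim fallback link (processName=WerFault.exe, o1=SHIM_NOVERSION_FOUND), which is why the IE registry noise and the learn.microsoft.com traffic belong to Internet Explorer and not to njRAT C2. The event triples and the PID-to-command-line map are constructed from this report's own rows; PIDs 2672 and 2620 are the two iexplore.exe instances named in the WriteProcessMemory rows, and the iexplore-to-IEXPLORE writes are kept in the input to show that they do not trigger the rule.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"
SHIM_URL = ("http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409"
            "&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=WerFault.exe"
            "&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0")

# Constructed input: the behavioral1 signature rows as (description, process, target),
# with the rows the report repeats kept as repeats so the write count survives.
BEHAVIORAL1_EVENTS = (
    [("PID 1844 set thread context of 1928", SAMPLE, WERFAULT)]
    + [("PID 1844 wrote to memory of 1928", SAMPLE, WERFAULT)] * 9
    + [("PID 2672 wrote to memory of 2620", IE64, IE32)] * 4
)

# Constructed input: the behavioral1 Processes section keyed by the PIDs the rows give.
BEHAVIORAL1_CMDLINES = {
    1844: '"%s"' % SAMPLE,
    1928: '"%s"' % WERFAULT,                     # no arguments at all
    2672: '"%s" %s' % (IE64, SHIM_URL),
    2620: '"%s" SCODEF:2672 CREDAT:275457 /prefetch:2' % IE32,
}

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)$")


def parse_events(rows):
    """Group rows by (source pid, target pid): which APIs were seen and how many writes."""
    pairs = defaultdict(lambda: {"apis": set(), "writes": 0, "process": None, "target": None})
    for desc, process, target in rows:
        m = EVENT_RE.match(desc)
        if not m:
            continue                              # rows from other signatures
        src, what, dst = int(m.group(1)), m.group(2), int(m.group(3))
        entry = pairs[(src, dst)]
        if what.startswith("set thread"):
            entry["apis"].add("SetThreadContext")
        else:
            entry["apis"].add("WriteProcessMemory")
            entry["writes"] += 1
        entry["process"], entry["target"] = process, target
    return pairs


def is_system_binary(path):
    return path.lower().startswith("c:\\windows\\")


def arguments_of(cmdline):
    """Strip the (quoted) image path and return only the argument string."""
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[end + 1:].strip() if end != -1 else ""
    return cmdline.partition(" ")[2].strip()


def find_hollowing(rows, cmdlines):
    """One finding per (src, dst) pair where a user-land process wrote into a
    C:\\Windows binary AND redirected its thread context (classic hollowing)."""
    findings = []
    for (src, dst), e in parse_events(rows).items():
        if not {"SetThreadContext", "WriteProcessMemory"} <= e["apis"]:
            continue                              # the iexplore -> IEXPLORE writes stop here
        if is_system_binary(e["process"]) or not is_system_binary(e["target"]):
            continue
        target_args = arguments_of(cmdlines.get(dst, ""))
        findings.append({
            "source_pid": src, "target_pid": dst,
            "source": e["process"], "target": e["target"],
            "writes": e["writes"],
            # Heuristic (assumption): WER itself always starts WerFault.exe with
            # -u -p <pid> -s <n> or -pss ...; an argument-less WerFault.exe is the decoy.
            "argless_werfault": e["target"].lower().endswith("werfault.exe") and target_args == "",
        })
    return findings


def shim_redirect_reason(cmdline):
    """If a browser was launched on a go.microsoft.com fwlink, return the .NET
    shim parameters that explain it (which process, and what went wrong)."""
    args = arguments_of(cmdline)
    if "go.microsoft.com/fwlink" not in args:
        return None
    q = parse_qs(urlsplit(args).query)
    return {"processName": q.get("processName", [""])[0],
            "o1": q.get("o1", [""])[0],
            "pver": q.get("pver", [""])[0]}


if __name__ == "__main__":
    for f in find_hollowing(BEHAVIORAL1_EVENTS, BEHAVIORAL1_CMDLINES):
        print("hollowing: PID %(source_pid)d -> PID %(target_pid)d (%(target)s), "
              "%(writes)d writes, argless WerFault=%(argless_werfault)s" % f)
    print("IE launch reason:", shim_redirect_reason(BEHAVIORAL1_CMDLINES[2672]))
```

The same pair of conditions (cross-process write plus thread-context change from a parent outside C:\Windows into a child inside it) maps directly onto Sysmon Event ID 10 (ProcessAccess) with PROCESS_VM_WRITE and THREAD_SET_CONTEXT access rights, and the argument-less WerFault.exe check onto Event ID 1 (ProcessCreate) CommandLine, so the logic transfers to endpoint telemetry without the sandbox.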

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | learn.microsoft.com | udp
GB | 2.17.6.67:443 | learn.microsoft.com | tcp (3 identical rows)
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp (3 identical rows)

Files

memory/1844-0-0x0000000000080000-0x0000000000162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.resource

MD5 eafef8e758eb5c700740fba6068d4770
SHA1 38a73dd8aebaa6070e99674b34c46008e70d2cba
SHA256 e45626261fe0dd6823c65f166e7959b328acb17d203a73fce802786f90ee639c
SHA512 ef21d31f0538b39951058569c9b72cb6c11e82d49ff79f510848efc64ef3bbd380adc227ce74b680e85e755247560393a300c438ba6e4020bebf484b75d71d5e

memory/1928-8-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1928-10-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1928-12-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1928-14-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1928-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1928-17-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2D3A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar2E4A.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 1a33507b1a17c0c793529045d85733d1
SHA1 1aeb704cb5ff8f296dcc86cc97fb95b36b30d98e
SHA256 ec1193d17a1a8f6c69df634df5a7e18c5e5aae5c92f5e1ab2e985dfd92bf3448
SHA512 c3a01d4aaf3454cab20aa421a4bc30382210ea20d474316eadac3b4b3eadccd67b49faa74145caaf63581c8818b2c6bbbe8320b4372a04dcac66638065ddbac8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 83223d00bdc53752304419b626cecc3e
SHA1 1b5b6440668551173dfa95f66df137cfc91182f8
SHA256 8232a1571c74121955a42e8a35b71df2a17418ae5ad7cb09bf02e6fa95e41b33
SHA512 fb311af2a59a7e2a66eeef9c694fd331858a0845a84ce8fb08336ba9d63d0299f81d12714e62865c94b20af088281bf581fdb72cb21b44192a3a7373e921a2ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac0c3d1b590453b902e551f532d5b7b0
SHA1 f8325c78ebcefd0561df9b4909d86d1dc86d12be
SHA256 8d8388d8d3b54b7ba179e916982d83e889c7b3c15834a9ee639e18973e17fce8
SHA512 1142964ed7032e0bc4f159a2c2dd21c3b6830db358354a2b80ae12ae4f613b27719ef520c36bb33843061b18f74795db6b3f82d8b0d4f76015ba8a3f17fd29e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 41087539ff9fd60a555be38a1b8c160e
SHA1 f0c39d692fce4c2614071afb1b857bc85249b7d2
SHA256 66c495e6e4ee86e6facbe7d9888345c6896754a901d2198e71b16c1d44146011
SHA512 59085c0a7dac2b604c07dcec89fbeafed5be0f8ddb43e3a358072598f2c1a835097217deff09f7a42aa3aed3b10052fc53295359dbb4b9bcdc3676dd4a18691f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7b9808b5883e3aa82bfb9f53f144daf
SHA1 22e6bb98c3c4ddf315b35bc6ea6ea90660c7c8c4
SHA256 0c9a49aab7f6e5dfe9a8f2a0ed6c6499f248dc7c742b4dfd2297885c5f8bc794
SHA512 156fbac4ac8faf93f718e682fad9c4d10ae26a37659bb6411bf9b173fa5055acafffb87e0a80ec65d148820ee90f15cae9dc5601eeb6b35feb443dbf27eb5ce4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88bfe99c58eb3bd941594fe4ebbb68e0
SHA1 7947e743856ad48b5c31c525fc736518caa4e77e
SHA256 b36e707f18addc49200e62df61bbeea26c36e124e6d6b8195b267abaac45b829
SHA512 db09dd36fa6337b7e3190312931e63bfb921889a3481018d54390e325a1040cb351a84fae0d77376c45cd1ee886146fa97a610a2c3eba3f80dffb49d2bde8704

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a73c52d65f456fc15dd35d6e734c796d
SHA1 1f83123ddda49c37c9cef8a60e4012a2ceebb66b
SHA256 fc580d0cebef3c417343d67e202b97013a897a337bd0ace53ef96a47380af509
SHA512 1f0c15e8fbf82344709e878e8e1e3340e95583a3e835d86f08ffee29f1ce6270d009a3866dcc46d1e37b4009cd4667acf941cc665a288e3c275c79b7d5ae53de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9c34069a77d4af30a44bf5c6bac68726
SHA1 97a97b5734e47ca3bc0a52e62a60622f4962c4bd
SHA256 35e89a13305f738af120987ed4127884039341b235319898e45c488104530eec
SHA512 a284eec6e1b82d2e9dd34d4d60f081de899e6868799c38d83839d173a6a1c2d45a8cc280ab32c1ba4b7ab2a43391219be6ef259e8600e5bec4ba97c81cfc098b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4d6c145a917438542f4259781cbee1c2
SHA1 19541101988f8ff414750e50a390af1a6235c3ba
SHA256 63ee9f32718548fa071cf301bbe07fa62bc5ee111bdd95a7ba27476b363c7ced
SHA512 7589e038de53d2ad226e1aaf98ba2078883b6f6c7af8e4d946f6fc3de0f97e49bd9ac3d49183c160ddd31df41e5e79f81c1bc51b2d38c21ed107a27e87e22405

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98e62bdc3a0535d29ee4884fae539b1c
SHA1 37b8b9324e38df40c2491af8f334e8c92d57745d
SHA256 018de3eb9b31b4467a24082d8e6e7b11a5a7913fa7397ad240ab2f327c9d2a8c
SHA512 4a900ea94c974e7738a405e1073ccb78291f3d31d9ab65ba3a0f14c92da809d1efd8febcac72e9ed04769293e916c0ec9c886328b4c4a95cbc64b49b1407df7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 150f744bfcc168d4c15a0545dc3cf0f9
SHA1 cf26902e2ed4fb53f79284b46807bfaefa775ae1
SHA256 53a95c5da2dd23a1a13019b712917cc840ba20806401cc13028bdde2d3ef69a1
SHA512 fbe336f61abb2d864bd41d75984d8d352bde6bc51e2a8e23bfbe340bc05a5bd04cd8d559e4ca74761cce04f977a5dbddee84e239909456609bc7a30d42140f77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7d9f38e11856b458c464aeaaa9a7758
SHA1 10cf2e8b252e2bbb0f1c4eba4d72e2ee3f38ba6b
SHA256 986c26f65d89d9008788985a0ade01424e675555f0beee1a4a3b086161c817dc
SHA512 b5fd3a11ded890f1ecbd255bbaafbcaf494164656d327c135b61b6840ea9d9638cf93c08941df68c673c25ff7baf25a436ba348c8b52c7d6d0b7ab40f5dbf725

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e4ec9195e6fe9eaf9104d19363ead98
SHA1 1d5ffb28ef2eb4be8cd078a41d269499ccfaa718
SHA256 0e458df97997277922f6b94dc0caaf113a7702978a98b4d0d047c29be5d9f967
SHA512 bd84702faa66398d0b4f4744968668c95eb006e378d67e1fa84853f1d52b14dea14656d0083d0d45f7811c1bf3406289210624cde9544448deb3463fcb66a5a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 084252f86cb81b0d5b98befdf67950ae
SHA1 3a88a085cbb0b38fd7436092ef559721d28535dd
SHA256 3c085d37e981e13d77e86ca12853dbf41ca1b3aa2fb7a80d92a130c953d23bf4
SHA512 7e1cce2ce3e72acc0f83f787a0d85dd3cab63fa0d8b804c12bb9dfa86cf8d8720ccb6bd9aaa1a2bddb74cc56b9b32fda2ffceb351dda693d56476e6a53626d60

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 811eb9132376af97b408be2593760865
SHA1 01e8e67ab22518d304b606608b47bbd6f955c908
SHA256 76be0407480d68822fe9eefa1a4b0a98110b782b430653e6fb7ed31cfc529afb
SHA512 293c1d336f42adc3aae51702aab1bc6e6cc1ad06e38c95a4d4bba1fa88a395eb2a74eb1bb95b076702f76b973978441bebbe51dd7a503ebefd62209f9b5b159e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 960d8bea4cdb52486fb17611691ce08b
SHA1 6abbccb55f22cbc4c79c1361ad93210a26d08299
SHA256 bf793b3b85e8ab95ba502807a9d7f4316b42adf3a7f327cb6377541666767521
SHA512 98636ede80cd4be36a52c1ad2837c4634f06f7f609f7b9f14683c3812b5d31ca426b80997bc96cbafd963bd5cbd5c2520b8f0752ba551abcde62e1957f9b3965

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 efdcfded2098984fb0b4f8242a110123
SHA1 c78df5336d3618b6b7d37a3dfbd427ae1e4b888f
SHA256 9941d5881ca83e4a2dd5e409cb858d3245bf0f7b8e8c02a6f12b4b69f6821fbf
SHA512 9b3d0187f3cef043abe01f7aa6432c2da8f38582081dd4abd59073652be28cdeace8da5fcced1725c47f8cec696f1712db59a12ba35caa64ab39aece8ab5a58c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9018cf13bb59d3c9e3ec857b381fb47
SHA1 f6f677f34f089ddcd0754e5d090249ed2dc1e325
SHA256 8132a5ccc16af7bec71edb9ac14f5d6a9e20acc95d076a5f588f8feae1fb8e68
SHA512 d93cfc79f21c7de5e97ff014302fc5902039b46600d2fb7995daa214fd645d31947bbba5dfeb5a60128d67b11893d1e5123c82e8bc34a40a37d14987878896cd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 157724735ed8ef5a72cb985c86489d53
SHA1 5430eee0b29a7e009788edf7037a03b940716cde
SHA256 42991b8a3d69effb048bba7f7245b885700b356f72aa11b8a390d7c85f130979
SHA512 d145efcbf11710ddec0dda34c46ef953ef5454029fa727ec7ae973b210b3ea2acf26d717c452cdc2f2ebf389fbccac8cc43e11e66f332f1cb5a88b5ff8bfbacd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ddf53929daf0ebf5e0c19ec77afa11d
SHA1 041c14dc7de0c7df89810f943908609d2e5774d5
SHA256 fae6b59afc6eaec99daaf07fee15971be981c5424411bac14e3b865d0a53b172
SHA512 eae3081fb37a1bb5c570ad35592501685d45a990959d9a30fd0e092d17e8feb717b1365f81b6bfd4d2d5d9e091b27860e1e43b5dfd62535952597f4407bc5228

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6918dd7ec71fe23ac7331649da8b51e
SHA1 3a611aee8c5061849cd68e16a055f03673f6775f
SHA256 a770e18e86ce35e3dff524b4e727c2c8bd2f5215792ef22d4151d76fe642648f
SHA512 eed3fc76f0f2bd3bbbc70b1968f37a7179fb41630bb111a3d6470878fc86d62f45d77168432301483faf7dce61c00b3996df82f334388ac6807b7529a9d559c5

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 09:53

Reported

2024-02-29 09:56

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe"

Signatures

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3036 set thread context of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe | C:\Windows\SysWOW64\WerFault.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe

"C:\Users\Admin\AppData\Local\Temp\25b32a1fec9f1427b5085dcb052de990021b5d2ee82cc4ae6908f606b4fbae3b.exe"

C:\Windows\SysWOW64\WerFault.exe

"C:\Windows\SysWOW64\WerFault.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1876 -ip 1876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 80

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp

Files

memory/3036-0-0x0000000000F80000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut3529.tmp

MD5 eafef8e758eb5c700740fba6068d4770
SHA1 38a73dd8aebaa6070e99674b34c46008e70d2cba
SHA256 e45626261fe0dd6823c65f166e7959b328acb17d203a73fce802786f90ee639c
SHA512 ef21d31f0538b39951058569c9b72cb6c11e82d49ff79f510848efc64ef3bbd380adc227ce74b680e85e755247560393a300c438ba6e4020bebf484b75d71d5e