Malware Analysis Report

2024-09-22 15:26

Sample ID: 240325-fa3jqabb4v
Target: ddos-reaper (2).zip
SHA256: 933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526
Tags: pandastealer phoenixstealer stealer
Score: 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK Matrix
  Analysis: static1
    Detonation Overview, Signatures
  Analysis: behavioral5
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral6
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral8
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral1
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral4
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral3
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral7
    Detonation Overview, Command Line, Signatures, Processes, Network, Files
  Analysis: behavioral2
    Detonation Overview, Command Line, Signatures, Processes, Network, Files

Analysis Overview

Score: 10/10

SHA256: 933a3b090613a423aa7f9486e5a779f57a967776d8b154a40c078e2bff33f526

Threat Level: Known bad

The file ddos-reaper (2).zip was found to be: Known bad.

Malicious Activity Summary

pandastealer phoenixstealer stealer

PhoenixStealer

PandaStealer

Panda Stealer payload

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-03-25 04:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe"

Signatures

Panda Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

PandaStealer

stealer pandastealer

PhoenixStealer

stealer phoenixstealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2956 set thread context of 2632 | N/A | C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe

"C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

N/A

Files

Analysis: behavioral6

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe"

Signatures

Panda Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

PandaStealer

stealer pandastealer

PhoenixStealer

stealer phoenixstealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 5076 set thread context of 5108 | N/A | C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe

"C:\Users\Admin\AppData\Local\Temp\ddos-reaper\ddos-reaper.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5076 -ip 5076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 472

Network

Files

Analysis: behavioral8

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ddos-reaper\headers.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ddos-reaper\headers.txt

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win7-20240215-en
Max time kernel: 148s
Max time network: 148s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"

Signatures

Panda Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

PandaStealer

stealer pandastealer

PhoenixStealer

stealer phoenixstealer

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | N/A
N/A | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A
N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2344 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 2344 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 2344 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Program Files\7-Zip\7zFM.exe
PID 2576 wrote to memory of 2184 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
PID 2576 wrote to memory of 2184 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
PID 2576 wrote to memory of 2184 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
PID 2576 wrote to memory of 2184 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe
PID 2576 wrote to memory of 2624 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe
PID 2576 wrote to memory of 2624 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe
PID 2576 wrote to memory of 2624 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe
PID 2576 wrote to memory of 2624 | N/A | C:\Program Files\7-Zip\7zFM.exe | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2184 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2624 wrote to memory of 624 | N/A | C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 944 wrote to memory of 1748 | N/A | C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"

C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe

"C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe"

C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe

"C:\Users\Admin\AppData\Local\Temp\7zO01A87FA6\ddos-reaper.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe

"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country | Destination | Domain | Proto
RU | 95.142.46.35:6666 |  | tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe

MD5 dd20876bf25544aa55e0c3725103c666
SHA1 d00d689de9f35159188935d3bd93677c807ed655
SHA256 33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67
SHA512 8e88e8777717d203065144ce594e18f86048c83c83d06ef06f0255f42c0de1bfdb1da2faad2bb39da52a652eb4267af79a84d2822afb6e5e31e27899b70ab9fc

C:\Users\Admin\AppData\Local\Temp\7zO01AB8E16\ddos-reaper.exe

MD5 efc58bf59658217c66218094b45dba17
SHA1 945d40c771cb2c9d780f4adece5f33ce47d798a4
SHA256 35a0e33e4fa16282c5a59be9ccc306a615439ad77e5fbdb3bd9fe8e317372806
SHA512 d59dd85372207f589167195d99eb75b938188b080a88db452d27bcf4142bca692bc3e6db5f2f88302886b4d87f20d666cda4ec7d01e67a15e70e6760da652ad1

C:\Users\Admin\Desktop\ddos-reaper\api-ms-win-crt-string-l1-1-0.dll

MD5 f816666e3fc087cd24828943cb15f260
SHA1 eae814c9c41e3d333f43890ed7dafa3575e4c50e
SHA256 45e0835b1d3b446fe2c347bd87922c53cfb6dd826499e19a1d977bf4c11b0e4a
SHA512 6860abe8ab5220efb88f68b80e6c6e95fe35b4029f46b59bc467e3850fe671bda1c7c1c7b035b287bdfed5daeac879ee481d35330b153ea7ef2532970f62c581

\Users\Admin\Desktop\ddos-reaper\api-ms-win-crt-utility-l1-1-0.dll

MD5 6f1a1dfb2761228ccc7d07b8b190054c
SHA1 117d66360c84a0088626e22d8b3b4b685cb70d56
SHA256 c81c4bba4e5f205359ad145963f6fbd074879047c66569f52b6d66711108e1ed
SHA512 480b4f9179d5da56010fa90e1937fe3a232f2f8682596c16eeaed08f57cf8cffeaa506060429501764f695cb6c5b3e56b0037de948c4d0e3933f022a0b4103d2

Analysis: behavioral4

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddos-reaper\api-ms-win-crt-utility-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddos-reaper\api-ms-win-crt-utility-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddos-reaper\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ddos-reaper\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 120s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ddos-reaper\headers.txt

Signatures

N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\ddos-reaper\headers.txt

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-25 04:41
Reported: 2024-03-25 04:43
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"

Signatures

Panda Stealer payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

PandaStealer

stealer pandastealer

PhoenixStealer

stealer phoenixstealer

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4128 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4128 wrote to memory of 1780 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1780 wrote to memory of 696 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe
PID 1780 wrote to memory of 696 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe
PID 1780 wrote to memory of 696 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe
PID 696 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 696 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 696 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 696 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 696 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 8 wrote to memory of 3360 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 8 wrote to memory of 3360 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 8 wrote to memory of 3360 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 8 wrote to memory of 3360 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 8 wrote to memory of 3360 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4868 wrote to memory of 3040 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4868 wrote to memory of 3040 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4868 wrote to memory of 3040 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4868 wrote to memory of 3040 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4868 wrote to memory of 3040 N/A C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ddos-reaper (2).7z"

C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe

"C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 696 -ip 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 696 -s 440

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe

"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"

C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe

"C:\Users\Admin\Desktop\ddos-reaper\ddos-reaper.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 8 -ip 8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8 -s 440

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4868 -ip 4868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 412

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
RU 95.142.46.35:6666 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 43.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 96.17.178.174:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zO4F63ABB7\ddos-reaper.exe

MD5 dd20876bf25544aa55e0c3725103c666
SHA1 d00d689de9f35159188935d3bd93677c807ed655
SHA256 33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67
SHA512 8e88e8777717d203065144ce594e18f86048c83c83d06ef06f0255f42c0de1bfdb1da2faad2bb39da52a652eb4267af79a84d2822afb6e5e31e27899b70ab9fc

memory/696-11-0x0000000000400000-0x0000000000832000-memory.dmp

memory/696-13-0x00000000025F0000-0x0000000002650000-memory.dmp

memory/696-14-0x0000000002770000-0x0000000002771000-memory.dmp

memory/696-15-0x0000000002760000-0x0000000002761000-memory.dmp

memory/696-16-0x00000000027D0000-0x00000000027D1000-memory.dmp

memory/696-17-0x0000000002750000-0x0000000002751000-memory.dmp

memory/696-18-0x00000000027F0000-0x00000000027F1000-memory.dmp

memory/696-19-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/696-20-0x00000000027E0000-0x00000000027E1000-memory.dmp

memory/696-21-0x0000000003760000-0x0000000003761000-memory.dmp

memory/696-22-0x00000000027C0000-0x00000000027C1000-memory.dmp

memory/696-26-0x0000000002880000-0x0000000002881000-memory.dmp

memory/696-27-0x0000000002850000-0x0000000002851000-memory.dmp

memory/696-25-0x0000000002820000-0x0000000002821000-memory.dmp

memory/696-28-0x0000000002810000-0x0000000002811000-memory.dmp

memory/696-24-0x0000000002830000-0x0000000002831000-memory.dmp

memory/696-23-0x0000000003750000-0x0000000003751000-memory.dmp

memory/696-29-0x0000000002890000-0x0000000002891000-memory.dmp

memory/696-30-0x00000000028F0000-0x00000000028F1000-memory.dmp

memory/696-31-0x00000000028E0000-0x00000000028E1000-memory.dmp

memory/696-33-0x0000000002910000-0x0000000002911000-memory.dmp

memory/696-32-0x00000000028D0000-0x00000000028D1000-memory.dmp

memory/696-34-0x0000000002930000-0x0000000002931000-memory.dmp

memory/696-35-0x0000000002840000-0x0000000002841000-memory.dmp

memory/696-36-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-37-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-38-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-39-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-40-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-41-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-42-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-43-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-44-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-45-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-46-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-47-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-48-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-49-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-50-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-51-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-53-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-52-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-54-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-55-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-56-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-57-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-58-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-59-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-61-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-60-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-62-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-63-0x0000000002800000-0x0000000002801000-memory.dmp

memory/696-64-0x0000000002800000-0x0000000002801000-memory.dmp

memory/696-65-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/696-67-0x0000000003790000-0x0000000003791000-memory.dmp

memory/696-66-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/696-68-0x0000000003780000-0x0000000003781000-memory.dmp

memory/696-69-0x0000000003770000-0x0000000003771000-memory.dmp

memory/696-70-0x0000000000400000-0x0000000000832000-memory.dmp

memory/696-71-0x00000000025F0000-0x0000000002650000-memory.dmp

memory/696-73-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-74-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-76-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-77-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/696-75-0x00000000037A0000-0x0000000003830000-memory.dmp

memory/2468-130-0x0000000000400000-0x000000000048D000-memory.dmp

memory/2468-139-0x0000000000400000-0x000000000048D000-memory.dmp

C:\Users\Admin\Desktop\ddos-reaper\headers.txt

MD5 d96df362a721b7f2e5069f282231d008
SHA1 66506f444bcf6a3b0ab1d790598e64997f56a349
SHA256 8b834227d25fd9777362c074d3184c480f3ca1c51ac287c84097bb90ff1b9346
SHA512 121de04f3f8b4e34046e780605303508948e381e909b6cda5bc8cad61859ffc5ea0a82e700c3550b35aff88bcad699ab9c3266c1b4bb4daff36ff5bef11e302b

memory/8-197-0x0000000000400000-0x0000000000832000-memory.dmp

memory/3360-279-0x0000000000700000-0x000000000078D000-memory.dmp

memory/3360-288-0x0000000000700000-0x000000000078D000-memory.dmp

memory/4868-290-0x0000000000400000-0x0000000000832000-memory.dmp

memory/3040-353-0x0000000000400000-0x000000000048D000-memory.dmp