Malware Analysis Report

2024-09-22 16:46

Sample ID 240410-lrxbxseb6t
Target 14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196
SHA256 14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196
Tags
babadeda outsteel crypter loader spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196

Threat Level: Known bad

The file 14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196 was found to be: Known bad.

Malicious Activity Summary

babadeda outsteel crypter loader spyware stealer

OutSteel

Babadeda

Babadeda Crypter

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates connected drives

AutoIT Executable

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-10 09:46

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 09:46

Reported

2024-04-10 09:49

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"

Signatures

Babadeda

loader crypter babadeda

Babadeda Crypter

Description Indicator Process Target
N/A N/A N/A N/A

OutSteel

stealer outsteel

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4476 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 4476 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 4476 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 3788 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 3788 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 3788 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 1520 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 1520 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 1520 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 4708 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
PID 4708 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
PID 4708 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
PID 2168 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 748 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4548 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4156 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3460 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe
PID 2168 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe

"C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"

C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

"C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp" /SL5="$B0050,6104050,943104,C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"

C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe

"C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

"C:\Users\Admin\AppData\Local\Temp\is-PNISQ.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp" /SL5="$9004A,6104050,943104,C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe

"C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.doc" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pdf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppt" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.xl" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.csv" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rtf" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.dot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.mdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.accdb" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pot" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.pps" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.ppa" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.rar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.zip" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.tar" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.7z" /S /B /A

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /U /C DIR "\Users\Admin\*.txt" /S /B /A

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:52733 udp
N/A 127.0.0.1:52732 udp
N/A 10.127.0.82:52732 udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 smm2021.net udp
US 50.2.155.18:80 smm2021.net tcp
US 8.8.8.8:53 18.155.2.50.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
RU 185.244.41.109:8080 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 185.244.41.109:8080 tcp
RU 185.244.41.109:8080 tcp
RU 185.244.41.109:8080 tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

memory/4476-0-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/4476-2-0x0000000000400000-0x00000000004F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-O9H5R.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

MD5 10a0c7f88554ff904404989bb8a504ea
SHA1 dc810dc1f2bf2dc37f69669e6c8e588943053a49
SHA256 596b99105a085e245e744c4d0c49fd7260616c0849d80d485986f2773c387a4b
SHA512 0a9b45796fb4b0d710d48fe1b730cefd4ccca9b9c16d627d5eb443b22661bb948151a7d6d478106196ef6e956d099b03c6d376abca2a32a7424ea6c2d5ff2dc4

memory/3788-6-0x0000000000D50000-0x0000000000D51000-memory.dmp

memory/1520-10-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/3788-13-0x0000000000400000-0x000000000072D000-memory.dmp

memory/4476-17-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/4708-19-0x00000000008D0000-0x00000000008D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe

MD5 5d735d8c7243f61a30f5e91539f76df9
SHA1 26474ba449682e82ca38fef32836dcb23ee24012
SHA256 f00b523635707cf97be5877c9dea1abec7abf8d0e6bcce529cc96826344511a0
SHA512 a7bc38389f8905bc98a3742243fa1fd810241908578656c509c022855aeb1c97b8a3519456488b9cdef3e8b64824f8d2bb48e846d5b0f63e3b7d38041220b13f

memory/2168-589-0x0000000000E60000-0x000000000171B000-memory.dmp

C:\Users\Admin\AppData\Roaming\mX Parser\JxCnv40.dll

MD5 7052d63610b063c859af7f128a0c05cd
SHA1 7d44391b76368b8331c4f468f8ddbaf6ee5a6793
SHA256 6e3917257f9239ff1c0ec0c17a7d9b6b01dead526c56218a11b0676174440112
SHA512 8d34fdd4a48835b6db7ceda48716959e8c50bee04d10aa66044a880a78c13760cf314781f8e347644c5a2d71ff467577e431c70beaafcd52db72cb8044c9bc05

memory/4708-593-0x0000000000400000-0x000000000072D000-memory.dmp

memory/1520-595-0x0000000000400000-0x00000000004F4000-memory.dmp

C:\Users\Admin\AppData\Roaming\mX Parser\manual.pdf

MD5 079766094541035de5f115a9bbb4f583
SHA1 8423b25054aa78535c49042295558f33d34deae1
SHA256 6434913278186cb5b12ca38580a4e94b2ce2af83a836f7e50ab9c5ea8e265a59
SHA512 35b56c24d0b8aa2fec31ab9f329a1bfee15d97eb4fcce795e08bd15c5fd31726aae91c16bce0e1956cc2bbc2b529ace18212b09f47668e540f72079398dd3426

memory/2168-597-0x0000000000E60000-0x000000000171B000-memory.dmp

C:\Users\Admin\AppData\Roaming\mX Parser\libics4.0.dll

MD5 28267ea322e3975f1e98c64a1c77f509
SHA1 e1d92e085df142d703ed9fd9c65ed92562a759fa
SHA256 18f24841651461bd84a5eac08be9bce9eab54b133b0e837d5298dac44e199d5f
SHA512 2c0bd061a51e48c057fdd0b05dc959c48e79ef3df3ca1abec105b8be2aa53f416f92c109c23029a11d4d3e7e75529215877d41b5bfe5d462d844b3bae29c1a42

C:\Users\Admin\Downloads\installation.exe

MD5 345e3700c5b584ca43a6748670480864
SHA1 90802b6139b4ad5c8b218e137af9e5466ad4d0fa
SHA256 e952eeacb54e0d9c07da6db899c7012b49cfd19b19ec46b99321ebe831b53a7c
SHA512 0c17385d336dd25b36e06c2c323694ec43683bf6c179985989eadd680df190bda220ddbd4afa548d6827877fdcfde06f67fd692ebe37653b574d00f5e377a566

memory/2168-612-0x0000000000E60000-0x000000000171B000-memory.dmp

memory/2168-613-0x0000000000E60000-0x000000000171B000-memory.dmp

memory/2168-615-0x0000000000E60000-0x000000000171B000-memory.dmp

memory/2168-617-0x0000000000E60000-0x000000000171B000-memory.dmp

memory/2168-619-0x0000000000E60000-0x000000000171B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 09:46

Reported

2024-04-10 09:49

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2660 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2916 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe
PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2596 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp
PID 2396 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
PID 2396 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
PID 2396 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
PID 2396 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe
PID 2012 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\WerFault.exe
PID 2012 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe

"C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"

C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

"C:\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp" /SL5="$50150,6104050,943104,C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe"

C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe

"C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe" /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9F1LV.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp" /SL5="$60150,6104050,943104,C:\Users\Admin\AppData\Local\Temp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.exe" /VERYSILENT

C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe

"C:\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2012 -s 260

Network

Country Destination Domain Proto
N/A 127.0.0.1:61486 udp
N/A 127.0.0.1:61487 udp

Files

memory/2660-1-0x0000000000400000-0x00000000004F4000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-P7REO.tmp\14bde11c50a2df2401831fea50760dd6cf9a492a3a98753ab3b1c6ce4d079196.tmp

MD5 10a0c7f88554ff904404989bb8a504ea
SHA1 dc810dc1f2bf2dc37f69669e6c8e588943053a49
SHA256 596b99105a085e245e744c4d0c49fd7260616c0849d80d485986f2773c387a4b
SHA512 0a9b45796fb4b0d710d48fe1b730cefd4ccca9b9c16d627d5eb443b22661bb948151a7d6d478106196ef6e956d099b03c6d376abca2a32a7424ea6c2d5ff2dc4

memory/2916-8-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2596-13-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/2916-11-0x0000000000400000-0x000000000072D000-memory.dmp

memory/2660-16-0x0000000000400000-0x00000000004F4000-memory.dmp

memory/2396-22-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Roaming\mX Parser\mathparser.exe

MD5 5d735d8c7243f61a30f5e91539f76df9
SHA1 26474ba449682e82ca38fef32836dcb23ee24012
SHA256 f00b523635707cf97be5877c9dea1abec7abf8d0e6bcce529cc96826344511a0
SHA512 a7bc38389f8905bc98a3742243fa1fd810241908578656c509c022855aeb1c97b8a3519456488b9cdef3e8b64824f8d2bb48e846d5b0f63e3b7d38041220b13f

memory/2396-584-0x00000000038F0000-0x0000000003900000-memory.dmp

\Users\Admin\AppData\Roaming\mX Parser\JxCnv40.dll

MD5 7052d63610b063c859af7f128a0c05cd
SHA1 7d44391b76368b8331c4f468f8ddbaf6ee5a6793
SHA256 6e3917257f9239ff1c0ec0c17a7d9b6b01dead526c56218a11b0676174440112
SHA512 8d34fdd4a48835b6db7ceda48716959e8c50bee04d10aa66044a880a78c13760cf314781f8e347644c5a2d71ff467577e431c70beaafcd52db72cb8044c9bc05

memory/2396-591-0x0000000004840000-0x00000000050FB000-memory.dmp

memory/2012-593-0x0000000000D60000-0x000000000161B000-memory.dmp

memory/2396-595-0x0000000000400000-0x000000000072D000-memory.dmp

memory/2596-597-0x0000000000400000-0x00000000004F4000-memory.dmp