Analysis Overview
SHA256
a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449
Threat Level: Known bad
The file a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449 was found to be: Known bad.
Malicious Activity Summary
Bitrat family
BitRAT
Checks computer location settings
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Loads dropped DLL
UPX packed file
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-04-25 13:10
Signatures
Bitrat family
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-04-25 13:10
Reported
2024-04-25 13:15
Platform
win10-20240404-en
Max time kernel
298s
Max time network
305s
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
Files
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
Analysis: behavioral4
Detonation Overview
Submitted
2024-04-25 13:10
Reported
2024-04-25 13:15
Platform
win10v2004-20240226-en
Max time kernel
291s
Max time network
308s
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3772 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/3908-43-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/3908-45-0x0000000073210000-0x0000000073298000-memory.dmp
memory/3908-44-0x0000000000F50000-0x0000000000FD8000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/3908-42-0x00000000017D0000-0x0000000001A9F000-memory.dmp
memory/1456-49-0x0000000072E00000-0x0000000072E39000-memory.dmp
memory/3908-52-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3908-53-0x00000000737D0000-0x0000000073898000-memory.dmp
memory/3908-54-0x00000000737A0000-0x00000000737C4000-memory.dmp
memory/3908-55-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/3908-56-0x0000000073680000-0x00000000736C9000-memory.dmp
memory/3908-57-0x0000000073570000-0x000000007367A000-memory.dmp
memory/3908-58-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/3908-63-0x0000000000800000-0x0000000000C04000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 84e49117ff2bdf43e685eb0c61e226aa |
| SHA1 | f55d1a80c7c8c9435b787d5ea4764f3cb17a0771 |
| SHA256 | da63ec7df89f3f47fd25e7736764bdb67ba21093e1dc00e0059620b12caee426 |
| SHA512 | 292011df58b6def6c267dfa8112848ce13b7a48820443bb87a82eb93cdcc957f0871086f713ce3697d452124c7b1de686b542139b5210a9f6ed193c6b730e822 |
memory/3908-71-0x0000000000F50000-0x0000000000F99000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 62edfd0316d3370f6c2977195a9bdf51 |
| SHA1 | 483dd260a491e766f6feeeb88b4a7f8c061d025f |
| SHA256 | 6e296c79ce004aa00a4a57fda0b69d76cc3395f97902d113227fbb95a050e02a |
| SHA512 | 2f3114ead5b805c0605a3255d351f82a17653302ef65737a13b1ed2bed975763a7a268aa2c18ca73c78e6f56370bf6d31664ca0d9e4e34f2b311e8b233729f79 |
memory/3908-73-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3908-81-0x00000000017D0000-0x0000000001A9F000-memory.dmp
memory/3908-82-0x0000000000F50000-0x0000000000FD8000-memory.dmp
memory/3908-91-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3908-101-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3908-109-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3908-124-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3384-141-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/3384-140-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3384-142-0x00000000737D0000-0x0000000073898000-memory.dmp
memory/3384-144-0x0000000073680000-0x00000000736C9000-memory.dmp
memory/3384-150-0x0000000073570000-0x000000007367A000-memory.dmp
memory/3384-151-0x0000000073210000-0x0000000073298000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 55034a47e336a1c33a63874c07a4873b |
| SHA1 | cec4d680b8d857ecfa29e25f2a8dec36f2070bb5 |
| SHA256 | f17597084ae8071aea8043897cd8884c8a9f5a554d9cd52d22dd2163f5c3fe4b |
| SHA512 | 4b57f0d6d146c310c68ca5bbc65e1cf85931879132ac114ef39ebbd3353adee87613200ecb1310b09a64afb6188ce6303dccd0c876267bc0f70d2ee87ff2360c |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 781bab4a82b3fcc5950252fb8cafbc6d |
| SHA1 | af49fcd4168cab082e31169344d6717338d7cddf |
| SHA256 | 0581577076f0e4c435111828cdd8e3698978f72eb4d5a704d4a14417beca5720 |
| SHA512 | b1c3e304af4fd896f2b8eb453d73516b3d85955f5118881d651a9de6015d1a753ae58fd47efeaf2a85447ca0337c11d05a1cbf25f0abc3b4360a2fb6b7cf358e |
memory/3384-149-0x00000000737A0000-0x00000000737C4000-memory.dmp
memory/3384-143-0x00000000736D0000-0x000000007379E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 7aae9736515b4fd5f0d10da37fdcf904 |
| SHA1 | bfed7bbd5263c565e602295d5948d9f23803d9bd |
| SHA256 | e1aad8c9b7cf816e093703a971e0a4cae8286cc9ef514e5f1db159d8cd9cece5 |
| SHA512 | 63e1b89c915c44df91ddf291b70c6662ff2721ce9a36e36d34628341277bf0788d886ca4acd563526aec3291b6c6b992b8f31958319d94d1cdddb7c2e7b33979 |
memory/3384-159-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/3384-160-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/3384-162-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/3384-161-0x00000000737D0000-0x0000000073898000-memory.dmp
memory/3384-167-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/1456-175-0x0000000071F20000-0x0000000071F59000-memory.dmp
memory/3384-176-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/2088-208-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/2088-212-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/2088-214-0x0000000073680000-0x00000000736C9000-memory.dmp
memory/2088-215-0x00000000737A0000-0x00000000737C4000-memory.dmp
memory/3384-213-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/2088-211-0x00000000737D0000-0x0000000073898000-memory.dmp
memory/2088-216-0x0000000073570000-0x000000007367A000-memory.dmp
memory/2088-217-0x0000000073210000-0x0000000073298000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 1264126d786cb0279d5f3e3293f39be3 |
| SHA1 | aaf21b22c88c647bba9107d73f61e8c27ea013c0 |
| SHA256 | 3beb918d31d91412aee3c1bbb5c0662fd394d9ef3cdb101901e8397cc27ee40b |
| SHA512 | f73d96e63b40e6622571b82784b64001b5220ecceb1f21eeaf0660bd5f500c077e712cd0a29e5dc6784a091d97886041011bbec37e05d8168992fc4b663371e7 |
memory/2088-220-0x00000000732A0000-0x000000007356F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | 994804e39802f8d8c9780b4da3e39d09 |
| SHA1 | 41e5dd6987eab27f378c824e460ff8a099dac1f7 |
| SHA256 | d8b0ce4a52ea0387701746be80846400cef60c21a14919b69ec3abfb5c917689 |
| SHA512 | 4d8f023dc7e91aba28d48afc7bf6595e78d7db1484df752058bb16aa9dc75ee129f8f677bc2da112117569785124c1315774dc91a9fd7dabcacdc1845750eb6f |
memory/2088-240-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/2088-241-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/2088-242-0x00000000737D0000-0x0000000073898000-memory.dmp
memory/2088-243-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/2772-267-0x00000000737D0000-0x0000000073898000-memory.dmp
memory/2772-271-0x0000000073680000-0x00000000736C9000-memory.dmp
memory/2088-272-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/2772-273-0x00000000737A0000-0x00000000737C4000-memory.dmp
memory/2772-276-0x0000000073570000-0x000000007367A000-memory.dmp
memory/2772-269-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/2772-277-0x0000000073210000-0x0000000073298000-memory.dmp
memory/2772-280-0x00000000732A0000-0x000000007356F000-memory.dmp
memory/2772-290-0x0000000000800000-0x0000000000C04000-memory.dmp
memory/2772-291-0x00000000737D0000-0x0000000073898000-memory.dmp
memory/2772-289-0x0000000073570000-0x000000007367A000-memory.dmp
memory/2772-288-0x00000000737A0000-0x00000000737C4000-memory.dmp
memory/2772-287-0x0000000073680000-0x00000000736C9000-memory.dmp
memory/2772-286-0x00000000736D0000-0x000000007379E000-memory.dmp
memory/1456-292-0x0000000074350000-0x0000000074389000-memory.dmp
memory/408-304-0x0000000073500000-0x00000000735C8000-memory.dmp
memory/408-306-0x00000000735D0000-0x000000007389F000-memory.dmp
memory/408-307-0x00000000734B0000-0x00000000734F9000-memory.dmp
memory/408-308-0x0000000073480000-0x00000000734A4000-memory.dmp
memory/408-310-0x00000000732E0000-0x0000000073368000-memory.dmp
memory/408-311-0x0000000073210000-0x00000000732DE000-memory.dmp
memory/408-312-0x0000000001200000-0x0000000001288000-memory.dmp
memory/408-309-0x0000000073370000-0x000000007347A000-memory.dmp
memory/1456-323-0x0000000072E00000-0x0000000072E39000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-04-25 13:10
Reported
2024-04-25 13:15
Platform
win11-20240412-en
Max time kernel
300s
Max time network
303s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3777591257-2471171023-3629228286-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 173.255.245.116:9001 | N/A | tcp |
| N/A | 127.0.0.1:49795 | N/A | tcp |
| RU | 37.153.1.10:9001 | N/A | tcp |
| US | 173.88.182.35:9001 | N/A | tcp |
| DE | 37.120.186.122:4711 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 173.88.182.35:9001 | N/A | tcp |
| DE | 37.120.186.122:4711 | N/A | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:49937 | N/A | tcp |
| DE | 136.243.154.74:9001 | N/A | tcp |
| FR | 94.23.168.79:9000 | N/A | tcp |
| N/A | 127.0.0.1:49972 | N/A | tcp |
| NL | 194.126.173.158:24752 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:50054 | N/A | tcp |
| DE | 185.232.68.32:9001 | N/A | tcp |
| N/A | 127.0.0.1:50095 | N/A | tcp |
| DE | 145.239.136.129:443 | N/A | tcp |
| CA | 192.99.228.114:666 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:50164 | N/A | tcp |
| FR | 45.158.77.29:9000 | N/A | tcp |
| N/A | 127.0.0.1:50191 | N/A | tcp |
| DE | 185.232.68.32:9001 | N/A | tcp |
| DE | 80.241.220.57:443 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:50264 | N/A | tcp |
| N/A | 127.0.0.1:50283 | N/A | tcp |
| SE | 171.25.193.20:443 | N/A | tcp |
| FI | 65.108.3.114:1066 | N/A | tcp |
| DE | 185.232.68.32:9001 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| MD | 178.17.174.14:9001 | N/A | tcp |
| N/A | 127.0.0.1:50340 | N/A | tcp |
| DE | 136.243.154.74:9001 | N/A | tcp |
| US | 18.18.82.19:9001 | N/A | tcp |
| DE | 185.232.68.32:9001 | N/A | tcp |
Files
memory/2692-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/2692-1-0x0000000074AF0000-0x0000000074B2C000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/1504-32-0x0000000073FF0000-0x0000000074039000-memory.dmp
memory/1504-35-0x0000000073F20000-0x0000000073FEE000-memory.dmp
memory/1504-36-0x0000000073E90000-0x0000000073F18000-memory.dmp
memory/1504-37-0x0000000073E60000-0x0000000073E84000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/1504-38-0x0000000073D50000-0x0000000073E5A000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/1504-29-0x0000000000020000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/1504-42-0x0000000073A80000-0x0000000073D4F000-memory.dmp
memory/1504-43-0x0000000074040000-0x0000000074108000-memory.dmp
memory/1504-44-0x00000000016D0000-0x000000000199F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus
| MD5 | 84e49117ff2bdf43e685eb0c61e226aa |
| SHA1 | f55d1a80c7c8c9435b787d5ea4764f3cb17a0771 |
| SHA256 | da63ec7df89f3f47fd25e7736764bdb67ba21093e1dc00e0059620b12caee426 |
| SHA512 | 292011df58b6def6c267dfa8112848ce13b7a48820443bb87a82eb93cdcc957f0871086f713ce3697d452124c7b1de686b542139b5210a9f6ed193c6b730e822 |
memory/2692-53-0x0000000073660000-0x000000007369C000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | c8ead1771542044a2549189c3ff62e53 |
| SHA1 | 81f65a866596669bf38379bdee74c455d8e3413a |
| SHA256 | 686973775f5a4bf1a4efc97466cd5586a3f5d1774b1a7b7eb407762e2a219e55 |
| SHA512 | 8f9d0421420fd1725138ef1b176155037e9c3cf1982af71651ce8f7355c32206e38fab2e9798faa0490158a84b6870d8600df1d02fbf0e204a24a57655bb51f5 |
memory/1504-69-0x0000000000020000-0x0000000000424000-memory.dmp
memory/1504-71-0x0000000073FF0000-0x0000000074039000-memory.dmp
memory/1504-72-0x0000000073F20000-0x0000000073FEE000-memory.dmp
memory/1504-77-0x0000000000020000-0x0000000000424000-memory.dmp
memory/1504-78-0x0000000000020000-0x0000000000424000-memory.dmp
memory/1504-86-0x00000000016D0000-0x000000000199F000-memory.dmp
memory/1504-87-0x0000000000020000-0x0000000000424000-memory.dmp
memory/1504-95-0x0000000000020000-0x0000000000424000-memory.dmp
memory/2692-109-0x0000000072B30000-0x0000000072B6C000-memory.dmp
memory/1504-110-0x0000000000020000-0x0000000000424000-memory.dmp
memory/1504-118-0x0000000000020000-0x0000000000424000-memory.dmp
memory/1504-126-0x0000000000020000-0x0000000000424000-memory.dmp
memory/1504-135-0x0000000000020000-0x0000000000424000-memory.dmp
memory/3504-151-0x0000000000020000-0x0000000000424000-memory.dmp
memory/3504-152-0x0000000073A80000-0x0000000073D4F000-memory.dmp
memory/3504-153-0x0000000074040000-0x0000000074108000-memory.dmp
memory/3504-155-0x0000000073F20000-0x0000000073FEE000-memory.dmp
memory/3504-157-0x0000000073E60000-0x0000000073E84000-memory.dmp
memory/3504-156-0x0000000073FF0000-0x0000000074039000-memory.dmp
memory/3504-162-0x0000000073E90000-0x0000000073F18000-memory.dmp
memory/3504-160-0x0000000073D50000-0x0000000073E5A000-memory.dmp
memory/3504-171-0x0000000073FF0000-0x0000000074039000-memory.dmp
memory/3504-170-0x0000000073F20000-0x0000000073FEE000-memory.dmp
memory/3504-172-0x0000000073E60000-0x0000000073E84000-memory.dmp
memory/3504-169-0x0000000074040000-0x0000000074108000-memory.dmp
memory/3504-168-0x0000000073A80000-0x0000000073D4F000-memory.dmp
memory/3504-173-0x0000000000020000-0x0000000000424000-memory.dmp
memory/4816-185-0x0000000000020000-0x0000000000424000-memory.dmp
memory/4816-186-0x0000000073D80000-0x0000000073E48000-memory.dmp
memory/4816-187-0x0000000073D30000-0x0000000073D79000-memory.dmp
memory/4816-191-0x0000000073D00000-0x0000000073D24000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | aa0c08b930eee9ae383d130e397f8f87 |
| SHA1 | fda90d2b9ac6a852b36ec8e66e7a5034560662de |
| SHA256 | e9550915e943d697bfc132223d83d78fc20fb838cc130dc71933b87e7ff83394 |
| SHA512 | caf35fc08231329e346d6baeb04bf31242ba0f2e6415540b7a1931ee14d06c34163a2555930a35c60970f6a8f7cd4bca887d0009e3961264025afd88827844a0 |
memory/4816-193-0x0000000073BF0000-0x0000000073CFA000-memory.dmp
memory/4816-194-0x0000000073B60000-0x0000000073BE8000-memory.dmp
memory/4816-195-0x0000000073A90000-0x0000000073B5E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 85ee5c8303a1e54204f71672eb7aa95f |
| SHA1 | bfe500e0a02ba9608bb60a387dfcce5c561d4f61 |
| SHA256 | abb01db30dec8d47c7def2aed46514b8c7b8c835736ea10e00becf43ea371bf2 |
| SHA512 | 4fcdbfb8c478f8ca0b9361b22f616cd590e65adde84dd352df787408067dd0eb5955b6b8afa94231f02add79c33ab99772912c6862ccf957ff13d1f519094aa4 |
memory/4816-196-0x0000000073E50000-0x000000007411F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 90d7f6bbd47690127aef77b24bdd46e7 |
| SHA1 | 1dd78265266dfa07fa7a7def6b2a1d76eb03d5d5 |
| SHA256 | b7a9c09551280d13d127d9162837ac575b178e283a22108cc5f0a9c13c8d76d8 |
| SHA512 | ddbdfac6e314001c5ee5d8cbb6cc1280f25545d1d46bc48af404fb98ceeffbc8d9b7354058c9c5483cc6998ed8d2f846af2c415a852eb66748c6a8b71f71bec9 |
memory/4816-211-0x0000000000020000-0x0000000000424000-memory.dmp
memory/4816-220-0x0000000073D80000-0x0000000073E48000-memory.dmp
memory/788-258-0x0000000000020000-0x0000000000424000-memory.dmp
memory/788-261-0x0000000073E50000-0x000000007411F000-memory.dmp
memory/788-266-0x0000000073A90000-0x0000000073B5E000-memory.dmp
memory/4816-268-0x0000000000020000-0x0000000000424000-memory.dmp
memory/788-270-0x0000000073D00000-0x0000000073D24000-memory.dmp
memory/788-272-0x0000000073BF0000-0x0000000073CFA000-memory.dmp
memory/788-267-0x0000000073D30000-0x0000000073D79000-memory.dmp
memory/788-274-0x0000000073B60000-0x0000000073BE8000-memory.dmp
memory/788-263-0x0000000073D80000-0x0000000073E48000-memory.dmp
memory/788-280-0x0000000073A90000-0x0000000073B5E000-memory.dmp
memory/788-281-0x0000000000020000-0x0000000000424000-memory.dmp
memory/788-282-0x0000000073E50000-0x000000007411F000-memory.dmp
memory/788-283-0x0000000073D80000-0x0000000073E48000-memory.dmp
memory/4068-295-0x0000000073D80000-0x0000000073E48000-memory.dmp
memory/4068-296-0x0000000073CB0000-0x0000000073D7E000-memory.dmp
memory/4068-297-0x0000000073C60000-0x0000000073CA9000-memory.dmp
memory/4068-298-0x0000000073C30000-0x0000000073C54000-memory.dmp
memory/4068-299-0x0000000073B20000-0x0000000073C2A000-memory.dmp
memory/4068-300-0x0000000073A90000-0x0000000073B18000-memory.dmp
memory/4068-303-0x0000000073E50000-0x000000007411F000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 5b6d7b254d7445b5a19641098f3e1b78 |
| SHA1 | 32c9106371d9fa861d6da30f814d26c609183e04 |
| SHA256 | 2a7e06cc74bcd68a60fa0718aa1da736f210f7c46553e12a1c57284b3d35cf0c |
| SHA512 | 4b07f5e58d7f6b19fdca3ead1902e8a996dfffc2b0c02b824168794995c1643b54d5799616948fdd3c44840d1b65a8436592deb9e152c086f98e67d5876d83ba |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | 021ceff30e5fa0ccdf3405d4d2775f6b |
| SHA1 | ee2afbcb2df676a178e8c14d2b1f1a1f3826fdda |
| SHA256 | 928a2e08d99097ea33447d2f4fa92e8fccfe81832136434ba048645e6b0c376a |
| SHA512 | 9091ea85a2d0db705143e4b3e12958c1f2894d7784303274e303555bf5738e051d8c819275bdb4823357228aaa26a0fd0319a8d06ba479960455fa0796f7ef6b |
memory/4068-315-0x0000000000020000-0x0000000000424000-memory.dmp
memory/4068-324-0x0000000073D80000-0x0000000073E48000-memory.dmp
memory/4068-325-0x0000000073CB0000-0x0000000073D7E000-memory.dmp
memory/4068-326-0x0000000073E50000-0x000000007411F000-memory.dmp
memory/2692-343-0x0000000074AF0000-0x0000000074B2C000-memory.dmp
memory/2712-351-0x0000000000020000-0x0000000000424000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-25 13:10
Reported
2024-04-25 13:15
Platform
win10v2004-20240412-en
Max time kernel
295s
Max time network
300s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
| N/A | myexternalip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.32.209.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| FR | 51.254.136.195:443 | N/A | tcp |
| N/A | 127.0.0.1:61653 | N/A | tcp |
| US | 166.70.207.2:9101 | N/A | tcp |
| CZ | 31.31.78.49:443 | N/A | tcp |
| US | 8.8.8.8:53 | 2.207.70.166.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.78.31.31.in-addr.arpa | udp |
| GB | 37.26.77.247:443 | N/A | tcp |
| FR | 178.32.41.33:8080 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 247.77.26.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.41.32.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 37.26.77.247:443 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FR | 178.32.41.33:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | myexternalip.com | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 44.118.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.190.18.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:61790 | N/A | tcp |
| CA | 142.44.129.21:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 21.129.44.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:61819 | N/A | tcp |
| US | 18.18.82.19:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 19.82.18.18.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:61908 | N/A | tcp |
| NL | 93.158.213.15:443 | N/A | tcp |
| US | 38.147.122.252:443 | N/A | tcp |
| N/A | 127.0.0.1:61944 | N/A | tcp |
| US | 8.8.8.8:53 | 252.122.147.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.213.158.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:62003 | N/A | tcp |
| DE | 148.251.91.87:443 | N/A | tcp |
| N/A | 127.0.0.1:62024 | N/A | tcp |
| US | 147.135.65.87:8443 | N/A | tcp |
| US | 8.8.8.8:53 | 87.91.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 87.65.135.147.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 65.49.20.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | 11.20.49.65.in-addr.arpa | udp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:62081 | N/A | tcp |
| N/A | 127.0.0.1:62104 | N/A | tcp |
| CA | 192.160.102.164:9001 | N/A | tcp |
| DE | 148.251.91.87:443 | N/A | tcp |
| US | 8.8.8.8:53 | 164.102.160.192.in-addr.arpa | udp |
| FR | 45.158.77.29:9300 | N/A | tcp |
| US | 8.8.8.8:53 | 29.77.158.45.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:62159 | N/A | tcp |
| N/A | 127.0.0.1:62182 | N/A | tcp |
| FR | 212.47.233.250:9001 | N/A | tcp |
| DE | 148.251.91.87:443 | N/A | tcp |
| FR | 5.196.64.99:39353 | N/A | tcp |
| NL | 93.158.213.15:443 | N/A | tcp |
| US | 8.8.8.8:53 | 99.64.196.5.in-addr.arpa | udp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 34.117.118.44:443 | myexternalip.com | tcp |
| N/A | 127.0.0.1:62245 | N/A | tcp |
| DE | 78.47.18.110:80 | N/A | tcp |
| DK | 130.225.244.90:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 90.244.225.130.in-addr.arpa | udp |
| DE | 148.251.91.87:443 | N/A | tcp |
Files
memory/3080-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
memory/3080-1-0x0000000074610000-0x0000000074649000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
memory/60-19-0x0000000000940000-0x0000000000D44000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/60-34-0x00000000739C0000-0x0000000073A88000-memory.dmp
memory/60-35-0x0000000073A90000-0x0000000073B5E000-memory.dmp
memory/60-36-0x00000000736A0000-0x00000000736E9000-memory.dmp
memory/60-38-0x0000000073670000-0x0000000073694000-memory.dmp
memory/60-37-0x00000000736F0000-0x00000000739BF000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
memory/60-40-0x00000000734D0000-0x0000000073558000-memory.dmp
memory/60-43-0x0000000001B00000-0x0000000001B88000-memory.dmp
memory/60-44-0x0000000073560000-0x000000007366A000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
memory/3080-45-0x00000000730C0000-0x00000000730F9000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 84e49117ff2bdf43e685eb0c61e226aa |
| SHA1 | f55d1a80c7c8c9435b787d5ea4764f3cb17a0771 |
| SHA256 | da63ec7df89f3f47fd25e7736764bdb67ba21093e1dc00e0059620b12caee426 |
| SHA512 | 292011df58b6def6c267dfa8112848ce13b7a48820443bb87a82eb93cdcc957f0871086f713ce3697d452124c7b1de686b542139b5210a9f6ed193c6b730e822 |
memory/60-55-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/60-56-0x00000000739C0000-0x0000000073A88000-memory.dmp
memory/60-57-0x0000000073A90000-0x0000000073B5E000-memory.dmp
memory/60-59-0x00000000736F0000-0x00000000739BF000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | f3b21c6769e227f72120184e8e0cbc6b |
| SHA1 | 379c82c427ccdec56024f018af7581e12e3a2b2f |
| SHA256 | f6b3c423a90c410c7f6439241c94420586956528061fa3dd61a120af90b51ef7 |
| SHA512 | 25a754f6fe5d7785d74ccb2393e6c30a57c2183a8a3908e55b6bc7c6793febd90a36cce87bb18571a91d97485ece3608fdb69fc341518bad23704dfb4af8c17b |
memory/60-77-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/60-78-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/60-86-0x0000000001B00000-0x0000000001B88000-memory.dmp
memory/60-87-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/60-101-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/3080-109-0x00000000727F0000-0x0000000072829000-memory.dmp
memory/60-110-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/60-118-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/60-127-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/2520-143-0x00000000736F0000-0x00000000739BF000-memory.dmp
memory/2520-145-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/2520-146-0x00000000739C0000-0x0000000073A88000-memory.dmp
memory/2520-148-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/2520-150-0x0000000073670000-0x0000000073694000-memory.dmp
memory/2520-149-0x00000000736A0000-0x00000000736E9000-memory.dmp
memory/2520-151-0x00000000736F0000-0x00000000739BF000-memory.dmp
memory/2520-153-0x0000000073560000-0x000000007366A000-memory.dmp
memory/2520-154-0x0000000073A90000-0x0000000073B5E000-memory.dmp
memory/2520-155-0x00000000734D0000-0x0000000073558000-memory.dmp
memory/2520-152-0x00000000739C0000-0x0000000073A88000-memory.dmp
memory/60-144-0x0000000001B00000-0x0000000001B88000-memory.dmp
memory/1468-171-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/1468-172-0x0000000073890000-0x0000000073B5F000-memory.dmp
memory/1468-179-0x0000000073740000-0x0000000073764000-memory.dmp
memory/1468-178-0x0000000073770000-0x00000000737B9000-memory.dmp
memory/1468-180-0x0000000073630000-0x000000007373A000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | cbb17373d7aba2c6ae68b4c7f2a1008d |
| SHA1 | efb3967de11aa1605081a4d4a1a2e532d8773846 |
| SHA256 | 8b4241b9f5e370893a5331ee2c340e27bea213cbcbba54ca6c7afa77dcdf5b6d |
| SHA512 | 5174bf64e262e84d84801464878b1afb32636e3def8cac6b0317757da7fa95bf9feca1ff6137a5923c4c05be7ce76da7b98f4557c99578e3b5590ea5deb90ca5 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 3162e683b98bcf23236b0bc95c3b804a |
| SHA1 | a3165c56d7cbbb572272d3103eaa16ab09f25003 |
| SHA256 | a4a16f81fb6b79950be49a32972e5825128cf550621ab93ffd19a3973870293a |
| SHA512 | 98cc0cf32e97263500d0d80d8c6a3c87bcbc079fa65349f780d92e360e3571373787116a9a62f8e6e242a39d10e2317b618dc620b94a4888be15cc7b98374fea |
memory/1468-173-0x00000000737C0000-0x0000000073888000-memory.dmp
memory/1468-181-0x00000000735A0000-0x0000000073628000-memory.dmp
memory/1468-182-0x00000000734D0000-0x000000007359E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 79d673fd01a7ec522abe090ab4515e00 |
| SHA1 | 305cae72e6eabc9567338dbf0725882120757743 |
| SHA256 | efb126b4976c2c77584d1b17d9f09da70d789d283fde5655e14b4fdb4520729a |
| SHA512 | 4de38b26da202a387fbe9ef0138bb0c5e67fca9c263a310b0fd8766edb68cc91ca0e545e8033c43e78aaba90f20e96c30b6886a1630409d28b3c9060e9e2f311 |
memory/1468-206-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/1468-207-0x0000000073890000-0x0000000073B5F000-memory.dmp
memory/1468-208-0x00000000737C0000-0x0000000073888000-memory.dmp
memory/1988-238-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/1988-242-0x00000000737C0000-0x0000000073888000-memory.dmp
memory/1988-241-0x0000000073890000-0x0000000073B5F000-memory.dmp
memory/1988-245-0x00000000734D0000-0x000000007359E000-memory.dmp
memory/1988-250-0x0000000073630000-0x000000007373A000-memory.dmp
memory/1468-248-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/1988-252-0x00000000735A0000-0x0000000073628000-memory.dmp
memory/1988-249-0x0000000073740000-0x0000000073764000-memory.dmp
memory/1988-246-0x0000000073770000-0x00000000737B9000-memory.dmp
memory/1988-260-0x00000000734D0000-0x000000007359E000-memory.dmp
memory/1988-261-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/1988-263-0x00000000737C0000-0x0000000073888000-memory.dmp
memory/1988-262-0x0000000073890000-0x0000000073B5F000-memory.dmp
memory/1072-279-0x0000000073740000-0x0000000073764000-memory.dmp
memory/1072-276-0x0000000073890000-0x0000000073B5F000-memory.dmp
memory/1072-280-0x0000000073630000-0x000000007373A000-memory.dmp
memory/1072-278-0x0000000073770000-0x00000000737B9000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | da155c1d4a3b1519e3991600a4281731 |
| SHA1 | 742144f6fe0f9b24ccd8cf5452b14f67d5757eed |
| SHA256 | 57aa0bc159e2959f574e6ae86e33e212952860f8f69678b53d283162583a3bbd |
| SHA512 | a5603c194b4d044e065c4a7cf52979e22b827d3663d2bdfe2fe317f78c20db2e3ecdc4ee207ca26b6654b34270b5e155b1827ed58c97f02da73bf591b548ada6 |
memory/1072-283-0x00000000734D0000-0x000000007359E000-memory.dmp
memory/1072-284-0x00000000015A0000-0x0000000001628000-memory.dmp
memory/1072-285-0x00000000735A0000-0x0000000073628000-memory.dmp
memory/1072-277-0x00000000737C0000-0x0000000073888000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs
| MD5 | e3a83b8e1f7067c0fd68682b8e32ab0e |
| SHA1 | aa7280861ade2a2faaaff336b73064da6258d218 |
| SHA256 | a7172c4b10279133920323648dbb91cd9c38b2afea28dc0203041f509359802e |
| SHA512 | 5ffee37a25c2dc1173bc4f1f3c9488c7ac42b909149ec4dae32de154c4928083df0781a854e15d8194eca22cbe689f5120410c469cb81e2f4c852add5b89488a |
memory/1072-305-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/1072-306-0x0000000073890000-0x0000000073B5F000-memory.dmp
memory/1072-307-0x00000000737C0000-0x0000000073888000-memory.dmp
memory/1072-308-0x00000000015A0000-0x0000000001628000-memory.dmp
memory/4592-321-0x0000000000940000-0x0000000000D44000-memory.dmp
memory/4592-324-0x0000000073890000-0x0000000073B5F000-memory.dmp
memory/4592-328-0x00000000734D0000-0x000000007359E000-memory.dmp
memory/4592-326-0x00000000737C0000-0x0000000073888000-memory.dmp
memory/4592-330-0x0000000073770000-0x00000000737B9000-memory.dmp
memory/4592-331-0x0000000073740000-0x0000000073764000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-25 13:10
Reported
2024-04-25 13:15
Platform
win7-20240221-en
Max time kernel
298s
Max time network
305s
Command Line
Signatures
BitRAT
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\test1 = "C:\\Users\\Admin\\AppData\\Local\\temp\\test1" | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe
"C:\Users\Admin\AppData\Local\Temp\a4c959944542c7c2606d38cca52cfb4f37312144513089a7bafa533276872449.exe"
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
"C:\Users\Admin\AppData\Local\d46500b0\tor\test2.exe" -f torrc
Network
| Country | Destination | Domain | Proto |
| NL | 192.87.28.28:9001 | N/A | tcp |
| DE | 92.60.38.166:443 | N/A | tcp |
| DE | 89.58.33.214:443 | N/A | tcp |
| N/A | 127.0.0.1:49245 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| N/A | 127.0.0.1:49322 | N/A | tcp |
| N/A | 127.0.0.1:45808 | N/A | tcp |
| US | 23.29.119.122:9000 | N/A | tcp |
| FI | 95.217.71.73:9001 | N/A | tcp |
| N/A | 127.0.0.1:49464 | N/A | tcp |
| US | 23.29.119.122:9000 | N/A | tcp |
| FI | 95.217.71.73:9001 | N/A | tcp |
Files
memory/2444-0-0x0000000000400000-0x0000000000BD8000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\test2.exe
| MD5 | 5cfe61ff895c7daa889708665ef05d7b |
| SHA1 | 5e58efe30406243fbd58d4968b0492ddeef145f2 |
| SHA256 | f9c1d18b50ce7484bf212cb61a9035602cfb90ebdfe66a077b9f6df73196a9f5 |
| SHA512 | 43b6f10391a863a21f70e05cee41900729c7543750e118ff5d74c0cac3d1383f10bcb73eade2a28b555a393cada4795e204246129b01ad9177d1167827dd68da |
C:\Users\Admin\AppData\Local\d46500b0\tor\libcrypto-1_1.dll
| MD5 | 2384a02c4a1f7ec481adde3a020607d3 |
| SHA1 | 7e848d35a10bf9296c8fa41956a3daa777f86365 |
| SHA256 | c8db0ff0f7047ed91b057005e86ad3a23eae616253313aa047c560d9eb398369 |
| SHA512 | 1ac74dd2d863acd7415ef8b9490a5342865462fbabdad0645da22424b0d56f5e9c389a3d7c41386f2414d6c4715c79a6ddecb6e6cff29e98319e1fd1060f4503 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libssp-0.dll
| MD5 | 2c916456f503075f746c6ea649cf9539 |
| SHA1 | fa1afc1f3d728c89b2e90e14ca7d88b599580a9d |
| SHA256 | cbb5236d923d4f4baf2f0d2797c72a2cbae42ef7ac0acce786daf5fdc5b456e6 |
| SHA512 | 1c1995e1aa7c33c597c64122395275861d9219e46d45277d4f1768a2e06227b353d5d77d6b7cb655082dc6fb9736ad6f7cfcc0c90e02776e27d50857e792e3fd |
C:\Users\Admin\AppData\Local\d46500b0\tor\libevent-2-1-6.dll
| MD5 | 099983c13bade9554a3c17484e5481f1 |
| SHA1 | a84e69ad9722f999252d59d0ed9a99901a60e564 |
| SHA256 | b65f9aa0c7912af64bd9b05e9322e994339a11b0c8907e6a6166d7b814bda838 |
| SHA512 | 89f1a963de77873296395662d4150e3eff7a2d297fb9ec54ec06aa2e40d41e5f4fc4611e9bc34126d760c9134f2907fea3bebdf2fbbd7eaddad99f8e4be1f5e2 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libgcc_s_sjlj-1.dll
| MD5 | b0d98f7157d972190fe0759d4368d320 |
| SHA1 | 5715a533621a2b642aad9616e603c6907d80efc4 |
| SHA256 | 2922193133dabab5b82088d4e87484e2fac75e9e0c765dacaf22eb5f4f18b0c5 |
| SHA512 | 41ce56c428158533bf8b8ffe0a71875b5a3abc549b88d7d3e69acc6080653abea344d6d66fff39c04bf019fcaa295768d620377d85a933ddaf17f3d90df29496 |
C:\Users\Admin\AppData\Local\d46500b0\tor\libwinpthread-1.dll
| MD5 | d407cc6d79a08039a6f4b50539e560b8 |
| SHA1 | 21171adbc176dc19aaa5e595cd2cd4bd1dfd0c71 |
| SHA256 | 92cfd0277c8781a15a0f17b7aee6cff69631b9606a001101631f04b3381efc4e |
| SHA512 | 378a10fed915591445d97c6d04e82d28008d8ea65e0e40c142b8ee59867035d561d4e103495c8f0d9c19b51597706ce0b450c25516aa0f1744579ffcd097ae0c |
memory/2444-29-0x0000000003BF0000-0x0000000003FF4000-memory.dmp
memory/2544-30-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/2544-31-0x0000000074650000-0x000000007491F000-memory.dmp
memory/2544-32-0x0000000074BA0000-0x0000000074BE9000-memory.dmp
\Users\Admin\AppData\Local\d46500b0\tor\libssl-1_1.dll
| MD5 | c88826ac4bb879622e43ead5bdb95aeb |
| SHA1 | 87d29853649a86f0463bfd9ad887b85eedc21723 |
| SHA256 | c4d898b1a4285a45153af9ed88d79aa2a073dcb7225961b6b276b532b4d18b6f |
| SHA512 | f733041ef35b9b8058fbcf98faa0d1fea5c0858fea941ecebbe9f083cd73e3e66323afffd8d734097fcdd5e6e59db4d94f51fca5874edbcd2a382d9ba6cd97b3 |
C:\Users\Admin\AppData\Local\d46500b0\tor\zlib1.dll
| MD5 | add33041af894b67fe34e1dc819b7eb6 |
| SHA1 | 6db46eb021855a587c95479422adcc774a272eeb |
| SHA256 | 8688bd7ca55dcc0c23c429762776a0a43fe5b0332dfd5b79ef74e55d4bbc1183 |
| SHA512 | bafc441198d03f0e7fe804bab89283c389d38884d0f87d81b11950a9b79fcbf7b32be4bb16f4fcd9179b66f865c563c172a46b4514a6087ef0af64425a4b2cfa |
memory/2444-39-0x0000000003BF0000-0x0000000003FF4000-memory.dmp
memory/2544-35-0x0000000074B10000-0x0000000074B98000-memory.dmp
memory/2544-34-0x0000000074470000-0x000000007457A000-memory.dmp
memory/2544-40-0x0000000074EF0000-0x0000000074F14000-memory.dmp
memory/2544-33-0x0000000074580000-0x0000000074648000-memory.dmp
memory/2544-41-0x00000000743A0000-0x000000007446E000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\torrc
| MD5 | 439cd73927f46fde28540391feee8477 |
| SHA1 | ee7fb2aeb7708378abda293b03f5c9ffb6dbc742 |
| SHA256 | d1604e8bdb1a544638a97aa210b3e1eb12f1f159323d6b5942e03e11eafe9f75 |
| SHA512 | c11ad07964e190696f500468d52c61d8af5f075e7828ef00d525f06937f4205ca58eb3eabe5fd9cc8fa88c1d191de919429b6bbf3cdbb2dda6eed7d1b9ca7319 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdesc-consensus.tmp
| MD5 | 84e49117ff2bdf43e685eb0c61e226aa |
| SHA1 | f55d1a80c7c8c9435b787d5ea4764f3cb17a0771 |
| SHA256 | da63ec7df89f3f47fd25e7736764bdb67ba21093e1dc00e0059620b12caee426 |
| SHA512 | 292011df58b6def6c267dfa8112848ce13b7a48820443bb87a82eb93cdcc957f0871086f713ce3697d452124c7b1de686b542139b5210a9f6ed193c6b730e822 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 8654ca32afcb2449dc8f82895ac494f5 |
| SHA1 | a84d381e1376073de7157b81d5e25a20dac63ae3 |
| SHA256 | 281189fcd650023fde52c1fcac44b9032a9fdcb3572b7c2f0a350a168ca2138e |
| SHA512 | 666316ff5c2717298f8996b49534589fd4f7b791eb8ff71465de19d4e3b584285e327b71c29a817d458390ef3475ac31795cf1ec1c2c6911a424c7e82160d2e2 |
memory/2544-58-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/2544-59-0x0000000074650000-0x000000007491F000-memory.dmp
memory/2544-60-0x0000000074BA0000-0x0000000074BE9000-memory.dmp
memory/2544-61-0x0000000074580000-0x0000000074648000-memory.dmp
memory/2544-62-0x0000000074470000-0x000000007457A000-memory.dmp
memory/2544-63-0x0000000074B10000-0x0000000074B98000-memory.dmp
memory/2544-64-0x00000000743A0000-0x000000007446E000-memory.dmp
memory/2444-66-0x0000000003BF0000-0x0000000003FF4000-memory.dmp
memory/2544-67-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/2544-75-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/2444-76-0x0000000003BF0000-0x0000000003FF4000-memory.dmp
memory/2544-77-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/2544-85-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/2544-94-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/2444-101-0x0000000004850000-0x0000000004C54000-memory.dmp
memory/1920-110-0x0000000074650000-0x000000007491F000-memory.dmp
memory/1920-111-0x0000000074BA0000-0x0000000074BE9000-memory.dmp
memory/1920-112-0x0000000074580000-0x0000000074648000-memory.dmp
memory/1920-114-0x0000000074470000-0x000000007457A000-memory.dmp
memory/1920-116-0x0000000074B10000-0x0000000074B98000-memory.dmp
memory/1920-115-0x00000000001F0000-0x00000000005F4000-memory.dmp
memory/1920-118-0x00000000743A0000-0x000000007446E000-memory.dmp
memory/1920-117-0x0000000074650000-0x000000007491F000-memory.dmp
memory/1920-120-0x0000000074BA0000-0x0000000074BE9000-memory.dmp
memory/1920-122-0x0000000074580000-0x0000000074648000-memory.dmp
memory/1920-124-0x0000000074470000-0x000000007457A000-memory.dmp
memory/1920-126-0x0000000074B10000-0x0000000074B98000-memory.dmp
memory/1920-130-0x0000000074EF0000-0x0000000074F14000-memory.dmp
memory/2452-242-0x0000000001010000-0x0000000001414000-memory.dmp
memory/2452-243-0x0000000074380000-0x000000007464F000-memory.dmp
memory/2452-247-0x0000000074850000-0x0000000074918000-memory.dmp
memory/2452-248-0x0000000074740000-0x000000007484A000-memory.dmp
memory/2452-250-0x0000000074BC0000-0x0000000074BE4000-memory.dmp
memory/2452-249-0x00000000746B0000-0x0000000074738000-memory.dmp
memory/2452-251-0x00000000741F0000-0x00000000742BE000-memory.dmp
memory/2452-244-0x0000000074B50000-0x0000000074B99000-memory.dmp
memory/2444-241-0x0000000004850000-0x0000000004C54000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\state
| MD5 | 2e0cd8f40f8dceb3a001bed49bac220d |
| SHA1 | 1a0f08224b20c4225f8014912e7c8864e8f5efec |
| SHA256 | 4e2e93341ef6b9ee05ffd64c28385287fe584af3499a762314fdfa70ad60f5cb |
| SHA512 | a90a0c0481dfa067ce7ad9a864b28b400055304bd8eadc84c84fc88c6a529fd827b141f59efb5dedf3d75054e0882161f54cdb166c373f2065df4275384a8fa9 |
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-certs
| MD5 | 376b41fc4d8584cbb4c644179b5e705a |
| SHA1 | 733b1fc80f71e1dfc583476d93620587ba50bf78 |
| SHA256 | 56d98710b2dfc720e40ed5b7025440832696dec5e2edc04075da256e0ab0b4a4 |
| SHA512 | d031106106df085e2615f468ad8f735e3628e1e82803cbf124d1df2c47c693a2aa4c40e5bce9984cb78cb73529cc4dceefa9aacbadeaae7d35f05f60674b5cf0 |
memory/2452-280-0x0000000074B50000-0x0000000074B99000-memory.dmp
C:\Users\Admin\AppData\Local\d46500b0\tor\data\cached-microdescs.new
| MD5 | 597db4debb80a240fb497aef1ee62f9a |
| SHA1 | 9a3a2f4dbbea9d4b0b8a4a21dbbbc0bf33172a48 |
| SHA256 | 404b48c14be21e7507cca57f4cc98f6a263986b72b2b8110d9d45a3cd81d9396 |
| SHA512 | 2396d49b7598f02db3e3ac95c0af31ad5477573f578c453bae9388c4e46043695aed9144935292547956fc4b7af64d3a571b0bb9943787c57cc765d8ede0320f |
memory/2444-285-0x0000000004850000-0x0000000004C54000-memory.dmp
memory/2452-286-0x0000000001010000-0x0000000001414000-memory.dmp
memory/2452-288-0x0000000074380000-0x000000007464F000-memory.dmp
memory/2452-289-0x0000000074850000-0x0000000074918000-memory.dmp
memory/2452-294-0x00000000741F0000-0x00000000742BE000-memory.dmp