Malware Analysis Report

2024-09-22 23:53

Sample ID 240427-n41wzsaa69
Target Paid Combo Tools.rar
SHA256 9ade92534340b3624c65018cd83dcf57a6b08037aa15af111a34cf561effbccc
Tags: stormkitty asyncrat default rat spyware stealer
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9ade92534340b3624c65018cd83dcf57a6b08037aa15af111a34cf561effbccc

Threat Level: Known bad

The file Paid Combo Tools.rar was found to be: Known bad.

Malicious Activity Summary

stormkitty asyncrat default rat spyware stealer

StormKitty

AsyncRat

Stormkitty family

StormKitty payload

Async RAT payload

Reads user/profile data of web browsers

Executes dropped EXE

Drops desktop.ini file(s)

Looks up external IP address via web service

Looks up geolocation information via web service

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

Creates scheduled task(s)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-27 11:57

Signatures

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Stormkitty family

stormkitty

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 11:57

Reported

2024-04-27 12:08

Platform

win10-20240404-fr

Max time kernel

371s

Max time network

438s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools.rar"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A
N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools.rar"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 11:57

Reported

2024-04-27 12:08

Platform

win10-20240404-fr

Max time kernel

380s

Max time network

437s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Combo List Tools.pdb"

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Combo List Tools.pdb"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 200.201.50.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-27 11:57

Reported

2024-04-27 11:59

Platform

win10-20240404-fr

Max time kernel

93s

Max time network

80s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Async RAT payload

rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\COMBO LIST TOOLS.EXE | N/A
N/A | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
File opened for modification | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
File opened for modification | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
File created | C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | icanhazip.com | N/A | N/A

Looks up geolocation information via web service

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\COMBO LIST TOOLS.EXE | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | N/A
File created | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Program Files (x86)\COMBO LIST TOOLS.EXE

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
(the report lists this identical entry 64 times)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1688 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | C:\Program Files (x86)\COMBO LIST TOOLS.EXE
PID 1688 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | C:\Program Files (x86)\COMBO LIST TOOLS.EXE
PID 1688 wrote to memory of 4148 | N/A | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | C:\Program Files (x86)\COMBO LIST TOOLS.EXE
PID 1688 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | C:\Program Files (x86)\PRIVATE CHECKER.EXE
PID 1688 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | C:\Program Files (x86)\PRIVATE CHECKER.EXE
PID 1688 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe | C:\Program Files (x86)\PRIVATE CHECKER.EXE
PID 60 wrote to memory of 4604 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\cmd.exe
PID 60 wrote to memory of 4604 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\cmd.exe
PID 60 wrote to memory of 4604 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 5104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4604 wrote to memory of 5104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4604 wrote to memory of 5104 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 4604 wrote to memory of 2116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4604 wrote to memory of 2116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4604 wrote to memory of 2116 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 4604 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 4604 wrote to memory of 3720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\findstr.exe
PID 60 wrote to memory of 8 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\cmd.exe
PID 60 wrote to memory of 8 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\cmd.exe
PID 60 wrote to memory of 8 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\cmd.exe
PID 8 wrote to memory of 3584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 8 wrote to memory of 3584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 8 wrote to memory of 3584 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com
PID 8 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 8 wrote to memory of 2840 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\netsh.exe
PID 60 wrote to memory of 316 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 316 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\schtasks.exe
PID 60 wrote to memory of 316 | N/A | C:\Program Files (x86)\PRIVATE CHECKER.EXE | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe

"C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\Paid combo Tools.exe"

C:\Program Files (x86)\COMBO LIST TOOLS.EXE

"C:\Program Files (x86)\COMBO LIST TOOLS.EXE"

C:\Program Files (x86)\PRIVATE CHECKER.EXE

"C:\Program Files (x86)\PRIVATE CHECKER.EXE"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 900

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "Chrome Update" /tr "C:\Program Files (x86)\PRIVATE CHECKER.EXE"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.0.8.0.8.0.8.0.ip6.arpa | udp
US | 8.8.8.8:53 | icanhazip.com | udp
US | 104.16.185.241:80 | icanhazip.com | tcp
US | 8.8.8.8:53 | api.mylnikov.org | udp
US | 104.21.44.66:443 | api.mylnikov.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 66.44.21.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
NL | 149.154.167.220:443 | api.telegram.org | tcp
N/A | 127.0.0.1:7707 |  | tcp
US | 8.8.8.8:53 | google.com | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp

Files

C:\Program Files (x86)\COMBO LIST TOOLS.EXE

MD5 de1c74b3096e1c1bf7373dd88afa9acf
SHA1 6bd8f04e8f1594802e298ac57d55d5bf3787e8f8
SHA256 c4986d1e40fbf336e46fb9b70cf05befa222f04c27b406435a110d16e3c17836
SHA512 dcb37164782e91568763ba5822233c42c21c4ff3822f944f2027f91732cd205ccfac8d3ea4e4ab9d79c7994c0adf61c0c3a9cf55d1687a3aec39e00dd3b554bf

C:\Program Files (x86)\PRIVATE CHECKER.EXE

MD5 7f4680b1d2a029e070ed7418660c459b
SHA1 d0c77596dd6cd21e0953c058b7dc78ed6d292fbf
SHA256 f802ffd8e77365dcd2e55b567f10513a98e3117b6601fd1a48b41572ece82f3f
SHA512 56e70beb5721ecbb15e4551078940b8e94d0fc7658236f874051e2383a656f6b3d48b87aa74879d35bc6f1878c860035acd11f4d3df2fd1afebd7a583eb9ab04

memory/60-11-0x00000000002A0000-0x00000000002D2000-memory.dmp

memory/4148-10-0x00000000002D0000-0x00000000003A4000-memory.dmp

memory/60-12-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/60-13-0x0000000004AF0000-0x0000000004B56000-memory.dmp

memory/4148-14-0x00000000051C0000-0x00000000056BE000-memory.dmp

memory/4148-15-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/60-16-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/4148-17-0x00000000058D0000-0x00000000059D2000-memory.dmp

memory/60-18-0x0000000005390000-0x0000000005422000-memory.dmp

memory/60-61-0x0000000005CA0000-0x0000000005CE2000-memory.dmp

C:\Users\Admin\AppData\Local\36b92c1256e7a9c357f976cd41710ed5\Admin@NDTNZVHN_fr-FR\System\Process.txt

MD5 6d0d0799b8b15f71c97757224e912752
SHA1 2a93f292ebf38b68217c78beb2d180b8f5d1b780
SHA256 bdfe7553ff0b38a1f8a4a6bddd38ce84e13b663c9d8b919e3cfcd956a37bc0f4
SHA512 43ac95a97ce486978b3c3945392e09c135ff7d6b5f6e6169bcdbe2158790a78e322ea481bb2998c4121e512ee8cf4ab97dc77bd38d903350776eb82c7c134c91

memory/60-143-0x0000000005E50000-0x0000000005E5A000-memory.dmp

C:\Users\Admin\AppData\Local\8b741d72f02884d5db39d33a5fbf3fcd\msgid.dat

MD5 58aa19b2723cd2f486a0d2f2f065b176
SHA1 52e9f3502a3af8e746b79fad539ce5cf28727b7f
SHA256 8759256b1d0538b15f10ea0b1e8539f08806b18ffa91fc1c9cacf07c1cb93dc8
SHA512 5f927dbf3dc5f6610524a7510e232c4598aba0c5951514fdbfb3b0245e5248b5e93920fe6b7f84adb1e058fc00df761718731b763f84e09f3ebd19aabc8ed6e1

memory/60-149-0x0000000006710000-0x0000000006722000-memory.dmp

memory/60-174-0x0000000007450000-0x000000000745A000-memory.dmp

memory/4148-175-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/60-176-0x0000000073E50000-0x000000007453E000-memory.dmp

memory/60-177-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-27 11:57

Reported

2024-04-27 12:08

Platform

win10-20240404-fr

Max time kernel

316s

Max time network

398s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\SkinSoft.VisualStyler.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Paid Combo Tools\SkinSoft.VisualStyler.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp

Files

N/A