Malware Analysis Report

2024-12-08 01:41

Sample ID 240427-pjqqysba4w
Target UHQ Combo Tool.rar
SHA256 ec0ee9965906048d6e0688a2ab57040378262966f2235798bb6d3ff8914fcbf5
Tags redline sectoprat infostealer rat trojan persistence pyinstaller telegramone xmrig evasion miner upx
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral8
Analysis: behavioral11
Analysis: behavioral12
Analysis: behavioral13
Analysis: behavioral20
Analysis: behavioral3
Analysis: behavioral7
Analysis: behavioral5
Analysis: behavioral18
Analysis: behavioral2
Analysis: behavioral10
Analysis: behavioral14
Analysis: behavioral19
Analysis: behavioral6
Analysis: behavioral9
Analysis: behavioral15
Analysis: behavioral16
Analysis: behavioral17
Analysis: behavioral1
Analysis: behavioral4

Each behavioral analysis section contains: Detonation Overview, Command Line, Signatures, Processes, Network, Files.

Analysis Overview

Score 10/10

SHA256 ec0ee9965906048d6e0688a2ab57040378262966f2235798bb6d3ff8914fcbf5

Threat Level: Known bad

The file UHQ Combo Tool.rar was found to be: Known bad.

Malicious Activity Summary

redline sectoprat infostealer rat trojan persistence pyinstaller telegramone xmrig evasion miner upx

RedLine payload

SectopRAT

RedLine

SectopRAT payload

Sectoprat family

xmrig

Redline family

XMRig Miner payload

Creates new service(s)

Stops running service(s)

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Detects Pyinstaller

Kills process with taskkill

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-27 12:21

Signatures

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Redline family

redline

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Sectoprat family

sectoprat

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral8

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win10v2004-20240419-en
Max time kernel 147s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe"

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | g.bing.com | udp

Files

memory/316-0-0x0000000000200000-0x000000000021E000-memory.dmp

memory/316-1-0x0000000074FE0000-0x0000000075790000-memory.dmp

memory/316-2-0x0000000005200000-0x00000000057A4000-memory.dmp

memory/316-3-0x0000000005DD0000-0x00000000063E8000-memory.dmp

memory/316-4-0x0000000004E10000-0x0000000004EA2000-memory.dmp

memory/316-5-0x0000000004DE0000-0x0000000004DF2000-memory.dmp

memory/316-6-0x0000000005090000-0x00000000050CC000-memory.dmp

memory/316-7-0x0000000004E00000-0x0000000004E10000-memory.dmp

memory/316-8-0x00000000057B0000-0x00000000057FC000-memory.dmp

memory/316-9-0x0000000005940000-0x0000000005A4A000-memory.dmp

memory/316-10-0x0000000074FE0000-0x0000000075790000-memory.dmp

memory/316-11-0x0000000004E00000-0x0000000004E10000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win7-20240220-en
Max time kernel 117s
Max time network 118s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Pdb.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win10v2004-20240426-en
Max time kernel 93s
Max time network 94s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Pdb.dll",#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.97:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win7-20240221-en
Max time kernel 119s
Max time network 119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Rocks.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win10v2004-20240419-en
Max time kernel 147s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe"

Network

Country | Destination | Domain | Proto
N/A | 224.0.0.251:5353 | | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 138.91.171.81:80 | | tcp

Files

memory/2432-0-0x0000000000EA0000-0x0000000000EBE000-memory.dmp

memory/2432-1-0x0000000075100000-0x00000000758B0000-memory.dmp

memory/2432-2-0x0000000005E90000-0x0000000006434000-memory.dmp

memory/2432-3-0x0000000006A60000-0x0000000007078000-memory.dmp

memory/2432-4-0x0000000005A80000-0x0000000005B12000-memory.dmp

memory/2432-5-0x0000000005A20000-0x0000000005A32000-memory.dmp

memory/2432-6-0x0000000005B60000-0x0000000005B9C000-memory.dmp

memory/2432-7-0x0000000005950000-0x0000000005960000-memory.dmp

memory/2432-8-0x00000000067D0000-0x000000000681C000-memory.dmp

memory/2432-9-0x00000000082E0000-0x00000000083EA000-memory.dmp

memory/2432-10-0x0000000075100000-0x00000000758B0000-memory.dmp

memory/2432-11-0x0000000005950000-0x0000000005960000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win7-20240221-en
Max time kernel 121s
Max time network 122s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Pdb.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win7-20240221-en
Max time kernel 149s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\stub.exe"

Network

N/A

Files

memory/1340-0-0x0000000000DB0000-0x0000000000DCE000-memory.dmp

memory/1340-1-0x00000000745E0000-0x0000000074CCE000-memory.dmp

memory/1340-2-0x00000000042F0000-0x0000000004330000-memory.dmp

memory/1340-3-0x00000000745E0000-0x0000000074CCE000-memory.dmp

memory/1340-4-0x00000000042F0000-0x0000000004330000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win7-20240220-en
Max time kernel 118s
Max time network 119s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Rocks.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win10v2004-20240419-en
Max time kernel 66s
Max time network 53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\fix1.exe | N/A
N/A | N/A | C:\Users\Admin\fix1.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update64 = "C:\\Users\\Admin\\fix1.exe" | C:\Users\Admin\fix1.exe | N/A

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe"

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\activate.bat

C:\Windows\system32\taskkill.exe

taskkill /f /im "fix1.exe"

C:\Users\Admin\fix1.exe

"fix1.exe"

C:\Users\Admin\fix1.exe

"fix1.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | g.bing.com | udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI14962\python312.dll

MD5 550288a078dffc3430c08da888e70810
SHA1 01b1d31f37fb3fd81d893cc5e4a258e976f5884f
SHA256 789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d
SHA512 7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

C:\Users\Admin\AppData\Local\Temp\_MEI14962\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI14962\_ctypes.pyd

MD5 2a834c3738742d45c0a06d40221cc588
SHA1 606705a593631d6767467fb38f9300d7cd04ab3e
SHA256 f20dfa748b878751ea1c4fe77a230d65212720652b99c4e5577bce461bbd9089
SHA512 924235a506ce4d635fa7c2b34e5d8e77eff73f963e58e29c6ef89db157bf7bab587678bb2120d09da70594926d82d87dbaa5d247e861e331cf591d45ea19a117

C:\Users\Admin\AppData\Local\Temp\_MEI14962\base_library.zip

MD5 630153ac2b37b16b8c5b0dbb69a3b9d6
SHA1 f901cd701fe081489b45d18157b4a15c83943d9d
SHA256 ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2
SHA512 7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

C:\Users\Admin\AppData\Local\Temp\_MEI14962\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI14962\unicodedata.pyd

MD5 04f35d7eec1f6b72bab9daf330fd0d6b
SHA1 ecf0c25ba7adf7624109e2720f2b5930cd2dba65
SHA256 be942308d99cc954931fe6f48ed8cc7a57891ccbe99aae728121bcda1fd929ab
SHA512 3da405e4c1371f4b265e744229dcc149491a112a2b7ea8e518d5945f8c259cad15583f25592b35ec8a344e43007ae00da9673822635ee734d32664f65c9c8d9b

C:\Users\Admin\AppData\Local\Temp\_MEI14962\_wmi.pyd

MD5 c1654ebebfeeda425eade8b77ca96de5
SHA1 a4a150f1c810077b6e762f689c657227cc4fd257
SHA256 aa1443a715fbf84a84f39bd89707271fc11a77b597d7324ce86fc5cfa56a63a9
SHA512 21705b991e75efd5e59b8431a3b19ae5fcc38a3e7f137a9d52acd24e7f67d61758e48abc1c9c0d4314fa02010a1886c15ead5bca8dca1b1d4ccbfc3c589d342e

C:\Users\Admin\AppData\Local\Temp\_MEI14962\_socket.pyd

MD5 9c6283cc17f9d86106b706ec4ea77356
SHA1 af4f2f52ce6122f340e5ea1f021f98b1ffd6d5b6
SHA256 5cc62aac52edf87916deb4ebbad9abb58a6a3565b32e7544f672aca305c38027
SHA512 11fd6f570dd78f8ff00be645e47472a96daffa3253e8bd29183bccde3f0746f7e436a106e9a68c57cc05b80a112365441d06cc719d51c906703b428a32c93124

C:\Users\Admin\AppData\Local\Temp\_MEI14962\_lzma.pyd

MD5 b71dbe0f137ffbda6c3a89d5bcbf1017
SHA1 a2e2bdc40fdb83cc625c5b5e8a336ca3f0c29c5f
SHA256 6216173194b29875e84963cd4dc4752f7ca9493f5b1fd7e4130ca0e411c8ac6a
SHA512 9a5c7b1e25d8e1b5738f01aedfd468c1837f1ac8dd4a5b1d24ce86dcae0db1c5b20f2ff4280960bc523aee70b71db54fd515047cdaf10d21a8bec3ebd6663358

C:\Users\Admin\AppData\Local\Temp\_MEI14962\_hashlib.pyd

MD5 b0262bd89a59a3699bfa75c4dcc3ee06
SHA1 eb658849c646a26572dea7f6bfc042cb62fb49dc
SHA256 4adfbbd6366d9b55d902fc54d2b42e7c8c989a83016ed707bd7a302fc3fc7b67
SHA512 2e4b214de3b306e3a16124af434ff8f5ab832aa3eeb1aa0aa9b49b0ada0928dcbb05c57909292fbe3b01126f4cd3fe0dac9cc15eaea5f3844d6e267865b9f7b1

C:\Users\Admin\AppData\Local\Temp\_MEI14962\_decimal.pyd

MD5 f930b7550574446a015bc602d59b0948
SHA1 4ee6ff8019c6c540525bdd2790fc76385cdd6186
SHA256 3b9ad1d2bc9ec03d37da86135853dac73b3fe851b164fe52265564a81eb8c544
SHA512 10b864975945d6504433554f9ff11b47218caa00f809c6bce00f9e4089b862190a4219f659697a4ba5e5c21edbe1d8d325950921e09371acc4410469bd9189ee

C:\Users\Admin\AppData\Local\Temp\_MEI14962\_bz2.pyd

MD5 59d60a559c23202beb622021af29e8a9
SHA1 a405f23916833f1b882f37bdbba2dd799f93ea32
SHA256 706d4a0c26dd454538926cbb2ff6c64257c3d9bd48c956f7cabd6def36ffd13e
SHA512 2f60e79603cf456b2a14b8254cec75ce8be0a28d55a874d4fb23d92d63bbe781ed823ab0f4d13a23dc60c4df505cbf1dbe1a0a2049b02e4bdec8d374898002b1

C:\Users\Admin\AppData\Local\Temp\_MEI14962\select.pyd

MD5 8a273f518973801f3c63d92ad726ec03
SHA1 069fc26b9bd0f6ea3f9b3821ad7c812fd94b021f
SHA256 af358285a7450de6e2e5e7ff074f964d6a257fb41d9eb750146e03c7dda503ca
SHA512 7fedae0573ecb3946ede7d0b809a98acad3d4c95d6c531a40e51a31bdb035badc9f416d8aaa26463784ff2c5e7a0cc2c793d62b5fdb2b8e9fad357f93d3a65f8

C:\Users\Admin\AppData\Local\Temp\_MEI14962\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

C:\Users\Admin\activate.bat

MD5 4c483a47143202b467470be273d52cbc
SHA1 8b24747b7f4206aaf0a01539cc862e788b3e7e90
SHA256 245b5bf29eaf5a3d744f33b38f0964c97af662d733b40b86dd65bd181fa2b472
SHA512 55f9d25b447e2e0c52f782721a05505c7a2096beb8051d45df15a7997ecade27ee17efc679c072fe5be1577b26ad214cb8823e42fa5efcd8ad6c6611483f14f1

C:\Users\Admin\fix1.exe

MD5 150f7378fd18d19ecc002761fa112de5
SHA1 a5ef247183d14dcd0d9b112306c1965c38720a1e
SHA256 b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c
SHA512 dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d

Analysis: behavioral2

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win10v2004-20240419-en
Max time kernel 66s
Max time network 50s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\ConsoleApp1.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\ConsoleApp1.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\ConsoleApp1.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | g.bing.com | udp

Files

memory/1524-0-0x000001E1B0750000-0x000001E1B0758000-memory.dmp

memory/1524-1-0x00007FFAE6C60000-0x00007FFAE7721000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted 2024-04-27 12:21
Reported 2024-04-27 12:24
Platform win10v2004-20240419-en
Max time kernel 149s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Creates new service(s)

persistence

Stops running service(s)

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 632 set thread context of 4560 | N/A | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | C:\Windows\system32\conhost.exe
PID 632 set thread context of 4316 | N/A | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | C:\Windows\system32\conhost.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe | N/A
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe | N/A
N/A | N/A | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | N/A
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | N/A
N/A | N/A | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | N/A
N/A | N/A | C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A
N/A | N/A | C:\Windows\system32\conhost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4616 wrote to memory of 5000 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 632 wrote to memory of 4560 N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe C:\Windows\system32\conhost.exe
PID 632 wrote to memory of 4316 N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 4840 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "BAZVYEGL"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "BAZVYEGL" binpath= "C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "BAZVYEGL"

C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe

C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.supportxmr.com udp

Files

memory/5096-0-0x000001C41CD00000-0x000001C41CD22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ykta1hmn.kvu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5096-12-0x000001C41AB50000-0x000001C41AB60000-memory.dmp

memory/5096-11-0x000001C41AB50000-0x000001C41AB60000-memory.dmp

memory/5096-10-0x00007FFA181E0000-0x00007FFA18CA1000-memory.dmp

memory/5096-15-0x00007FFA181E0000-0x00007FFA18CA1000-memory.dmp

C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe

MD5 5eb488fde8ae946dbe2ee631a44e2264
SHA1 7a7c0b9d4dfb605bed6d6f1fe256cb2b9e8799db
SHA256 f4894d1b685f8b6a53bfcbc23869c806258c0b7e7def3f4f946c2d6a7019dfad
SHA512 29fe591da31225aeb09490ddfed86e3a48c47bc17d2110ca63a7a1b243516cc8fc7f5c3a33e364c718183a4872d145b7ab8d80a5c8b932d69229cae065318c06

memory/3128-37-0x000002417F0E0000-0x000002417F0FC000-memory.dmp

memory/3128-38-0x000002417F100000-0x000002417F1B5000-memory.dmp

memory/3128-39-0x000002417CC70000-0x000002417CC7A000-memory.dmp

memory/3128-40-0x000002417F320000-0x000002417F33C000-memory.dmp

memory/3128-41-0x000002417F300000-0x000002417F30A000-memory.dmp

memory/3128-42-0x000002417F360000-0x000002417F37A000-memory.dmp

memory/3128-43-0x000002417F310000-0x000002417F318000-memory.dmp

memory/3128-44-0x000002417F340000-0x000002417F346000-memory.dmp

memory/3128-45-0x000002417F350000-0x000002417F35A000-memory.dmp

memory/4560-48-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4560-55-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4560-52-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4560-51-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4560-50-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4560-49-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4316-56-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-58-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-62-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-61-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-59-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-57-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-63-0x0000022BC10D0000-0x0000022BC10F0000-memory.dmp

memory/4316-60-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-67-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-68-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-66-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-65-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-64-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4316-69-0x0000000140000000-0x0000000140848000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

95s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\Mono.Cecil.Rocks.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win7-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\stub.exe"

Network

N/A

Files

memory/1612-0-0x0000000000170000-0x000000000018E000-memory.dmp

memory/1612-1-0x0000000074050000-0x000000007473E000-memory.dmp

memory/1612-2-0x0000000004B90000-0x0000000004BD0000-memory.dmp

memory/1612-3-0x0000000074050000-0x000000007473E000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win10v2004-20240419-en

Max time kernel

55s

Max time network

55s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Rocks.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Rocks.dll",#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win7-20240221-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe"

Signatures

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A

Creates new service(s)

persistence

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2608 set thread context of 2184 N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe C:\Windows\system32\conhost.exe
PID 2608 set thread context of 2180 N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe C:\Windows\system32\conhost.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0641b919d98da01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 2796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 2608 wrote to memory of 2184 N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe C:\Windows\system32\conhost.exe
PID 2608 wrote to memory of 2180 N/A C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe C:\Windows\system32\conhost.exe
PID 2500 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\tool.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "BAZVYEGL"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "BAZVYEGL" binpath= "C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "BAZVYEGL"

C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe

C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto
US 8.8.8.8:53 pool.supportxmr.com udp
CH 141.94.96.195:3333 pool.supportxmr.com tcp

Files

memory/1700-4-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

memory/1700-5-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

memory/1700-6-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

memory/1700-8-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

memory/1700-7-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/1700-10-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/1700-9-0x0000000002C10000-0x0000000002C90000-memory.dmp

memory/1700-11-0x000007FEF58C0000-0x000007FEF625D000-memory.dmp

C:\ProgramData\disoegcocrwp\xqkwufftkosu.exe

MD5 5eb488fde8ae946dbe2ee631a44e2264
SHA1 7a7c0b9d4dfb605bed6d6f1fe256cb2b9e8799db
SHA256 f4894d1b685f8b6a53bfcbc23869c806258c0b7e7def3f4f946c2d6a7019dfad
SHA512 29fe591da31225aeb09490ddfed86e3a48c47bc17d2110ca63a7a1b243516cc8fc7f5c3a33e364c718183a4872d145b7ab8d80a5c8b932d69229cae065318c06

memory/2208-16-0x0000000019D20000-0x000000001A002000-memory.dmp

memory/2208-17-0x0000000001440000-0x0000000001448000-memory.dmp

memory/2184-19-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2184-18-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2184-22-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2184-21-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2184-20-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2180-29-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-31-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-34-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/2180-28-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-33-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-35-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-37-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-39-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-38-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-36-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-32-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-30-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2180-25-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2184-26-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2180-40-0x0000000140000000-0x0000000140848000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win7-20240419-en

Max time kernel

131s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe"

Network

Country Destination Domain Proto
FR 163.5.160.27:51523 tcp

Files

memory/1760-0-0x0000000001320000-0x000000000133E000-memory.dmp

memory/1760-1-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/1760-2-0x0000000000B90000-0x0000000000BD0000-memory.dmp

memory/1760-3-0x0000000074850000-0x0000000074F3E000-memory.dmp

memory/1760-4-0x0000000000B90000-0x0000000000BD0000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win10v2004-20240419-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix.exe"

Network

Country Destination Domain Proto
FR 163.5.160.27:51523 tcp
US 8.8.8.8:53 g.bing.com udp

Files

memory/1824-0-0x0000000000580000-0x000000000059E000-memory.dmp

memory/1824-1-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1824-2-0x00000000056A0000-0x0000000005CB8000-memory.dmp

memory/1824-3-0x0000000004F40000-0x0000000004F52000-memory.dmp

memory/1824-4-0x0000000004FA0000-0x0000000004FDC000-memory.dmp

memory/1824-5-0x0000000005070000-0x0000000005080000-memory.dmp

memory/1824-6-0x0000000004FE0000-0x000000000502C000-memory.dmp

memory/1824-7-0x0000000005250000-0x000000000535A000-memory.dmp

memory/1824-8-0x0000000075140000-0x00000000758F0000-memory.dmp

memory/1824-9-0x0000000005070000-0x0000000005080000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win7-20231129-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe"

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\x64\fix1.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI21482\python312.dll

MD5 550288a078dffc3430c08da888e70810
SHA1 01b1d31f37fb3fd81d893cc5e4a258e976f5884f
SHA256 789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d
SHA512 7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\ConsoleApp1.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Cracking Tool\ConsoleApp1.exe

"C:\Users\Admin\AppData\Local\Temp\Cracking Tool\ConsoleApp1.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1548 -s 500

Network

N/A

Files

memory/1548-0-0x00000000010B0000-0x00000000010B8000-memory.dmp

memory/1548-1-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

memory/1548-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-27 12:21

Reported

2024-04-27 12:24

Platform

win10v2004-20240419-en

Max time kernel

67s

Max time network

55s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Pdb.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cracking Tool\Mono.Cecil.Pdb.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 g.bing.com udp

Files

N/A