Analysis Overview
SHA256
06fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd
Threat Level: Known bad
The file BlitzedGrabberV12.rar was found to be: Known bad.
Malicious Activity Summary
Stormkitty family
StormKitty payload
StormKitty
Orcus main payload
Orcus
Orcurs Rat Executable
Reads user/profile data of web browsers
Checks computer location settings
Obfuscated with Agile.Net obfuscator
Loads dropped DLL
Executes dropped EXE
Drops desktop.ini file(s)
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Unsigned PE
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Modifies system certificate store
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-05 13:21
Signatures
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win10v2004-20240419-en
Max time kernel
444s
Max time network
448s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:46
Platform
win7-20240221-en
Max time kernel
361s
Max time network
370s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (value omitted) | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (value omitted) | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
Files
memory/2096-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp
memory/2096-1-0x00000000013B0000-0x00000000013C6000-memory.dmp
memory/2096-2-0x0000000000370000-0x000000000037A000-memory.dmp
memory/2096-3-0x0000000000380000-0x000000000039A000-memory.dmp
memory/2096-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\TarD9B3.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/2096-61-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win10v2004-20240419-en
Max time kernel
446s
Max time network
450s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/2060-0-0x00007FF8029C3000-0x00007FF8029C5000-memory.dmp
memory/2060-1-0x0000000000160000-0x0000000000176000-memory.dmp
memory/2060-2-0x00000000009C0000-0x00000000009CA000-memory.dmp
memory/2060-3-0x00000000023F0000-0x000000000240A000-memory.dmp
memory/2060-4-0x00007FF8029C0000-0x00007FF803481000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/2060-24-0x000000001BFF0000-0x000000001C002000-memory.dmp
memory/2060-25-0x000000001C060000-0x000000001C09C000-memory.dmp
memory/2060-27-0x00007FF8029C0000-0x00007FF803481000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win7-20240220-en
Max time kernel
359s
Max time network
364s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win10v2004-20240419-en
Max time kernel
454s
Max time network
458s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.191.110.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:46
Platform
win10v2004-20240426-en
Max time kernel
604s
Max time network
608s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jm04dzwl.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E2C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6E2B.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\ProgramData\Chrome\chromedriver.exe
"C:\ProgramData\Chrome\chromedriver.exe"
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 2172 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 2172 "/protectFile"
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
| PL | 209.25.141.181:40489 | | tcp |
Files
memory/5096-0-0x00007FFD2F5A3000-0x00007FFD2F5A5000-memory.dmp
memory/5096-1-0x00000000009D0000-0x0000000000C14000-memory.dmp
memory/5096-3-0x00007FFD2F5A0000-0x00007FFD30061000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
| MD5 | b4ec612c441786aa614ce5f32edae475 |
| SHA1 | 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d |
| SHA256 | e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd |
| SHA512 | c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16 |
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
| MD5 | 3926c7b8fdfb0ab3b92303760b14d402 |
| SHA1 | b33e12ef4bdcd418139db59d048609c45fe8f9eb |
| SHA256 | c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7 |
| SHA512 | 4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e |
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
| MD5 | 228a69dc15032fd0fb7100ff8561185e |
| SHA1 | f8dbc89fed8078da7f306cb78b92ce04a0bdeb00 |
| SHA256 | 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709 |
| SHA512 | 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1 |
memory/3848-48-0x0000000000A20000-0x0000000000A30000-memory.dmp
memory/5096-49-0x00007FFD2F5A0000-0x00007FFD30061000-memory.dmp
memory/1620-50-0x0000000000EA0000-0x000000000104C000-memory.dmp
memory/3924-43-0x000001BAD4A80000-0x000001BAD4AA2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vye2wpq.0jo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1620-51-0x0000000005F30000-0x00000000064D4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1
| MD5 | 5d792fc7c4e2fd3eb595fce4883dcb2d |
| SHA1 | ee2a88f769ad746f119e144bd06832cb55ef1e0f |
| SHA256 | 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb |
| SHA512 | 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e |
memory/1620-53-0x00000000058C0000-0x0000000005952000-memory.dmp
memory/3848-54-0x000000001B140000-0x000000001B19C000-memory.dmp
memory/3848-57-0x000000001B340000-0x000000001B34E000-memory.dmp
memory/3848-58-0x000000001B820000-0x000000001BCEE000-memory.dmp
memory/3848-59-0x000000001BD90000-0x000000001BE2C000-memory.dmp
memory/1620-62-0x0000000005A80000-0x0000000005A8A000-memory.dmp
memory/1620-63-0x0000000005C40000-0x0000000005E32000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
| MD5 | 9af5eb006bb0bab7f226272d82c896c7 |
| SHA1 | c2a5bb42a5f08f4dc821be374b700652262308f0 |
| SHA256 | 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db |
| SHA512 | 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a |
memory/1620-79-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-120-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-130-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-135-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-132-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-129-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-126-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-124-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-122-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-119-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-110-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-108-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-106-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-104-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-102-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-101-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-100-0x0000000071020000-0x0000000071057000-memory.dmp
memory/1620-116-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/1620-114-0x0000000005C40000-0x0000000005E2E000-memory.dmp
memory/3848-993-0x000000001C450000-0x000000001C466000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\jm04dzwl.dll
| MD5 | 9e69d9742178a93327db22b3a50f04e1 |
| SHA1 | 3cf9d56f835b94f966a4f66c590ec3f41808bfdb |
| SHA256 | 111708aa7f4eac2a94778eff202dbdc5d1533c12729a0e2b589c6664f51e8277 |
| SHA512 | f4acca8f2a020bf65cccf24039e4695bbc370015457be18971dfbd5564e701f8cafa6e28cb677695ec58b2ddb75b3eb9bc90c821072ae1072d7d4d0db328ae89 |
memory/3848-997-0x000000001C490000-0x000000001C4B0000-memory.dmp
memory/5016-1011-0x00000000003A0000-0x00000000003AC000-memory.dmp
memory/5016-1012-0x0000000002330000-0x0000000002342000-memory.dmp
memory/5016-1013-0x00000000024D0000-0x000000000250C000-memory.dmp
C:\Windows\SysWOW64\WindowsInput.exe.config
| MD5 | a2b76cea3a59fa9af5ea21ff68139c98 |
| SHA1 | 35d76475e6a54c168f536e30206578babff58274 |
| SHA256 | f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839 |
| SHA512 | b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad |
C:\Windows\SysWOW64\WindowsInput.exe
C:\Users\Admin\AppData\Local\Temp\RES6E2C.tmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC6E2B.tmp
\??\c:\Users\Admin\AppData\Local\Temp\jm04dzwl.0.cs
\??\c:\Users\Admin\AppData\Local\Temp\jm04dzwl.cmdline
C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chromedriver.exe.log
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win7-20240220-en
Max time kernel
361s
Max time network
366s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win10v2004-20240426-en
Max time kernel
450s
Max time network
455s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win10v2004-20240419-en
Max time kernel
449s
Max time network
454s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
Files
C:\Users\Admin\AppData\Local\Temp\passwords.txt
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win7-20240221-en
Max time kernel
600s
Max time network
602s
Command Line
Signatures
Orcus
Orcus main payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Orcurs Rat Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
Obfuscated with Agile.Net obfuscator
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\mxfix.EXE | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\WindowsInput.exe | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.exe.config | C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsInput.InstallState | C:\Windows\SysWOW64\WindowsInput.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe | N/A |
| N/A | N/A | C:\ProgramData\Chrome\chromedriver.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8zrx5yir.cmdline"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3277.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3276.tmp"
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
C:\ProgramData\Chrome\chromedriver.exe
"C:\ProgramData\Chrome\chromedriver.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {89C86F86-0EA9-45B0-9E93-F9643AC05D5F} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 4688 /protectFile
C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 4688 "/protectFile"
C:\ProgramData\Chrome\chromedriver.exe
C:\ProgramData\Chrome\chromedriver.exe
Network
| Country | Destination | Domain | Proto |
| PL | 209.25.141.181:40489 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1
\??\c:\Users\Admin\AppData\Local\Temp\8zrx5yir.cmdline
\??\c:\Users\Admin\AppData\Local\Temp\8zrx5yir.0.cs
C:\Users\Admin\AppData\Local\Temp\8zrx5yir.dll
C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll
C:\Users\Admin\AppData\Local\Temp\RES3277.tmp
\??\c:\Users\Admin\AppData\Local\Temp\CSC3276.tmp
C:\Windows\SysWOW64\WindowsInput.exe
C:\Windows\SysWOW64\WindowsInput.exe.config
C:\Users\Admin\AppData\Roaming\svchost.exe
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win10v2004-20240419-en
Max time kernel
539s
Max time network
586s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4844 -ip 4844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 872
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win7-20240221-en
Max time kernel
359s
Max time network
361s
Command Line
Signatures
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\findstr.exe
findstr All
C:\Windows\system32\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\netsh.exe
netsh wlan show profile name=65001 key=clear
C:\Windows\system32\findstr.exe
findstr Key
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | api.anonfiles.com | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar26BA.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\passwords.txt
| MD5 | 68b329da9893e34099c7d8ad5cb9c940 |
| SHA1 | adc83b19e793491b1c6ea0fd8b46cd9f32e592fc |
| SHA256 | 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b |
| SHA512 | be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09 |
memory/2240-63-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win7-20240221-en
Max time kernel
357s
Max time network
361s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-05 13:20
Reported
2024-05-05 13:45
Platform
win7-20240215-en
Max time kernel
359s
Max time network
363s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2744 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe
"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 552
Network
Files
memory/2744-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp
memory/2744-1-0x0000000000E30000-0x0000000000EAA000-memory.dmp