Malware Analysis Report

2024-09-23 00:17

Sample ID 240505-qlgrhaed26
Target BlitzedGrabberV12.rar
SHA256 06fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd
Tags
stormkitty spyware stealer orcus agilenet execution persistence rat
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral13, behavioral14, behavioral5, behavioral6, behavioral2, behavioral3, behavioral8, behavioral12, behavioral1, behavioral10, behavioral11, behavioral7, behavioral9 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

06fa7e3221aa6f67eeefa8b807a6abb0b4c385d7eb61434ccec55ad2a5d3a1dd

Threat Level: Known bad

The file BlitzedGrabberV12.rar was found to be: Known bad. The archive carries two separate payloads: Resources\yhyty5.exe, a StormKitty stealer (runs behavioral13 and behavioral14 below), and BlitzedGrabberV12.exe, which drops mxfix.EXE and UnityCrashHandlerV2.exe and ends up installing an Orcus RAT (behavioral2). The DLLs the sandbox detonated on their own (APIFOR.dll, BouncyCastle.Crypto.dll) triggered no signatures.

Malicious Activity Summary

stormkitty spyware stealer orcus agilenet execution persistence rat

Stormkitty family

StormKitty payload

StormKitty

Orcus main payload

Orcus

Orcus RAT executable

Reads user/profile data of web browsers

Checks computer location settings

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies system certificate store

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-05 13:21

Signatures

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Matches: 7 (no description, indicator, process or target recorded)

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win10v2004-20240419-en

Max time kernel

444s

Max time network

448s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Note: the sandbox detonates every DLL found in the archive by calling its first export through rundll32. No signatures fired in this run, and every connection listed under Network is Windows 10 background traffic (Bing search-box content and reverse DNS lookups of Microsoft addresses), not activity of APIFOR.dll.

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 137.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:46

Platform

win7-20240221-en

Max time kernel

361s

Max time network

370s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com (5 matches) N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (the same value was written twice more; duplicate data not repeated) C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe N/A

Note: treat this signature as low confidence for this sample. The key name D4DE20D05E66FC53FE1A50882C78DB2852CAE474 is the SHA1 thumbprint stored inside the Blob (property 03), the UTF-16 friendly-name record (property 0b) reads "Baltimore CyberTrust Root", and the embedded DER certificate is issued by and to "Baltimore CyberTrust Root". Writing a public root into the AuthRoot store under the calling process is what Windows' automatic root-certificate update does the first time a process builds a TLS chain (here the discord.com connections under Network); the CryptnetUrlCache\Content entry listed under Files is the matching CryptoAPI download cache. A rogue CA install would show an unfamiliar thumbprint and name, typically in the ROOT store rather than AuthRoot.
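To tell an automatic root update from a rogue CA install you have to read the Blob value rather than trust the signature name. The Python below is an added example, not part of the sandbox report or of the sample: it parses the record format used by SystemCertificates\...\Certificates\<thumbprint>\Blob (a sequence of <property id, reserved = 1, length, data> records, property ids from wincrypt.h), checks that the SHA1 of the embedded certificate matches both the stored hash property and the registry key name, and looks the thumbprint up in an analyst-maintained allowlist. The first two records of the sample blob are copied from the report above; the certificate body and its hash record are constructed stand-ins (the report's full DER is not reproduced here), and `KNOWN_PUBLIC_ROOTS` holds only the thumbprint from this report.

```python
import hashlib
import struct

# Property IDs from wincrypt.h. Every record in a Blob value is
# <prop_id:u32> <reserved:u32 = 1> <length:u32> <data[length]>.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_SIGNATURE_HASH_PROP_ID = 15
CERT_CERT_PROP_ID = 32

# Analyst-maintained allowlist of public roots. The single entry is the key
# name from this report (Baltimore CyberTrust Root).
KNOWN_PUBLIC_ROOTS = {
    "D4DE20D05E66FC53FE1A50882C78DB2852CAE474": "Baltimore CyberTrust Root",
}


def parse_blob(blob: bytes) -> dict:
    """Split a Blob value into {prop_id: data}; rejects truncated or odd records."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record {prop_id} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(props: dict) -> bytes:
    """Inverse of parse_blob(); used here only to construct the sample."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props.items())


def classify_thumbprint(thumbprint: str) -> str:
    name = KNOWN_PUBLIC_ROOTS.get(thumbprint.upper())
    return f"known public root ({name})" if name else "unlisted root"


def triage(key_thumbprint: str, blob: bytes) -> dict:
    """Cross-check key name, stored hash and certificate, then classify."""
    props = parse_blob(blob)
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    der = props.get(CERT_CERT_PROP_ID, b"")
    computed = hashlib.sha1(der).hexdigest().upper() if der else None
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper() or None
    consistent = computed is not None and computed == stored == key_thumbprint.upper()
    if not consistent:
        verdict = "thumbprint/blob mismatch: malformed or tampered record"
    else:
        verdict = classify_thumbprint(key_thumbprint)
    return {"friendly_name": name, "computed_sha1": computed,
            "stored_sha1": stored, "consistent": consistent, "verdict": verdict}


# First two records exactly as they appear in the report's Blob value:
# the signature hash (prop 0x0f) and the UTF-16 friendly name (prop 0x0b).
REPORT_PREFIX = bytes.fromhex(
    "0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f"
    "0b0000000100000034000000"
    "420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f0074000000"
)

# Constructed stand-in for the certificate (not a real DER certificate); the
# hash record and the key name are derived from it so the sample is consistent.
FAKE_DER = b"\x30\x82\x00\x10CONSTRUCTED-CERT-BODY"
FAKE_THUMBPRINT = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = REPORT_PREFIX + build_blob({
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(FAKE_THUMBPRINT),
    CERT_CERT_PROP_ID: FAKE_DER,
})

if __name__ == "__main__":
    print(triage(FAKE_THUMBPRINT, SAMPLE_BLOB))
    print("report key:", classify_thumbprint("D4DE20D05E66FC53FE1A50882C78DB2852CAE474"))
```

On a live host the same parse runs over the `Blob` value read from the registry; a consistent record with an unlisted thumbprint, especially under `ROOT` rather than `AuthRoot`, is the case that deserves an incident.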

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2096 wrote to memory of 1592 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe C:\Windows\system32\cmd.exe
PID 1592 wrote to memory of 2884 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1592 wrote to memory of 240 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1592 wrote to memory of 520 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2096 wrote to memory of 1072 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe C:\Windows\system32\cmd.exe
PID 1072 wrote to memory of 2572 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1072 wrote to memory of 2596 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1072 wrote to memory of 2584 (3 events) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile name=65001 key=clear

C:\Windows\system32\findstr.exe

findstr Key

Note: the profile name handed to netsh in the second command, 65001, is the code page echoed by `chcp 65001` in the first command, not a Wi-Fi profile. The stealer's Wi-Fi credential routine evidently parsed the combined output of the first pipeline and took the chcp line as a profile name, so the `key=clear` query returned nothing in this sandbox (which has no saved WLAN profiles). On a host with saved profiles the same two-step chain prints each profile's pre-shared key in clear text; the netsh `key=clear` invocation from a parent outside C:\Windows is the thing to alert on.
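The chain above (stealer, then cmd.exe, then chcp/netsh/findstr) is worth detecting generically: `netsh wlan show profile ... key=clear` is the only way Windows will print a saved Wi-Fi pre-shared key, and legitimate software almost never asks for it from a process in a temp directory. The Python below is an added example for this report, not code from the sandbox or from the sample. It takes process-creation records (pid, ppid, image, command line, the fields Sysmon event 1 or 4688 provide), walks each netsh invocation back to the first ancestor outside C:\Windows, and scores it. The sample events are constructed from the PIDs and command lines listed in this run (the root's own parent PID, 1000, is a placeholder the report does not give); the `ProcEvent` record, the path heuristics and the severity scale are the example's own.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon event 1 / Security 4688 fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
WLAN_DUMP = re.compile(r"netsh\s+wlan\s+show\s+profile\b(?P<args>.*)", re.I)


def ancestors(events, pid):
    """Walk parent links from pid upward; stops at unknown parents or loops."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def find_wlan_dumps(events):
    """Return one finding per netsh.exe that enumerates or dumps WLAN profiles."""
    findings = []
    for e in events:
        if not e.image.lower().endswith("\\netsh.exe"):
            continue                       # cmd.exe carries the same text; count it once
        m = WLAN_DUMP.search(e.cmdline)
        if not m:
            continue
        args = m.group("args")
        chain = ancestors(events, e.pid)
        # The first ancestor outside C:\Windows is the program that actually
        # wanted the credentials; cmd.exe, chcp and findstr are just plumbing.
        origin = next((a for a in chain
                       if not a.image.lower().startswith(WINDOWS_DIR)), None)
        name = re.search(r"name=(\S+)", args, re.I)
        profile = name.group(1).strip('"') if name else None
        key_clear = bool(re.search(r"\bkey=clear\b", args, re.I))
        origin_writable = origin is not None and any(
            s in origin.image.lower() for s in USER_WRITABLE)
        findings.append({
            "pid": e.pid,
            "key_clear": key_clear,
            "profile": profile,
            # A purely numeric "profile" is not a real SSID; it is what a
            # harvester gets when it parses the "Active code page: 65001"
            # line that chcp printed ahead of netsh's (empty) profile list.
            "numeric_profile": profile is not None and profile.isdigit(),
            "origin": origin.image if origin else None,
            "origin_user_writable": origin_writable,
            "chain": [a.image.rsplit("\\", 1)[-1] for a in chain],
            "severity": ("high" if key_clear and origin_writable
                         else "medium" if key_clear else "low"),
        })
    return findings


# Constructed from the PIDs and command lines of the behavioral13 run.
SAMPLE_EVENTS = [
    ProcEvent(2096, 1000, r"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"'),
    ProcEvent(1592, 2096, r"C:\Windows\system32\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'),
    ProcEvent(2884, 1592, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(240, 1592, r"C:\Windows\system32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(520, 1592, r"C:\Windows\system32\findstr.exe", "findstr All"),
    ProcEvent(1072, 2096, r"C:\Windows\system32\cmd.exe",
              r'"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key'),
    ProcEvent(2572, 1072, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    ProcEvent(2596, 1072, r"C:\Windows\system32\netsh.exe",
              "netsh wlan show profile name=65001 key=clear"),
    ProcEvent(2584, 1072, r"C:\Windows\system32\findstr.exe", "findstr Key"),
]

if __name__ == "__main__":
    for f in find_wlan_dumps(SAMPLE_EVENTS):
        print(f["severity"], f["pid"], " <- ".join(f["chain"]), f)
```

Enumeration alone (`netsh wlan show profile` with no `key=clear`) is common in admin scripts and scores low; the `key=clear` form from an origin in a user-writable path is the high-severity case, and a numeric profile name tells you the tool ran against a host with nothing to steal.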

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.anonfiles.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp

Files

memory/2096-0-0x000007FEF5573000-0x000007FEF5574000-memory.dmp

memory/2096-1-0x00000000013B0000-0x00000000013C6000-memory.dmp

memory/2096-2-0x0000000000370000-0x000000000037A000-memory.dmp

memory/2096-3-0x0000000000380000-0x000000000039A000-memory.dmp

memory/2096-4-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarD9B3.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\passwords.txt

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

Note: these are the well-known digests of a single newline byte (MD5 68b329da..., SHA1 adc83b19..., SHA256 01ba4719...). The stealer created its passwords.txt output but found no saved browser credentials in the sandbox profile, so the "Reads user/profile data of web browsers" signature above reflects the attempt, not a successful harvest.

memory/2096-61-0x000007FEF5570000-0x000007FEF5F5C000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win10v2004-20240419-en

Max time kernel

446s

Max time network

450s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com (5 matches) N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 444 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe C:\Windows\SYSTEM32\cmd.exe
PID 444 wrote to memory of 5020 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 444 wrote to memory of 5060 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 444 wrote to memory of 3936 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 2060 wrote to memory of 2220 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe C:\Windows\SYSTEM32\cmd.exe
PID 2220 wrote to memory of 3064 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 2220 wrote to memory of 3972 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 2220 wrote to memory of 3996 (2 events) N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\yhyty5.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile name=65001 key=clear

C:\Windows\system32\findstr.exe

findstr Key

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.anonfiles.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 165.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/2060-0-0x00007FF8029C3000-0x00007FF8029C5000-memory.dmp

memory/2060-1-0x0000000000160000-0x0000000000176000-memory.dmp

memory/2060-2-0x00000000009C0000-0x00000000009CA000-memory.dmp

memory/2060-3-0x00000000023F0000-0x000000000240A000-memory.dmp

memory/2060-4-0x00007FF8029C0000-0x00007FF803481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\passwords.txt

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

(Same hashes as in the win7 run: a file holding only a newline, i.e. no credentials were found.)

memory/2060-24-0x000000001BFF0000-0x000000001C002000-memory.dmp

memory/2060-25-0x000000001C060000-0x000000001C09C000-memory.dmp

memory/2060-27-0x00007FF8029C0000-0x00007FF803481000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win7-20240220-en

Max time kernel

359s

Max time network

364s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Note: BouncyCastle.Crypto.dll is the managed (.NET) Bouncy Castle cryptography library, present in the archive's Resources folder alongside the StormKitty payload. rundll32 cannot call into a managed assembly this way, so this run and behavioral6 contain no sample behaviour; the entries under Network in behavioral6 are the same Windows 10 background traffic seen in behavioral4.

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win10v2004-20240419-en

Max time kernel

454s

Max time network

458s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 165.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A
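Runs behavioral4, behavioral5 and behavioral6 each detonate one of the archive's DLLs with `rundll32 <dll>,#1`, and none of them produced a signature. Before spending time on such a run it is worth knowing whether rundll32 could have executed anything at all: it needs a native DLL with an export table, while a managed assembly carries a CLR header and usually exports nothing. The Python below is an added example, not part of the sandbox report or of the sample. It reads just enough of the PE headers to answer that, and builds constructed header-only images to exercise the check; `build_headers` and the directory values it writes are fixtures of the example, and the real DLLs from this archive are not reproduced here.

```python
import struct
import sys

# Values from winnt.h
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DIR_EXPORT, DIR_COM_DESCRIPTOR = 0, 14      # data-directory indices


def inspect_dll(image: bytes) -> dict:
    """Read only the PE headers and say whether 'rundll32 <dll>,#1' can do anything.

    rundll32 needs a native DLL with an export table. A managed assembly carries a
    CLR header (the COM descriptor directory) and ordinarily exports nothing, so
    ordinal #1 does not exist and the detonation exercises none of its code.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional-header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", image, ndirs_off)[0]

    def directory(index: int):
        if index >= ndirs:
            return 0, 0
        return struct.unpack_from("<II", image, dirs_off + 8 * index)

    export_rva, export_size = directory(DIR_EXPORT)
    clr_rva, clr_size = directory(DIR_COM_DESCRIPTOR)
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    managed = clr_rva != 0 and clr_size != 0
    has_exports = export_rva != 0 and export_size != 0
    if not is_dll:
        verdict = "not a DLL: rundll32 will refuse it"
    elif managed and not has_exports:
        verdict = "managed assembly without exports: rundll32 ,#1 cannot run it"
    elif not has_exports:
        verdict = "native DLL without exports: ordinal #1 does not exist"
    else:
        verdict = "native DLL with exports: ordinal #1 may execute real code"
    return {"is_dll": is_dll, "managed": managed, "has_exports": has_exports,
            "verdict": verdict}


def build_headers(*, dll=True, pe32plus=True, export=(0, 0), clr=(0, 0)) -> bytes:
    """Constructed fixture: a header-only PE image with no sections.

    Only the fields inspect_dll() reads are filled in; everything else is zero.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0,
                       opt_size, IMAGE_FILE_DLL if dll else 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * DIR_EXPORT, *export)
    struct.pack_into("<II", opt, dirs_off + 8 * DIR_COM_DESCRIPTOR, *clr)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # a real file, e.g. one of the DLLs above
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], "->", inspect_dll(fh.read())["verdict"])
    else:                                      # constructed demonstrations
        print("managed:", inspect_dll(build_headers(clr=(0x2008, 0x48)))["verdict"])
        print("native :", inspect_dll(build_headers(pe32plus=False,
                                                     export=(0x3000, 0x60)))["verdict"])
```

A managed DLL that does carry exports (unmanaged exports added by a post-build tool) is the one case where the verdict falls through to "may execute real code", which is exactly when a rundll32 detonation is worth reading closely.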

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:46

Platform

win10v2004-20240426-en

Max time kernel

604s

Max time network

608s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcus RAT executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\ProgramData\Chrome\chromedriver.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Matches: 33 (no description, indicator, process or target recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\mxfix.EXE N/A

Note: `wextract_cleanup0` pointing at advpack.dll DelNodeRunDLL32 is the standard RunOnce entry that IExpress/wextract self-extracting packages write so that their IXP000.TMP extraction directory is deleted at the next logon. It shows that mxfix.EXE is an IExpress-built SFX (consistent with it launching powershell.exe on mxfixer.ps1 below); it does not by itself persist the payload. The persistence to look for in this run is the Task Scheduler COM API use and the components dropped into SysWOW64 and the roaming profile.

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Process (number of hits)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2)
C:\Users\Admin\AppData\Roaming\svchost.exe (31)
C:\ProgramData\Chrome\chromedriver.exe (31)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Chrome\chromedriver.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5096 wrote to memory of 844 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\ProgramData\Chrome\chromedriver.exe
PID 844 wrote to memory of 3924 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\mxfix.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5096 wrote to memory of 3848 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
PID 5096 wrote to memory of 1620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
PID 3848 wrote to memory of 2540 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2540 wrote to memory of 4520 (2 events) N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3848 wrote to memory of 5016 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 3848 wrote to memory of 2172 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\ProgramData\Chrome\chromedriver.exe
PID 2172 wrote to memory of 2512 (3 events) N/A C:\ProgramData\Chrome\chromedriver.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2512 wrote to memory of 6104 (3 events) N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jm04dzwl.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6E2C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6E2B.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\ProgramData\Chrome\chromedriver.exe

"C:\ProgramData\Chrome\chromedriver.exe"

C:\ProgramData\Chrome\chromedriver.exe

C:\ProgramData\Chrome\chromedriver.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 2172 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 2172 "/protectFile"

C:\ProgramData\Chrome\chromedriver.exe

C:\ProgramData\Chrome\chromedriver.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
PL 209.25.141.181:40489 N/A tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
PL 209.25.141.181:40489 N/A tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
PL 209.25.141.181:40489 N/A tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
PL 209.25.141.181:40489 N/A tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp
PL 209.25.141.181:40489 N/A tcp

Files

memory/5096-0-0x00007FFD2F5A3000-0x00007FFD2F5A5000-memory.dmp

memory/5096-1-0x00000000009D0000-0x0000000000C14000-memory.dmp

memory/5096-3-0x00007FFD2F5A0000-0x00007FFD30061000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

MD5 b4ec612c441786aa614ce5f32edae475
SHA1 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d
SHA256 e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd
SHA512 c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

MD5 3926c7b8fdfb0ab3b92303760b14d402
SHA1 b33e12ef4bdcd418139db59d048609c45fe8f9eb
SHA256 c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7
SHA512 4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

MD5 228a69dc15032fd0fb7100ff8561185e
SHA1 f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
SHA256 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
SHA512 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

memory/3848-48-0x0000000000A20000-0x0000000000A30000-memory.dmp

memory/5096-49-0x00007FFD2F5A0000-0x00007FFD30061000-memory.dmp

memory/1620-50-0x0000000000EA0000-0x000000000104C000-memory.dmp

memory/3924-43-0x000001BAD4A80000-0x000001BAD4AA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vye2wpq.0jo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1620-51-0x0000000005F30000-0x00000000064D4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1

MD5 5d792fc7c4e2fd3eb595fce4883dcb2d
SHA1 ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA256 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA512 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

memory/1620-53-0x00000000058C0000-0x0000000005952000-memory.dmp

memory/3848-54-0x000000001B140000-0x000000001B19C000-memory.dmp

memory/3848-57-0x000000001B340000-0x000000001B34E000-memory.dmp

memory/3848-58-0x000000001B820000-0x000000001BCEE000-memory.dmp

memory/3848-59-0x000000001BD90000-0x000000001BE2C000-memory.dmp

memory/1620-62-0x0000000005A80000-0x0000000005A8A000-memory.dmp

memory/1620-63-0x0000000005C40000-0x0000000005E32000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

memory/1620-79-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-120-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-130-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-135-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-132-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-129-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-126-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-124-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-122-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-119-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-110-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-108-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-106-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-104-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-102-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-101-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-100-0x0000000071020000-0x0000000071057000-memory.dmp

memory/1620-116-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-114-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/3848-993-0x000000001C450000-0x000000001C466000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jm04dzwl.dll

MD5 9e69d9742178a93327db22b3a50f04e1
SHA1 3cf9d56f835b94f966a4f66c590ec3f41808bfdb
SHA256 111708aa7f4eac2a94778eff202dbdc5d1533c12729a0e2b589c6664f51e8277
SHA512 f4acca8f2a020bf65cccf24039e4695bbc370015457be18971dfbd5564e701f8cafa6e28cb677695ec58b2ddb75b3eb9bc90c821072ae1072d7d4d0db328ae89

memory/3848-997-0x000000001C490000-0x000000001C4B0000-memory.dmp

memory/5016-1011-0x00000000003A0000-0x00000000003AC000-memory.dmp

memory/5016-1012-0x0000000002330000-0x0000000002342000-memory.dmp

memory/5016-1013-0x00000000024D0000-0x000000000250C000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

memory/3848-996-0x0000000000A50000-0x0000000000A58000-memory.dmp

memory/4224-1637-0x0000000019E30000-0x0000000019F3A000-memory.dmp

memory/3848-995-0x0000000000A70000-0x0000000000A82000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES6E2C.tmp

MD5 37aaad44ff0609e6dc07bb43dbb2f644
SHA1 004d375f46062ae14c97eca0f82582b3fe0b3e94
SHA256 52d9f5e2920a3a135dd75c1747d4de24af54223dc31aecaf8840b7a97fa5fe27
SHA512 ea04f36385e6762f553c8297700367934c772cd2055787f1b56e112031e70cd428a9b80a66b5f1a3c978e002ab792947d4a65138c9bc349e779520d929584000

\??\c:\Users\Admin\AppData\Local\Temp\CSC6E2B.tmp

MD5 db128937584638af5aa90d92388eb390
SHA1 5a49a6c30ced2d052e23011302b22a077a757bc7
SHA256 eec4486441352e4c2290a9ca3af94f0b048750abdea572f80fb48777cad0c828
SHA512 c89047d6951759b52637c43ab80ea20a8263de01f83e872dc9945a1efbc42997370d7e33fadf50dff613eec3a4e568c531814717588dfc15c2a626c0f3066355

\??\c:\Users\Admin\AppData\Local\Temp\jm04dzwl.0.cs

MD5 bff75aea68db40b522152984ecb0dadb
SHA1 425036c5d5c1b505eb683c8bd0446b901e5e313e
SHA256 5d3c8fe9dc3d9b63998c07c152a395a2a4cfc5421d820485c649369721e672bf
SHA512 8dddb2e7dfce5424957b923affa2e2b4468e09edf18c9acb834fe611b4b068e011518321e27fd6e55b7f6a805b28dadfdc1aafa7f0ee6ffc77b77d35b16da037

\??\c:\Users\Admin\AppData\Local\Temp\jm04dzwl.cmdline

MD5 7b4410589913c5f753aa4db02aa90260
SHA1 853667a019d7281cf150aeda9b892190aa478e36
SHA256 713dc1dbaa0946ac61cc713da53373f96cd72cc4cc09facf63ecc99e4796451e
SHA512 dd190017161a9792357aa1750e968d22fab46e0d0e3714fe7e70c654216ea417c2335825e37ffc0984f9bf0bbe4efe2b5c688ac3583919ffc9523cc7073e7854

memory/1620-112-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-97-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-95-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-93-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-91-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-89-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/2172-2589-0x0000000000670000-0x000000000076C000-memory.dmp

memory/1620-87-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-85-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-83-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-81-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-77-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-75-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-73-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/1620-72-0x0000000005C40000-0x0000000005E2E000-memory.dmp

memory/2172-3134-0x0000000002740000-0x000000000278E000-memory.dmp

memory/2172-3133-0x0000000002710000-0x0000000002722000-memory.dmp

memory/1620-71-0x0000000073330000-0x00000000733B9000-memory.dmp

memory/2172-3519-0x000000001B8D0000-0x000000001B8E8000-memory.dmp

memory/2172-3750-0x000000001B9F0000-0x000000001BA00000-memory.dmp

memory/2172-3749-0x000000001BC10000-0x000000001BDD2000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2512-4368-0x0000000000C30000-0x0000000000C38000-memory.dmp

memory/1620-11804-0x0000000006A80000-0x0000000006B1C000-memory.dmp

memory/1620-11810-0x0000000071020000-0x0000000071057000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chromedriver.exe.log

MD5 9be3069b2cf9222dde6c28dd9180a35a
SHA1 14b76614ed5c94c513b10ada5bd642e888fc1231
SHA256 5e4c38466764be178ea21ba3149d0580d25d035b57e081b3abb9c06a19cfd67a
SHA512 043256f38c20d8765ddf2f1d5912249bfbb017c0b630d24d9e4894f4a759dec66bf0ffaf878ac69e9dfd6db7ec5e090dd69de2333d83299ef43888c394398885

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win7-20240220-en

Max time kernel

361s

Max time network

366s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win10v2004-20240426-en

Max time kernel

450s

Max time network

455s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 107.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win10v2004-20240419-en

Max time kernel

449s

Max time network

454s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3004 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\SYSTEM32\cmd.exe
PID 3004 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\SYSTEM32\cmd.exe
PID 1924 wrote to memory of 1496 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1924 wrote to memory of 1496 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1924 wrote to memory of 3056 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1924 wrote to memory of 3056 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1924 wrote to memory of 920 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1924 wrote to memory of 920 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 3004 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\SYSTEM32\cmd.exe
PID 3004 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\SYSTEM32\cmd.exe
PID 1900 wrote to memory of 1512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1900 wrote to memory of 1512 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 1900 wrote to memory of 4696 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1900 wrote to memory of 4696 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 1900 wrote to memory of 832 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 1900 wrote to memory of 832 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile name=65001 key=clear

C:\Windows\system32\findstr.exe

findstr Key

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 api.anonfiles.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 137.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

memory/3004-1-0x0000000000A30000-0x0000000000A46000-memory.dmp

memory/3004-0-0x00007FFBB1833000-0x00007FFBB1835000-memory.dmp

memory/3004-2-0x0000000002B80000-0x0000000002B8A000-memory.dmp

memory/3004-3-0x0000000002BB0000-0x0000000002BCA000-memory.dmp

memory/3004-4-0x00007FFBB1830000-0x00007FFBB22F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\passwords.txt

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

memory/3004-26-0x000000001D880000-0x000000001D892000-memory.dmp

memory/3004-27-0x000000001D8E0000-0x000000001D91C000-memory.dmp

memory/3004-29-0x00007FFBB1830000-0x00007FFBB22F1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win7-20240221-en

Max time kernel

600s

Max time network

602s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcus main payload

Description Indicator Process Target
N/A N/A N/A N/A

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\mxfix.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Chrome\chromedriver.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe N/A
N/A N/A C:\ProgramData\Chrome\chromedriver.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
PID 1808 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
PID 1808 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\mxfix.EXE
PID 1808 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
PID 1808 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
PID 1808 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe
PID 1856 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mxfix.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mxfix.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1856 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\mxfix.EXE C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1808 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
PID 1808 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
PID 1808 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
PID 1808 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe
PID 3028 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3028 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 3028 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
PID 2488 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2488 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 2488 wrote to memory of 2928 N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
PID 3028 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 3028 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 3028 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 3028 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\ProgramData\Chrome\chromedriver.exe
PID 3028 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\ProgramData\Chrome\chromedriver.exe
PID 3028 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe C:\ProgramData\Chrome\chromedriver.exe
PID 4840 wrote to memory of 4908 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Chrome\chromedriver.exe
PID 4840 wrote to memory of 4908 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Chrome\chromedriver.exe
PID 4840 wrote to memory of 4908 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Chrome\chromedriver.exe
PID 4688 wrote to memory of 4940 N/A C:\ProgramData\Chrome\chromedriver.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4688 wrote to memory of 4940 N/A C:\ProgramData\Chrome\chromedriver.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4688 wrote to memory of 4940 N/A C:\ProgramData\Chrome\chromedriver.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4688 wrote to memory of 4940 N/A C:\ProgramData\Chrome\chromedriver.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4940 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4940 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4940 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4940 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4840 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Chrome\chromedriver.exe
PID 4840 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Chrome\chromedriver.exe
PID 4840 wrote to memory of 2732 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Chrome\chromedriver.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\BlitzedGrabberV12.exe"

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

"C:\Users\Admin\AppData\Local\Temp\mxfix.EXE"

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

"C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -File mxfixer.ps1

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8zrx5yir.cmdline"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3277.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3276.tmp"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\ProgramData\Chrome\chromedriver.exe

"C:\ProgramData\Chrome\chromedriver.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {89C86F86-0EA9-45B0-9E93-F9643AC05D5F} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]

C:\ProgramData\Chrome\chromedriver.exe

C:\ProgramData\Chrome\chromedriver.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /launchSelfAndExit "C:\ProgramData\Chrome\chromedriver.exe" 4688 /protectFile

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe" /watchProcess "C:\ProgramData\Chrome\chromedriver.exe" 4688 "/protectFile"

C:\ProgramData\Chrome\chromedriver.exe

C:\ProgramData\Chrome\chromedriver.exe

Network

Country Destination Domain Proto
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp
PL 209.25.141.181:40489 tcp

Files

memory/1808-0-0x000007FEF5603000-0x000007FEF5604000-memory.dmp

memory/1808-1-0x0000000001140000-0x0000000001384000-memory.dmp

memory/1808-6-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\mxfix.EXE

MD5 b4ec612c441786aa614ce5f32edae475
SHA1 3a264f8daeec9b156ddb5ed576d490dd8fbd8e7d
SHA256 e18ba6573b9aa2d139ed5c30f18ac2ece3ce8287d1651db4bc632dbc816f53bd
SHA512 c6800371cdc2b571061e6e755a2c95f49dcb233c3999976f180cb7cf95fa2c62d03b52a3c497a2cd7ae46ec72eaf823db25bd291ca676724194c05966f2bce16

C:\Users\Admin\AppData\Local\Temp\UnityCrashHandlerV2.exe

MD5 3926c7b8fdfb0ab3b92303760b14d402
SHA1 b33e12ef4bdcd418139db59d048609c45fe8f9eb
SHA256 c101904ec19b45612213c2b398892a4523f63862bb3e24c245509db2417585e7
SHA512 4a022be27f58b1735f3a0ac9abdedbd769adb4e3ca1dacdcdc98700b17e138b647f9059585c8ef37fdd7072ad6283e95f10def171584097eb8c70e7d1212ce0e

memory/3028-15-0x000007FEF1FAE000-0x000007FEF1FAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12.exe

MD5 228a69dc15032fd0fb7100ff8561185e
SHA1 f8dbc89fed8078da7f306cb78b92ce04a0bdeb00
SHA256 920bec9d500f6446b84399ab4c84858d0f0d7d1abb2e0377399ebbc4bafad709
SHA512 373621c4743fa72571b3c8375aa6f7852303a821558b016b002d2af07154787d978f66696db89eeed8fe41f4aed5d66b690d4f87469939f9b1dea2ac2b9101f1

memory/2920-26-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/3028-27-0x000000001AE20000-0x000000001AE7C000-memory.dmp

memory/3028-28-0x0000000001DC0000-0x0000000001DCE000-memory.dmp

memory/2920-30-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/1808-29-0x000007FEF5600000-0x000007FEF5FEC000-memory.dmp

memory/3028-31-0x000007FEF1CF0000-0x000007FEF268D000-memory.dmp

memory/2776-32-0x00000000010E0000-0x000000000128C000-memory.dmp

memory/3028-33-0x000007FEF1CF0000-0x000007FEF268D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\mxfixer.ps1

MD5 5d792fc7c4e2fd3eb595fce4883dcb2d
SHA1 ee2a88f769ad746f119e144bd06832cb55ef1e0f
SHA256 41eccaa8649345b33e57f5d494429276e9f2eb23ca981f018da33a34aabfd8eb
SHA512 4b85fe8205c705914867227c97aa1333421970d8e6f11b2ac6be8e95fef1a0f31f985547eafe52e382f13c2a16afa05462bd614b75bee250464c50734d59a92e

\??\c:\Users\Admin\AppData\Local\Temp\8zrx5yir.cmdline

MD5 b5675fd3e963a1657429b7cb8eec29bf
SHA1 a2eadabe5edc1c6ce271b4ded76ef284c6066f49
SHA256 14e39b71ccd38ef104d56f8db76d02d8b27d726ec240302da81ceb5a2444c0bc
SHA512 0cb63420e88ffc204069cba8a424f2f2c1d71238e6287d85dc826816cc8130c1db1dfaf577b44ad7592a08a258fd17d9246f1b5dd7bfa61cc4fb0d3c02b74417

\??\c:\Users\Admin\AppData\Local\Temp\8zrx5yir.0.cs

MD5 250321226bbc2a616d91e1c82cb4ab2b
SHA1 7cffd0b2e9c842865d8961386ab8fcfac8d04173
SHA256 ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d
SHA512 bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

memory/2776-40-0x0000000005060000-0x0000000005252000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8zrx5yir.dll

MD5 e87c0303464da2ff36a5083a83c5f859
SHA1 e10a08a52a0c5c3b3d354f089fdb5ebe4f6cc5fc
SHA256 b495065cc12ae18d162f7ffeb29741bdef96be8241a72b41a801230ff52abfcd
SHA512 0858498911123c1073dd39bc10c744e2537a96f4f63df40a4bed23742d97ab326e1b8a6e8851097559c61776ffff335bee41927471e4c0e19301a77c3db260bb

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

memory/3028-49-0x000000001AD60000-0x000000001AD76000-memory.dmp

memory/2776-62-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-66-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-70-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-72-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-74-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-68-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-64-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-60-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-58-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-57-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-56-0x0000000073EC0000-0x0000000073F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES3277.tmp

MD5 90464bb28caf4f618dd1067bce53e2ad
SHA1 bd314f049a409551a9948bd983b16d46d00d7c9a
SHA256 06b7b7bef7b2913120ce858e9a4746706aabf7b5568fa19d42e991ec510e1f1c
SHA512 88ba3d9e5961f4cd62ddc59d03736c48b3cc72bcce3bfe6b37e5552a73ec32542ed2e333da4faaba31367de5065a708119411889ca366f5df27acda2d1887609

\??\c:\Users\Admin\AppData\Local\Temp\CSC3276.tmp

MD5 73ceeedb37c8be6bbc6ba1ef1ac6fae4
SHA1 8ffa8068d6068e9966f034eac2b1d4fc968d1c36
SHA256 a8c230f5026d455b8ddef1edbe6fa1b5983c2d6c648c61b33b8a4a667620affb
SHA512 8d079271569f02d39afad97943d1339e3c02d6c7b0c4181fffc5f013fbbc12803c2a6b0dd058efa52b0f20a6478980027e3f3099eecd991658db61bad41f9044

memory/2776-84-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-82-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-150-0x0000000073B90000-0x0000000073BC7000-memory.dmp

memory/2776-118-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-116-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-114-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-112-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-110-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-109-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-106-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-104-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-102-0x0000000005060000-0x000000000524E000-memory.dmp

memory/3028-11712-0x0000000001DF0000-0x0000000001E02000-memory.dmp

memory/3028-11713-0x0000000001E60000-0x0000000001E68000-memory.dmp

memory/2776-100-0x0000000005060000-0x000000000524E000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 e6fcf516d8ed8d0d4427f86e08d0d435
SHA1 c7691731583ab7890086635cb7f3e4c22ca5e409
SHA256 8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337
SHA512 c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2776-98-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-96-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-94-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-92-0x0000000005060000-0x000000000524E000-memory.dmp

memory/4416-11721-0x0000000000D30000-0x0000000000D3C000-memory.dmp

memory/2776-91-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-88-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-86-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-80-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-78-0x0000000005060000-0x000000000524E000-memory.dmp

memory/2776-76-0x0000000005060000-0x000000000524E000-memory.dmp

memory/4508-11725-0x0000000000F20000-0x0000000000F2C000-memory.dmp

memory/4688-11735-0x00000000000E0000-0x00000000001DC000-memory.dmp

memory/3028-11736-0x000007FEF1CF0000-0x000007FEF268D000-memory.dmp

memory/4688-11741-0x0000000002030000-0x000000000207E000-memory.dmp

memory/4688-11740-0x0000000000570000-0x0000000000582000-memory.dmp

memory/4688-11743-0x0000000002170000-0x0000000002188000-memory.dmp

memory/4688-11744-0x0000000002190000-0x00000000021A0000-memory.dmp

memory/4940-11754-0x0000000000E20000-0x0000000000E28000-memory.dmp

C:\Users\Admin\AppData\Roaming\svchost.exe

MD5 913967b216326e36a08010fb70f9dba3
SHA1 7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA256 8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512 c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

memory/2776-11756-0x0000000073B90000-0x0000000073BC7000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win10v2004-20240419-en

Max time kernel

539s

Max time network

586s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4844 -ip 4844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 872

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 165.191.110.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 239.249.30.184.in-addr.arpa udp

Files

memory/4844-0-0x000000007513E000-0x000000007513F000-memory.dmp

memory/4844-1-0x00000000006F0000-0x000000000076A000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win7-20240221-en

Max time kernel

359s

Max time network

361s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\system32\cmd.exe
PID 2876 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2876 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2876 wrote to memory of 3056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2876 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2876 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2876 wrote to memory of 2896 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2876 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2876 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2876 wrote to memory of 2036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2240 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\system32\cmd.exe
PID 2240 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe C:\Windows\system32\cmd.exe
PID 2608 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2608 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2608 wrote to memory of 2604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 2608 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2608 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2608 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2608 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2608 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 2608 wrote to memory of 2708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\ww.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name=65001 key=clear | findstr Key

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile name=65001 key=clear

C:\Windows\system32\findstr.exe

findstr Key

Network

Country Destination Domain Proto
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 api.anonfiles.com udp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp
US 162.159.137.232:443 discord.com tcp

Files

memory/2240-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2240-1-0x0000000000DB0000-0x0000000000DC6000-memory.dmp

memory/2240-2-0x0000000000460000-0x000000000046A000-memory.dmp

memory/2240-3-0x0000000000490000-0x00000000004AA000-memory.dmp

memory/2240-4-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar26BA.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\passwords.txt

MD5 68b329da9893e34099c7d8ad5cb9c940
SHA1 adc83b19e793491b1c6ea0fd8b46cd9f32e592fc
SHA256 01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b
SHA512 be688838ca8686e5c90689bf2ab585cef1137c999b48c70b92f67a5c34dc15697b5d11c982ed6d71be1e1e7f7b4e0733884aa97c3f7a339a8ed03577cf74be09

memory/2240-63-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win7-20240221-en

Max time kernel

357s

Max time network

361s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-05 13:20

Reported

2024-05-05 13:45

Platform

win7-20240215-en

Max time kernel

359s

Max time network

363s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 552

Network

N/A

Files

memory/2744-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

memory/2744-1-0x0000000000E30000-0x0000000000EAA000-memory.dmp