Analysis Overview
SHA256
2a4aee03d0e31745e786611470be3ad45d8c9f35b141f6e364542ab3ca6f5519
Threat Level: Known bad
The file FlashBTC core 2024 Full Edition.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
StormKitty
StormKitty payload
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Looks up geolocation information via web service
Drops desktop.ini file(s)
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of SetThreadContext
Enumerates physical storage devices
Command and Scripting Interpreter: JavaScript
Unsigned PE
Modifies system certificate store
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: SetClipboardViewer
Analysis: static1
Detonation Overview
Reported
2024-05-08 12:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win10v2004-20240419-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\1XDHRO6P4.5.exe\" .." | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
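The Run/RunOnce values above are the persistence a responder has to clean up, and the sandbox prints the registry strings with escaped backslashes and quotes, so they need unescaping before the target path can be resolved. The Python below is an added example, not the sandbox's own signature logic: it parses those indicator strings into executable, arguments and a list of reasons for concern (target in a user-writable directory, vendor-lookalike name outside Program Files or Windows, a RunOnce entry that disappears after one logon, a non-empty autostart argument) and does the same for the Startup-folder drops listed earlier. The indicator strings are constructed copies of the rows above; the lookalike-name set and the user-writable prefixes are assumptions to tune.

```python
"""Triage the Run/RunOnce and Startup-folder indicators of a sandbox report.

Added example, not the sandbox's own signature logic. The indicator strings are
constructed copies of this report's rows; LOOKALIKE_NAMES and USER_WRITABLE are
assumptions to tune for your environment.
"""
import re
from dataclasses import dataclass, field

RUN_VALUE_RE = re.compile(
    r'^\\REGISTRY\\USER\\(?P<sid>S-1-5-21-[\d-]+)\\SOFTWARE\\Microsoft\\Windows'
    r'\\CurrentVersion\\(?P<key>RunOnce|Run)\\(?P<name>[^\\ ]+) = "(?P<value>.*)"$',
    re.IGNORECASE,
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
# Assumption: names that imitate vendor components when found outside vendor directories.
LOOKALIKE_NAMES = {"windowsupdater", "adobeupdate", "microsoft edge", "svchost", "explorer"}


@dataclass
class Finding:
    source: str                 # "Run", "RunOnce" or "StartupFolder"
    name: str                   # registry value name or dropped file name
    exe: str                    # executable (or .lnk) path
    args: str = ""
    reasons: list = field(default_factory=list)


def unescape(value: str) -> str:
    """Undo the backslash escaping the sandbox applies to registry strings (left to right)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_command(cmd: str):
    """Separate executable from arguments; a quoted path may contain spaces, an unquoted one may not."""
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd)
    if m:
        return m.group(1), m.group(2).strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def classify(f: Finding) -> Finding:
    low = f.exe.lower()
    stem = low.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if any(p in low for p in USER_WRITABLE):
        f.reasons.append("autostart target lives in a user-writable directory")
    if {stem, f.name.lower()} & LOOKALIKE_NAMES and not low.startswith(("c:\\program files", "c:\\windows\\")):
        f.reasons.append("vendor-lookalike name outside Program Files/Windows")
    if f.source.lower() == "runonce":
        f.reasons.append("RunOnce entry: deleted after one execution, collect it before the next logon")
    if f.args:
        f.reasons.append(f"non-empty autostart argument {f.args!r}")
    return f


def triage_run_keys(indicators):
    findings = []
    for line in indicators:
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        exe, args = split_command(unescape(m.group("value")))
        findings.append(classify(Finding(m.group("key"), m.group("name"), exe, args)))
    return findings


def triage_startup_folder(paths):
    findings = []
    for p in paths:
        if STARTUP_DIR not in p.lower():
            continue
        f = Finding("StartupFolder", p.rsplit("\\", 1)[-1], p)
        f.reasons.append("file dropped into the per-user Startup folder")
        if p.lower().endswith(".lnk"):
            f.reasons.append("shortcut: resolve the .lnk target before judging it")
        findings.append(f)
    return findings


SAMPLE_RUN_INDICATORS = [  # constructed copies of the report rows
    r'\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe"',
    r'\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe"',
    r'\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\1XDHRO6P4.5.exe\" .."',
    r'\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .."',
]
SAMPLE_STARTUP_PATHS = [  # constructed copies of the "Drops startup file" rows, plus one non-Startup path
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe",
    r"C:\Users\Admin\AppData\Roaming\QrNCGfAyDz\DcDJLimAFT.exe",
]

if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_RUN_INDICATORS) + triage_startup_folder(SAMPLE_STARTUP_PATHS):
        print(f"[{f.source}] {f.name} -> {f.exe} {f.args}".rstrip())
        for r in f.reasons:
            print("    -", r)
```

Run it directly to print the findings. Note that the WindowsUpdater value is written twice with different targets: 1XDHRO6P4.5.exe and R4TQUSL42.0.exe each claim the same value name, so whichever wrote last owns the Run key, which is why both also copy themselves into the Startup folder.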
Drops desktop.ini file(s)
The paths below are not desktop.ini drops in the usual sense: they sit in the stealer's staging directory (AppData\Local\<hash>\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\...), into which it mirrors the Desktop, Documents, Downloads and Pictures folders for later exfiltration. desktop.ini is simply present in every source folder, so it is the file the signature notices; treat the whole staging tree as collected data.
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
Source and target are two instances of the same dropped image (Microsoft Edge.exe under AppData\Roaming), and the same process is also flagged for WriteProcessMemory: a loader starting a suspended copy of itself, overwriting its memory and redirecting the main thread, i.e. process hollowing. The unpacked payload is therefore in the target, PID 3116 (memory/3116-52-0x0000000000400000-0x0000000000430000-memory.dmp under Files).
| Description | Indicator | Process | Target |
| PID 2980 set thread context of 3116 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | "C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe" |
| C:\Users\Admin\AppData\Roaming\crack.exe | "C:\Users\Admin\AppData\Roaming\crack.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | "C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe" |
| C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | "C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | "C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe" |
| C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | "C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe" |
| C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | "C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe" |
| C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | "C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp685F.tmp.cmd"" |
| C:\Windows\SysWOW64\timeout.exe | timeout 4 |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show profile |
| C:\Windows\SysWOW64\findstr.exe | findstr All |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show networks mode=bssid |
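Two command-line patterns in the process list above deserve a detection rule: cmd.exe executing a %TEMP%\tmpXXXX.tmp.cmd batch whose child is timeout (consistent with a sleep-then-relaunch installer; the sample also appears copied from Temp into AppData\Roaming), and cmd.exe /C chcp 65001 && netsh wlan show profile / show networks mode=bssid (saved Wi-Fi profiles and a BSSID survey, the inputs for the api.mylnikov.org geolocation lookup in the Network table). The Python below is an added example, not the sandbox's detection logic: it runs those rules over constructed Sysmon-style process-creation records and marks each hit with whether an ancestor process runs from a user-writable directory. PIDs and the parent/child links are assumptions, since the report lists the processes but not the tree.

```python
"""Command-line rules for the process tree above, applied to constructed
Sysmon-style process-creation records.

Added example, not the sandbox's own detection logic. PIDs and parent/child
links are assumptions: the report lists the processes, not the tree.
"""
import re

TEMP_BATCH_RE = re.compile(r"\\Temp\\tmp[0-9A-F]{4}\.tmp\.cmd", re.IGNORECASE)
WLAN_RE = re.compile(r"netsh\s+wlan\s+show\s+(profile|networks)", re.IGNORECASE)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def in_user_dir(image: str) -> bool:
    low = image.lower()
    return any(p in low for p in USER_WRITABLE)


def spawned_from_user_dir(event, by_pid, max_depth=8) -> bool:
    """True if any ancestor (up to max_depth levels) runs from a user-writable directory."""
    cur = by_pid.get(event["ppid"])
    for _ in range(max_depth):
        if cur is None:
            return False
        if in_user_dir(cur["image"]):
            return True
        cur = by_pid.get(cur["ppid"])
    return False


def detect(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []

    def hit(rule, e):
        findings.append({"rule": rule, "pid": e["pid"], "cmd": e["cmd"],
                         "from_user_dir": spawned_from_user_dir(e, by_pid)})

    for e in events:
        img, cmd = e["image"].lower(), e["cmd"]
        parent = by_pid.get(e["ppid"])
        # cmd.exe running a %TEMP%\tmpXXXX.tmp.cmd batch: the sleep-then-relaunch
        # installer step seen in this run (batch waits, then starts the copied payload).
        if img.endswith("\\cmd.exe") and TEMP_BATCH_RE.search(cmd):
            hit("temp_batch_installer", e)
        # timeout.exe whose parent is that batch: the delay inside the same installer.
        if img.endswith("\\timeout.exe") and parent and TEMP_BATCH_RE.search(parent["cmd"]):
            hit("installer_delay", e)
        # Wi-Fi recon: saved profiles (credential harvesting) or a BSSID survey (geolocation).
        m = WLAN_RE.search(cmd)
        if m:
            hit("wifi_profiles" if m.group(1).lower() == "profile" else "wifi_bssid_survey", e)
    return findings


SAMPLE_EVENTS = [  # constructed from the process list above; pid/ppid values are assumed
    {"pid": 100, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe",
     "cmd": r'"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp685F.tmp.cmd""'},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmd": "timeout 4"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All'},
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\SysWOW64\netsh.exe", "cmd": "netsh wlan show profile"},
    {"pid": 106, "ppid": 101, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    # Benign control: a batch file outside %TEMP%, with no recorded parent.
    {"pid": 107, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "C:\Users\Admin\build\run_tests.cmd"'},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['rule']:<22} pid={f['pid']} user_dir_ancestry={f['from_user_dir']} :: {f['cmd']}")
```

The ancestry flag is what separates these from administrative use: netsh wlan under an interactive shell is ordinary, netsh wlan under a binary living in AppData\Roaming is not.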
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:3389 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 241.185.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.196.67.172.in-addr.arpa | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
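The Network table mixes three kinds of traffic: the sandbox's own noise (PTR lookups under in-addr.arpa, Bing telemetry), loopback connections to 6606, 7707 and 8808 (AsyncRAT's default build ports, which suggests this build was compiled with its C2 pointed at localhost and never reaches a real controller), and the stealer's real endpoints: api.telegram.org (bot-API exfiltration), icanhazip.com (external IP) and api.mylnikov.org (Wi-Fi BSSID geolocation). The Python below is an added example, not part of the report: it parses rows in the table's own pipe format, including rows where the Domain and Proto cells were swapped, classifies them and produces a hunt list. The rows are a constructed subset of the table above; the port set and endpoint roles are assumptions drawn from this run and are marked as such in the code.

```python
"""Classify the Network rows above (constructed subset) into sandbox noise,
loopback RAT ports, and the stealer's exfil/recon endpoints.

Added example, not part of the sandbox report. ASYNCRAT_DEFAULT_PORTS is the
RAT's default build configuration; ROLE_BY_DOMAIN records the roles these
endpoints play in this run (an assumption for any other sample).
"""
import re
from collections import Counter
from dataclasses import dataclass

ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}
DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
ROLE_BY_DOMAIN = {
    "api.telegram.org": "telegram_bot_api",   # Telegram bot exfil channel
    "icanhazip.com": "external_ip_lookup",
    "api.mylnikov.org": "wifi_geolocation",   # BSSID list -> location lookup
}


@dataclass
class Row:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(lines):
    """Parse pipe-delimited rows; tolerates rows whose Domain and Proto cells were swapped."""
    rows = []
    for line in lines:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3:
            continue
        m = DEST_RE.match(cells[1])
        if not m:
            continue  # header row or malformed destination
        rest = cells[2:]
        proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in rest if c and c.lower() not in ("tcp", "udp", "n/a")), "N/A")
        rows.append(Row(cells[0], m.group(1), int(m.group(2)), domain.lower(), proto))
    return rows


def classify(r: Row) -> str:
    if r.domain.endswith(".in-addr.arpa"):
        return "reverse_dns_noise"          # PTR lookups issued by the sandbox itself
    if r.ip.startswith("127."):
        return "asyncrat_default_port" if r.port in ASYNCRAT_DEFAULT_PORTS else "loopback_other"
    if r.domain in ROLE_BY_DOMAIN:
        return ROLE_BY_DOMAIN[r.domain]
    if r.domain.endswith((".bing.com", ".bing.net")):
        return "sandbox_background"         # Windows/Edge telemetry, not the sample
    return "unclassified"


def summarize(rows):
    counts = Counter(classify(r) for r in rows)
    roles = set(ROLE_BY_DOMAIN.values())
    hunt_domains = sorted({r.domain for r in rows if classify(r) in roles})
    loopback_ports = sorted({r.port for r in rows if r.ip.startswith("127.")})
    # IPs behind the exfil domains are shared Telegram/CDN infrastructure: keep them
    # for correlation, but the domains are the artifacts worth hunting or blocking.
    remote_ips = sorted({r.ip for r in rows if r.domain in ROLE_BY_DOMAIN and r.proto == "tcp"})
    return {"counts": dict(counts), "hunt_domains": hunt_domains,
            "loopback_ports": loopback_ports, "remote_ips": remote_ips}


SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:3389 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 172.67.196.114:443 | api.mylnikov.org | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | tcp | |
""".splitlines()  # constructed subset of the table above, last row deliberately malformed

if __name__ == "__main__":
    for key, value in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}: {value}")
```

The loopback rows never leave the host, so the observable network artifacts of this sample are the three domains; the Telegram and Cloudflare addresses behind them are shared infrastructure and would cause collateral blocking.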
Files
memory/668-0-0x00000000751D2000-0x00000000751D3000-memory.dmp
memory/668-1-0x00000000751D0000-0x0000000075781000-memory.dmp
memory/668-2-0x00000000751D0000-0x0000000075781000-memory.dmp
C:\Users\Admin\AppData\Roaming\crack.exe
| MD5 | 9215015740c937980b6b53cee5087769 |
| SHA1 | a0bfe95486944f1548620d4de472c3758e95d36a |
| SHA256 | a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541 |
| SHA512 | 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2 |
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
| MD5 | e7f8c4ea62d6c4ae774f981480c6b232 |
| SHA1 | 2dad33c36ad472cee4ca8231c723e92bd7033b7d |
| SHA256 | c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b |
| SHA512 | f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7 |
C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
| MD5 | 8d17fae8b6efcdf310021c21ba21a253 |
| SHA1 | 5824d9a7e709c2fbff3fe1b77d46ce8da12fb76b |
| SHA256 | 2666146118425d99aa65f5b01a0687f3f54007f01d63366c4b945b6dd25f37d7 |
| SHA512 | 6ebe1e8c5a17ac0d26ff8fb6c8c65d7baf7fc349558ee899ee0586f6b0448b93660f61cc633518ce7449938d6bb862b5fa9e81a03482fbee57c9999269a99997 |
memory/2980-40-0x00000000723AE000-0x00000000723AF000-memory.dmp
memory/3576-39-0x00007FFCA3FB3000-0x00007FFCA3FB5000-memory.dmp
memory/1532-38-0x00000000723AE000-0x00000000723AF000-memory.dmp
memory/3576-41-0x0000029946860000-0x000002994686A000-memory.dmp
memory/1532-42-0x0000000000070000-0x0000000000078000-memory.dmp
memory/2980-43-0x0000000000490000-0x00000000004C6000-memory.dmp
memory/2980-44-0x0000000005250000-0x00000000057F4000-memory.dmp
memory/2980-46-0x0000000004D90000-0x0000000004E22000-memory.dmp
memory/2980-47-0x0000000004F60000-0x0000000004FFC000-memory.dmp
memory/2980-49-0x0000000004D20000-0x0000000004D2A000-memory.dmp
memory/3116-52-0x0000000000400000-0x0000000000430000-memory.dmp
memory/668-67-0x00000000751D0000-0x0000000075781000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe.log
| MD5 | a5dcc7c9c08af7dddd82be5b036a4416 |
| SHA1 | 4f998ca1526d199e355ffb435bae111a2779b994 |
| SHA256 | e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5 |
| SHA512 | 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a |
C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe
| MD5 | bb2f6ec73b6646fb1d674763a060b42b |
| SHA1 | dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d |
| SHA256 | 0f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de |
| SHA512 | 9df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8 |
C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
| MD5 | 081247dd185e8d1a9d8aaf745fe103ca |
| SHA1 | 24cc30dd55d0519a9b2561243ddb55512824e7c7 |
| SHA256 | b5f56facdbb2d5ae278eb31ff16a226b73da97afd62d385b2798e949d12b54c3 |
| SHA512 | ad2600dcafecfbc0473db9011f8d3969a1d1a2ac8affd1fc1430145c6b0c21ce9ade1a2e208ef808b05ca421706800839ed618486e3a421b8d14762736631c27 |
memory/4380-90-0x00000000003C0000-0x00000000003C8000-memory.dmp
memory/444-94-0x000000001BAC0000-0x000000001BB5C000-memory.dmp
memory/444-91-0x000000001C130000-0x000000001C5FE000-memory.dmp
memory/444-96-0x000000001C700000-0x000000001C7A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp685F.tmp.cmd
| MD5 | 9a04ca91ecc0f633d40cfb7bce019502 |
| SHA1 | 49afccf1469626f6f6557e04f887ea2904bbbd1c |
| SHA256 | ea664967abbcac44480ee89c24549a5f0fb088008d5f52bb7de2aa14ebb0ed07 |
| SHA512 | 22f91da6156b004858ce6ce914f5e607629e12e395cd6d6a70ad378e9dc527059a30134122aa999d2e9f69301db2b8f86906bab3de15810bbab64b603aab00c5 |
memory/444-98-0x00000000013D0000-0x00000000013D8000-memory.dmp
memory/3116-100-0x0000000005200000-0x0000000005266000-memory.dmp
C:\Users\Admin\AppData\Local\64fb991ecae307a090807bf70d30eeea\Admin@HNOPMLPY_en-US\System\Process.txt
| MD5 | 4f43a74b245aa370e8b37c70eeacfcc7 |
| SHA1 | b1b891846db29032f8c9687f5d173a6220c83ac3 |
| SHA256 | f2853a1ae023f4cbef11ee88108eede2b50d92c2be59c56437ff39eba566bb8e |
| SHA512 | 55c02cc0e2046563cf5c604ebb0a4cf602e32a67b9b2e03ada40f4c02d0edcbdb589aa5832cb5a0ec52f3fceacdc3329a8cbeb2c492dce77ac9ea60c50c8a765 |
memory/3116-268-0x0000000005EA0000-0x0000000005EAA000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk
| MD5 | 3ed327d4ce8aaab5cddda9bd667147d8 |
| SHA1 | 0edd65c69aa3562d79c1028957beb7d8c76370a3 |
| SHA256 | 025632bc09d31d651cabeb41f989d006b33ee49e9df43248f5310949cc58fcfa |
| SHA512 | f541a387bb18c1e231d25acab1eebc98de55a1d86f11f5b759fb50187b1357897be5ae12fd3095890b79286a207c21c67086170db305634388c40a59689fdbd6 |
C:\Users\Admin\AppData\Local\fef01719289d6c9a40f97f935e5890f1\msgid.dat
| MD5 | be527e944a7f140a0288cad9ac818fc5 |
| SHA1 | fc350a28c9f9e0251bf229466e5797a5f7e74839 |
| SHA256 | 229ad98c757f1191de326602ba9e8037ec1d79beaad26d3ebc5ddcd4ada7e251 |
| SHA512 | a5820c63b7591e794d8959206aa35f345050366c057c53c77fc20bdd36a0caab9cc9f24eb449905f3a6abe01cabad1eebb75f2baf8f511f4aeadf50b935b2912 |
memory/3116-278-0x0000000005F30000-0x0000000005F42000-memory.dmp
memory/3576-303-0x00007FFCA3FB3000-0x00007FFCA3FB5000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
| Image | Command line |
| C:\Windows\system32\wscript.exe | wscript.exe "C:\Users\Admin\AppData\Local\Temp\Recover Shell Script.js" |
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win7-20231129-en
Max time kernel
122s
Max time network
130s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\MessagingToolkit.QRCode.dll,#1 |
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:33
Platform
win10v2004-20240226-en
Max time kernel
128s
Max time network
171s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\QRCoder.dll,#1 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | N/A | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
152s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
| Image | Command line |
| C:\Windows\system32\wscript.exe | wscript.exe "C:\Users\Admin\AppData\Local\Temp\Recover Shell Script.js" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.160:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win7-20240221-en
Max time kernel
119s
Max time network
130s
Command Line
Signatures
Processes
| Image | Command line |
| C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\fr\Microsoft.VisualBasic.PowerPacks.Vs.resources.dll,#1 |
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:31
Platform
win7-20240221-en
Max time kernel
65s
Max time network
23s
Command Line
Signatures
AsyncRat
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\R4TQUSL42.0.exe | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1XDHRO6P4.5.exe | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe" | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\AdobeUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\AdobeUpdate.exe" | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\1XDHRO6P4.5.exe\" .." | C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\R4TQUSL42.0.exe\" .." | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\26cdbef624bc3fba77aea56cd1553792\Admin@HKULBIBU_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | icanhazip.com | N/A | N/A |
Looks up geolocation information via web service
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2576 set thread context of 2696 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
The two thumbprints below are well-known public roots: DAC9024F54D8F6DF94935FB1732638CA6AD77C13 is DST Root CA X3 and CABD2A79A1076A31F21D253635CB039D4329A5E8 is ISRG Root X1. They are absent from this Windows 7 image, so the writes are consistent with CryptoAPI's automatic root update fetching them while validating a TLS chain that ends in ISRG Root X1 during this run (the apps.identrust.com request in the Network table matches the AIA download for that chain). This is the OS completing a chain, not the sample installing its own CA; the Windows 10 run (behavioral2) does not trigger the signature.
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob data omitted) | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (blob data omitted) | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
Suspicious behavior: SetClipboardViewer
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\crack.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | "C:\Users\Admin\AppData\Local\Temp\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe" |
| C:\Users\Admin\AppData\Roaming\crack.exe | "C:\Users\Admin\AppData\Roaming\crack.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | "C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe" |
| C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe | "C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe" |
| C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe | "C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe" |
| C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe | "C:\Users\Admin\AppData\Roaming\Flash BTC Transaction (Core Network) Full Version 10.0.1.exe" |
| C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe | "C:\Users\Admin\AppData\Roaming\AdobeUpdate.exe" |
| C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe | "C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp.cmd"" |
| C:\Windows\SysWOW64\timeout.exe | timeout 4 |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show profile \| findstr All |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show profile |
| C:\Windows\SysWOW64\findstr.exe | findstr All |
| C:\Windows\SysWOW64\cmd.exe | "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid |
| C:\Windows\SysWOW64\chcp.com | chcp 65001 |
| C:\Windows\SysWOW64\netsh.exe | netsh wlan show networks mode=bssid |
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:3389 | N/A | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | icanhazip.com | udp |
| US | 104.16.185.241:80 | icanhazip.com | tcp |
| US | 8.8.8.8:53 | api.mylnikov.org | udp |
| US | 104.21.44.66:443 | api.mylnikov.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
| N/A | 127.0.0.1:7707 | | tcp |
| N/A | 127.0.0.1:6606 | | tcp |
| N/A | 127.0.0.1:8808 | | tcp |
Files
\Users\Admin\AppData\Roaming\crack.exe
| MD5 | 9215015740c937980b6b53cee5087769 |
| SHA1 | a0bfe95486944f1548620d4de472c3758e95d36a |
| SHA256 | a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541 |
| SHA512 | 5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2 |
\Users\Admin\AppData\Roaming\Microsoft Edge.exe
| MD5 | e7f8c4ea62d6c4ae774f981480c6b232 |
| SHA1 | 2dad33c36ad472cee4ca8231c723e92bd7033b7d |
| SHA256 | c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b |
| SHA512 | f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7 |
C:\Users\Admin\AppData\Roaming\1XDHRO6P4.5.exe
| MD5 | 8d17fae8b6efcdf310021c21ba21a253 |
| SHA1 | 5824d9a7e709c2fbff3fe1b77d46ce8da12fb76b |
| SHA256 | 2666146118425d99aa65f5b01a0687f3f54007f01d63366c4b945b6dd25f37d7 |
| SHA512 | 6ebe1e8c5a17ac0d26ff8fb6c8c65d7baf7fc349558ee899ee0586f6b0448b93660f61cc633518ce7449938d6bb862b5fa9e81a03482fbee57c9999269a99997 |
\Users\Admin\AppData\Roaming\AdobeUpdate.exe
| MD5 | bb2f6ec73b6646fb1d674763a060b42b |
| SHA1 | dbdaed5d56e6a54bdefc352a12f8436a73c3cd9d |
| SHA256 | 0f5c554a665e05341d97ffbe3b7facbcb2043e50d079457fc54cd762cdeb11de |
| SHA512 | 9df8a285a80a8d1a6ea43163cd32dba72a8ee3bfbc96cc4a96917a60b9fd07a13da8c7abac41052db1b263e64dd5acf62820cbafad685d36e3c9ae3f607c56f8 |
C:\Users\Admin\AppData\Roaming\R4TQUSL42.0.exe
| MD5 | 081247dd185e8d1a9d8aaf745fe103ca |
| SHA1 | 24cc30dd55d0519a9b2561243ddb55512824e7c7 |
| SHA256 | b5f56facdbb2d5ae278eb31ff16a226b73da97afd62d385b2798e949d12b54c3 |
| SHA512 | ad2600dcafecfbc0473db9011f8d3969a1d1a2ac8affd1fc1430145c6b0c21ce9ade1a2e208ef808b05ca421706800839ed618486e3a421b8d14762736631c27 |
C:\Users\Admin\AppData\Local\Temp\tmp3A71.tmp.cmd
| MD5 | e62514a52244df3258fb221ad17a918d |
| SHA1 | 1f08ab9680f05ae54a7a74535d0ba8b98e2cee02 |
| SHA256 | 1fa921ffdef9e3c3f31ad9790b880b6864eaa29b67125c0c4ec06d1b95840d34 |
| SHA512 | d788ace562d479f5c5cccab9acb5f5cb86bc6ef8ff905dec5f51975acfb0ab8c7e59074bc73b2f63e77188a7b5730e9260072a12d3ed57b1b476a5e772f70d0c |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk
| MD5 | 4441676aa95904e452ed0def6b15328b |
| SHA1 | 05bc279bb85cb57a4610b35aae7a6d2e2170664f |
| SHA256 | c9caac7b92b6f4c3ae1f733446f9abeb5755a88cd7c2be698a0e40c5da8a1fda |
| SHA512 | 2341b979ced3bf9f0d1cbefcecfded5b43bc51869e9cf1580e8390ed7fec02fa93799589e2efcbd70512008bcce6ad640afb358ab86cca0e07da17a838a71524 |
C:\Users\Admin\AppData\Local\Temp\Cab6561.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar6633.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd74aca7b52f72b37e35a3284f5a3ca6 |
| SHA1 | 807603ae5089defa777364c011937e7c739492fe |
| SHA256 | 7e894391cd4fdff563d2df2026aaa874006d07cff5d6b9edb821bc421b52b577 |
| SHA512 | 3a419201cedccd774880b1ac9062395ce954fca9595689cac513d83c1fef3e4c3977f75d154215768010a3f14df3f78843c00f46b65d83f8443b6f6e520fed67 |
C:\Users\Admin\AppData\Local\af504c90833bdfb1884cb467bcb35e48\msgid.dat
| MD5 | cfcd208495d565ef66e7dff9f98764da |
| SHA1 | b6589fc6ab0dc82cf12099d1c2d40ab994e8410c |
| SHA256 | 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9 |
| SHA512 | 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win10v2004-20240419-en
Max time kernel
134s
Max time network
161s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\MessagingToolkit.QRCode.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win10v2004-20240419-en
Max time kernel
132s
Max time network
157s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualBasic.PowerPacks.Vs.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win7-20240220-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\QRCoder.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win10v2004-20240419-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\fr\Microsoft.VisualBasic.PowerPacks.Vs.resources.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.251.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-08 12:25
Reported
2024-05-08 12:32
Platform
win7-20240221-en
Max time kernel
118s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.VisualBasic.PowerPacks.Vs.dll,#1