Analysis Overview
SHA256: 9b5dc34e2808725b6b2c131d2a0ce4d2f4525269b9da6c60fcfcd93e83d40f27
Threat Level: Known bad
The file Nursultan 1.16.5 (Creator Shake).exe was classified as Known bad.
Malicious Activity Summary
RedLine payload
RedLine
Reads user/profile data of web browsers
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies registry class
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK: Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-05-22 19:51
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-22 19:51
Reported: 2024-05-22 19:59
Platform: win11-20240419-en
Max time kernel: 197s
Max time network: 201s
Signatures
RedLine
RedLine payload
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "143" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 948 -ip 948 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 948 -s 784 |
| C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc |
| C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\AppData\Local\Temp\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe | "C:\Users\Admin\Desktop\Nursultan 1.16.5 (Creator Shake).exe" |
| C:\Windows\system32\LogonUI.exe | "LogonUI.exe" /flags:0x4 /state0:0xa3a33855 /state1:0x41c64e6d |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| GB | 92.123.128.171:443 | | tcp |
| GB | 51.104.15.253:443 | browser.pipe.aria.microsoft.com | tcp |
| NL | 23.62.61.129:443 | r.bing.com | tcp |
| NL | 23.62.61.131:443 | www.bing.com | tcp |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 235.4.20.104.in-addr.arpa | udp |
| FI | 65.21.63.6:3306 | trafsell.top | tcp |
| US | 150.171.69.254:443 | mcr-ring.msedge.net | tcp |
| SE | 92.123.135.89:443 | ow1.res.office365.com | tcp |
| US | 13.107.49.254:443 | q-ring.msedge.net | tcp |
Files
memory/948-0-0x00000000008A0000-0x00000000008C2000-memory.dmp
memory/948-4-0x0000000074DBE000-0x0000000074DBF000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 18951ad4190ed728ba23e932e0c6e0db |
| SHA1 | fa2d16fcbc3defd07cb8f21d8ea4793a21f261f0 |
| SHA256 | 66607b009c345a8e70fc1e58ab8a13bbea0e370c8d75f16d2cce5b876a748915 |
| SHA512 | a67237089efa8615747bdc6cfe0afc977dc54cfd624a8d2e5124a441c204f1ec58ee7cfbbc105ddc2c18d4f254b9e124d71630bcdba0253d41a96890104f2fff |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 32187696b66da17688a541b3e3dab127 |
| SHA1 | 0006eb3805253dc2723b7ee7ea8b1394db2c67f0 |
| SHA256 | 99f86281eb8dd1014e99844434e21d7a43ec66422e24e615282cbd1ef7b4c37a |
| SHA512 | 12248261d83a406176cfaa76410d095ca6ccb5aa3fd7853755c35c78dcc4cd9d4bc27e07da2f349868b7be7b7a754be5630090376ee93a7f2c957b2f41bb3332 |