Analysis Overview
SHA256
5695a75d96e56497ab5f7175d5c1da59a4565df668cb89db774eefbb5bfb6cf5
Threat Level: Known bad
The file 2023-09-04.zip was found to be: Known bad.
Malicious Activity Summary
Redline family
DCRat payload
Agenttesla family
Metasploit family
Irata payload
Lumma family
Strrat family
Asyncrat family
Detect Lumma Stealer payload V4
Njrat family
RedLine payload
RedLine
Dcrat family
AsyncRat
Detect Neshta payload
Mirai family
Darkcloud family
Neshta family
Irata family
Lokibot
Async RAT payload
Formbook
Nanocore family
AgentTesla
Formbook payload
Suspicious Office macro
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VMProtect packed file
Reads WinSCP keys stored on the system
Checks QEMU agent file
UPX packed file
Loads dropped DLL
Declares services with permission to bind to the system
Declares broadcast receivers with permission to handle system events
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Adds Run key to start application
Requests dangerous framework permissions
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Detects Pyinstaller
NSIS installer
Suspicious use of WriteProcessMemory
Office document contains embedded OLE objects
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
outlook_win_path
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-24 01:22
Signatures
Agenttesla family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Asyncrat family
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Darkcloud family
Dcrat family
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detect Neshta payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Irata family
Irata payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma family
Metasploit family
Mirai family
Nanocore family
Neshta family
Njrat family
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
Strrat family
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
| Required by notification listener services to bind with the system. Allows apps to listen to and interact with notifications on the device. | android.permission.BIND_NOTIFICATION_LISTENER_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Office document contains embedded OLE objects
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral30
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240426-en
Max time kernel
96s
Max time network
109s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5080 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5080 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5080 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe
"C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /u /S J9SMW.NXS
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r0z.pw | udp |
| NL | 5.79.71.205:80 | r0z.pw | tcp |
| US | 8.8.8.8:53 | 205.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\J9SMW.NXS
| MD5 | e53a4ae918b729caeeef26f1fb762c2c |
| SHA1 | 689e76a00d4d4957d63823b873f5277f6c8d0eb2 |
| SHA256 | 0b18993e39094c2f85590ac4abcac3539bcf3f28d1e4c291567860992977459c |
| SHA512 | 919bd69b5eeb76e8a20b52d01b2df760a044610fafd336a22493cb707e28eab28308524dc9cc7e21ae5d3d0d08c68b9d13d5f5c8ad380e3648c27b3c9fd5c5c3 |
memory/3280-6-0x0000000000C30000-0x0000000000C36000-memory.dmp
memory/3280-4-0x0000000000400000-0x0000000000618000-memory.dmp
memory/3280-7-0x0000000002870000-0x000000000296C000-memory.dmp
memory/3280-11-0x0000000002970000-0x0000000002A53000-memory.dmp
memory/3280-8-0x0000000002970000-0x0000000002A53000-memory.dmp
memory/3280-12-0x0000000002970000-0x0000000002A53000-memory.dmp
memory/3280-13-0x0000000002A60000-0x0000000003D31000-memory.dmp
memory/3280-14-0x0000000000400000-0x0000000000618000-memory.dmp
memory/3280-15-0x0000000003D40000-0x0000000003E17000-memory.dmp
memory/3280-16-0x0000000003E20000-0x0000000003EFC000-memory.dmp
memory/3280-19-0x0000000003E20000-0x0000000003EFC000-memory.dmp
memory/3280-20-0x0000000000680000-0x0000000000681000-memory.dmp
memory/3280-21-0x0000000000690000-0x0000000000694000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240221-en
Max time kernel
39s
Max time network
28s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54.exe
"C:\Users\Admin\AppData\Local\Temp\ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | simesmile.xyz | udp |
| US | 8.8.8.8:53 | gapi-node.io | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240215-en
Max time kernel
150s
Max time network
159s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad.exe
"C:\Users\Admin\AppData\Local\Temp\e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | tcp |
Files
memory/2156-0-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/2156-1-0x0000000000030000-0x000000000003C000-memory.dmp
memory/2156-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp
memory/2156-3-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/2156-4-0x00000000746D0000-0x0000000074DBE000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240426-en
Max time kernel
101s
Max time network
110s
Command Line
Signatures
Formbook
Formbook payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5008 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe | C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/5008-0-0x000000007504E000-0x000000007504F000-memory.dmp
memory/5008-1-0x0000000000980000-0x0000000000A10000-memory.dmp
memory/5008-2-0x00000000059E0000-0x0000000005F84000-memory.dmp
memory/5008-3-0x0000000005430000-0x00000000054C2000-memory.dmp
memory/5008-4-0x0000000005400000-0x000000000540A000-memory.dmp
memory/5008-5-0x00000000056D0000-0x000000000576C000-memory.dmp
memory/5008-6-0x0000000075040000-0x00000000757F0000-memory.dmp
memory/5008-7-0x00000000056B0000-0x00000000056C4000-memory.dmp
memory/5008-8-0x000000007504E000-0x000000007504F000-memory.dmp
memory/5008-9-0x0000000075040000-0x00000000757F0000-memory.dmp
memory/5008-10-0x0000000005930000-0x000000000593E000-memory.dmp
memory/5008-11-0x0000000006CE0000-0x0000000006D4E000-memory.dmp
memory/3624-12-0x0000000000400000-0x000000000042F000-memory.dmp
memory/5008-14-0x0000000075040000-0x00000000757F0000-memory.dmp
memory/3624-15-0x0000000001960000-0x0000000001CAA000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20231129-en
Max time kernel
117s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe
"C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -U /s 883c9DGW.5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | r0z.pw | udp |
| DE | 178.162.217.107:80 | r0z.pw | tcp |
| NL | 5.79.71.205:80 | r0z.pw | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\883c9DGW.5
| MD5 | bc2c32e53a85a89cf9e3328a980a1c37 |
| SHA1 | fcbfe0bce8b255df14fe911a05a43aa23b22d710 |
| SHA256 | 3e1118bbc0450d6def003c209962eb29d2f7622b578c94089b7023786fecfb97 |
| SHA512 | 0c1de5c89e3f026287ad96f08a7e4e9973b4ce95efa516135ddd00df40611cc4d8c7234d95422ee5e8794a83b60a6bf22b6ed88b09807fdc2290ac087b8dd440 |
memory/2904-4-0x00000000022E0000-0x00000000024F9000-memory.dmp
memory/2904-5-0x00000000022E0000-0x00000000024F9000-memory.dmp
memory/2904-8-0x0000000002870000-0x000000000296C000-memory.dmp
memory/2904-9-0x0000000002970000-0x0000000002A53000-memory.dmp
memory/2904-12-0x0000000002970000-0x0000000002A53000-memory.dmp
memory/2904-13-0x00000000022E0000-0x00000000024F9000-memory.dmp
memory/2904-14-0x0000000002970000-0x0000000002A53000-memory.dmp
memory/2904-15-0x0000000002A60000-0x0000000003D31000-memory.dmp
memory/2904-16-0x0000000003D40000-0x0000000003E17000-memory.dmp
memory/2904-17-0x0000000003E20000-0x0000000003EFC000-memory.dmp
memory/2904-20-0x0000000003E20000-0x0000000003EFC000-memory.dmp
memory/2904-21-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2904-22-0x0000000000120000-0x0000000000124000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240220-en
Max time kernel
122s
Max time network
132s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MmRKwR = "C:\\Users\\Admin\\AppData\\Roaming\\MmRKwR\\MmRKwR.exe" | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1992 set thread context of 308 | N/A | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HbNtXpFugh.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbNtXpFugh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3D3.tmp"
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
Network
Files
memory/1992-0-0x00000000747CE000-0x00000000747CF000-memory.dmp
memory/1992-1-0x0000000000170000-0x0000000000232000-memory.dmp
memory/1992-2-0x00000000747C0000-0x0000000074EAE000-memory.dmp
memory/1992-3-0x0000000000550000-0x0000000000566000-memory.dmp
memory/1992-4-0x00000000747CE000-0x00000000747CF000-memory.dmp
memory/1992-5-0x00000000747C0000-0x0000000074EAE000-memory.dmp
memory/1992-6-0x0000000000580000-0x000000000058C000-memory.dmp
memory/1992-7-0x00000000005E0000-0x00000000005EE000-memory.dmp
memory/1992-8-0x0000000007E00000-0x0000000007E7C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD3D3.tmp
| MD5 | 82ea628fe6be30a44b8e68247154baa2 |
| SHA1 | 52835eff4a689a3eb9cfbc37cad3438c63a02e99 |
| SHA256 | 2356f3284b122d0f4c30c38c474d24d225254997489ec30f36f9fa65c8d2685f |
| SHA512 | 6578fe5d275d7b51a11b931fc6e70f8b09fb7ab412e6a7eaad476caf66baf2a5ccd1f991d858705dbf9a1f43cb2acc6ab9706bd7e6e4c45f9b8db93afe1ff9d3 |
memory/308-23-0x0000000000400000-0x0000000000442000-memory.dmp
memory/308-24-0x0000000000400000-0x0000000000442000-memory.dmp
memory/308-26-0x0000000000400000-0x0000000000442000-memory.dmp
memory/308-20-0x0000000000400000-0x0000000000442000-memory.dmp
memory/308-18-0x0000000000400000-0x0000000000442000-memory.dmp
memory/308-16-0x0000000000400000-0x0000000000442000-memory.dmp
memory/308-14-0x0000000000400000-0x0000000000442000-memory.dmp
memory/308-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1992-29-0x00000000747C0000-0x0000000074EAE000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240426-en
Max time kernel
126s
Max time network
109s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54.exe
"C:\Users\Admin\AppData\Local\Temp\ea6ec9be3aea67056e4564a9b3ce8d6e92eda54db32e710043de98d7d65ffd54.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | simesmile.xyz | udp |
| US | 8.8.8.8:53 | gapi-node.io | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240508-en
Max time kernel
106s
Max time network
117s
Command Line
Signatures
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2748 set thread context of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe
"C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe"
C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe
"C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp |
Files
\Users\Admin\AppData\Local\Temp\nst5A80.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
memory/2748-11-0x0000000077131000-0x0000000077232000-memory.dmp
memory/2748-12-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/2656-13-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/2656-14-0x00000000726B0000-0x0000000073712000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240215-en
Max time kernel
145s
Max time network
156s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0.exe
"C:\Users\Admin\AppData\Local\Temp\e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | finecare.lk | udp |
Files
memory/2024-0-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/2024-1-0x0000000000F00000-0x0000000000F1A000-memory.dmp
memory/2024-2-0x00000000746D0000-0x0000000074DBE000-memory.dmp
memory/2024-3-0x00000000746DE000-0x00000000746DF000-memory.dmp
memory/2024-4-0x00000000746D0000-0x0000000074DBE000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
151s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0.exe
"C:\Users\Admin\AppData\Local\Temp\e1051e77a093d4fd5c81b43914bff83dce8662374f1c7e4b3a082ce2094870c0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | finecare.lk | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
memory/4368-0-0x000000007461E000-0x000000007461F000-memory.dmp
memory/4368-1-0x0000000000A80000-0x0000000000A9A000-memory.dmp
memory/4368-2-0x0000000074610000-0x0000000074DC0000-memory.dmp
memory/4368-3-0x000000007461E000-0x000000007461F000-memory.dmp
memory/4368-4-0x0000000074610000-0x0000000074DC0000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240419-en
Max time kernel
119s
Max time network
130s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\eqGrE = "C:\\Users\\Admin\\AppData\\Roaming\\eqGrE\\eqGrE.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1680 set thread context of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe
"C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YxTQbd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YxTQbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
Files
memory/1680-0-0x000000007450E000-0x000000007450F000-memory.dmp
memory/1680-1-0x00000000003E0000-0x0000000000488000-memory.dmp
memory/1680-2-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/1680-3-0x0000000000530000-0x0000000000544000-memory.dmp
memory/1680-4-0x000000007450E000-0x000000007450F000-memory.dmp
memory/1680-5-0x0000000074500000-0x0000000074BEE000-memory.dmp
memory/1680-6-0x0000000000660000-0x000000000066E000-memory.dmp
memory/1680-7-0x0000000005E90000-0x0000000005F0C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDF48.tmp
| MD5 | 6ee9a4894bae06bbab41bcb1b524d471 |
| SHA1 | 1d760750a9c2c6d596ffed29dfaadf9e3d992ba8 |
| SHA256 | c6e13f06a369177ab41c563d094d338aed87aad4323f9f4caf57f82b8c631511 |
| SHA512 | 636f48e2fc1f86b1f3e9a6db903e99592f0078f056b3f765c2e9bb516f433fd5b425924c1b1542b47feb0eccc5c78f13e56c794b2912e47362335e4232fadac3 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N7O9MPNXF1K6PC7BB8DE.temp
| MD5 | 2dd29ee64c11a0c5597b93381961930e |
| SHA1 | 2f55c3258590548801e682fadcbd330763b7fdc5 |
| SHA256 | 3f7ed67e08601af70023fa4ea2331ef0ff9f9441cb24cbcdd0d32a177deebe68 |
| SHA512 | 06ae01aff0bb29759a1b19d43c40bec669d996a8c407239cd5e826bf40a526746871404923ee6fb0d3394b8871267392eb28c4db1114cb47805a4944f979227e |
memory/2588-20-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2588-26-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2588-29-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2588-32-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2588-30-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2588-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2588-24-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2588-22-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1680-33-0x0000000074500000-0x0000000074BEE000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240508-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eqGrE = "C:\\Users\\Admin\\AppData\\Roaming\\eqGrE\\eqGrE.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2424 set thread context of 3204 | N/A | C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe
"C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e5370d47a36c3b7af18e4c8e1adb4a08f18bf9ee424f821ccfd585dfb7c111e0.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YxTQbd.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YxTQbd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2E7D.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
memory/2424-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/2424-1-0x00000000009F0000-0x0000000000A98000-memory.dmp
memory/2424-2-0x0000000005850000-0x0000000005DF4000-memory.dmp
memory/2424-3-0x0000000005380000-0x0000000005412000-memory.dmp
memory/2424-4-0x0000000005360000-0x000000000536A000-memory.dmp
memory/2424-5-0x00000000056A0000-0x000000000573C000-memory.dmp
memory/2424-6-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2424-7-0x00000000055D0000-0x00000000055E4000-memory.dmp
memory/2424-8-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/2424-9-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2424-10-0x0000000005680000-0x000000000568E000-memory.dmp
memory/2424-11-0x0000000007EC0000-0x0000000007F3C000-memory.dmp
memory/4216-16-0x0000000002800000-0x0000000002836000-memory.dmp
memory/4216-17-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4216-18-0x0000000005390000-0x00000000059B8000-memory.dmp
memory/4216-19-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/892-20-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/892-21-0x0000000074C90000-0x0000000075440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp2E7D.tmp
| MD5 | a00f9ba36d362b2f675e98685effae94 |
| SHA1 | f26bbe1150618ea5f59da021b51cab576889f6da |
| SHA256 | 96dfae6f2b588336ccd390b3a0da5751e4ac34a3087ccc5a50c7004c91ff57b4 |
| SHA512 | 73408f009b37a08ca4ebfe0876ff7165e8af458f4e06045ece3635adc9a9705162b5b5b1bc7831acec30ca9ccc5e2bcafb2f18ff5d8b4e2dc1f5042f9aebd49b |
memory/4216-25-0x0000000005AA0000-0x0000000005B06000-memory.dmp
memory/4216-24-0x0000000005A30000-0x0000000005A96000-memory.dmp
memory/4216-23-0x0000000005330000-0x0000000005352000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2bbrn3kw.v4h.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4216-26-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/3204-47-0x0000000000400000-0x0000000000442000-memory.dmp
memory/892-37-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4216-36-0x0000000005C10000-0x0000000005F64000-memory.dmp
memory/4216-49-0x00000000060E0000-0x00000000060FE000-memory.dmp
memory/4216-50-0x0000000006190000-0x00000000061DC000-memory.dmp
memory/2424-51-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/4216-52-0x00000000070A0000-0x00000000070D2000-memory.dmp
memory/4216-53-0x0000000070200000-0x000000007024C000-memory.dmp
memory/892-62-0x0000000070200000-0x000000007024C000-memory.dmp
memory/892-73-0x00000000079E0000-0x00000000079FE000-memory.dmp
memory/892-74-0x0000000007A10000-0x0000000007AB3000-memory.dmp
memory/4216-75-0x0000000007A80000-0x00000000080FA000-memory.dmp
memory/4216-76-0x0000000007430000-0x000000000744A000-memory.dmp
memory/892-77-0x0000000007BC0000-0x0000000007BCA000-memory.dmp
memory/892-78-0x0000000007DD0000-0x0000000007E66000-memory.dmp
memory/4216-79-0x0000000007630000-0x0000000007641000-memory.dmp
memory/3204-81-0x0000000005ED0000-0x0000000005F20000-memory.dmp
memory/4216-82-0x0000000007660000-0x000000000766E000-memory.dmp
memory/4216-83-0x0000000007670000-0x0000000007684000-memory.dmp
memory/4216-84-0x0000000007770000-0x000000000778A000-memory.dmp
memory/4216-85-0x0000000007750000-0x0000000007758000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5a889bb218d2dc61b92b4813efba879d |
| SHA1 | e59c5dbcd8aa27f1d681ea1ce03b4fcbcdd644ef |
| SHA256 | 758164b6a9845ab6cd2dc72a2f68095ef157348824cc877ebd0b0caa4ba787a4 |
| SHA512 | 36c67023ac9e9454749ba83b4f617d2cade085f7f88d0cdfc8c9bd85c9575934bec0d3fa82a86da1f59fd5b1ca5087a619d5965f0996f3d5f7b483c8a60adf94 |
memory/4216-92-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/892-91-0x0000000074C90000-0x0000000075440000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240508-en
Max time kernel
88s
Max time network
102s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3564 set thread context of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe
"C:\Users\Admin\AppData\Local\Temp\e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe"
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
"C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe"
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
"C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe"
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1028 -ip 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 80
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
| MD5 | 3ffae71fdf23a86018fdf1e1b846eb2d |
| SHA1 | 4d8aaffca026d3a0336d996c21ae392022fcb00c |
| SHA256 | 5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15 |
| SHA512 | 676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b |
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
| MD5 | 39900a5f5037440f1380eb5efbdbd70d |
| SHA1 | c661153d06c90c848694819095de0e57bc1bef25 |
| SHA256 | ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0 |
| SHA512 | 19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376 |
memory/3564-21-0x000000007328E000-0x000000007328F000-memory.dmp
memory/3564-24-0x00000000008A0000-0x00000000008F2000-memory.dmp
memory/3564-25-0x0000000007590000-0x00000000075DA000-memory.dmp
memory/3564-26-0x00000000052B0000-0x000000000534C000-memory.dmp
memory/3564-27-0x0000000073280000-0x0000000073A30000-memory.dmp
memory/3564-30-0x0000000073280000-0x0000000073A30000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240508-en
Max time kernel
134s
Max time network
154s
Command Line
Signatures
AsyncRat
Processes
C:\Users\Admin\AppData\Local\Temp\de558a924a89a755f2d660f864d164c81e62ddf7da400fe771c0febbe1858aa1.exe
"C:\Users\Admin\AppData\Local\Temp\de558a924a89a755f2d660f864d164c81e62ddf7da400fe771c0febbe1858aa1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4Mekey.myftp.biz | udp |
| US | 192.227.228.34:7707 | 4Mekey.myftp.biz | tcp |
| US | 192.227.228.34:7707 | 4Mekey.myftp.biz | tcp |
| US | 192.227.228.34:7707 | 4Mekey.myftp.biz | tcp |
| US | 8.8.8.8:53 | 4Mekey.myftp.biz | udp |
| US | 192.227.228.34:6606 | 4Mekey.myftp.biz | tcp |
| US | 192.227.228.34:7707 | 4Mekey.myftp.biz | tcp |
| US | 192.227.228.34:8808 | 4Mekey.myftp.biz | tcp |
Files
memory/1548-0-0x00000000744FE000-0x00000000744FF000-memory.dmp
memory/1548-1-0x00000000000F0000-0x0000000000102000-memory.dmp
memory/1548-2-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/1548-3-0x00000000744F0000-0x0000000074BDE000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:27
Platform
win10v2004-20240508-en
Max time kernel
82s
Max time network
99s
Command Line
Signatures
AsyncRat
Processes
C:\Users\Admin\AppData\Local\Temp\de558a924a89a755f2d660f864d164c81e62ddf7da400fe771c0febbe1858aa1.exe
"C:\Users\Admin\AppData\Local\Temp\de558a924a89a755f2d660f864d164c81e62ddf7da400fe771c0febbe1858aa1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4Mekey.myftp.biz | udp |
| US | 192.227.228.34:8808 | 4Mekey.myftp.biz | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 192.227.228.34:6606 | 4Mekey.myftp.biz | tcp |
| US | 192.227.228.34:8808 | 4Mekey.myftp.biz | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4Mekey.myftp.biz | udp |
| US | 192.227.228.34:7707 | 4Mekey.myftp.biz | tcp |
Files
memory/1080-0-0x0000000074EEE000-0x0000000074EEF000-memory.dmp
memory/1080-1-0x00000000002F0000-0x0000000000302000-memory.dmp
memory/1080-2-0x0000000074EE0000-0x0000000075690000-memory.dmp
memory/1080-3-0x0000000074EEE000-0x0000000074EEF000-memory.dmp
memory/1080-4-0x0000000074EE0000-0x0000000075690000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240221-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e4d72d8ddc51c3881aac8e689eeb381b4c97a87cf7dc973c97e5fe35feaa80a8.exe
"C:\Users\Admin\AppData\Local\Temp\e4d72d8ddc51c3881aac8e689eeb381b4c97a87cf7dc973c97e5fe35feaa80a8.exe"
Network
Files
memory/2944-1-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2944-3-0x0000000000400000-0x0000000000453000-memory.dmp
memory/2944-2-0x00000000013D0000-0x0000000001420000-memory.dmp
memory/2944-5-0x0000000000400000-0x00000000013C3000-memory.dmp
memory/2944-4-0x0000000005840000-0x00000000058A6000-memory.dmp
memory/2944-6-0x00000000058A0000-0x0000000005902000-memory.dmp
memory/2944-7-0x0000000000400000-0x00000000013C3000-memory.dmp
memory/2944-8-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240508-en
Max time kernel
138s
Max time network
160s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\e4d72d8ddc51c3881aac8e689eeb381b4c97a87cf7dc973c97e5fe35feaa80a8.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e4d72d8ddc51c3881aac8e689eeb381b4c97a87cf7dc973c97e5fe35feaa80a8.exe
"C:\Users\Admin\AppData\Local\Temp\e4d72d8ddc51c3881aac8e689eeb381b4c97a87cf7dc973c97e5fe35feaa80a8.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1148 -ip 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 1180
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/1148-1-0x00000000015D0000-0x00000000016D0000-memory.dmp
memory/1148-3-0x0000000000400000-0x0000000000453000-memory.dmp
memory/1148-2-0x0000000001550000-0x00000000015A0000-memory.dmp
memory/1148-4-0x0000000003590000-0x00000000035F6000-memory.dmp
memory/1148-5-0x0000000000400000-0x00000000013C3000-memory.dmp
memory/1148-6-0x0000000005CD0000-0x0000000006274000-memory.dmp
memory/1148-7-0x0000000006280000-0x00000000062E2000-memory.dmp
memory/1148-8-0x00000000062E0000-0x0000000006372000-memory.dmp
memory/1148-10-0x0000000000400000-0x00000000013C3000-memory.dmp
memory/1148-11-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
164s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3108 set thread context of 2680 | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
"C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe"
C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
"C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/3108-0-0x000000007453E000-0x000000007453F000-memory.dmp
memory/3108-1-0x0000000000C70000-0x0000000000D10000-memory.dmp
memory/3108-2-0x0000000005D60000-0x0000000006304000-memory.dmp
memory/3108-3-0x0000000005700000-0x0000000005792000-memory.dmp
memory/3108-4-0x00000000057C0000-0x00000000057CA000-memory.dmp
memory/3108-5-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3108-6-0x0000000005A70000-0x0000000005A8A000-memory.dmp
memory/3108-7-0x000000007453E000-0x000000007453F000-memory.dmp
memory/3108-8-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3108-9-0x0000000006B70000-0x0000000006B7A000-memory.dmp
memory/3108-10-0x0000000006F40000-0x0000000006FBC000-memory.dmp
memory/3108-11-0x0000000009590000-0x000000000962C000-memory.dmp
memory/2680-12-0x0000000000400000-0x0000000000442000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/2680-15-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/3108-16-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/2680-17-0x0000000074530000-0x0000000074CE0000-memory.dmp
memory/2680-18-0x0000000005620000-0x0000000005686000-memory.dmp
memory/2680-19-0x0000000006B10000-0x0000000006B60000-memory.dmp
memory/2680-20-0x0000000074530000-0x0000000074CE0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:27
Platform
win7-20240508-en
Max time kernel
65s
Max time network
77s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe
"C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -U -s .\Z3UQNGA5.78
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | r0z.pw | udp |
| NL | 5.79.71.225:80 | r0z.pw | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Z3UQNGA5.78
| MD5 | 5dfcb241b7de6db07e66f74011f5da37 |
| SHA1 | 399c362ae5ccf758ecabbc9ec71a8b653d86186d |
| SHA256 | 0874659ed8ac8d80c4b54db37480af6563009eaaf6dec8dde14c18119516149c |
| SHA512 | 86cacba0f897499ec8120435241685cdd260875ff57b1a8dbf16122d9f2d7ec38c798df1f1dda738813bfd5a332c40d10eff5a06319f35b1ea6dd51a36d6266b |
memory/2068-4-0x0000000002390000-0x00000000025B2000-memory.dmp
memory/2068-5-0x0000000002390000-0x00000000025B2000-memory.dmp
memory/2068-8-0x00000000025C0000-0x00000000026BD000-memory.dmp
memory/2068-9-0x0000000000A40000-0x0000000000B25000-memory.dmp
memory/2068-12-0x0000000000A40000-0x0000000000B25000-memory.dmp
memory/2068-13-0x0000000002390000-0x00000000025B2000-memory.dmp
memory/2068-16-0x0000000000A40000-0x0000000000B25000-memory.dmp
memory/2068-17-0x0000000002A30000-0x0000000004B05000-memory.dmp
memory/2068-18-0x0000000004B10000-0x0000000004BE6000-memory.dmp
memory/2068-19-0x0000000004BF0000-0x0000000004CC9000-memory.dmp
memory/2068-20-0x0000000004BF0000-0x0000000004CC9000-memory.dmp
memory/2068-22-0x0000000004BF0000-0x0000000004CC9000-memory.dmp
memory/2068-23-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2068-24-0x0000000000150000-0x0000000000154000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
159s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2360 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2360 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2360 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe
"C:\Users\Admin\AppData\Local\Temp\d92b5b079600e4b7db2b17374ce0f2e20e077a28f9275c5054b857de09377745.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -U /s 883c9DGW.5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r0z.pw | udp |
| NL | 5.79.71.205:80 | r0z.pw | tcp |
| US | 8.8.8.8:53 | 205.71.79.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\883c9DGW.5
| MD5 | bc2c32e53a85a89cf9e3328a980a1c37 |
| SHA1 | fcbfe0bce8b255df14fe911a05a43aa23b22d710 |
| SHA256 | 3e1118bbc0450d6def003c209962eb29d2f7622b578c94089b7023786fecfb97 |
| SHA512 | 0c1de5c89e3f026287ad96f08a7e4e9973b4ce95efa516135ddd00df40611cc4d8c7234d95422ee5e8794a83b60a6bf22b6ed88b09807fdc2290ac087b8dd440 |
memory/2044-4-0x0000000000400000-0x0000000000619000-memory.dmp
memory/2044-6-0x0000000002B20000-0x0000000002B26000-memory.dmp
memory/2044-7-0x0000000002B30000-0x0000000002C2C000-memory.dmp
memory/2044-8-0x0000000002F90000-0x0000000003073000-memory.dmp
memory/2044-11-0x0000000002F90000-0x0000000003073000-memory.dmp
memory/2044-12-0x0000000000400000-0x0000000000619000-memory.dmp
memory/2044-13-0x0000000002F90000-0x0000000003073000-memory.dmp
memory/2044-14-0x0000000003080000-0x0000000004351000-memory.dmp
memory/2044-15-0x0000000004360000-0x0000000004437000-memory.dmp
memory/2044-16-0x0000000004440000-0x000000000451C000-memory.dmp
memory/2044-19-0x0000000004440000-0x000000000451C000-memory.dmp
memory/2044-20-0x0000000000CE0000-0x0000000000CE1000-memory.dmp
memory/2044-21-0x0000000000CF0000-0x0000000000CF4000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
161s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad.exe
"C:\Users\Admin\AppData\Local\Temp\e57bff75d5dff87a5a965e50d9acdfb8237419c14a102b78493d893e11b1adad.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | files.catbox.moe | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 37.20.181.108.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | files.catbox.moe | tcp |
| US | 108.181.20.37:443 | tcp | |
| US | 108.181.20.37:443 | tcp |
Files
memory/5028-0-0x000000007501E000-0x000000007501F000-memory.dmp
memory/5028-2-0x0000000005EF0000-0x0000000006494000-memory.dmp
memory/5028-1-0x0000000000E60000-0x0000000000E6C000-memory.dmp
memory/5028-3-0x0000000005850000-0x00000000058E2000-memory.dmp
memory/5028-4-0x00000000058F0000-0x00000000058FA000-memory.dmp
memory/5028-5-0x0000000075010000-0x00000000757C0000-memory.dmp
memory/5028-6-0x000000007501E000-0x000000007501F000-memory.dmp
memory/5028-7-0x0000000075010000-0x00000000757C0000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240220-en
Max time kernel
120s
Max time network
153s
Command Line
Signatures
AgentTesla
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3040 set thread context of 2376 | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
"C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe"
C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
"C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe"
C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe
"C:\Users\Admin\AppData\Local\Temp\e65128450ff1d82705658fe9599d02d0f3b3500542c156eff284e64d80a24dea.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
Files
memory/3040-0-0x00000000742AE000-0x00000000742AF000-memory.dmp
memory/3040-1-0x0000000000210000-0x00000000002B0000-memory.dmp
memory/3040-2-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/3040-3-0x0000000000700000-0x000000000071A000-memory.dmp
memory/3040-4-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/3040-5-0x0000000000730000-0x000000000073A000-memory.dmp
memory/3040-6-0x0000000005660000-0x00000000056DC000-memory.dmp
memory/2376-7-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2376-21-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2376-19-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2376-17-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2376-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2376-13-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2376-11-0x0000000000400000-0x0000000000442000-memory.dmp
memory/2376-9-0x0000000000400000-0x0000000000442000-memory.dmp
memory/3040-24-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2376-22-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2376-23-0x00000000742A0000-0x000000007498E000-memory.dmp
memory/2376-25-0x00000000742A0000-0x000000007498E000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240221-en
Max time kernel
15s
Max time network
34s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe
"C:\Users\Admin\AppData\Local\Temp\e91296156cd506f7a152db4e4beac1c56ce03676f16db637c97cd135038409ff.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /u /S J9SMW.NXS
Network
Files
C:\Users\Admin\AppData\Local\Temp\J9SMW.NXS
| MD5 | e53a4ae918b729caeeef26f1fb762c2c |
| SHA1 | 689e76a00d4d4957d63823b873f5277f6c8d0eb2 |
| SHA256 | 0b18993e39094c2f85590ac4abcac3539bcf3f28d1e4c291567860992977459c |
| SHA512 | 919bd69b5eeb76e8a20b52d01b2df760a044610fafd336a22493cb707e28eab28308524dc9cc7e21ae5d3d0d08c68b9d13d5f5c8ad380e3648c27b3c9fd5c5c3 |
memory/2608-4-0x0000000001EE0000-0x00000000020F8000-memory.dmp
memory/2608-5-0x0000000001EE0000-0x00000000020F8000-memory.dmp
memory/2608-7-0x00000000024D0000-0x00000000025CC000-memory.dmp
memory/2608-11-0x00000000025D0000-0x00000000026B3000-memory.dmp
memory/2608-8-0x00000000025D0000-0x00000000026B3000-memory.dmp
memory/2608-12-0x00000000025D0000-0x00000000026B3000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:29
Platform
win10v2004-20240426-en
Max time kernel
146s
Max time network
154s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5028 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5028 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5028 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe
"C:\Users\Admin\AppData\Local\Temp\d7deda9897282437fa0da638c09ce0a66a147d6c0ff6e05e5694eff45072a48d.exe"
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" -U -s .\Z3UQNGA5.78
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | r0z.pw | udp |
| NL | 85.17.31.122:80 | r0z.pw | tcp |
| US | 8.8.8.8:53 | 122.31.17.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.229.48:443 | tcp | |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.197.79.40.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Z3UQNGA5.78
| MD5 | 5dfcb241b7de6db07e66f74011f5da37 |
| SHA1 | 399c362ae5ccf758ecabbc9ec71a8b653d86186d |
| SHA256 | 0874659ed8ac8d80c4b54db37480af6563009eaaf6dec8dde14c18119516149c |
| SHA512 | 86cacba0f897499ec8120435241685cdd260875ff57b1a8dbf16122d9f2d7ec38c798df1f1dda738813bfd5a332c40d10eff5a06319f35b1ea6dd51a36d6266b |
memory/4292-4-0x0000000000400000-0x0000000000622000-memory.dmp
memory/4292-5-0x0000000001040000-0x0000000001046000-memory.dmp
memory/4292-7-0x0000000002E30000-0x0000000002F2D000-memory.dmp
memory/4292-8-0x0000000002F30000-0x0000000003015000-memory.dmp
memory/4292-11-0x0000000002F30000-0x0000000003015000-memory.dmp
memory/4292-12-0x0000000000400000-0x0000000000622000-memory.dmp
memory/4292-16-0x0000000002F30000-0x0000000003015000-memory.dmp
memory/4292-17-0x0000000003020000-0x00000000050F5000-memory.dmp
memory/4292-18-0x0000000005100000-0x00000000051D6000-memory.dmp
memory/4292-19-0x00000000051E0000-0x00000000052B9000-memory.dmp
memory/4292-20-0x00000000051E0000-0x00000000052B9000-memory.dmp
memory/4292-22-0x00000000051E0000-0x00000000052B9000-memory.dmp
memory/4292-23-0x0000000000E40000-0x0000000000E41000-memory.dmp
memory/4292-24-0x0000000000E50000-0x0000000000E54000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
151s
Command Line
Signatures
Checks QEMU agent file
| Description | Indicator | Process | Target |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
| File opened (read-only) | C:\Program Files\Qemu-ga\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1548 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe |
Enumerates physical storage devices
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe
"C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe"
C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe
"C:\Users\Admin\AppData\Local\Temp\d80d51404cf247d308a927c553201bffc89b06d8ff1c2590e031f46476671c20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 172.93.187.72:80 | tcp | |
| US | 52.111.229.43:443 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 172.93.187.72:80 | tcp | |
| US | 8.8.8.8:53 | 90.16.208.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsf9480.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
memory/1548-10-0x0000000076FE1000-0x0000000077101000-memory.dmp
memory/1548-11-0x0000000073E45000-0x0000000073E46000-memory.dmp
memory/1784-12-0x0000000077068000-0x0000000077069000-memory.dmp
memory/1784-13-0x0000000077085000-0x0000000077086000-memory.dmp
memory/1784-14-0x0000000072940000-0x0000000073B94000-memory.dmp
memory/1784-16-0x0000000076FE1000-0x0000000077101000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240221-en
Max time kernel
67s
Max time network
78s
Command Line
Signatures
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2900 set thread context of 2196 | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe
"C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe"
C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe
"C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
Files
memory/2900-0-0x0000000074A4E000-0x0000000074A4F000-memory.dmp
memory/2900-1-0x0000000000C30000-0x0000000000CE8000-memory.dmp
memory/2900-2-0x0000000074A40000-0x000000007512E000-memory.dmp
memory/2900-3-0x00000000006D0000-0x00000000006EA000-memory.dmp
memory/2900-4-0x0000000074A4E000-0x0000000074A4F000-memory.dmp
memory/2900-5-0x0000000074A40000-0x000000007512E000-memory.dmp
memory/2900-6-0x0000000000800000-0x000000000080A000-memory.dmp
memory/2900-7-0x0000000005070000-0x00000000050EA000-memory.dmp
memory/2196-8-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-14-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2196-11-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-10-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-9-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-18-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-16-0x0000000000400000-0x0000000000440000-memory.dmp
memory/2196-19-0x0000000074A40000-0x000000007512E000-memory.dmp
memory/2900-20-0x0000000074A40000-0x000000007512E000-memory.dmp
memory/2196-21-0x0000000074A40000-0x000000007512E000-memory.dmp
memory/2196-22-0x0000000074A40000-0x000000007512E000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
161s
Command Line
Signatures
AgentTesla
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MmRKwR = "C:\\Users\\Admin\\AppData\\Roaming\\MmRKwR\\MmRKwR.exe" | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3180 set thread context of 3568 | N/A | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HbNtXpFugh.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HbNtXpFugh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E60.tmp"
C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe
"C:\Users\Admin\AppData\Local\Temp\e1ae0e66e2ad4ee07faec69a41c3aaf6982e5a5c6fe9af7403310c43519227be.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
Files
memory/3180-0-0x000000007483E000-0x000000007483F000-memory.dmp
memory/3180-1-0x00000000007B0000-0x0000000000872000-memory.dmp
memory/3180-2-0x00000000056E0000-0x0000000005C84000-memory.dmp
memory/3180-3-0x00000000051D0000-0x0000000005262000-memory.dmp
memory/3180-4-0x0000000005140000-0x000000000514A000-memory.dmp
memory/3180-5-0x0000000005450000-0x00000000054EC000-memory.dmp
memory/3180-6-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/3180-7-0x0000000005440000-0x0000000005456000-memory.dmp
memory/3180-8-0x000000007483E000-0x000000007483F000-memory.dmp
memory/3180-9-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/3180-10-0x00000000056C0000-0x00000000056CC000-memory.dmp
memory/3180-11-0x0000000006710000-0x000000000671E000-memory.dmp
memory/3180-12-0x0000000008120000-0x000000000819C000-memory.dmp
memory/4508-17-0x0000000002600000-0x0000000002636000-memory.dmp
memory/4508-19-0x0000000074830000-0x0000000074FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp1E60.tmp
| MD5 | 72140d676003467fcd6da6d027265366 |
| SHA1 | db43b55ff7c939c219c2799cf9fc3cf16cd28c4d |
| SHA256 | a3b9c1f21ec9e5acc8772849491e28a91245c39f2db3df225d5209a933e969b9 |
| SHA512 | 1ded22803e98f524d2b8bd41641bf8a4a17731465c07004dbfeffecea57d0bf2a59845548cd2bc3e272456077ac8ca6fff2df2d8524247b4be7492fb842ac654 |
memory/4508-20-0x0000000005100000-0x0000000005728000-memory.dmp
memory/4508-21-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/4508-22-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/4508-25-0x0000000005810000-0x0000000005876000-memory.dmp
memory/4508-24-0x0000000005730000-0x0000000005796000-memory.dmp
memory/3568-26-0x0000000000400000-0x0000000000442000-memory.dmp
memory/4508-23-0x0000000004F30000-0x0000000004F52000-memory.dmp
memory/4508-37-0x00000000058F0000-0x0000000005C44000-memory.dmp
memory/3180-39-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/3568-38-0x0000000074830000-0x0000000074FE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0tlszui0.4k1.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4508-40-0x0000000005EE0000-0x0000000005EFE000-memory.dmp
memory/4508-41-0x0000000005FA0000-0x0000000005FEC000-memory.dmp
memory/4508-42-0x00000000070C0000-0x00000000070F2000-memory.dmp
memory/4508-43-0x00000000750E0000-0x000000007512C000-memory.dmp
memory/4508-53-0x00000000064A0000-0x00000000064BE000-memory.dmp
memory/4508-54-0x0000000007100000-0x00000000071A3000-memory.dmp
memory/4508-56-0x0000000007860000-0x0000000007EDA000-memory.dmp
memory/4508-57-0x0000000007220000-0x000000000723A000-memory.dmp
memory/4508-58-0x0000000007290000-0x000000000729A000-memory.dmp
memory/3568-59-0x00000000065C0000-0x0000000006610000-memory.dmp
memory/4508-60-0x00000000074A0000-0x0000000007536000-memory.dmp
memory/4508-61-0x0000000007420000-0x0000000007431000-memory.dmp
memory/4508-62-0x0000000007450000-0x000000000745E000-memory.dmp
memory/4508-63-0x0000000007460000-0x0000000007474000-memory.dmp
memory/4508-64-0x0000000007560000-0x000000000757A000-memory.dmp
memory/4508-65-0x0000000007540000-0x0000000007548000-memory.dmp
memory/4508-68-0x0000000074830000-0x0000000074FE0000-memory.dmp
memory/3568-69-0x0000000074830000-0x0000000074FE0000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240221-en
Max time kernel
122s
Max time network
132s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe
"C:\Users\Admin\AppData\Local\Temp\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | phonevronlene.xyz | udp |
| US | 8.8.8.8:53 | gapi-node.io | udp |
Files
memory/3000-35-0x0000000000160000-0x0000000000161000-memory.dmp
memory/3000-39-0x0000000000DC0000-0x0000000001882000-memory.dmp
memory/3000-36-0x0000000000DC0000-0x0000000001882000-memory.dmp
memory/3000-33-0x0000000000160000-0x0000000000161000-memory.dmp
memory/3000-31-0x0000000000160000-0x0000000000161000-memory.dmp
memory/3000-30-0x0000000000E37000-0x00000000011C3000-memory.dmp
memory/3000-29-0x0000000000150000-0x0000000000151000-memory.dmp
memory/3000-27-0x0000000000150000-0x0000000000151000-memory.dmp
memory/3000-24-0x0000000000140000-0x0000000000141000-memory.dmp
memory/3000-22-0x0000000000140000-0x0000000000141000-memory.dmp
memory/3000-19-0x0000000000130000-0x0000000000131000-memory.dmp
memory/3000-17-0x0000000000130000-0x0000000000131000-memory.dmp
memory/3000-14-0x0000000000120000-0x0000000000121000-memory.dmp
memory/3000-12-0x0000000000120000-0x0000000000121000-memory.dmp
memory/3000-9-0x0000000000110000-0x0000000000111000-memory.dmp
memory/3000-7-0x0000000000110000-0x0000000000111000-memory.dmp
memory/3000-5-0x0000000000110000-0x0000000000111000-memory.dmp
memory/3000-4-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/3000-2-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/3000-0-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/3000-40-0x0000000000E37000-0x00000000011C3000-memory.dmp
memory/3000-41-0x0000000000DC0000-0x0000000001882000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
160s
Command Line
Signatures
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2412 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe
"C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe"
C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe
"C:\Users\Admin\AppData\Local\Temp\d8a40fff2ed2312089771a05fd488f25b3a0c4805354a765793e0c70d5412076.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
memory/2412-0-0x000000007495E000-0x000000007495F000-memory.dmp
memory/2412-1-0x0000000000330000-0x00000000003E8000-memory.dmp
memory/2412-2-0x00000000053E0000-0x0000000005984000-memory.dmp
memory/2412-3-0x0000000004E30000-0x0000000004EC2000-memory.dmp
memory/2412-4-0x0000000004DF0000-0x0000000004DFA000-memory.dmp
memory/2412-5-0x0000000004E00000-0x0000000004E1A000-memory.dmp
memory/2412-6-0x0000000074950000-0x0000000075100000-memory.dmp
memory/2412-7-0x000000007495E000-0x000000007495F000-memory.dmp
memory/2412-8-0x0000000074950000-0x0000000075100000-memory.dmp
memory/2412-9-0x0000000005010000-0x000000000501A000-memory.dmp
memory/2412-10-0x0000000005D90000-0x0000000005E0A000-memory.dmp
memory/2412-11-0x0000000008360000-0x00000000083FC000-memory.dmp
memory/1784-12-0x0000000000400000-0x0000000000440000-memory.dmp
memory/1784-14-0x0000000074950000-0x0000000075100000-memory.dmp
memory/2412-15-0x0000000074950000-0x0000000075100000-memory.dmp
memory/1784-16-0x0000000074950000-0x0000000075100000-memory.dmp
memory/1784-17-0x0000000006680000-0x00000000066D0000-memory.dmp
memory/1784-18-0x00000000068A0000-0x0000000006A62000-memory.dmp
memory/1784-19-0x0000000074950000-0x0000000075100000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
161s
Command Line
Signatures
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Processes
C:\Users\Admin\AppData\Local\Temp\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe
"C:\Users\Admin\AppData\Local\Temp\e4d5b043f5c9e0894a5f4a21c93cd7347a609a900da8f56f55a0dd84269e81f1.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | phonevronlene.xyz | udp |
| US | 8.8.8.8:53 | gapi-node.io | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
memory/4420-2-0x0000000001920000-0x0000000001921000-memory.dmp
memory/4420-6-0x0000000001980000-0x0000000001981000-memory.dmp
memory/4420-5-0x0000000001970000-0x0000000001971000-memory.dmp
memory/4420-4-0x0000000001960000-0x0000000001961000-memory.dmp
memory/4420-7-0x0000000001990000-0x0000000001991000-memory.dmp
memory/4420-3-0x0000000001950000-0x0000000001951000-memory.dmp
memory/4420-1-0x00000000008F7000-0x0000000000C83000-memory.dmp
memory/4420-0-0x0000000001910000-0x0000000001911000-memory.dmp
memory/4420-10-0x0000000000880000-0x0000000001342000-memory.dmp
memory/4420-12-0x0000000000880000-0x0000000001342000-memory.dmp
memory/4420-13-0x00000000008F7000-0x0000000000C83000-memory.dmp
memory/4420-14-0x0000000000880000-0x0000000001342000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:27
Platform
win7-20240508-en
Max time kernel
122s
Max time network
131s
Command Line
Signatures
Lokibot
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2652 set thread context of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe
"C:\Users\Admin\AppData\Local\Temp\e800a3ce2466445ee0414d5eeb436cbc23c580fd8eae4c61e6f092bf3f2992c8.exe"
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
"C:\Users\Admin\AppData\Local\Temp\AhmetOdem.exe"
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
"C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
C:\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | fiorentcamcycle.redirectme.net | udp |
Files
\Users\Admin\AppData\Local\Temp\AhmetOdem.exe
| MD5 | 3ffae71fdf23a86018fdf1e1b846eb2d |
| SHA1 | 4d8aaffca026d3a0336d996c21ae392022fcb00c |
| SHA256 | 5e97214323f0f0b4ca064cce70fcff18e77da7a332bbf78ae811e3a317433b15 |
| SHA512 | 676642223a51258665a981e043a31b929a0b0b39b6c0c7f5d0d109d1da01d7c84426b00f74ca919e5763e155c952018a3fbf10c888c19077b6eccbacec1b9a7b |
\Users\Admin\AppData\Local\Temp\Ahmetoiuv.exe
| MD5 | 39900a5f5037440f1380eb5efbdbd70d |
| SHA1 | c661153d06c90c848694819095de0e57bc1bef25 |
| SHA256 | ddc83d9bbced158709a73d681d451da0d26e861986d1ecf1d53f65d9994bb4c0 |
| SHA512 | 19491d2cf7f7ff796c3b237d8952faa843c8c1016553df60593c853513d856ab12d1f4acb68d4d45b9889c945053c2337b2e04829a4577437c793bf5456a7376 |
memory/2652-32-0x0000000000E20000-0x0000000000E72000-memory.dmp
memory/2764-33-0x0000000002460000-0x0000000002462000-memory.dmp
memory/2728-34-0x0000000000130000-0x0000000000132000-memory.dmp
memory/2652-35-0x0000000000460000-0x00000000004AA000-memory.dmp
memory/2936-37-0x0000000000400000-0x00000000004A2000-memory.dmp
memory/2936-39-0x0000000000400000-0x00000000004A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AhmetOdem.jpg
| MD5 | d012e63ffee27b2f473ec4b0e89080b8 |
| SHA1 | 7e7f3d5b27ef2382ff287465d84f81c1092ef046 |
| SHA256 | 6a5e42e58f2b883ca3a2055090649ed8e1af1e7b11bbde4d76d1bfaef3b7a625 |
| SHA512 | 5586baefc85b71170ee224f819854bdb75756e3b22eb4f74f408054dd015db84444d119efa06d8651a8cd6b726ec0d0a442ce503b4caf602645cdfdc6295a414 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2737914667-933161113-3798636211-1000\0f5007522459c86e95ffcc62f32308f1_07cfaa2b-05f3-43ad-9a8b-0541b0b16272
| MD5 | d898504a722bff1524134c6ab6a5eaa5 |
| SHA1 | e0fdc90c2ca2a0219c99d2758e68c18875a3e11e |
| SHA256 | 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9 |
| SHA512 | 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2737914667-933161113-3798636211-1000\0f5007522459c86e95ffcc62f32308f1_07cfaa2b-05f3-43ad-9a8b-0541b0b16272
| MD5 | c07225d4e7d01d31042965f048728a0a |
| SHA1 | 69d70b340fd9f44c89adb9a2278df84faa9906b7 |
| SHA256 | 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a |
| SHA512 | 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b |
Analysis: behavioral27
Detonation Overview
Submitted
2024-05-24 01:20
Reported
2024-05-24 01:28
Platform
win7-20240508-en
Max time kernel
35s
Max time network
16s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe
"C:\Users\Admin\AppData\Local\Temp\e8412c49890da839070b49b7eb8f364b408557fd35ab5fc593637e4e8e496dcb.exe"
Network
Files
memory/2432-0-0x00000000742EE000-0x00000000742EF000-memory.dmp
memory/2432-1-0x0000000000380000-0x0000000000410000-memory.dmp
memory/2432-2-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2432-3-0x00000000002C0000-0x00000000002D4000-memory.dmp
memory/2432-4-0x00000000742EE000-0x00000000742EF000-memory.dmp
memory/2432-5-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2432-6-0x0000000000330000-0x000000000033E000-memory.dmp
memory/2432-7-0x0000000004F20000-0x0000000004F8E000-memory.dmp
memory/2432-8-0x00000000742E0000-0x00000000749CE000-memory.dmp