Malware Analysis Report

2024-08-06 12:41

Sample ID 240528-swf9tsbd55
Target Stealerium.zip
SHA256 49d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722
Tags
stealerium stealer
score
10/10

Analysis Overview

score
10/10

SHA256

49d8c623abc37dff7af7d7ea15fa66b27504f166b5bf7a2d486c41ce7923a722

Threat Level: Known bad

The file Stealerium.zip was found to be: Known bad.

Malicious Activity Summary

stealerium stealer

Stealerium family

Stealerium

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Kills process with taskkill

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-28 15:28

Signatures

Stealerium family

stealerium

Unsigned PE

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

107s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

Signatures

Stealerium

stealer stealerium

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmp5B01.tmp.bat

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\taskkill.exe

TaskKill /F /IM 2940

C:\Windows\SysWOW64\timeout.exe

Timeout /T 2 /Nobreak

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.131:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 131.61.62.23.in-addr.arpa udp
NL 23.62.61.131:443 www.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 52.111.227.14:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2940-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

memory/2940-1-0x00000000000B0000-0x0000000000242000-memory.dmp

memory/2940-2-0x0000000004BD0000-0x0000000004C36000-memory.dmp

memory/2940-3-0x00000000747A0000-0x0000000074F50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp5B01.tmp.bat

MD5 02bfc092eb77a63fbb13d8fdc5e89e78
SHA1 c35c44f2e34efa63e0dc9ff876de447c499b15c8
SHA256 6f1a26bbfeb5feb87527f38f72c5c9f1af419d5dfdc0198c577dd5806c00e3cf
SHA512 d372bdf1e8df51cd6c9ebf0d9f1ce82f37effc738b268c3578a690810f719627279e788bec8494b3f95ab9e9f9d43a21a967cbda65bce760c73120449bb6774e

memory/2940-6-0x00000000747A0000-0x0000000074F50000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240215-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\SixLabors.ImageSharp.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.ImageSharp.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4440 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240220-en

Max time kernel

118s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Mdb.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240221-en

Max time kernel

141s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 406392c913b1da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d079414a45204449857a43f0cd38c409000000000200000000001066000000010000200000003fc940f2b6552430bcde2380b880e9a5b924a8ba2df7c080d2c2cbb2572ebb13000000000e80000000020000200000003a68e4effe241f67eae73587603f409ca870982cf3c20f5fd50132381c0e3bc9200000001518113e71ae1a8fa62f7dcf58178f162b23fcadc9b7b129b4272b08e7cf131140000000dbd862969e09c50536297cf4c4b0631b0485993a5afbb4a1d6a491221b1f94f2dd9d54f16fc0b90cc1113319f5022a7effa2500b64025d5c403eeb1bffd6a194 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F3921871-1D06-11EF-A293-4AADDC6219DF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423071984" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe

"C:\Users\Admin\AppData\Local\Temp\Stub\stub.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=stub.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2780 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar352B.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7841ebe132c459215e841f299b5fc006
SHA1 fb242e0956d9002cb4d3fd2345e6bc844b9458ab
SHA256 bf8e56a7acd750a9cf59bcb621772301b35bf83f68e0dcf31871846671688065
SHA512 e25e96113a8340fad80a9f30051b0e9109e6f61428df3bb525c9c51427d27e4dc45b43de56ca85bbb1959f306dce07bb73cf84b2c5b4cf02d7e8f30e9ba622d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1cf186639d45c5f579c95b575566060a
SHA1 85499774e4a7b4c616c6f6841e295f835e1d10d3
SHA256 870ed9d6e12041784fb241302cbd5e523a627a23ae9aab95a3bd1ae13eaaf176
SHA512 fe13ee236e3ee836378e47835c0787746c0ea30146e08cad2e5843d10908111b9eaabc9cc4ab7402e2e83939152fd9e0044dab0c240ed241f12e9333793178d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be8a4de93ae0dbaa5fe09fd9524e55bd
SHA1 d25e139129d60b59af4df485d45b3e205a1c1031
SHA256 41e202c1f1269a9d516e6aa1c7a54a563cca3b5f7e19456961e2a3cd748cb916
SHA512 1601705e9d175caf56b4ea36377dc7aceb30c26557839a375b25c3ca1d358f6ba5af8ab3d710fd8d9f9572e06e749c9dec05b0d2146822902468986bf72d2a33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a1e6058e03a7889ac3866b3940e61fb
SHA1 f40b498f7076f693909c6935c6e3be978fed8c74
SHA256 352e202d15b19c2c6e844ba11296e40a6612c930cb9af048b70b10d19f7c56d4
SHA512 234c296e7c9e621c1372b5b272605ad4c7f036bca9768b57fa9a704f1d177120e440a4ac0c29d8186f6a38d80ddaa29ea4a51f2a899c584259877c01e6f6033b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9766fa20113508895e3383cb9c86216b
SHA1 99d670ce2b86ea3d9f985454d88e925d18aa7b18
SHA256 3d7f21b733c7452fa67bdba2a38ccf737e1890633365b5cd1f718da6bcb85098
SHA512 fdc42b2bc3065717a077edeeb1f3bef98b9b0291024122c2e31fcab738c242d754398246ffe710a550c403329847141fd0b3007668f8e9c636d180626f3f9d66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c1d9b6504a18e6058792dd4677b3702
SHA1 0ade974c6a9bada3cf20a7ca793c5c6ae2d3c6c9
SHA256 723845ba266ecdde7ec3b31f014eb4da072baf62f97a35775443d2eccb75db0d
SHA512 df4dfa6be8f54596711fc7f27dee2da763c7a8fbcf1722645671c1b7baf373317ca523076bd57ab5c004aae09c0c3011553a83ae020490694da23cc68ef294f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a49b5e6109c776bb577e0aefc96b836
SHA1 b064e5ebaba8aa7b9b84f5e4e5bbfb7089b40dc8
SHA256 caae2054062e77c9855c41c4962ad5eb8f3ad470817fb412da1ce3a1bc930308
SHA512 c4f4a9b502c98b3016365837840b78f78aeb05ec289474370184b4f4cfbba6c48647d7ad1d95954aac70b9524b567d84dd4b21d71a42d38edbfb6c213d47d0d4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5bf72619d0020b4ebe44b18279c54661
SHA1 96c2bcccc053563ee0a1fe3e1a71438230ee0754
SHA256 4c98fe9a9c05903c280d42ffe655cb72c14f2ddbef568519884f54c2ea7cb171
SHA512 10cf98d31cbe0726ea8f8315860ccdd001e3d0fd4bbc3892caa25a2e7f87be4557c11a68061cfdc6e439231f69c31908f99ecfdc228227dfda3e55eb48837ed5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7f9579dcc29c03efdb4b7b11ad0209b
SHA1 334c2e1fd2be258c2df0f611fb0cbfc36a44fa72
SHA256 2b098cc79f5a44e0e5f3afb6ed814980461fecf6d16ac50ba034956207daffc0
SHA512 aef6dcb951f64b2de022b168459e9d933a6e8f37bcd88a4999557055b2c516186121dbdd234fb9f5c30c7a3aaa6db7e4c4f4b20208f2d3fc4dfcd81168238be7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ed32518c37bd0fba24f989c65a5f295
SHA1 444da9425077af1a864d60e1951570e012e5da59
SHA256 32871f0a1a73d8611b87dd5318a5c9233d574f7f67587f3647b40a619e707374
SHA512 e207babc0033f5fa2b55a73610aa1d691c7d5853dcbfc476f3991fbdb55f692f1a12d2400ea83dabac723f41ae11a2e03ad27e088a91ddb03da9ea477daae412

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a4e1009b0b3bae06507621bf2d13f8d6
SHA1 f6dc3dda57e4251f7ef897252d6c21158aa495d0
SHA256 623c917017d1e01f1bf402779282a84b33def002f5de72f1677d584bb12ef742
SHA512 54ae63db3f1ca6f7ab3c342bd24b55706f214c9ef40ebf16c04dbd0bd3f5d07014bb5058b45f9cbc96a9e23b6def951e257742b28068bc6ea318f06e0de2b437

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 573d6f9ac3d2a4a5e02703ccd9d80cff
SHA1 933fe4f70c578057529fd0dc8b5fdbad16c15e9c
SHA256 f1f070351f5c7b9ac065d9ed39c9aeaf897771d175b01e61f24fe8bfc4148fb4
SHA512 d43441bdf9d74df1a232f43299d0070400c0cd813627871cd103124fa12e6802de58bb3511f0bceff9b4b15b2073e073dcab26f865cf31194edf0a6c55a8a157

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b16d91f88d23b3fece535e4f6b9ef7b1
SHA1 dabcb5f61f04a859a0a84fce3c7635647208cf1b
SHA256 43bc31812ee0f08e41e433703d46aba0057d306420b74419ba0237b89d7a6002
SHA512 87c7b5bf3f584dc333ec4d8d539bacdb4d4dd9b3a6004d0b7bb3a0e98069ed6a4a60ae6091a5ebe28ef317145d75233cb792c21e26497aba4218b2a84fd9eb77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2f42e08bc7eca66e34cd518e29a32410
SHA1 2f9f160d3db80b648dd5157f931fc9123c91cf4e
SHA256 807ba81b1eec9ca2dd714365a4efb8284bef335c29f139f29a5974c8bf237cab
SHA512 e16757c9622985142ecdd113c09ba038875322c149a7d8bfb0c98aa6b71cd02fd5c7239e2b8a8fd597434561b17f3b5f1112a42bd1265339aff64fc49f646c52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f71e4c54da156dd6f8dfe57f43613deb
SHA1 804020b9e4cb6affd6ba7f35545afdb2be1a56f8
SHA256 a19eaf4ca6f7e5198157d80b5eca45079b21c3bb25eb08c21fa995778504f461
SHA512 d4481ec8e7d5ff80a84aee3bb3c4d2ba2595e726a55fa6c08a47b6d7d7426a6d117062dadb1f5ac990e4bb76785c93ae21145ecad29d5b8b1cdffca08524e383

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bee84554047d50e77b437802d75d4174
SHA1 5d444271a734f1ed7b608f2eadb3c5c157ff192e
SHA256 4d61a7328f333d0af59cb8271c5cf1cd302be5cc4eac976284798009ded87608
SHA512 29f9d9015b4fbb3889d219f21d5e87174ae64b3bb0dbe141467164a1004b24bfeb8ecf35c6959dc7c65214018e75bffc4313c630d3c69d489781802b3676c464

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdb18d55604f5d3573e173f711eee9ea
SHA1 ebea0006201f7d25a806e27d49bc7bd7f8e2612d
SHA256 b72a490ab51e83f76afd44b2b8282e9c812908ed0caa9cb477c4645656240b96
SHA512 8c1b5a6231c5c5d471313ad28c3c8de4a65b29e6ba3c4175db1b7e0a84b8ae7f7cde4dd6b6532af2108232763731b4284c1be328cf3e5e10ae653059dd45b04f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5d243873534bd66bd4eded73ce80e9d8
SHA1 0388f0c753844e3929f7ce4fe80cfb0f6b00ebd3
SHA256 363446714dfed4be3376df7f32690b97b911da3e74fb3f25a04dad7bcb4a308f
SHA512 b31ecdb965ff211669a98846a752b61e155ce2ac9d44c2d264fa4f90ba96146ecb85a0e1eeb84e7f2663df10b0d9726b821339798ea71d9219e5266c9f9be3de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46eff0a7f8c3cb29bb7f3f816de6221f
SHA1 e938e18097b74ac02bbf6af2d611b2d92b09b7e1
SHA256 371588935eec1d26c9fa55301e8bdc31a7386003ae99897a3b7e89638cbeeebf
SHA512 7908327c4ae44fafc230ffa20f63cf9456b08902246df87edcc935af25f1a99bba5a9b30c7425b2f8f79a87cbe89e9c8754522e8e1eaf184e792e02628235c52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47fc62a1adfee66d7132c3ab498727fb
SHA1 13a94a8a051eea8c065f598ae9fe78f066da76b7
SHA256 3ae8d262702137b6ca3a414deeb52125810096058ec031406e3c906936608eee
SHA512 5d4a861de27d26e11337583a512853004f7e2a1e3e00904ada25e58e8a951013b186b4f49df6165d6c259f6d7d8bb327c360d1b822a4c800a6bf1bf45cd7d19d

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/3748-0-0x00007FFCDC0DB000-0x00007FFCDC0DC000-memory.dmp

memory/3748-1-0x00007FFCDC0DB000-0x00007FFCDC0DC000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240508-en

Max time kernel

122s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Pdb.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

106s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
NL 23.62.61.162:443 www.bing.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 162.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

94s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Spectre.Console.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240508-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Mono.Cecil.Rocks.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win7-20240220-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-28 15:28

Reported

2024-05-28 15:31

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Builder.exe

"C:\Users\Admin\AppData\Local\Temp\Builder.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 96.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
NL 23.62.61.73:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.61.62.23.in-addr.arpa udp
NL 23.62.61.73:443 www.bing.com tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

N/A