Analysis Overview
SHA256: c2986293fd3df49bad0878f59433be96eb97b16cfe259932bfa780855c50789b
Threat Level: Known bad
The file 5cb4491917b380b33e06098568d2f9de.bin was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Vidar
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Program crash
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Enumerates processes with tasklist
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Runs ping.exe
Suspicious use of SendNotifyMessage
Analysis: static1
Detonation Overview
Reported: 2024-06-12 01:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-12 01:47
Reported: 2024-06-12 01:50
Platform: win7-20240508-en
Max time kernel: 120s
Max time network: 120s
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe | "C:\Users\Admin\AppData\Local\Temp\d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c move Graduation Graduation.bat && Graduation.bat |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 2762 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "GnomeWednesdayAuburnGreenhouse" Recorded |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b 2762\Interpreted.pif + Supervisor + Essay + Evaluating + Masters + He 2762\Interpreted.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Radical + Vcr + Began 2762\D |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif | 2762\Interpreted.pif 2762\D |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | xkuxLBGKgTMvCnBwZilmshTeA.xkuxLBGKgTMvCnBwZilmshTeA | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | t.me | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Graduation
| Hash | Value |
|---|---|
| MD5 | da02baea87a774e563b759962c831ea3 |
| SHA1 | d65ee5057a6974da4ff5815647b6354db3ac7010 |
| SHA256 | 411217f7cdacd2134b937255cf31400f15bb92b6550cf663f67447118898baac |
| SHA512 | 5c1405245714578862718480118a637510bd9ad7585e85e9089a9d4e83784d736a7d13fa1e996a9c2a9a3e282afb6fc8435ece8734c4b954483e51b83a2d020e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Recorded
| Hash | Value |
|---|---|
| MD5 | 5b493864bb88a3e8b5bec29f03079481 |
| SHA1 | 512cb1273824209741ec7edff4b44ba1021906e1 |
| SHA256 | efeb5b344808ebd2f5fae26dade7e472f3d64d106a9e7ef23da5f751899b6e72 |
| SHA512 | 419ab7a48eba12702e748618b21a69a8f4fcb57b998061506af3963d2b2cbd370b161b2ad9d6643dc0ce217b97f69621d783ccee658d038007b8e1cbcfb125b6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif
| Hash | Value |
|---|---|
| MD5 | fd52a26cc53d5dfce3bfaf0aca96d85a |
| SHA1 | 295cb026b9fc87fb41fcb5911831cf7ec8986aa0 |
| SHA256 | 9e7be5dc178aa7a50c756baf297b0c5a5b3c13ce35a3723af5dba8ee5eb39b2e |
| SHA512 | b2f83892ab09d73d36a8d28e6f53b88ba4f0c4632143b7f84e4da333960cac6969719bda23c173cf03665ce8bc36c533a41080240aa53bac3975c94d79403d26 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Supervisor
| Hash | Value |
|---|---|
| MD5 | 995f9dfbb78bbc6ff6e9052d4339723b |
| SHA1 | 442c477bd7ffe4c307f24f1a6cd1a7a697b7cc89 |
| SHA256 | 7003d3092db436f9d544f57e743701006c5f23c326faaa36af5accddc61a4c16 |
| SHA512 | 686dc6d5ae76a6f31eabb48644af466b1201b0fefcdb0ec350570114ec2f798bbbe3df6030a9dd9a6faf8e6624fbcb966698a8977799ed704122506d6b1c5770 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Essay
| Hash | Value |
|---|---|
| MD5 | 11c50adff3c20b5b868d4bfacc3c08af |
| SHA1 | ec8896a174c85c984ee94a02ac1d70b92a14252e |
| SHA256 | d777d67f3646834596fd3aa8dafdefb049fc258512a27dff2a58749b51c982ef |
| SHA512 | 8d1936edd50661841dbe25c15ea7e9d8c01263054e92dbfad9a018df241bd6d64b273e258d3f8069f64c419479e98c4dad02369ffb84ebeda14fca355ce14046 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Evaluating
| Hash | Value |
|---|---|
| MD5 | b20ec0246a0098216b7b1f21dcb632d3 |
| SHA1 | d6f1c7d6261ce60c2cbc66b0ef798dbde80b60d7 |
| SHA256 | be541fd93f849c92060d2a22a8a8afea4b2fe1d21436a1c8be860f7080f5681c |
| SHA512 | e029c1adff333c1488256df14f1a979b736f1a34e6740e4315d99cc38d1f3098004e1a643937d8ca92cb043ca78e75ed4756515d21f9fe34b573d56bf8f23e01 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Masters
| Hash | Value |
|---|---|
| MD5 | 297667b5ffbac79814bb1b8725a4fa71 |
| SHA1 | cc0e1f0cc4f460088b6d0649068c143734657263 |
| SHA256 | a822143e9fdbaa44cf4971a42f94bf82bebef96b86a8c89651aad45db6a03fe0 |
| SHA512 | 7e53ad1fd548f66bb841bd831030d54016646018457015c0b8f65358b53a080f614a0d82964da5388bb14818c7ef955708717bcfc9a29ade0265e7e5099e985f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\He
| Hash | Value |
|---|---|
| MD5 | 6b322202c85be84c449354b8ffb72486 |
| SHA1 | 9fc8af9a7d8c084b1861b06f7c593924b7d7e06c |
| SHA256 | e869264685bb4951c93f81cba8697d2b714bcde80a8d7791cee5764efb6710e7 |
| SHA512 | df8a425797897dd4a7a50af229edf168da0f7158b6da2957c5976a2d4278ae60655864ec3b2c4d88ea8b45691eda3cbb6be59d00a544a06d6eb6c7e3907ae3d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Vcr
| Hash | Value |
|---|---|
| MD5 | d09c285ed3170cd8bc77814fbe1bfc46 |
| SHA1 | 02d88276965458d97f68b55df4c136bdfa7cbdf8 |
| SHA256 | 2a579e89be6e5800a865d3a7ec7191418d24c33cba0f95664d6c138405a95ebc |
| SHA512 | e4498b3dd3fe931cfea3ae1ad4f93b06814cc3c582117041bb69d5dc527b1523787fbb5d2d726e621d2b0432e1977a8e0e1707391a6822fc79b8feeaf5d6435f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Radical
| Hash | Value |
|---|---|
| MD5 | 9ab2ca2a20e5f2bd316208a1217c3467 |
| SHA1 | 89a541c6151199a54a8789771fc8abca0d008934 |
| SHA256 | 203a18bc06969b91597b1c6f77646a109f17bd533d71bb52cf3b4144e920f7c0 |
| SHA512 | 8bc69f6ff0f7db2ab54b7b9534b8a15e744d70dece274cf0365f8cdaf1793778a1897f0311a640b5774189c08dbd3f56fd1eb915da7a93d38fb159fd47482753 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Began
| Hash | Value |
|---|---|
| MD5 | c77b16e97f7769108cef3aeeb9144412 |
| SHA1 | 38a369ccde64420a2824b9af2e60aa8795fc2007 |
| SHA256 | ad233869d1b63220d128ee84914215c456ed4e58711886778ff3ab138e092dea |
| SHA512 | 05422dcda50c156a3846702c6dc90903bd78a36bac8b4a8783341e997a633ce988acc996997898e07ca56350fd6b184027b441672a60775216cd2bc281eaee12 |
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\Interpreted.pif
| Hash | Value |
|---|---|
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\2762\D
| Hash | Value |
|---|---|
| MD5 | 8215d0f66e1bf9713f31e642f16bb9d8 |
| SHA1 | ed8e83037cafa91328e393d0b918b02af23a0192 |
| SHA256 | 916a6ace04f4670a8893c504c54fa29ec90a53602bc57c09582f4acfbc52991d |
| SHA512 | b3925a6686feb3f22dea621a42265105f0c54ce98fb5339941b772d86e0f13de0847605b8d132bd245901b0a9aca353f51dcc304b6772343d402f6dd405a8f2f |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-12 01:47
Reported: 2024-06-12 01:50
Platform: win10v2004-20240611-en
Max time kernel: 120s
Max time network: 55s
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Vidar
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe | "C:\Users\Admin\AppData\Local\Temp\d159901426c9d9c00934d53977abff7932b37f69febdb6cab2a80333e79c3f1a.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c move Graduation Graduation.bat && Graduation.bat |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "wrsa.exe opssvc.exe" |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\SysWOW64\findstr.exe | findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c md 2802 |
| C:\Windows\SysWOW64\findstr.exe | findstr /V "GnomeWednesdayAuburnGreenhouse" Recorded |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b 2802\Interpreted.pif + Supervisor + Essay + Evaluating + Masters + He 2802\Interpreted.pif |
| C:\Windows\SysWOW64\cmd.exe | cmd /c copy /b Radical + Vcr + Began 2802\D |
| C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif | 2802\Interpreted.pif 2802\D |
| C:\Windows\SysWOW64\PING.EXE | ping -n 5 127.0.0.1 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2672 -ip 2672 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1552 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2672 -ip 2672 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 1508 |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | xkuxLBGKgTMvCnBwZilmshTeA.xkuxLBGKgTMvCnBwZilmshTeA | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| US | 8.8.8.8:53 | t.me | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Graduation
| Hash | Value |
|---|---|
| MD5 | da02baea87a774e563b759962c831ea3 |
| SHA1 | d65ee5057a6974da4ff5815647b6354db3ac7010 |
| SHA256 | 411217f7cdacd2134b937255cf31400f15bb92b6550cf663f67447118898baac |
| SHA512 | 5c1405245714578862718480118a637510bd9ad7585e85e9089a9d4e83784d736a7d13fa1e996a9c2a9a3e282afb6fc8435ece8734c4b954483e51b83a2d020e |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Recorded
| Hash | Value |
|---|---|
| MD5 | 5b493864bb88a3e8b5bec29f03079481 |
| SHA1 | 512cb1273824209741ec7edff4b44ba1021906e1 |
| SHA256 | efeb5b344808ebd2f5fae26dade7e472f3d64d106a9e7ef23da5f751899b6e72 |
| SHA512 | 419ab7a48eba12702e748618b21a69a8f4fcb57b998061506af3963d2b2cbd370b161b2ad9d6643dc0ce217b97f69621d783ccee658d038007b8e1cbcfb125b6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif
| Hash | Value |
|---|---|
| MD5 | fd52a26cc53d5dfce3bfaf0aca96d85a |
| SHA1 | 295cb026b9fc87fb41fcb5911831cf7ec8986aa0 |
| SHA256 | 9e7be5dc178aa7a50c756baf297b0c5a5b3c13ce35a3723af5dba8ee5eb39b2e |
| SHA512 | b2f83892ab09d73d36a8d28e6f53b88ba4f0c4632143b7f84e4da333960cac6969719bda23c173cf03665ce8bc36c533a41080240aa53bac3975c94d79403d26 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Supervisor
| Hash | Value |
|---|---|
| MD5 | 995f9dfbb78bbc6ff6e9052d4339723b |
| SHA1 | 442c477bd7ffe4c307f24f1a6cd1a7a697b7cc89 |
| SHA256 | 7003d3092db436f9d544f57e743701006c5f23c326faaa36af5accddc61a4c16 |
| SHA512 | 686dc6d5ae76a6f31eabb48644af466b1201b0fefcdb0ec350570114ec2f798bbbe3df6030a9dd9a6faf8e6624fbcb966698a8977799ed704122506d6b1c5770 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Essay
| Hash | Value |
|---|---|
| MD5 | 11c50adff3c20b5b868d4bfacc3c08af |
| SHA1 | ec8896a174c85c984ee94a02ac1d70b92a14252e |
| SHA256 | d777d67f3646834596fd3aa8dafdefb049fc258512a27dff2a58749b51c982ef |
| SHA512 | 8d1936edd50661841dbe25c15ea7e9d8c01263054e92dbfad9a018df241bd6d64b273e258d3f8069f64c419479e98c4dad02369ffb84ebeda14fca355ce14046 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Evaluating
| Hash | Value |
|---|---|
| MD5 | b20ec0246a0098216b7b1f21dcb632d3 |
| SHA1 | d6f1c7d6261ce60c2cbc66b0ef798dbde80b60d7 |
| SHA256 | be541fd93f849c92060d2a22a8a8afea4b2fe1d21436a1c8be860f7080f5681c |
| SHA512 | e029c1adff333c1488256df14f1a979b736f1a34e6740e4315d99cc38d1f3098004e1a643937d8ca92cb043ca78e75ed4756515d21f9fe34b573d56bf8f23e01 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Masters
| Hash | Value |
|---|---|
| MD5 | 297667b5ffbac79814bb1b8725a4fa71 |
| SHA1 | cc0e1f0cc4f460088b6d0649068c143734657263 |
| SHA256 | a822143e9fdbaa44cf4971a42f94bf82bebef96b86a8c89651aad45db6a03fe0 |
| SHA512 | 7e53ad1fd548f66bb841bd831030d54016646018457015c0b8f65358b53a080f614a0d82964da5388bb14818c7ef955708717bcfc9a29ade0265e7e5099e985f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\He
| Hash | Value |
|---|---|
| MD5 | 6b322202c85be84c449354b8ffb72486 |
| SHA1 | 9fc8af9a7d8c084b1861b06f7c593924b7d7e06c |
| SHA256 | e869264685bb4951c93f81cba8697d2b714bcde80a8d7791cee5764efb6710e7 |
| SHA512 | df8a425797897dd4a7a50af229edf168da0f7158b6da2957c5976a2d4278ae60655864ec3b2c4d88ea8b45691eda3cbb6be59d00a544a06d6eb6c7e3907ae3d8 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Radical
| Hash | Value |
|---|---|
| MD5 | 9ab2ca2a20e5f2bd316208a1217c3467 |
| SHA1 | 89a541c6151199a54a8789771fc8abca0d008934 |
| SHA256 | 203a18bc06969b91597b1c6f77646a109f17bd533d71bb52cf3b4144e920f7c0 |
| SHA512 | 8bc69f6ff0f7db2ab54b7b9534b8a15e744d70dece274cf0365f8cdaf1793778a1897f0311a640b5774189c08dbd3f56fd1eb915da7a93d38fb159fd47482753 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vcr
| Hash | Value |
|---|---|
| MD5 | d09c285ed3170cd8bc77814fbe1bfc46 |
| SHA1 | 02d88276965458d97f68b55df4c136bdfa7cbdf8 |
| SHA256 | 2a579e89be6e5800a865d3a7ec7191418d24c33cba0f95664d6c138405a95ebc |
| SHA512 | e4498b3dd3fe931cfea3ae1ad4f93b06814cc3c582117041bb69d5dc527b1523787fbb5d2d726e621d2b0432e1977a8e0e1707391a6822fc79b8feeaf5d6435f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Began
| Hash | Value |
|---|---|
| MD5 | c77b16e97f7769108cef3aeeb9144412 |
| SHA1 | 38a369ccde64420a2824b9af2e60aa8795fc2007 |
| SHA256 | ad233869d1b63220d128ee84914215c456ed4e58711886778ff3ab138e092dea |
| SHA512 | 05422dcda50c156a3846702c6dc90903bd78a36bac8b4a8783341e997a633ce988acc996997898e07ca56350fd6b184027b441672a60775216cd2bc281eaee12 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\Interpreted.pif
| Hash | Value |
|---|---|
| MD5 | 78ba0653a340bac5ff152b21a83626cc |
| SHA1 | b12da9cb5d024555405040e65ad89d16ae749502 |
| SHA256 | 05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7 |
| SHA512 | efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\2802\D
| Hash | Value |
|---|---|
| MD5 | 8215d0f66e1bf9713f31e642f16bb9d8 |
| SHA1 | ed8e83037cafa91328e393d0b918b02af23a0192 |
| SHA256 | 916a6ace04f4670a8893c504c54fa29ec90a53602bc57c09582f4acfbc52991d |
| SHA512 | b3925a6686feb3f22dea621a42265105f0c54ce98fb5339941b772d86e0f13de0847605b8d132bd245901b0a9aca353f51dcc304b6772343d402f6dd405a8f2f |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-06-12 01:47
Reported: 2024-06-12 01:50
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 122s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
| Process | Command line |
|---|---|
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Radical.ps1 |
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted: 2024-06-12 01:47
Reported: 2024-06-12 01:50
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 150s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Processes
| Process | Command line |
|---|---|
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\$INTERNET_CACHE\Radical.ps1 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dpuu32j.pe4.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |