Malware Analysis Report

2024-09-11 16:06

Sample ID 240614-wh26xs1arf
Target ##!!SetUp_5566_Pa$sW0rd$$!!.zip
SHA256 25cbba8cb4b96c8b9e6c8490c2460eb8fecb3b6dd4eb8fc2a06392cb018dda5b
Tags
stealc vidar stealer amadey xmrig ffb1b9 discovery execution miner spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

25cbba8cb4b96c8b9e6c8490c2460eb8fecb3b6dd4eb8fc2a06392cb018dda5b

Threat Level: Known bad

The file ##!!SetUp_5566_Pa$sW0rd$$!!.zip was found to be: Known bad.

Malicious Activity Summary

stealc vidar stealer amadey xmrig ffb1b9 discovery execution miner spyware trojan upx

Stealc

Amadey

xmrig

Vidar

Detect Vidar Stealer

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Reads user/profile data of local email clients

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Enumerates physical storage devices

Unsigned PE

Program crash

Delays execution with timeout.exe

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 17:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

61s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140_1.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_1.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3020 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 163.126.19.2.in-addr.arpa udp
GB 142.250.200.42:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240220-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libssl-1_1-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libssl-1_1-x64.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2380 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2380 wrote to memory of 2332 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_1.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2380 -s 80

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240508-en

Max time kernel

120s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\VSLauncher_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\VSLauncher_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\VSLauncher_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\VSLauncher_[0MB]_[1].exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4088,i,10925946972013221578,8820669985803190952,262144 --variations-seed-version --mojo-platform-channel-handle=1820 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 105.77.117.104.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\api-ms-win-core-processthreads-l1-1-1.dll,#1

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Core.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240220-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Network.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Network.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

142s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4432,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240611-en

Max time kernel

119s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140_1.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140_1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win10v2004-20240508-en

Max time kernel

79s

Max time network

100s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140.dll,#1

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\HDHelper_[0MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\api-ms-win-core-profile-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240508-en

Max time kernel

150s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 2232 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\coml.au3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2232 wrote to memory of 2816 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2232 wrote to memory of 2816 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2232 wrote to memory of 2816 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2232 wrote to memory of 2816 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2232 wrote to memory of 2816 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2232 wrote to memory of 2816 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2816 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2816 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2816 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2816 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 148

Network

N/A

Files

memory/1692-0-0x000007FEF5DF0000-0x000007FEF5F48000-memory.dmp

memory/1692-12-0x000007FEF5E08000-0x000007FEF5E09000-memory.dmp

memory/1692-13-0x000007FEF5DF0000-0x000007FEF5F48000-memory.dmp

memory/1692-14-0x000007FEF5DF0000-0x000007FEF5F48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b4251ed9

MD5 77c941a44a77827abf467070248e1df7
SHA1 47b15b6e82f26ff72f07720d41591f4aea12b3d4
SHA256 676e85a255699891ecfcb62eb65b67d60db64604d66ad0b10dc4b6cd962ea372
SHA512 00074567750b86452f9f9474b5d6c7355e30ae7c5afb66da91c48bf81655ccafec84bd020c3b7fc42b9d97caa32fcdf3301267df3c2b52dab33f21ee3a3e22e2

memory/2232-17-0x0000000077730000-0x00000000778D9000-memory.dmp

memory/2232-20-0x0000000073A2E000-0x0000000073A30000-memory.dmp

memory/2232-19-0x0000000073A20000-0x0000000073B94000-memory.dmp

memory/2232-21-0x0000000073A20000-0x0000000073B94000-memory.dmp

\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2816-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2816-26-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2232-28-0x0000000073A20000-0x0000000073B94000-memory.dmp

memory/2816-30-0x0000000000C40000-0x000000000138C000-memory.dmp

memory/2816-37-0x0000000000C40000-0x000000000138C000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\IECGHJKKJD.exe N/A
N/A N/A C:\ProgramData\DGCAAAFCBF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2868 set thread context of 1788 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 4596 set thread context of 2460 N/A C:\ProgramData\DGCAAAFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4624 set thread context of 1168 N/A C:\ProgramData\IECGHJKKJD.exe C:\Windows\SysWOW64\ftp.exe
PID 2460 set thread context of 1648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1648 set thread context of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\ProgramData\IECGHJKKJD.exe N/A
N/A N/A C:\ProgramData\DGCAAAFCBF.exe N/A
N/A N/A C:\ProgramData\DGCAAAFCBF.exe N/A
N/A N/A C:\ProgramData\IECGHJKKJD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\ProgramData\DGCAAAFCBF.exe N/A
N/A N/A C:\ProgramData\IECGHJKKJD.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2868 wrote to memory of 1788 N/A C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1788 wrote to memory of 2960 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1788 wrote to memory of 2960 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1788 wrote to memory of 2960 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1788 wrote to memory of 2960 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1788 wrote to memory of 2960 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2960 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\IECGHJKKJD.exe
PID 2960 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\IECGHJKKJD.exe
PID 2960 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\IECGHJKKJD.exe
PID 2960 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\DGCAAAFCBF.exe
PID 2960 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\DGCAAAFCBF.exe
PID 2960 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\ProgramData\DGCAAAFCBF.exe
PID 4596 wrote to memory of 2460 N/A C:\ProgramData\DGCAAAFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4596 wrote to memory of 2460 N/A C:\ProgramData\DGCAAAFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4596 wrote to memory of 2460 N/A C:\ProgramData\DGCAAAFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4624 wrote to memory of 1168 N/A C:\ProgramData\IECGHJKKJD.exe C:\Windows\SysWOW64\ftp.exe
PID 4624 wrote to memory of 1168 N/A C:\ProgramData\IECGHJKKJD.exe C:\Windows\SysWOW64\ftp.exe
PID 4624 wrote to memory of 1168 N/A C:\ProgramData\IECGHJKKJD.exe C:\Windows\SysWOW64\ftp.exe
PID 4596 wrote to memory of 2460 N/A C:\ProgramData\DGCAAAFCBF.exe C:\Windows\SysWOW64\ftp.exe
PID 4624 wrote to memory of 1168 N/A C:\ProgramData\IECGHJKKJD.exe C:\Windows\SysWOW64\ftp.exe
PID 2960 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 2960 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 3644 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3644 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3644 wrote to memory of 1092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1168 wrote to memory of 4440 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1168 wrote to memory of 4440 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1168 wrote to memory of 4440 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2460 wrote to memory of 1648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2460 wrote to memory of 1648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1168 wrote to memory of 4440 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 2460 wrote to memory of 1648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 2460 wrote to memory of 1648 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1648 wrote to memory of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1648 wrote to memory of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1648 wrote to memory of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1648 wrote to memory of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1648 wrote to memory of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1648 wrote to memory of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1648 wrote to memory of 5036 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4440 wrote to memory of 4172 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4172 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4440 wrote to memory of 4172 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3904 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3880,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:3

C:\ProgramData\IECGHJKKJD.exe

"C:\ProgramData\IECGHJKKJD.exe"

C:\ProgramData\DGCAAAFCBF.exe

"C:\ProgramData\DGCAAAFCBF.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\KKKJKEBKFCAA" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 137.126.19.2.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 feeldog.xyz udp
US 172.67.133.78:443 feeldog.xyz tcp
US 8.8.8.8:53 78.133.67.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 58.251.201.195.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.192.193:443 i.imgur.com tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 193.192.232.199.in-addr.arpa udp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
DE 195.201.251.58:9000 195.201.251.58 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
FI 135.181.22.88:80 135.181.22.88 tcp
US 8.8.8.8:53 88.22.181.135.in-addr.arpa udp
FI 65.109.127.181:3333 tcp
US 8.8.8.8:53 proresupdate.com udp
US 45.152.112.146:80 proresupdate.com tcp
US 8.8.8.8:53 contur2fa.recipeupdates.rest udp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
US 8.8.8.8:53 146.112.152.45.in-addr.arpa udp
US 8.8.8.8:53 173.76.21.104.in-addr.arpa udp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp

Files

memory/2868-0-0x00007FF9683D0000-0x00007FF968542000-memory.dmp

memory/2868-12-0x00007FF9683E8000-0x00007FF9683E9000-memory.dmp

memory/2868-13-0x00007FF9683D0000-0x00007FF968542000-memory.dmp

memory/2868-14-0x00007FF9683D0000-0x00007FF968542000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\804b2981

MD5 b5174b44c63b3ba51b0e8f88e5b9a2ca
SHA1 0d372c64fad4f0823f38d40d607819fd4e16c2f6
SHA256 b9702a0d10838de2adbf0858ca8c074852be30de18050441b69b557c43f99a3e
SHA512 03d3e8dc1f1f80e9711aab7ae310caf71dca75225f953fbfde45404a6a4a8c7621fd1422a3837106bdcdec99e5fcfbe498aa2a5db245712e782642891bf41283

memory/1788-17-0x00007FF986E10000-0x00007FF987005000-memory.dmp

memory/1788-19-0x000000007469E000-0x00000000746A0000-memory.dmp

memory/1788-20-0x0000000074691000-0x000000007469F000-memory.dmp

memory/1788-24-0x0000000074691000-0x000000007469F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2960-26-0x0000000000E10000-0x000000000155C000-memory.dmp

memory/2960-28-0x00007FF986E10000-0x00007FF987005000-memory.dmp

memory/2960-29-0x0000000000E10000-0x000000000155C000-memory.dmp

memory/2960-32-0x0000000000E10000-0x000000000155C000-memory.dmp

memory/2960-33-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\KKKJKEBKFCAA\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\KKKJKEBKFCAA\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\IECGHJKKJD.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/4624-120-0x0000000000E70000-0x0000000001383000-memory.dmp

C:\ProgramData\DGCAAAFCBF.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/4596-131-0x0000000000B90000-0x0000000000DD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11657bbd

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/4596-137-0x0000000072AF0000-0x0000000072C6B000-memory.dmp

memory/4596-138-0x00007FF986E10000-0x00007FF987005000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\14b18468

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/4624-144-0x0000000072AF0000-0x0000000072C6B000-memory.dmp

memory/4624-145-0x00007FF986E10000-0x00007FF987005000-memory.dmp

memory/2960-149-0x0000000000E10000-0x000000000155C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/2960-155-0x0000000000E10000-0x000000000155C000-memory.dmp

memory/4596-156-0x0000000072AF0000-0x0000000072C6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1444dcea

MD5 50e38e6fbbaf9b62d16a377d5c062165
SHA1 c21f2f778772fd03731ed5dcd1dce7d9c73e4888
SHA256 a2be13bb1582db0a8e5f252ffda3de8b97a5046ac25fdda7c15634d33378d791
SHA512 4f43ca27dd41934d2e55b3451a70e9222fdb4f8b594f9a9ddcbe36930d8578660a1004f3bbdeba15304ca9bd57650c9525198663226e6511edd6f4c274f23690

memory/4624-159-0x0000000072AF0000-0x0000000072C6B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\169bb0a1

MD5 c20fb027354d97a9ea006674487de51d
SHA1 7606ac4d946303eac221b47d424d2aa78ea3f1ec
SHA256 68ba82198e6b3f8f16a9ff13db5674b7056b4f736ba65921fbec5b520b962ab2
SHA512 cc3aebc547dc63770d8cd104529aeb62624156b6222d65551609b03b2b528545b5bad8e0d24f525a102994a9dbf007cb2f96ad777a74121bef9559849aa09d91

memory/2960-168-0x0000000000E10000-0x000000000155C000-memory.dmp

memory/2960-171-0x0000000000E10000-0x000000000155C000-memory.dmp

memory/2460-172-0x00007FF986E10000-0x00007FF987005000-memory.dmp

memory/1168-173-0x00007FF986E10000-0x00007FF987005000-memory.dmp

memory/2460-174-0x0000000072AF0000-0x0000000072C6B000-memory.dmp

C:\ProgramData\KKKJKEBKFCAA\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

C:\ProgramData\KKKJKEBKFCAA\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\KKKJKEBKFCAA\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

memory/1168-189-0x0000000072AF0000-0x0000000072C6B000-memory.dmp

memory/4440-192-0x00007FF986E10000-0x00007FF987005000-memory.dmp

memory/1648-194-0x00007FF9679F0000-0x00007FF969067000-memory.dmp

memory/4440-197-0x0000000000A60000-0x0000000000AD1000-memory.dmp

memory/1648-198-0x0000000000400000-0x000000000040A000-memory.dmp

memory/5036-202-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/5036-204-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/5036-206-0x000002425FCD0000-0x000002425FCF0000-memory.dmp

memory/1648-207-0x0000021365F60000-0x0000021366062000-memory.dmp

memory/5036-205-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/5036-209-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/5036-211-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/5036-212-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/5036-210-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/5036-208-0x0000000140000000-0x00000001407DC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 0ca198496ae9c71d8a11fc61ab11472a
SHA1 386955fc6537ea20109bb04437fe80a19bd62ea0
SHA256 e0c9da3f956846b99165a2715fe33e0e74634e69afdeb2c0fe848cfe50e4c781
SHA512 2024e726e339a6428c7afcc0c8df2fea3e26a34ffa4a65d12c74b1958aa56a4343c8e0f12bfc08c8ee230044d877e5839408dbd3ee82f9b357334b41fa2a6190

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 3cb29b0eb5f77f8c90045cf2538a6a0a
SHA1 37daf3259265cdf4e8d4374395313fb02b976116
SHA256 797976f28efb48bcc532693938bbf47e6975588efa801bab2baa897a25a3600b
SHA512 b414f86cedac9f2384d19725188b3a1d691b46743d26f256253918e10da8797b2346c4b025ccfe2189ebc8700610b9020c4260f89c759f7e244ef4d53adb33af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 549d89e9b177fb9091039dc4dad55e1d
SHA1 68cf90f4999f93c668896d98f3659adfb8ab5f5b
SHA256 672fa586110abd5b5e16db74282b5ad1385d154e3a005656d9e2ba6ec2abd53c
SHA512 b6e4880c7f27ad87ab315be41103d0cf30f933eca948d3baf28a07563316d6585e2f9df90f81f7edbfc1450d9447f3d185f1462640d0950cc13888aa138c16d8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 1e49c49df1e9bb5a3646fbdd72fff72d
SHA1 ca3b2f92797030ad96341c5551812e679e9746d3
SHA256 df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
SHA512 b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d

memory/4172-226-0x0000000002250000-0x0000000002286000-memory.dmp

memory/4172-227-0x0000000004DF0000-0x0000000005418000-memory.dmp

memory/4172-228-0x0000000004CB0000-0x0000000004CD2000-memory.dmp

memory/4172-229-0x0000000005490000-0x00000000054F6000-memory.dmp

memory/4172-230-0x0000000005500000-0x0000000005566000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p5hd2chz.ssk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4172-240-0x00000000056F0000-0x0000000005A44000-memory.dmp

memory/4172-241-0x0000000005B60000-0x0000000005B7E000-memory.dmp

memory/4172-242-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

memory/4172-244-0x0000000006DD0000-0x0000000006E66000-memory.dmp

memory/4172-245-0x00000000060C0000-0x00000000060DA000-memory.dmp

memory/4172-246-0x0000000006120000-0x0000000006142000-memory.dmp

memory/4172-247-0x0000000007420000-0x00000000079C4000-memory.dmp

memory/4172-248-0x0000000008050000-0x00000000086CA000-memory.dmp

memory/4440-249-0x0000000000A60000-0x0000000000AD1000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win7-20240508-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\hogg.pptx"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1796 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 1796 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 1796 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe
PID 1796 wrote to memory of 2236 N/A C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE C:\Windows\splwow64.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\hogg.pptx"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

N/A

Files

memory/1796-0-0x000000002DB21000-0x000000002DB22000-memory.dmp

memory/1796-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1796-2-0x0000000072ABD000-0x0000000072AC8000-memory.dmp

memory/1796-5-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1796-6-0x0000000072ABD000-0x0000000072AC8000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\steam_api64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\steam_api64.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240611-en

Max time kernel

120s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_app.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2016 wrote to memory of 3008 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 1892 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 3008 wrote to memory of 1892 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 3008 wrote to memory of 1892 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe
PID 3008 wrote to memory of 1892 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\hogg.pptx" /ou ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE

"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\hogg.pptx" /ou ""

Network

Files

memory/4336-0-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-2-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-3-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-4-0x00007FFB7356D000-0x00007FFB7356E000-memory.dmp

memory/4336-1-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-5-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-6-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-7-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-8-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-9-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-10-0x00007FFB30E60000-0x00007FFB30E70000-memory.dmp

memory/4336-11-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-12-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-16-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-15-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-14-0x00007FFB30E60000-0x00007FFB30E70000-memory.dmp

memory/4336-18-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-19-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-21-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-22-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-20-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-17-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-13-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

memory/4336-32-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-33-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-35-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-34-0x00007FFB33550000-0x00007FFB33560000-memory.dmp

memory/4336-36-0x00007FFB734D0000-0x00007FFB736C5000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libcrypto-1_1-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libcrypto-1_1-x64.dll,#1

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Network.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Network.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win7-20240508-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libcrypto-1_1-x64.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 1704 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3008 wrote to memory of 1704 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 3008 wrote to memory of 1704 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libcrypto-1_1-x64.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3008 -s 104

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240221-en

Max time kernel

117s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2340 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2340 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2340 wrote to memory of 1948 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\msvcp140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2340 -s 80

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_app.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2024 wrote to memory of 916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2024 wrote to memory of 916 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140_app.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 916 -ip 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 604

Network

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\HDHelper_[0MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\HDHelper_[0MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\HDHelper_[0MB]_[1].exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win7-20231129-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Core.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\Qt5Core.dll,#1

Network

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe

Processes

C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe

"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\x86\NvStereoUtilityOGL_[1MB]_[1].exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2716 -ip 2716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2716 -ip 2716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4376,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win7-20240611-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1640 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1640 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\vcruntime140.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1640 -s 80

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:59

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libssl-1_1-x64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\libssl-1_1-x64.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1352 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 216.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 92.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-14 17:56

Reported

2024-06-14 17:58

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\steam_api64.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\##!!SetUp_5566_Pa$sW0rd$$!!\steam_api64.dll,#1

Network

N/A

Files

N/A