Malware Analysis Report

2024-09-11 16:49

Sample ID 240615-q6pmvawhln
Target #Active_Setup_2233_P@ssWord#.rar
SHA256 cdb8b9d0d3cbe1cfa7158fcaa598d1297a90029706d72d9da6b63a1624494536
Tags
stealc vidar stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cdb8b9d0d3cbe1cfa7158fcaa598d1297a90029706d72d9da6b63a1624494536

Threat Level: Known bad

The file #Active_Setup_2233_P@ssWord#.rar was found to be: Known bad.

Malicious Activity Summary

stealc vidar stealer

Stealc

Detect Vidar Stealer

Vidar

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-15 13:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 13:52

Reported

2024-06-15 13:55

Platform

win7-20240221-en

Max time kernel

115s

Max time network

61s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 884 set thread context of 2320 N/A C:\Users\Admin\Desktop\file\Setup.exe C:\Windows\SysWOW64\netsh.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\coml.au3

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\file\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2176 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2176 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2176 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 884 wrote to memory of 2320 N/A C:\Users\Admin\Desktop\file\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 884 wrote to memory of 2320 N/A C:\Users\Admin\Desktop\file\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 884 wrote to memory of 2320 N/A C:\Users\Admin\Desktop\file\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 884 wrote to memory of 2320 N/A C:\Users\Admin\Desktop\file\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 884 wrote to memory of 2320 N/A C:\Users\Admin\Desktop\file\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2320 wrote to memory of 2512 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2320 wrote to memory of 2512 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2320 wrote to memory of 2512 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2320 wrote to memory of 2512 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2320 wrote to memory of 2512 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2320 wrote to memory of 2512 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2512 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2512 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2512 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2512 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar"

C:\Windows\system32\verclsid.exe

"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\ASPNETSetup_00001.log

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar"

C:\Users\Admin\Desktop\file\Setup.exe

"C:\Users\Admin\Desktop\file\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 148

Network

N/A

Files

\Users\Admin\Desktop\file\Setup.exe

MD5 c637e5ecf625b72f4bef9d28cd81d612
SHA1 a2c1329d290e508ee9fd0eb81e7f25d57e450f8c
SHA256 111c56593668be63e1e0c79a2d33d9e2d49cdf0c5100663c72045bc6b76e9fe6
SHA512 727d78bab4fab3674eec92ca5f07df6a0095ab3b973dd227c599c70e8493592bb53bb9208cc6270713283ef0065acfad3203ddcf4dcb6d43f8727f09ceaaf2e4

\Users\Admin\Desktop\file\tray_manager_plugin.dll

MD5 65dcbb76cbb2bbb1684186f1520e888d
SHA1 25d656c1cb3c814776779bc53e0e2b937d8441f4
SHA256 9c7e0de576932c8b2149849c96f3493bcae215f6db5996dbaf5ae1788697e8f0
SHA512 e351547e551943db0267828e283797c81b593ec303cee4d4447226e86927acac93b87226e79e1a913a1ec397b4183b7ee81a2af8764f71d7fa73c41bb102d9ca

C:\Users\Admin\Desktop\file\flutter_desktop_sleep_plugin.dll

MD5 ae8bbd77a997d05c06e459f0f3faa5af
SHA1 843ae129debba252eaebce0459adccddc1315826
SHA256 9600697c57da5a1411a227eb5fc135f20d0ea292f458290d15fb959c1f75537e
SHA512 13067ed69244f94206e642b408143409b48fb976221dbbbbdd86f0b357a8b7b0cad334a6259751a718f2149e183d322bb8b03e26abff2cdcac2826a551e27d2f

C:\Users\Admin\Desktop\file\flutter_windows.dll

MD5 9a2d29e60f24ca70eaa24d10c67258c0
SHA1 56939d04faf49f1bf22a07446d217b7ffa3f9ba0
SHA256 a2916ec602bad9e0798019b96fcfe9d26b880c310402e913294c19bd700c429e
SHA512 c030d6a6a3e34c0e9af1925e4be7c84dd47f8523cc130985d0ced419d1d3f4a05c34082b21cc468c3e44e58fddc982f7592b1ce76a552ab146f079524b68b6d1

C:\Users\Admin\Desktop\file\MSVCP140.dll

MD5 1ba6d1cf0508775096f9e121a24e5863
SHA1 df552810d779476610da3c8b956cc921ed6c91ae
SHA256 74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823
SHA512 9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

C:\Users\Admin\Desktop\file\VCRUNTIME140.dll

MD5 49c96cecda5c6c660a107d378fdfc3d4
SHA1 00149b7a66723e3f0310f139489fe172f818ca8e
SHA256 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc
SHA512 e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

C:\Users\Admin\Desktop\file\VCRUNTIME140_1.dll

MD5 cf0a1c4776ffe23ada5e570fc36e39fe
SHA1 2050fadecc11550ad9bde0b542bcf87e19d37f1a
SHA256 6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47
SHA512 d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

C:\Users\Admin\Desktop\file\url_launcher_windows_plugin.dll

MD5 7e6a40e0083af22b186b662553d679fc
SHA1 b74c38d1d33004fb27b1df8003ecd4b87a5739c1
SHA256 578323ec0b492e72987778af3811cd00b71171b1e84b92e720964543f8f3a183
SHA512 3ac74e807bddffc2965cb3878a51e5c7c3b5eab2dcf8bc1ffaa41a56e20460cd01ff6b9a00d78e1aa021f5b9c38ba4f4726d37bf42749da4fa208e3f8985c114

C:\Users\Admin\Desktop\file\windows_single_instance_plugin.dll

MD5 00c451a17ddfcd810086fb2ad794125a
SHA1 feba77a0ca91f828099a3444a93ff11b6ce40fe5
SHA256 f1430479210c19093d76435e5826e3578420933248b51164e11f0992f77ed1f1
SHA512 6ea4d2556e0b82d017cde2a3c5c9b2881daca6b5af0e92cd10be886047eb6303085244ac1bb764e96595b3ca448504591c976dfefbffca8c6cbabe28f81e78c3

C:\Users\Admin\Desktop\file\covalency.dwg

MD5 5592c01b512749d9dce7c6d5861ee385
SHA1 ad19e91e76aadda703ae31e7bcc7602c5f67fc00
SHA256 77c5dfbc5c124b1e8acb65db529b5c2ef672aa5eb39d8d1ee89325db16efa6d7
SHA512 6811ca9ffe9fdbd7bf8ed56ab95f39b2d125054578105c1561b9c428960f771d31cc49367e43a86648f04e6b4bd3cd3ffbd2b403c89a8da5574265cd48c6b855

C:\Users\Admin\Desktop\file\hermit.txt

MD5 1c9e57f556f8b1365f755dea9ae368ac
SHA1 2cdde22689c2301245b2bfc79f42e39895d25e8f
SHA256 72d1f9bf1f669b2308e28522a00a689f960d5c38bc794d17b09d8552cd8906bc
SHA512 c2b434add9c23ec97a7a98b89a1814fc0ca2ba601501a569b2a5525da4940769f49548195969b6ccf82182b2f8e5ce0930d281799484c99418add7c65fbe2eb2

memory/2028-213-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2028-214-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4ac4075e

MD5 0d91ffa72b4bdd27ea58d759f8942506
SHA1 8b9e411558ab95841497e8dfc407b60996475c62
SHA256 3f845a6f2b30cf23a34f1751400bb7ae12b9a4aa2114a8ae978f12df82290650
SHA512 1d575b32a2e7c9814abc7f25127abf30326c93a049624051302cd15aa8f582c6f00b75438887992ac0d929e14482c8343d0f4dda7dc21cac52d74ab185964e16

memory/2320-217-0x0000000077CA0000-0x0000000077E49000-memory.dmp

memory/2320-219-0x0000000073C40000-0x0000000073DB4000-memory.dmp

\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2512-226-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2512-225-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2512-228-0x0000000000810000-0x0000000000F5B000-memory.dmp

memory/2028-235-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-236-0x0000000000810000-0x0000000000F5B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 13:52

Reported

2024-06-15 14:13

Platform

win11-20240611-en

Max time kernel

458s

Max time network

462s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\#Active_Setup_2233_P@ssWord#.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
NL 52.111.243.30:443 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A