Analysis Overview
SHA256
8d2410c9bfb3a1f474b1788b1ceef5e08e46492d2f1ced167ac15ce9612cc66c
Threat Level: Known bad
The file VELOCITY SPOOFER.rar was found to be: Known bad.
Malicious Activity Summary
Agenttesla family
AgentTesla
AgentTesla payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Executes dropped EXE
Loads dropped DLL
Checks BIOS information in registry
Themida packer
Maps connected drives based on registry
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Checks installed software on the system
Unsigned PE
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-16 05:21
Signatures
AgentTesla payload
Agenttesla family
Themida packer
Unsigned PE
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-16 05:21
Reported
2024-06-16 05:24
Platform
win11-20240611-en
Max time kernel
89s
Max time network
95s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\681eb157d5c1627b33\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A (5 DLL loads recorded) | N/A | C:\681eb157d5c1627b33\Setup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\681eb157d5c1627b33\Setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\681eb157d5c1627b33\Setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (8 enumeration events recorded) | N/A | C:\681eb157d5c1627b33\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1432 wrote to memory of 864 (3 writes recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\net472.exe | C:\681eb157d5c1627b33\Setup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\net472.exe
"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\net472.exe"
C:\681eb157d5c1627b33\Setup.exe
C:\681eb157d5c1627b33\\Setup.exe /x86 /x64 /web
Network
Files
C:\681eb157d5c1627b33\Setup.exe
| MD5 | 9f409f3f3a03d2f0d0c47c1916722b1e |
| SHA1 | 2553e3e85a09029398875bfd3983232a1223a22d |
| SHA256 | a175b72bbbf835b648e4a075490cdfa7ecf3e499281b9ecc8b8b9834747968af |
| SHA512 | 0b9dabd8bfe996d3a51c20e819d79cd4892f77c45cb285e4829119074840e5735c2164f885ffa0dee2f555f4bfb32a2c333c696e0bff71d28cbab731ab72a1ad |
C:\681eb157d5c1627b33\SetupEngine.dll
| MD5 | 8edfa746bcaa4a1d45c02163edd42153 |
| SHA1 | 98c833a3122133a69f1e14c51c850f4ea3017f75 |
| SHA256 | 48af6e91a55abca83072200b07e22864f891af80ea99b55e2f755bca786d3d55 |
| SHA512 | 60436c90cb87f579d3538a3af1487a9122810eb7bd29b4fe12f42550ac18817795b4669423def9c2d4f5b2f66e249f19cd9f23eb6a3972ddbaaf5050706c4240 |
C:\681eb157d5c1627b33\sqmapi.dll
| MD5 | 0c0e41efeec8e4e78b43d7812857269a |
| SHA1 | 846033946013f959e29cd27ff3f0eaa17cb9e33f |
| SHA256 | 048d51885874d62952e150d69489bcfb643a5131ce8b70a49f10dfb34832702c |
| SHA512 | e11da01852a92833c1632e121a2f2b6588b58f4f2166339a28dd02dad6af231a2260a7e5fc92e415d05aa65b71e8bbda065e82a2db49bb94b6cf2fe82b646c28 |
C:\Users\Admin\AppData\Local\Temp\HFI4B62.tmp.html
| MD5 | 98a936a09e62a4f16acbefeb4129a254 |
| SHA1 | 4578028aa54f28d1e67cf741c8c1c7028a758802 |
| SHA256 | 8dfedbd518fcf52a309cb821b9a0311414b6d1977cf0497bd32be14f24ff9ba1 |
| SHA512 | 7dc2eb14e486b27f49a9522ad239147f7e49b860786f6c087d916684e45de1af93281ab8a7662e7be8b169dea9b4fb83b4387b0618152cf18f7d1d910944189c |
C:\681eb157d5c1627b33\DHTMLHeader.html
| MD5 | cd131d41791a543cc6f6ed1ea5bd257c |
| SHA1 | f42a2708a0b42a13530d26515274d1fcdbfe8490 |
| SHA256 | e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb |
| SHA512 | a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a |
C:\681eb157d5c1627b33\UiInfo.xml
| MD5 | cb78d0ca2b26ab8ed781819e722567a2 |
| SHA1 | 65b909a6420aae40193ef591565873c6e73a868c |
| SHA256 | 7e6d551037d889ee3eb5fab8b84f23cc9ce459c6150104a5d7f5c78ecf81c6d0 |
| SHA512 | c6c9ea01dc90e7099a5baa543c1784e18a703cb2a733db92abd7e4be0e19453a765bc0da85054eab1c5452b1f58ae4892cd9e0820fd8b71d4a03cf0b25315ab3 |
C:\681eb157d5c1627b33\ParameterInfo.xml
| MD5 | 36837cdb9209e5924ff65a69e9be7534 |
| SHA1 | a31dedd58d65755cfd3b8edbecf49ee0bc7e2edc |
| SHA256 | 1d395b3d453d14f95c80dbd69a66f5b82caee182d3ac5c2cccedf0fe2ab4ee12 |
| SHA512 | 44c6a4a7131bc30c97e07698b3be7d418880b8940b77e635b503a104bab6916a3a254c48f9e9d58999204995cc278e4a3efdf45f06b0927fd304b68d95e5d1a4 |
C:\681eb157d5c1627b33\SplashScreen.bmp
| MD5 | bc32088bfaa1c76ba4b56639a2dec592 |
| SHA1 | 84b47aa37bda0f4cd196bd5f4bd6926a594c5f82 |
| SHA256 | b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7 |
| SHA512 | 4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830 |
C:\681eb157d5c1627b33\1033\LocalizedData.xml
| MD5 | 2640d0f6737cb3d2a6bdb85bd7cec3d4 |
| SHA1 | 4948ab621477ae6609d2c87e49f7a6c421b91acf |
| SHA256 | 47a78abb0463514e38f58dc852033b3d6a860b6ff78e9eb840252b811ca07b43 |
| SHA512 | 94fd8a425253861fed41ce4c48b04a298fa9b40ba2b99e16bc5cb52c02d84c405586c805279bc66111ba8fa076dbaf8e3d4c309d9601708206fc632d1c0c8136 |
C:\681eb157d5c1627b33\1025\LocalizedData.xml
| MD5 | 02ab15e715c7d1ae4ece7690cdf5a294 |
| SHA1 | 6c998ab25338f369c474ac9e2ac47c5c8538db60 |
| SHA256 | 954c175f9adb86be3a0f8e9ac3ff8518fa7b6ca18d08aa5ef69b8bccdf90197d |
| SHA512 | bc7bee61267c65c1ba3ddaddf241e4e44201bfbb8f568dcb1f8e69eff338309cdd0dc4f7099da6f2300eb82487ae420701d5819955c5327da1be87d48a926cd0 |
C:\681eb157d5c1627b33\1032\LocalizedData.xml
| MD5 | 57650e70903871e960b49e65dce6e9f9 |
| SHA1 | 4574188dfa8d28bfadcf58572e800f1171f89fde |
| SHA256 | 1014aedc8e8af3094df5ee650264b5e3a0405e7ff15f9cc2e93c20c2eeb0e48a |
| SHA512 | 8158e041b731b53c42d77022b3551049cb8998ff7be7471d874b8b246718392e1a222215dbe44a5f23cb8cec1c86d3abda38d266ed37c2b853e0e65ba8c04e19 |
C:\681eb157d5c1627b33\1031\LocalizedData.xml
| MD5 | 6dbdfcd42c445771a1be1d6a979e5749 |
| SHA1 | d4f9ca38ada2959eb9f1170c7f8186f1146d4cb1 |
| SHA256 | 1160e3c01d50c4c2a9975e33eb79fd567a6b82f0e68270d705f8abc1f30c2e23 |
| SHA512 | 5fe927ef6e13ee1386d131f20c265026c9f8977a20c97144d8110c33b7757d626d190c9fb7768cef58666197e2d4a7228eda6eb776e8cade456067ea78479b67 |
C:\681eb157d5c1627b33\1030\LocalizedData.xml
| MD5 | 8d00b037478dd7d49f71762737240958 |
| SHA1 | 832772a63671209fba379caa17b2786e5a45e41b |
| SHA256 | 3afc5c85a625d9526c13e7a5c088f44ba0ae8155b93f006c7f65cf1cf807dff6 |
| SHA512 | 024e8430ada12f0e7960fa9f33ab2b6b4f2241afb4b40a883f2344fc04aa0916d3000429fda2059331cf7bd78983c3397a700b1c14dc26af3b1c67c0182e3560 |
C:\681eb157d5c1627b33\1029\LocalizedData.xml
| MD5 | f3920542a960c87163a56c543cefd324 |
| SHA1 | 7d3d3fd793a7d6d9b51c3186f248e85ee2bba926 |
| SHA256 | bc268ae7c59a667831d4146e075c31dad36ec7a37d2f4cb786e738c79771252d |
| SHA512 | 3dee2ba996a325ab1f42e21de3300307c600d8c1032af0c7282de352805fdde2e07fd2f2336fe2a23ea3ac91cf45a7914f1cb97cf3f5d7e47c879f7c0054ac3e |
C:\681eb157d5c1627b33\1028\LocalizedData.xml
| MD5 | 76f7b1cef1a49c82b47b90d04cb039d7 |
| SHA1 | 4ac2ae25878c6a598b9cb355a59c060ab9f61497 |
| SHA256 | 05327b7a1c41170fe226ff9079752e26a3a91b5c98e66317e1d90b216df100fc |
| SHA512 | 434059db641a566e791868f67248cad551f1d3151b82493fd5beaee05005ae79374b851860b4cb69aeda12a9d6b1daccf9b6f294e5cf3353af1aa044a871f1d3 |
C:\681eb157d5c1627b33\1040\LocalizedData.xml
| MD5 | 08d44237c079905a1790ce4f248766d1 |
| SHA1 | 8b7731a0d2353bc196f4baf882963dcd63208f7f |
| SHA256 | 4496e4f201007336d7074e69f489512ed972f22bb7824d6912cf5393ab84aa5a |
| SHA512 | bbc145ef2e9af63c32e43102b6164eda0e6389ab60671ff4cc23606afa743fb07c762711d58fa35d94bd2c1f3354eace6f7642dcd969ec2c56f49f73b8a4b0bf |
C:\681eb157d5c1627b33\1038\LocalizedData.xml
| MD5 | 4e4a8d918f7d6f9c7f703d32e02b0616 |
| SHA1 | 54aa1acaa00e2fed592d9fca89019d5e20953490 |
| SHA256 | e7d59bd7f25e498c1beaff4410c99915cf9196a64bcaed65ee78c2050e775265 |
| SHA512 | 4b5b6db2de1380a11c31f3f70d44740594557c2b36c5aefd8a9b7fcf045821605afb5adc36c5884501af070fd74efeac7e5e6d87e54758574617fd6153fe1f6f |
C:\681eb157d5c1627b33\1037\LocalizedData.xml
| MD5 | 56329f193fdd4cb90668342ba38b8bbe |
| SHA1 | 9471a902509ad3229a8dff03cee2fa092af2e8b8 |
| SHA256 | f40ecf915e020f5e80da0f4507563e6e986d0082e32388e419bb2cb9ab278ba0 |
| SHA512 | 017d9b2ff58cc3236c4eca34cc502930b69bdb9f77b89ea5075305492437740819375247017d9000932d898f05b526679c879415a243e3da7abb1b39815b33b2 |
C:\681eb157d5c1627b33\1036\LocalizedData.xml
| MD5 | c4e7d53b6230a96a51a9229a38649f6b |
| SHA1 | e8803c413e849c2284ecb4e6413a9c806aff4356 |
| SHA256 | 5063961620f393ec42aca367543bbac7ab060ce755bb21893961c7ed3e0b8181 |
| SHA512 | 6c55d234cb9016526690c83bc37280bf35bb3e0dd931bc8a8c2042f6544c1411795d1d4c5b4cda8699151c6de50350bb14ea8262ee47a6b630c808650bbc66bc |
C:\681eb157d5c1627b33\1035\LocalizedData.xml
| MD5 | 6db3905aa9cdbb5218945b2f039bd918 |
| SHA1 | 8b083a073476c33619f1a7e59143e834a0aaeba8 |
| SHA256 | 3b2ae103414d88df359138e6300a42b4b81a4a9ec029647cd92a91507f6790e4 |
| SHA512 | 0758f118d25177a5b25ea3a28ff1980047006f3635da8f606c2da444e43978d3caf9576a0d40da5fdd06d4b3c93d19b6f3a6ea0ff7a2a4dcf84b12ba5a3d0285 |
C:\681eb157d5c1627b33\1044\LocalizedData.xml
| MD5 | 0aec9e12bdc036632554bfa7acf02364 |
| SHA1 | 52fc4760f0b177e02162dbd2e8f864f09dd40b46 |
| SHA256 | ca7402592b3d15c1a0cc489e8c6e3bedbe686e6c25491f1d3dfdb8991ca2aeea |
| SHA512 | ed97c2a059dc54cf4952060ec6415b3a3b437c7e4255bcb326789f5977532660bbb9d05a59c9e567742d225e875a88aa5fabb545166460ad8eb108304b666b9b |
C:\681eb157d5c1627b33\1045\LocalizedData.xml
| MD5 | 41e0beb3b84b4c515914361d4d0faca2 |
| SHA1 | abd800e9b47ea64a1d59ece318e346d17c0a36d9 |
| SHA256 | 3dc70b6cc40369c955fc93e452d890372375758bd74fae2093c19f79c65c0add |
| SHA512 | 39057093b3e698d3a6abd25a25a04a3cd0813ee7803ae818f5c26d150b76cc0474a22521d468bfd1012c99d85a410b16668db4b460894b5d255a0028dc9c0bf5 |
C:\681eb157d5c1627b33\1043\LocalizedData.xml
| MD5 | 7ed59b3f7090880fdca53615aaf0b1b8 |
| SHA1 | ed741c332e76e42dc84e44872fb320679b39d528 |
| SHA256 | 15896789b0db777822afeab092f5875f1ec34427c149d9a76a73c7d4c305c8a7 |
| SHA512 | 74b5ad365e208f25d1023b9db5cb450ae8c1a3cc52ae8e850a537010cfea6d47940ddc725638c90413ba4b4e81859cb5f924a894f90e568da76345a26cd09f67 |
C:\681eb157d5c1627b33\1042\LocalizedData.xml
| MD5 | bd35a3f092019cdda9aed34580aad75b |
| SHA1 | 2716acf6f85be4b98e8b113f053e072a437b9aea |
| SHA256 | 08bd53d0c3500faf56aca1aaa3066887415581977d3b1dc87c82d7243a0fc74c |
| SHA512 | fd2110ead353f46bda1c055deaaebdd3fd6c72df274ec1826e1e1429d8ed87dfbe24c2e0aa09d32271161d136515cf31ddca334041c71d355aafb995d2fd6a98 |
C:\681eb157d5c1627b33\1041\LocalizedData.xml
| MD5 | cd14395e8e607de625a274651eb5a52b |
| SHA1 | 402dc99037a2cc2c8da53f52dc9559782bcc1851 |
| SHA256 | 4c5ead9dbe4444405f9d9cfe1d400996f336251d75c264f31521d634cb0095ca |
| SHA512 | 32accc7cfd5b3a2973db995d4c846844e72d5d6ff7adddb89b7a4fb274e4acb18478e7e357e5151bfd99fafe43e1e55ca0518d79d9b8ffdff06484a5c6c627df |
C:\681eb157d5c1627b33\3082\LocalizedData.xml
| MD5 | 9dd24f4d210e2139badbb7e0ea897c87 |
| SHA1 | 4aace4240fcc09d433bd82684064136e2145ac4f |
| SHA256 | 509cfa220321582a56ec21959dfd8a7c55bb3070ad5bb738b074a14188e80593 |
| SHA512 | 97af7279463e4dd69344745dbe7a29b7bd536e795524ce0c24b5672e4c7a4203d3ae0cf6c46f69d491edfcb3efe3a57ddc27ea9f6e213fbc0f4a537cf93d2949 |
C:\681eb157d5c1627b33\2070\LocalizedData.xml
| MD5 | 4c00a85cd7bf97400b70d1de3859e061 |
| SHA1 | fd5e38e0c92da14373e28600a8396a17102b15fe |
| SHA256 | 93039cf880eaca54ccc48f159848a17f2c30fa70d334cf2b9eedbcc5aefb27fb |
| SHA512 | 7005b3c8c6b775a31bce1cea6924bcb929217d288e6bce390a5e591098a39ac0de321474591b56333b6d84167862bcfa12cbb65b9fa0b767961248ae3eae0f64 |
C:\681eb157d5c1627b33\2052\LocalizedData.xml
| MD5 | ef091f3efb7b9270502f2eb939c970cf |
| SHA1 | 62f0a992fe9f032bc8197b89daf0a37a34e34a40 |
| SHA256 | 6063d64a1d09d1a33ea3c4fe0a9446bafd5ca69786351f3bdbbd9a9ddc283676 |
| SHA512 | 1713da86ea18be10984314139d3fa78d55de47c04e51c2e869875fec313a5ac8d9da9850a0c1295dc95b62b43351aa735fe407446ed3c8a5a590e64a98378e30 |
C:\681eb157d5c1627b33\1055\LocalizedData.xml
| MD5 | 9b47a98c389ced8315fe4b477c9ad06d |
| SHA1 | a52933f5e3e40fa5bb871a3ce33e41342d751ecd |
| SHA256 | 979d4402c8ba85a265cdabda3de7e0f5ab0715fb83faa63c8484095e866ed4ef |
| SHA512 | 32e2c5bed2c18122bbd434f983dffb4ee318aa28200e4a2e1343591387c81acd4af063874787e4eb9ff110bc456ea888420f59f5afbfe7e0a5fac62213deb597 |
C:\681eb157d5c1627b33\1053\LocalizedData.xml
| MD5 | a6c1f2a9c0c3367bb484a0322392ecf3 |
| SHA1 | 26887a144de9e1961be84cec5aab58225967dd77 |
| SHA256 | 8abcf315769b6fae1751133bb2dbcba6bf0b0ef4c37304dc466824c77db22ba9 |
| SHA512 | cb39a1435c0721bac2c44b8ca8873218a1dfda849d478de0e5e75f8fd6762b556a869de3646c5a3394e5367914a87170d5743bcb5c2f91773561d8a526eaa487 |
C:\681eb157d5c1627b33\1049\LocalizedData.xml
| MD5 | 1bc37bac6c635d56bd68e785950955d1 |
| SHA1 | 4e16ed5dde6f2d37449137f2e414761718e4e6f5 |
| SHA256 | 5c6eeb4c977a4c371dbc787d0cf1ad503fbe5d13c10d9b69664954974e15a899 |
| SHA512 | 9a7ae5e495a9863ca0c44107b253d387b8a4c442081974acb030593e98895cdcd80f93b16397a244e45b80d99d2b22edca8b7bdfff5715cb633bf040e7a35192 |
C:\681eb157d5c1627b33\1046\LocalizedData.xml
| MD5 | 11776bf8799541b1fe275f316800f736 |
| SHA1 | 67b2b1893ce2d4ea3a7db5bbc9276d1a5b19ac01 |
| SHA256 | 9139f6acae8399628c522e8bd1d714e92be225bc33e696c1bfbeccd6d0e233de |
| SHA512 | b7bdb2c9f4f81d21281ccd553f7882e4475c2e01c9c37a2045e5caa48974a7dd796806ae1a76286360e9d314d4da18f4a4cac77e73ca84c9eb3705097c881879 |
C:\681eb157d5c1627b33\SetupUi.dll
| MD5 | 21efe4d0b6ffb7caf7a6ea256877e930 |
| SHA1 | 5aaef5d7a4541b579555e8f913565a0ad77b7494 |
| SHA256 | 4a01bcc389fe637af4d79b698c77e2cc2d73f1acca3b5e654b9ba4123311de1a |
| SHA512 | 43f8bb6eef60425292eb2d4afdaa178213c7d6c2a116d8d280608baceb7a7d4e6875a809e68419fcd5aa087ca6ce78c1ea48e2cc231812033ecc858dc54addd4 |
C:\681eb157d5c1627b33\SetupUi.xsd
| MD5 | a9f6a028e93f3f6822eb900ec3fda7ad |
| SHA1 | 8ff2e8f36d690a687233dbd2e72d98e16e7ef249 |
| SHA256 | aaf8cb1a9af89d250cbc0893a172e2c406043b1f81a211cb93604f165b051848 |
| SHA512 | 1c51392c334aea17a25b20390cd4e7e99aa6373e2c2b97e7304cf7ec1a16679051a41e124c7bc890b02b890d4044b576b666ef50d06671f7636e4701970e8ddc |
C:\681eb157d5c1627b33\1033\SetupResources.dll
| MD5 | c860fc21966746cfaf204ec887bb50ba |
| SHA1 | 2a4f6056ea39406dd4dfdb7904813dee8b5fb78a |
| SHA256 | cc7305f65b9d6468330a9e7f8f95f78044202832b9fe681423ed880293d82ef3 |
| SHA512 | 4a5c4ca0d009411fd5f0d9d6c4b11ab2e7094938f3d5be618b1bde4e919f8dcaa5663110a31d0de82a2c8111804b3bbd22a973b6aec66c0e5657a60c76511019 |
C:\681eb157d5c1627b33\Strings.xml
| MD5 | 8a28b474f4849bee7354ba4c74087cea |
| SHA1 | c17514dfc33dd14f57ff8660eb7b75af9b2b37b0 |
| SHA256 | 2a7a44fb25476886617a1ec294a20a37552fd0824907f5284fade3e496ed609b |
| SHA512 | a7927700d8050623bc5c761b215a97534c2c260fcab68469b7a61c85e2dff22ed9cf57e7cb5a6c8886422abe7ac89b5c71e569741db74daa2dcb4152f14c2369 |
memory/864-256-0x0000000002E70000-0x0000000002E71000-memory.dmp
C:\681eb157d5c1627b33\graphics\setup.ico
| MD5 | 6125f32aa97772afdff2649bd403419b |
| SHA1 | d84da82373b599aed496e0d18901e3affb6cfaca |
| SHA256 | a0c7b4b17a69775e1d94123dfceec824744901d55b463ba9dca9301088f12ea5 |
| SHA512 | c4bdcd72fa4f2571c505fdb0adc69f7911012b6bdeb422dca64f79f7cc1286142e51b8d03b410735cd2bd7bc7c044c231a3a31775c8e971270beb4763247850f |
C:\681eb157d5c1627b33\graphics\print.ico
| MD5 | d39bad9dda7b91613cb29b6bd55f0901 |
| SHA1 | 6d079df41e31fbc836922c19c5be1a7fc38ac54e |
| SHA256 | d80ffeb020927f047c11fc4d9f34f985e0c7e5dfea9fb23f2bc134874070e4e6 |
| SHA512 | fad8cb2b9007a7240421fbc5d621c3092d742417c60e8bb248e2baa698dcade7ca54b24452936c99232436d92876e9184eaf79d748c96aa1fe8b29b0e384eb82 |
C:\681eb157d5c1627b33\graphics\save.ico
| MD5 | c66bbe8f84496ef85f7af6bed5212cec |
| SHA1 | 1e4eab9cc728916a8b1c508f5ac8ae38bb4e7bf1 |
| SHA256 | 1372c7f132595ddad210c617e44fedff7a990a9e8974cc534ca80d897dd15abd |
| SHA512 | 5dabf65ec026d8884e1d80dcdacb848c1043ef62c9ebd919136794b23be0deb3f7f1acdff5a4b25a53424772b32bd6f91ba1bd8c5cf686c41477dd65cb478187 |
C:\681eb157d5c1627b33\graphics\warn.ico
| MD5 | c8824ea3ce0a54ff1e89f8a296b4e64b |
| SHA1 | 333feb78e9bb088650ce90dea0f0ccc57d54a803 |
| SHA256 | 4bb9ea033f4e93dbf42fc74e6faf94fe8b777a34836f7d537436cbe409fd743f |
| SHA512 | c40e40e0cb2aaa7cf7cccbe29ca4530ff0e0a4de9a7328996305db6dfd6994cbe085fab7b8f666bbd3d1efd95406ea26b1376aa81908ace60dc131a4e9c32d40 |
memory/864-261-0x0000000002E70000-0x0000000002E71000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-16 05:21
Reported
2024-06-16 05:24
Platform
win11-20240611-en
Max time kernel
88s
Max time network
93s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 (LUID 34, SeTimeZonePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 (LUID 35, SeCreateSymbolicLinkPrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 (LUID 36, SeDelegateSessionUserImpersonatePrivilege) | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
The report repeats this 21-privilege sequence once per WMIC.exe launch (three full cycles and the start of a fourth before the listing stops at 64 rows; this run launches WMIC.exe five times). WMIC.exe enables every privilege already present in its token when it starts, so the sequence reflects the tool and the token it inherited, not anything Checker.bat requested. Tokens 33 to 36 are privilege LUIDs the sandbox did not resolve to names; the names in parentheses are the standard winnt.h assignments.
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Serial Checker\Checker.bat"
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get model, serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_computersystemproduct get uuid
C:\Windows\system32\getmac.exe
getmac
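Checker.bat does nothing but read hardware identity sources (disk, CPU, BIOS and baseboard serial numbers, the SMBIOS UUID and MAC addresses), which is the HWID-collection step of a spoofer and also the step that is easiest to spot in process telemetry. The following is an added example, not code from the report or from the tool it describes: it replays constructed process-creation events with the fields a Sysmon Event ID 1 record carries and flags any parent whose children read several distinct identity sources within a short window. One `wmic bios get serialnumber` from an admin shell is ordinary; five different serial queries plus getmac from the same parent within seconds is the pattern above. The event layout, the 30-second window, the threshold of three sources, the PIDs and the sample data are assumptions made for this example; the six command lines are the ones the report lists.

```python
"""Flag a hardware-fingerprinting burst like the one Checker.bat produces.

Added example, not part of the sandbox report. Event layout, window,
threshold and sample data are assumptions; the command lines are the ones
the report shows for behavioral4.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import re


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    parent_pid: int
    parent_image: str
    image: str
    cmdline: str


# Each pattern maps a command line to the hardware identity source it reads.
HWID_SOURCES = {
    "disk_serial":      re.compile(r"\bwmic\b.*\bdiskdrive\b.*\bserialnumber\b", re.I),
    "cpu_serial":       re.compile(r"\bwmic\b.*\bcpu\b.*\bserialnumber\b", re.I),
    "bios_serial":      re.compile(r"\bwmic\b.*\bbios\b.*\bserialnumber\b", re.I),
    "baseboard_serial": re.compile(r"\bwmic\b.*\bbaseboard\b.*\bserialnumber\b", re.I),
    "smbios_uuid":      re.compile(r"\bwmic\b.*\bwin32_computersystemproduct\b.*\buuid\b", re.I),
    "mac_address":      re.compile(r"\bgetmac\b", re.I),
}


def classify(cmdline: str) -> Optional[str]:
    """Return the identity source a command line reads, or None."""
    for name, pattern in HWID_SOURCES.items():
        if pattern.search(cmdline):
            return name
    return None


def find_hwid_bursts(events: List[ProcEvent], min_sources: int = 3,
                     window: timedelta = timedelta(seconds=30)) -> Dict[int, List[str]]:
    """Return {parent_pid: sorted sources} for every parent whose children
    touch at least `min_sources` distinct identity sources inside `window`."""
    by_parent: Dict[int, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        source = classify(ev.cmdline)
        if source:
            by_parent[ev.parent_pid].append((ev.ts, source))

    hits: Dict[int, List[str]] = {}
    for ppid, seq in by_parent.items():
        for i, (t0, _) in enumerate(seq):
            # distinct sources reached within `window` of the i-th child
            seen = {src for ts, src in seq[i:] if ts - t0 <= window}
            if len(seen) >= min_sources:
                hits[ppid] = sorted(seen)
                break
    return hits


# Constructed sample: the behavioral4 chain replayed under a cmd.exe with the
# assumed PID 2048, plus one lone wmic query from an unrelated shell (PID 999)
# five minutes later that must not be flagged.
_T0 = datetime(2024, 6, 16, 5, 22, 0)
_CMD = r"C:\Windows\system32\cmd.exe"
_WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
SAMPLE_EVENTS = [
    ProcEvent(_T0 + timedelta(seconds=i), 2048, _CMD, img, cmd)
    for i, (img, cmd) in enumerate([
        (_WMIC, "wmic diskdrive get model, serialnumber"),
        (_WMIC, "wmic cpu get serialnumber"),
        (_WMIC, "wmic bios get serialnumber"),
        (_WMIC, "wmic baseboard get serialnumber"),
        (_WMIC, "wmic path win32_computersystemproduct get uuid"),
        (r"C:\Windows\system32\getmac.exe", "getmac"),
    ])
] + [
    ProcEvent(_T0 + timedelta(minutes=5), 999,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              _WMIC, "wmic bios get serialnumber"),
]

if __name__ == "__main__":
    for ppid, sources in find_hwid_bursts(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: {len(sources)} identity sources -> {', '.join(sources)}")
```

To run this on real telemetry, build `ProcEvent` records from the ParentProcessId, Image and CommandLine fields of Sysmon Event ID 1 (or the equivalent EDR process-start event) and key on the parent process GUID rather than the PID if PID reuse is a concern. Keying on the parent is what separates this chain from the WMIC privilege noise in the table above: the privileges are enabled by every WMIC.exe launch, but only a fingerprinting script drives six different identity queries from one parent.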
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-16 05:21
Reported
2024-06-16 05:24
Platform
win11-20240508-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\Guna.UI2.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-16 05:21
Reported
2024-06-16 05:24
Platform
win11-20240611-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
AgentTesla
AgentTesla payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A (2 enumeration events recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe | N/A |
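The AgentTesla family tag on this submission comes from a static signature with no indicator attached; what the behavioral6 run actually records for VELOCITYSPOOFER V3.0.3 .exe is a Themida-packed binary that probes for VirtualBox and VMware artifacts, reads BIOS and disk identity strings, checks EnableLUA, hides a thread from the debugger and then talks TLS to keyauth.win. The following is an added example, not code from the report or from the sample: it takes registry accesses written the way the Signatures tables print them (the \REGISTRY\MACHINE prefix, WOW6432Node redirection, ControlSet001) and tags each with the evasion or fingerprinting technique it serves. The rules cover the keys shown above for VELOCITYSPOOFER V3.0.3 .exe and Setup.exe; the FADT and RSDT spellings of the VBOX__ ACPI table and the SystemBiosDate value go beyond the report and are included because the same anti-VM checks read them. The category names, the verdict rule and the sample input are assumptions made for this example.

```python
r"""Tag sandbox registry accesses with the evasion technique they serve.

Added example, not part of the sandbox report. Category names, the verdict
rule and the sample input are assumptions; the key paths come from the
behavioral3 and behavioral6 tables, plus the FADT/RSDT VBOX__ tables and
SystemBiosDate, which the same anti-VM checks also read.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple


def normalize_key(path: str) -> str:
    r"""Rewrite a native registry path into lower-case HKLM\... form.

    Drops the WOW6432Node redirection and folds ControlSet00N into
    CurrentControlSet so one rule matches both spellings of a key.
    """
    key = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    key = re.sub(r"\\WOW6432Node(?=\\)", "", key, flags=re.I)
    key = re.sub(r"\\ControlSet\d{3}(?=\\)", r"\\CurrentControlSet", key, flags=re.I)
    return key.lower()


# (category, pattern over the normalised key); first match wins.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vm_artifact:virtualbox", re.compile(r"^hklm\\hardware\\acpi\\(dsdt|fadt|rsdt)\\vbox__")),
    ("vm_artifact:virtualbox", re.compile(r"^hklm\\software\\oracle\\virtualbox guest additions")),
    ("vm_artifact:vmware", re.compile(r"^hklm\\software\\vmware, inc\.\\vmware tools")),
    ("firmware_fingerprint", re.compile(
        r"^hklm\\hardware\\description\\system\\(systembiosversion|videobiosversion|systembiosdate)$")),
    ("firmware_fingerprint", re.compile(r"^hklm\\hardware\\description\\system\\bios(\\|$)")),
    ("disk_fingerprint", re.compile(r"^hklm\\system\\currentcontrolset\\services\\disk\\enum(\\|$)")),
    ("cpu_fingerprint", re.compile(r"^hklm\\hardware\\description\\system\\centralprocessor\\")),
    ("uac_probe", re.compile(
        r"^hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua$")),
]


def classify_key(path: str) -> Optional[str]:
    """Return the category of a registry path, or None if no rule matches."""
    key = normalize_key(path)
    for category, pattern in RULES:
        if pattern.search(key):
            return category
    return None


def summarize(accesses: Iterable[Tuple[str, str]]) -> Tuple[Dict[str, List[str]], str]:
    """Group (operation, path) accesses by category and derive a verdict.

    A direct hypervisor-product key is taken as anti-VM on its own; BIOS
    strings combined with the disk device-ID enumeration are the indirect
    form of the same check (both hold vendor strings such as the VM's).
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for operation, path in accesses:
        category = classify_key(path)
        if category:
            groups[category].append(f"{operation}: {normalize_key(path)}")
    if any(c.startswith("vm_artifact:") for c in groups):
        verdict = "anti-vm"
    elif "firmware_fingerprint" in groups and "disk_fingerprint" in groups:
        verdict = "anti-vm (indirect)"
    elif groups:
        verdict = "fingerprinting"
    else:
        verdict = "none"
    return dict(groups), verdict


# Constructed samples copied from the tables above (operation, path).
SPOOFER_ACCESSES = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions"),
    ("Key opened", r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"),
    ("Key value queried", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0"),
    ("Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion"),
]
SETUP_ACCESSES = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz"),
]

if __name__ == "__main__":
    for name, sample in (("VELOCITYSPOOFER V3.0.3 .exe", SPOOFER_ACCESSES), ("Setup.exe", SETUP_ACCESSES)):
        groups, verdict = summarize(sample)
        print(f"{name}: {verdict}; {', '.join(f'{k}={len(v)}' for k, v in groups.items())}")
```

The point of the verdict split is the contrast visible in this report: Setup.exe reads CentralProcessor\0\~MHz, which on its own is the kind of lookup an installer does, while the spoofer binary names two hypervisor products outright and also reads the BIOS and disk strings that would expose a third.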
Processes
C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe
"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\VELOCITY SPOOFER\VELOCITYSPOOFER V3.0.3 .exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 5.0.26.104.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3724-0-0x0000000000400000-0x0000000001C1E000-memory.dmp
memory/3724-2-0x00000000771B0000-0x00000000772A0000-memory.dmp
memory/3724-1-0x00000000771C6000-0x00000000771C7000-memory.dmp
memory/3724-3-0x00000000771B0000-0x00000000772A0000-memory.dmp
memory/3724-4-0x00000000771B0000-0x00000000772A0000-memory.dmp
memory/3724-6-0x0000000000400000-0x0000000001C1E000-memory.dmp
memory/3724-7-0x0000000000400000-0x0000000001C1E000-memory.dmp
memory/3724-8-0x0000000006290000-0x0000000006836000-memory.dmp
memory/3724-9-0x0000000006840000-0x00000000068D2000-memory.dmp
memory/3724-10-0x0000000006220000-0x0000000006232000-memory.dmp
memory/3724-11-0x0000000006A80000-0x0000000006C94000-memory.dmp
memory/3724-12-0x0000000007000000-0x000000000700A000-memory.dmp
memory/3724-13-0x000000000A120000-0x000000000A15C000-memory.dmp
memory/3724-14-0x00000000771B0000-0x00000000772A0000-memory.dmp
memory/3724-16-0x000000000A230000-0x000000000A296000-memory.dmp
memory/3724-17-0x0000000000400000-0x0000000001C1E000-memory.dmp
memory/3724-18-0x00000000771C6000-0x00000000771C7000-memory.dmp
memory/3724-20-0x00000000771B0000-0x00000000772A0000-memory.dmp
memory/3724-21-0x00000000771B0000-0x00000000772A0000-memory.dmp
memory/3724-22-0x00000000771B0000-0x00000000772A0000-memory.dmp
memory/3724-23-0x00000000771B0000-0x00000000772A0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-16 05:21
Reported
2024-06-16 05:24
Platform
win11-20240611-en
Max time kernel
91s
Max time network
95s
Command Line
Signatures
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 332 wrote to memory of 944 (3 writes recorded) | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe | C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe
"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe"
C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe
"C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\VC_redist.x64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=684
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Windows\Temp\{93DCFEF4-1364-40B8-9048-458DC1FAB7B0}\.cr\VC_redist.x64.exe
| MD5 | ae0540106cfd901b091d3d241e5cb4b0 |
| SHA1 | 97f93b6e00a5069155a52aa5551e381b6b4221eb |
| SHA256 | 8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c |
| SHA512 | 29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177 |
C:\Windows\Temp\{9CB81274-3340-401E-B7FC-44A354D28761}\.ba\wixstdba.dll
| MD5 | eab9caf4277829abdf6223ec1efa0edd |
| SHA1 | 74862ecf349a9bedd32699f2a7a4e00b4727543d |
| SHA256 | a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041 |
| SHA512 | 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2 |
C:\Windows\Temp\{9CB81274-3340-401E-B7FC-44A354D28761}\.ba\logo.png
| MD5 | d6bd210f227442b3362493d046cea233 |
| SHA1 | ff286ac8370fc655aea0ef35e9cf0bfcb6d698de |
| SHA256 | 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef |
| SHA512 | 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-16 05:21
Reported
2024-06-16 05:24
Platform
win11-20240508-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup32.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\DirectX\WebSetup | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SETA0A5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SETA0A5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\dsetup.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\directx\websetup\SETA0B5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
| File created | C:\Windows\SysWOW64\directx\websetup\SETA0B5.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DirectX.log | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1028 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 1028 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
| PID 1028 wrote to memory of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe
"C:\Users\Admin\AppData\Local\Temp\VELOCITY SPOOFER\Install These\dxwebsetup.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
| MD5 | ac3a5f7be8cd13a863b50ab5fe00b71c |
| SHA1 | eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9 |
| SHA256 | 8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da |
| SHA512 | c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
| MD5 | ad8982eaa02c7ad4d7cdcbc248caa941 |
| SHA1 | 4ccd8e038d73a5361d754c7598ed238fc040d16b |
| SHA256 | d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00 |
| SHA512 | 5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dsetup.dll
| MD5 | 984cad22fa542a08c5d22941b888d8dc |
| SHA1 | 3e3522e7f3af329f2235b0f0850d664d5377b3cd |
| SHA256 | 57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308 |
| SHA512 | 8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef |
C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
| MD5 | a5412a144f63d639b47fcc1ba68cb029 |
| SHA1 | 81bd5f1c99b22c0266f3f59959dfb4ea023be47e |
| SHA256 | 8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6 |
| SHA512 | 2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405 |