Analysis Overview
SHA256
85cda4eab3f66406d0d1ca1b6d83957a05fcbe4772bc61088262e3e4c893e304
Threat Level: Known bad
The file @^FulLFile_PCSetup_33221_ṔḁṨSKey_^$.zip was found to be: Known bad.
Malicious Activity Summary
Stealc
Detect Vidar Stealer
xmrig
Amadey
Vidar
XMRig Miner payload
Blocklisted process makes network request
Checks computer location settings
Reads user/profile data of local email clients
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Command and Scripting Interpreter: PowerShell
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-17 16:24
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-17 16:24
Reported
2024-06-17 16:26
Platform
win11-20240611-en
Max time kernel
115s
Max time network
119s
Command Line
Signatures
Amadey
Detect Vidar Stealer
Stealc
Vidar
xmrig
XMRig Miner payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\KFBGDBFBKK.exe | N/A |
| N/A | N/A | C:\ProgramData\BAKEBFBAKK.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5068 set thread context of 1904 | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
| PID 2076 set thread context of 4332 | N/A | C:\ProgramData\KFBGDBFBKK.exe | C:\Windows\SysWOW64\ftp.exe |
| PID 1332 set thread context of 1504 | N/A | C:\ProgramData\BAKEBFBAKK.exe | C:\Windows\SysWOW64\ftp.exe |
| PID 1504 set thread context of 2476 | N/A | C:\Windows\SysWOW64\ftp.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| PID 2476 set thread context of 2396 | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\TWI Cloud Host.job | C:\Windows\SysWOW64\ftp.exe | N/A |
| File created | C:\Windows\Tasks\Watcher Com SH.job | C:\Windows\SysWOW64\ftp.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\ProgramData\KFBGDBFBKK.exe | N/A |
| N/A | N/A | C:\ProgramData\BAKEBFBAKK.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ftp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe" |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\netsh.exe |
| C:\Users\Admin\AppData\Local\Temp\dcom.au3 | C:\Users\Admin\AppData\Local\Temp\dcom.au3 |
| C:\ProgramData\KFBGDBFBKK.exe | "C:\ProgramData\KFBGDBFBKK.exe" |
| C:\ProgramData\BAKEBFBAKK.exe | "C:\ProgramData\BAKEBFBAKK.exe" |
| C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\ftp.exe |
| C:\Windows\SysWOW64\ftp.exe | C:\Windows\SysWOW64\ftp.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGIJJKKJJDAA" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 10 |
| C:\Windows\SysWOW64\explorer.exe | C:\Windows\SysWOW64\explorer.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe |
| C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\7c4784ad
C:\Users\Admin\AppData\Local\Temp\dcom.au3
C:\ProgramData\BGIJJKKJJDAA\nss3.dll
C:\ProgramData\BGIJJKKJJDAA\mozglue.dll
C:\ProgramData\KFBGDBFBKK.exe
C:\ProgramData\BAKEBFBAKK.exe
C:\Users\Admin\AppData\Local\Temp\6fdb557c
C:\Users\Admin\AppData\Local\Temp\71a12e3c
C:\ProgramData\BGIJJKKJJDAA\BAKEBF
C:\ProgramData\BGIJJKKJJDAA\BAAFBF
C:\ProgramData\BGIJJKKJJDAA\CAKKKJ
C:\Users\Admin\AppData\Local\Temp\71fe0cee
C:\Users\Admin\AppData\Local\Temp\759097c0
C:\ProgramData\BGIJJKKJJDAA\VCRUNT~1.DLL
C:\ProgramData\BGIJJKKJJDAA\softokn3.dll
C:\ProgramData\BGIJJKKJJDAA\msvcp140.dll
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tqor3uit.agl.ps1
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-17 16:24
Reported
2024-06-17 16:26
Platform
win7-20240611-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Detect Vidar Stealer
Stealc
Vidar
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2000 set thread context of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\dcom.au3 |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe" |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\netsh.exe |
| C:\Users\Admin\AppData\Local\Temp\dcom.au3 | C:\Users\Admin\AppData\Local\Temp\dcom.au3 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2720 -s 148 |
Network
Files
C:\Users\Admin\AppData\Local\Temp\90b0e451
\Users\Admin\AppData\Local\Temp\dcom.au3
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-17 16:24
Reported
2024-06-17 16:26
Platform
win10v2004-20240508-en
Max time kernel
79s
Max time network
100s
Command Line
Signatures
Detect Vidar Stealer
Stealc
Vidar
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Reads data files stored by FTP clients
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2816 set thread context of 3388 | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe" |
| C:\Windows\SysWOW64\netsh.exe | C:\Windows\SysWOW64\netsh.exe |
| C:\Users\Admin\AppData\Local\Temp\dcom.au3 | C:\Users\Admin\AppData\Local\Temp\dcom.au3 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\@^FulLFile_PCSetup_33221____SKey_^$\Setup.exe" & rd /s /q "C:\ProgramData\GCFBAKKJDBKJ" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 10 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | poocoin.online | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 52.111.229.43:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\8b45f77b
C:\Users\Admin\AppData\Local\Temp\dcom.au3