Malware Analysis Report

2024-09-11 16:27

Sample ID 240619-ya8pvasgpm
Target files.zip
SHA256 dea471b5ef81e7de2db1209136c2d2b483b9c86df632823f61e8d2be08822abc
Tags
amadey stealc vidar xmrig ffb1b9 discovery miner spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral3
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

dea471b5ef81e7de2db1209136c2d2b483b9c86df632823f61e8d2be08822abc

Threat Level: Known bad

The file files.zip was found to be: Known bad.

Malicious Activity Summary

amadey stealc vidar xmrig ffb1b9 discovery miner spyware stealer trojan upx

Detect Vidar Stealer

xmrig

Stealc

Amadey

Vidar

XMRig Miner payload

UPX packed file

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Downloads MZ/PE file

Checks computer location settings

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks installed software on the system

Loads dropped DLL

Executes dropped EXE

Program crash

Enumerates physical storage devices

Checks processor information in registry

Modifies Internet Explorer settings

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-19 19:36

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-19 19:36

Reported

2024-06-19 19:38

Platform

win11-20240508-en

Max time kernel

113s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
(4 matches; no description, indicator, process or target recorded)

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
(6 matches; no description, indicator, process or target recorded)

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
(8 matches; no description, indicator, process or target recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\TWI Cloud Host.job C:\Windows\SysWOW64\ftp.exe N/A
File created C:\Windows\Tasks\Watcher Com SH.job C:\Windows\SysWOW64\ftp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\EBAKFIIJJK.exe N/A
N/A N/A C:\ProgramData\HDBGHIDGDG.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob not reproduced] C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 436 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 436 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 436 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 436 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 1612 wrote to memory of 424 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1612 wrote to memory of 424 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1612 wrote to memory of 424 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1612 wrote to memory of 424 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1612 wrote to memory of 424 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 424 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\EBAKFIIJJK.exe
PID 424 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\EBAKFIIJJK.exe
PID 424 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\EBAKFIIJJK.exe
PID 340 wrote to memory of 1932 N/A C:\ProgramData\EBAKFIIJJK.exe C:\Windows\SysWOW64\ftp.exe
PID 340 wrote to memory of 1932 N/A C:\ProgramData\EBAKFIIJJK.exe C:\Windows\SysWOW64\ftp.exe
PID 340 wrote to memory of 1932 N/A C:\ProgramData\EBAKFIIJJK.exe C:\Windows\SysWOW64\ftp.exe
PID 424 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\HDBGHIDGDG.exe
PID 424 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\HDBGHIDGDG.exe
PID 424 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\HDBGHIDGDG.exe
PID 1412 wrote to memory of 4920 N/A C:\ProgramData\HDBGHIDGDG.exe C:\Windows\SysWOW64\ftp.exe
PID 1412 wrote to memory of 4920 N/A C:\ProgramData\HDBGHIDGDG.exe C:\Windows\SysWOW64\ftp.exe
PID 1412 wrote to memory of 4920 N/A C:\ProgramData\HDBGHIDGDG.exe C:\Windows\SysWOW64\ftp.exe
PID 424 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 424 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 424 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3624 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3624 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 340 wrote to memory of 1932 N/A C:\ProgramData\EBAKFIIJJK.exe C:\Windows\SysWOW64\ftp.exe
PID 1412 wrote to memory of 4920 N/A C:\ProgramData\HDBGHIDGDG.exe C:\Windows\SysWOW64\ftp.exe
PID 4920 wrote to memory of 4364 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4920 wrote to memory of 4364 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1932 wrote to memory of 4108 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1932 wrote to memory of 4108 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 1932 wrote to memory of 4108 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4920 wrote to memory of 4364 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 4920 wrote to memory of 4364 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1932 wrote to memory of 4108 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\ProgramData\EBAKFIIJJK.exe

"C:\ProgramData\EBAKFIIJJK.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\ProgramData\HDBGHIDGDG.exe

"C:\ProgramData\HDBGHIDGDG.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAKJEGCFBGDH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333 -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl
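The WriteProcessMemory rows and the process list above describe the injection chain only as a flat list of PID pairs. The script below is an example added to this report, not sandbox output: it rebuilds the chain from those rows, flags Windows binaries that were written into by untrusted processes (the candidates for process hollowing, which is how ftp.exe, MSBuild.exe and ngen.exe come to host foreign code here), and checks the two command lines that matter for triage, the cmd.exe self-cleanup and the mining arguments passed to ngen.exe. The input rows and command lines are copied from the behavioral3 tables; treating everything under C:\Windows\ as a signed OS binary, the regexes, and the "only xmrig.exe legitimately takes these arguments" rule are this example's own assumptions.

```python
"""Triage helpers for the behavioral3 process data above. Added example, not
sandbox output: rows are copied from the report, the rules are this example's own."""
import re
from collections import defaultdict

WRITE_ROWS = r"""
PID 436 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 1612 wrote to memory of 424 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 424 wrote to memory of 340 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\EBAKFIIJJK.exe
PID 340 wrote to memory of 1932 N/A C:\ProgramData\EBAKFIIJJK.exe C:\Windows\SysWOW64\ftp.exe
PID 424 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\HDBGHIDGDG.exe
PID 1412 wrote to memory of 4920 N/A C:\ProgramData\HDBGHIDGDG.exe C:\Windows\SysWOW64\ftp.exe
PID 424 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4920 wrote to memory of 4364 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
PID 1932 wrote to memory of 4108 N/A C:\Windows\SysWOW64\ftp.exe C:\Windows\SysWOW64\explorer.exe
PID 4364 wrote to memory of 760 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
""".strip().splitlines()

# Command lines copied from the Processes list.
CLEANUP_CMD = r'"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAKJEGCFBGDH" & exit'
NGEN_CMD = (r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=65.109.127.181:3333"
            " -u PLAYA -p PLAYA -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl")
SYSTEM_PREFIX = "c:\\windows\\"  # assumption: everything below here is a signed OS binary
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.+?) ([A-Za-z]:\\.+)$")
CLEANUP_RE = re.compile(r'timeout\s+/t\s+\d+\s*&\s*rd\s+/s\s+/q\s+"?([^"&]+?)"?\s*(?:&|$)', re.I)
MINER_FLAGS = {"-a": "algo", "-u": "user", "-p": "password", "-o": "pool"}

def parse_writes(rows):
    """{(src_pid, dst_pid): (src_image, dst_image)}; repeated rows collapse into one edge."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst))] = (src_img, dst_img)
    return edges

def is_system_binary(image):
    return image.lower().startswith(SYSTEM_PREFIX)

def flag_hollowing_targets(edges):
    """PIDs of OS binaries written into by a non-OS process, or by an OS binary that was
    itself written into earlier. Process creation also writes into the child, so this
    over-approximates: it is a triage filter, not proof of hollowing."""
    flagged, changed = set(), True
    while changed:  # repeat until stable so taint propagates regardless of row order
        changed = False
        for (src, dst), (src_img, dst_img) in edges.items():
            if dst in flagged or not is_system_binary(dst_img):
                continue
            if not is_system_binary(src_img) or src in flagged:
                flagged.add(dst)
                changed = True
    return flagged

def injection_chains(edges):
    """Root-to-leaf chains of image basenames, e.g. 'Setup.exe > more.com > ...'."""
    children, names = defaultdict(list), {}
    for (src, dst), (src_img, dst_img) in edges.items():
        children[src].append(dst)
        names[src], names[dst] = src_img.rsplit("\\", 1)[-1], dst_img.rsplit("\\", 1)[-1]
    targets, chains = {dst for _, dst in edges}, []
    def walk(pid, path):
        path = path + [names[pid]]
        if pid not in children:
            chains.append(" > ".join(path))
        for child in sorted(children.get(pid, [])):
            walk(child, path)
    for root in sorted(p for p in children if p not in targets):
        walk(root, [])
    return chains

def detect_self_cleanup(cmdline):
    """Directory removed by a 'timeout /t N & rd /s /q <dir>' one-liner, else None."""
    m = CLEANUP_RE.search(cmdline)
    return m.group(1).strip() if m else None

def detect_miner_args(cmdline):
    """XMRig-style pool/user/algo arguments, or None; also whether the hosting image is
    not the miner binary itself (assumption: only xmrig.exe legitimately takes them)."""
    tokens, info = cmdline.split(), {}
    for i, tok in enumerate(tokens[1:], start=1):
        if tok.startswith("--url="):
            info["pool"] = tok.split("=", 1)[1]
        elif tok in MINER_FLAGS and i + 1 < len(tokens):
            info[MINER_FLAGS[tok]] = tokens[i + 1]
    if "pool" not in info or "user" not in info:
        return None
    info["image"] = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    info["image_mismatch"] = info["image"] != "xmrig.exe"
    return info

if __name__ == "__main__":
    edges = parse_writes(WRITE_ROWS)
    print(*injection_chains(edges), sep="\n")
    print("hollowing candidates:", sorted(flag_hollowing_targets(edges)))
    print("self-cleanup removes:", detect_self_cleanup(CLEANUP_CMD))
    print("miner args in ngen.exe:", detect_miner_args(NGEN_CMD))
```

Run stand-alone it prints three chains rooted at Setup.exe, eight hollowing candidates (more.com, both ftp.exe instances, explorer.exe, MSBuild.exe, ngen.exe, and the cmd.exe/timeout.exe pair, which the taint rule catches because cmd.exe was started by the injected CUF.au3), the working directory the cleanup one-liner removes, and the pool, wallet and algorithm carried by a process whose image is a .NET tool that takes none of those arguments.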

Network

Country Destination Domain Proto Connections
US 8.8.8.8:53 poocoin.online udp 1
NL 149.154.167.99:443 t.me tcp 1
DE 162.55.53.18:9000 162.55.53.18 tcp 19
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp 1
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp 1
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp 1
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp 1
US 172.67.212.123:443 businessdownloads.ltd tcp 1
US 199.232.196.193:443 i.imgur.com tcp 1
FI 135.181.22.88:80 135.181.22.88 tcp 1
FI 65.109.127.181:3333 (none) tcp 4
US 45.152.112.146:80 proresupdate.com tcp 1

Connections = number of identical rows in the capture (33 connections in total, listed here in order of first observation); (none) = no name was resolved for the destination.
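The Network section records resolver traffic alongside the real destinations, repeats an endpoint for every connection, and does not tie the endpoint named by the miner's --url argument (65.109.127.181:3333) back to those rows. The script below is an example added to this report, not sandbox output: it reduces a subset of the captured rows to a ranked IOC list by folding DNS queries to the resolver into a name list, turning the in-addr.arpa lookups back into the addresses they ask about, counting repeat connections, and flagging raw-IP destinations, conventional Stratum mining-pool ports and the endpoint from the ngen.exe command line. The resolver address, the port list and the flag names are this example's assumptions; the rows are copied from the report with some repeats kept so the counting is visible.

```python
"""Reduce the Network table to a ranked IOC list. Added example, not sandbox output:
rows are copied from the report; resolver, port list and flag rules are assumptions."""
import re
from collections import Counter

NETWORK_ROWS = """
US 8.8.8.8:53 poocoin.online udp
NL 149.154.167.99:443 t.me tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 172.67.212.123:443 businessdownloads.ltd tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 199.232.196.193:443 i.imgur.com tcp
FI 135.181.22.88:80 135.181.22.88 tcp
FI 65.109.127.181:3333 tcp
FI 65.109.127.181:3333 tcp
US 45.152.112.146:80 proresupdate.com tcp
""".strip().splitlines()

ROW_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
RESOLVERS = {"8.8.8.8"}                           # assumption: the sandbox's configured resolver
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}   # ports commonly used by Monero mining pools
MINER_URL = "65.109.127.181:3333"                 # copied from the ngen.exe command line above

def parse_rows(rows):
    """Split 'CC ip:port [domain] proto' rows; the Domain column is absent for raw-IP rows."""
    out = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            out.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return out

def ptr_to_ip(name):
    """'99.167.154.149.in-addr.arpa' -> '149.154.167.99'; None for anything else."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name or "")
    return ".".join(reversed(m.groups())) if m else None

def summarize(rows, miner_url=MINER_URL):
    """Collapse connection rows into endpoints with hit counts and triage flags."""
    dns_names, ptr_ips, hits, domains = set(), set(), Counter(), {}
    for r in parse_rows(rows):
        if r["ip"] in RESOLVERS and r["port"] == 53:   # resolver traffic: keep only what was asked
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_ips.add(ip)
            elif r["domain"]:
                dns_names.add(r["domain"])
            continue
        key = (r["ip"], r["port"], r["proto"])
        hits[key] += 1
        domains[key] = r["domain"]
    endpoints = []
    for (ip, port, proto), count in hits.items():
        domain, flags = domains[(ip, port, proto)], []
        if domain is None or domain == ip:             # the table repeats the IP when no name resolved
            flags.append("raw-ip")
        if port in STRATUM_PORTS:
            flags.append("stratum-port")
        if miner_url and f"{ip}:{port}" == miner_url:
            flags.append("matches-miner-url")
        if ip in ptr_ips:                              # a PTR query for this address was also seen
            flags.append("reverse-looked-up")
        endpoints.append({"dst": f"{ip}:{port}/{proto}", "domain": domain, "count": count, "flags": flags})
    endpoints.sort(key=lambda e: (-len(e["flags"]), -e["count"], e["dst"]))
    return {"dns_names": sorted(dns_names), "ptr_ips": sorted(ptr_ips), "endpoints": endpoints}

if __name__ == "__main__":
    summary = summarize(NETWORK_ROWS)
    print("names queried:", summary["dns_names"])
    print("addresses reverse-looked-up:", summary["ptr_ips"])
    for e in summary["endpoints"]:
        print(f'{e["dst"]:<28} {str(e["domain"]):<24} x{e["count"]:<3} {",".join(e["flags"])}')
```

The ranking puts 65.109.127.181:3333 first (raw IP, pool port, and the exact --url from the miner command line) and the repeatedly contacted 162.55.53.18:9000 second; the PTR decoding also shows that one of the reverse lookups asks about 162.55.53.18 itself. The remaining endpoints carry no flags and stay in the list as context rather than as indicators.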

Files

memory/436-0-0x00007FF992700000-0x00007FF992909000-memory.dmp

memory/436-9-0x0000000073432000-0x0000000073434000-memory.dmp

memory/436-10-0x0000000073421000-0x0000000073433000-memory.dmp

memory/436-12-0x0000000073421000-0x0000000073433000-memory.dmp

memory/1612-13-0x0000000073420000-0x000000007359D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a1e2ffbc

MD5 89ea865469f88e0728f8e9e88e45026b
SHA1 ae3e1d22cb44d23c0ea3c7997f8f78d03e057517
SHA256 7bec2b64ba50b6c7a4d46ebfc2698adfde2de01bd5622d8e37003554b8faf98e
SHA512 03ace8c3eb1f596d6caea000cf3321a01392805d7af92f850f97cacc56865c8b503a645c08a562a62e51b908d93ea404594a495bf47a0866bb1d20de1741b89d

memory/1612-15-0x00007FF992700000-0x00007FF992909000-memory.dmp

memory/1612-17-0x0000000073420000-0x000000007359D000-memory.dmp

memory/1612-18-0x0000000073420000-0x000000007359D000-memory.dmp

memory/1612-23-0x0000000073420000-0x000000007359D000-memory.dmp

memory/424-25-0x0000000001400000-0x0000000001B4B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/424-27-0x00007FF992700000-0x00007FF992909000-memory.dmp

memory/424-41-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/424-82-0x0000000001400000-0x0000000001B4B000-memory.dmp

C:\ProgramData\AAKJEGCFBGDH\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\AAKJEGCFBGDH\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\EBAKFIIJJK.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/340-129-0x0000000001000000-0x0000000001513000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7c3aea0c

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/340-135-0x0000000071FD0000-0x000000007214D000-memory.dmp

memory/340-136-0x00007FF992700000-0x00007FF992909000-memory.dmp

C:\ProgramData\HDBGHIDGDG.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/1412-147-0x0000000000DB0000-0x0000000000FF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81d26d88

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/1412-153-0x0000000071FD0000-0x000000007214D000-memory.dmp

memory/1412-154-0x00007FF992700000-0x00007FF992909000-memory.dmp

C:\ProgramData\AAKJEGCFBGDH\IIEGHJ

MD5 59071590099d21dd439896592338bf95
SHA1 6a521e1d2a632c26e53b83d2cc4b0edecfc1e68c
SHA256 07854d2fef297a06ba81685e660c332de36d5d18d546927d30daad6d7fda1541
SHA512 eedb6cadbceb2c991fc6f68dccb80463b3f660c5358acd7d705398ae2e3df2b4327f0f6c6746486848bd2992b379776483a98063ae96edb45877bb0314874668

memory/424-188-0x0000000001400000-0x0000000001B4B000-memory.dmp

C:\ProgramData\AAKJEGCFBGDH\CFHDBF

MD5 544977b473ab90edc1ff50bc05ac63fa
SHA1 7042e5375167ba9b5503ffb91663c88a74faeb75
SHA256 b9daeab1ddfe32ef5539e28cd719f8064395de69ec9a1b180ce74c88890c6cb5
SHA512 51e3a0e8d2921f72f81974e6cad89c7856b0a549473defe46b9e5300a36330198b2d0a12af66a4fc0f80aba2c7d413e6e2ad776420614d183dbfd9b443eeee25

C:\ProgramData\AAKJEGCFBGDH\KJEBKJ

MD5 17c68f413cd198954a32a8ae4e72314c
SHA1 e46d1da0ae38baa702a92553ffeb6e8a40fade62
SHA256 63b05ad30d875c3d9f0225556cd7de950d2b9bdeb763886e35ab721a24e9c454
SHA512 cad1aacc64e60a65a80654c5af61caa9b2db12fb63e2bf2d34641dfb9c713507022e613e3d1aec1c662546bae164d63b84ca43083beee06e2e83a422fbdeddf3

memory/424-214-0x0000000001400000-0x0000000001B4B000-memory.dmp

memory/340-215-0x0000000071FD0000-0x000000007214D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\813cbb50

MD5 b02132b0ce85eb68f95d6b3ec1730b42
SHA1 b3cd11536899643c8277fefa24f9482e1bf0c6f1
SHA256 600a2c1c66b0af9a4f1dc2e5ca169d17e66f653cde4e5d6a8289e3d2b9fd3f96
SHA512 4da5ca026437c84dfee06c944529c5777d25c4b8ca973658632b06b95cb9e2011243fb9f66794f11d22620668dabc5de07dd6b9f0c9567990e397c51efc9363a

memory/1412-218-0x0000000071FD0000-0x000000007214D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\85148aca

MD5 e327de3e31acc09c7700e047cbe00141
SHA1 9a4647be3b0e56921badb6928edd3c515b0bc998
SHA256 fd9f8ecc3f782422cba0791f8c84d7caa9173ba6ca40a64fe519b44a66b0c0f0
SHA512 f0d97df7ef62a973c46b3a62b00cee779a1ffb55b53daf4313232841f08ef8fba4f89dec05f48adba33936b42bd648b8ab528748bc28e62e7b3eae9bb65a61fa

memory/1932-221-0x00007FF992700000-0x00007FF992909000-memory.dmp

memory/4920-222-0x00007FF992700000-0x00007FF992909000-memory.dmp

C:\ProgramData\AAKJEGCFBGDH\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\AAKJEGCFBGDH\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\AAKJEGCFBGDH\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

memory/1932-228-0x0000000071FD0000-0x000000007214D000-memory.dmp

memory/4920-238-0x0000000071FD0000-0x000000007214D000-memory.dmp

memory/4364-241-0x00007FF970C40000-0x00007FF9722E0000-memory.dmp

memory/4364-245-0x0000000000400000-0x000000000040A000-memory.dmp

memory/4108-248-0x00007FF992700000-0x00007FF992909000-memory.dmp

memory/760-250-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/760-252-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/760-254-0x000001887E060000-0x000001887E080000-memory.dmp

memory/760-253-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/760-257-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/760-256-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/760-255-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/760-258-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/760-259-0x0000000140000000-0x00000001407DC000-memory.dmp

memory/4108-260-0x0000000000F40000-0x0000000000FB1000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 19:36

Reported

2024-06-19 19:38

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(2 matches; no description, indicator, process or target recorded)

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2088 set thread context of 1816 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\CUF.au3

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 2088 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 2088 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 2088 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 2088 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 1816 wrote to memory of 2656 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1816 wrote to memory of 2656 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1816 wrote to memory of 2656 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1816 wrote to memory of 2656 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1816 wrote to memory of 2656 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 1816 wrote to memory of 2656 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2656 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2656 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2656 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2656 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 148

Network

N/A

Files

memory/2088-0-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/2088-1-0x0000000077070000-0x0000000077219000-memory.dmp

memory/2088-10-0x00000000735A2000-0x00000000735A4000-memory.dmp

memory/2088-11-0x0000000073591000-0x00000000735A3000-memory.dmp

memory/2088-13-0x0000000073591000-0x00000000735A3000-memory.dmp

memory/1816-14-0x0000000073590000-0x0000000073704000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ae52a50c

MD5 271393aa311597c9b527c69dd6a7779a
SHA1 e75a79ddaba9bb39728b53cc9c0e542ba52fd7c3
SHA256 939ee92b0d0d3be2184403062e13592f6525a8f34bc4836cf7dcfdb4bf70d0ce
SHA512 e06765cb3c37cf5d8536e599c19f147d9087051efe17cf79714b3c01e897e240931797eb88e94cc91214aee1cfe7d1e5c13b38d9766399f766497439bd3734ad

memory/1816-16-0x0000000077070000-0x0000000077219000-memory.dmp

memory/1816-18-0x0000000073590000-0x0000000073704000-memory.dmp

memory/1816-19-0x0000000073590000-0x0000000073704000-memory.dmp

\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2656-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2656-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/1816-26-0x0000000073590000-0x0000000073704000-memory.dmp

memory/2656-28-0x0000000000730000-0x0000000000E7B000-memory.dmp

memory/2656-35-0x0000000000730000-0x0000000000E7B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 19:36

Reported

2024-06-19 19:38

Platform

win10v2004-20240226-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
(6 matches; no description, indicator, process or target recorded)

Stealc

stealer stealc

Vidar

stealer vidar

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 536 set thread context of 868 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 3200 set thread context of 3544 N/A C:\ProgramData\IDBFHJDAAF.exe C:\Windows\SysWOW64\ftp.exe
PID 1500 set thread context of 716 N/A C:\ProgramData\HCAEHJJKFC.exe C:\Windows\SysWOW64\ftp.exe

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\IDBFHJDAAF.exe N/A
N/A N/A C:\ProgramData\HCAEHJJKFC.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [binary certificate blob not reproduced] C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
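Both the behavioral3 and the behavioral2 run record CUF.au3 creating a key under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates and writing its Blob value. Two facts help when triaging this signature. First, the key name is the SHA-1 thumbprint of the stored certificate, and the Blob is a sequence of CryptoAPI property records (DWORD property id, DWORD reserved set to 1, DWORD length, data), with the DER certificate in property 32 and its SHA-1 in property 3. Second, AuthRoot is the store that Windows' automatic root-update mechanism populates when a TLS connection chains to a root not yet cached locally, so a write here during network activity is not by itself proof of a planted root; the thumbprint should be checked against the Microsoft trusted root program before the entry is treated as malicious. The script below is an example added to this report, not sandbox output: the report does not reproduce the real blob, so it builds a synthetic one around a constructed stand-in for the DER body, unpacks the records, and confirms a key name against the thumbprint. The reported key name is copied from the table above; everything else is constructed.

```python
"""Unpack a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value and check the
key name against the stored certificate. Added example, not sandbox output; the DER body
below is a constructed stand-in because the report does not reproduce the real blob."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3    # CryptoAPI property ids used in the serialized store format
CERT_MD5_HASH_PROP_ID = 4
CERT_CERT_PROP_ID = 32

REPORTED_KEY = "D1EB23A46D17D68FD92564C2F1F1601764D8E349"  # key name copied from the report

def parse_blob(blob: bytes) -> dict:
    """Return {property_id: data}; raise ValueError on a truncated or malformed record."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError(f"malformed record id={prop_id} len={length} at offset {off - 12}")
        props[prop_id] = blob[off:off + length]
        off += length
    return props

def build_blob(der: bytes) -> bytes:
    """Inverse of parse_blob: wrap a DER certificate with its hash properties, cert last."""
    records = [
        (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()),
        (CERT_MD5_HASH_PROP_ID, hashlib.md5(der).digest()),
        (CERT_CERT_PROP_ID, der),
    ]
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)

def thumbprint(der: bytes) -> str:
    """Windows displays the SHA-1 of the DER bytes, uppercase hex, as the thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()

def check_key_matches_blob(key_name: str, blob: bytes) -> bool:
    """True when the key name is the thumbprint of the certificate in Blob and the stored
    SHA-1 property agrees with it. A mismatch means the entry was not produced by the
    normal store code path and deserves a closer look."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        return False
    tp = thumbprint(der)
    stored = props.get(CERT_SHA1_HASH_PROP_ID)
    return tp == key_name.upper() and (stored is None or stored.hex().upper() == tp)

# Constructed stand-in for a DER certificate (real ones also start with a 0x30 SEQUENCE tag).
FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

if __name__ == "__main__":
    blob = build_blob(FAKE_DER)
    print("properties present:", sorted(parse_blob(blob)))
    print("synthetic key name:", thumbprint(FAKE_DER))
    print("round-trip check:", check_key_matches_blob(thumbprint(FAKE_DER), blob))
    print("reported key against synthetic blob:", check_key_matches_blob(REPORTED_KEY, blob))
```

On a live host the same check runs over the bytes read from the registry value; a key whose name does not match the SHA-1 of the embedded certificate, or whose certificate parses as a CA not in the trusted root program, is the case worth escalating. An entry whose thumbprint is a well-known public root is most likely the automatic root update firing during the sample's TLS connections.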

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 N/A
N/A N/A C:\ProgramData\IDBFHJDAAF.exe N/A
N/A N/A C:\ProgramData\HCAEHJJKFC.exe N/A
N/A N/A C:\ProgramData\IDBFHJDAAF.exe N/A
N/A N/A C:\ProgramData\IDBFHJDAAF.exe N/A
N/A N/A C:\ProgramData\HCAEHJJKFC.exe N/A
N/A N/A C:\ProgramData\HCAEHJJKFC.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A
N/A N/A C:\Windows\SysWOW64\ftp.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\ProgramData\IDBFHJDAAF.exe N/A
N/A N/A C:\ProgramData\HCAEHJJKFC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 536 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 536 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 536 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\files\Setup.exe C:\Windows\SysWOW64\more.com
PID 868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 868 wrote to memory of 2996 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\CUF.au3
PID 2996 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\IDBFHJDAAF.exe
PID 2996 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\IDBFHJDAAF.exe
PID 2996 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\IDBFHJDAAF.exe
PID 2996 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\HCAEHJJKFC.exe
PID 2996 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\HCAEHJJKFC.exe
PID 2996 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\CUF.au3 C:\ProgramData\HCAEHJJKFC.exe
PID 3200 wrote to memory of 3544 N/A C:\ProgramData\IDBFHJDAAF.exe C:\Windows\SysWOW64\ftp.exe
PID 3200 wrote to memory of 3544 N/A C:\ProgramData\IDBFHJDAAF.exe C:\Windows\SysWOW64\ftp.exe
PID 3200 wrote to memory of 3544 N/A C:\ProgramData\IDBFHJDAAF.exe C:\Windows\SysWOW64\ftp.exe
PID 1500 wrote to memory of 716 N/A C:\ProgramData\HCAEHJJKFC.exe C:\Windows\SysWOW64\ftp.exe
PID 1500 wrote to memory of 716 N/A C:\ProgramData\HCAEHJJKFC.exe C:\Windows\SysWOW64\ftp.exe
PID 1500 wrote to memory of 716 N/A C:\ProgramData\HCAEHJJKFC.exe C:\Windows\SysWOW64\ftp.exe
PID 3200 wrote to memory of 3544 N/A C:\ProgramData\IDBFHJDAAF.exe C:\Windows\SysWOW64\ftp.exe
PID 1500 wrote to memory of 716 N/A C:\ProgramData\HCAEHJJKFC.exe C:\Windows\SysWOW64\ftp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\files\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\files\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Users\Admin\AppData\Local\Temp\CUF.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2800 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3

C:\ProgramData\IDBFHJDAAF.exe

"C:\ProgramData\IDBFHJDAAF.exe"

C:\ProgramData\HCAEHJJKFC.exe

"C:\ProgramData\HCAEHJJKFC.exe"

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

C:\Windows\SysWOW64\ftp.exe

Network

Country Destination Domain Proto
GB 172.217.169.74:443 N/A tcp
US 13.107.253.64:443 N/A tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 poocoin.online udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 18.53.55.162.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 businessdownloads.ltd udp
US 104.21.16.123:443 businessdownloads.ltd tcp
US 8.8.8.8:53 123.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
US 8.8.8.8:53 193.196.232.199.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp
DE 162.55.53.18:9000 162.55.53.18 tcp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
DE 162.55.53.18:9000 162.55.53.18 tcp

Files

memory/536-0-0x0000000073660000-0x00000000737DB000-memory.dmp

memory/536-1-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

memory/536-10-0x0000000073672000-0x0000000073674000-memory.dmp

memory/536-11-0x0000000073660000-0x00000000737DB000-memory.dmp

memory/536-12-0x0000000073660000-0x00000000737DB000-memory.dmp

memory/868-14-0x0000000073660000-0x00000000737DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4276c2b4

MD5 db99a29c78184fc8f9c481ea17b4d0b8
SHA1 574b95016a5c65660226f1e4579194fa7ca67d61
SHA256 8dfb7df0df3db974b238e243c46d0cc3fa9ee38b243077ecca9e809d1c251839
SHA512 d63f380380ff5ef96e35eec27fce79b4cca481aa039aad2d0aa66df87bce36d35ade482722cba48d2307ae16306b7862927c787e16b4edd79b5a5e84eb594179

memory/868-16-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

memory/868-18-0x0000000073660000-0x00000000737DB000-memory.dmp

memory/868-19-0x0000000073660000-0x00000000737DB000-memory.dmp

memory/868-24-0x0000000073660000-0x00000000737DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CUF.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2996-26-0x0000000000C80000-0x00000000013CB000-memory.dmp

memory/2996-28-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

memory/2996-31-0x0000000000C80000-0x00000000013CB000-memory.dmp

memory/2996-32-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\BAEHIEBGHDAF\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\BAEHIEBGHDAF\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2996-117-0x0000000000C80000-0x00000000013CB000-memory.dmp

C:\ProgramData\IDBFHJDAAF.exe

MD5 6cfddd5ce9ca4bb209bd5d8c2cd80025
SHA1 424da82e9edbb6b39a979ab97d84239a1d67c48b
SHA256 376e1802b979514ba0e9c73933a8c6a09dd3f1d2a289f420c2202e64503d08a7
SHA512 d861130d87bfedc38a97019cba17724067f397e6ffe7e1384175db48c0a177a2e7e256c3c933d0f42766e8077f767d6d4dc8758200852e8ec135736daee7c0f8

memory/3200-126-0x00000000006D0000-0x0000000000BE3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\ProgramData\HCAEHJJKFC.exe

MD5 daaff76b0baf0a1f9cec253560c5db20
SHA1 0311cf0eeb4beddd2c69c6e97462595313a41e78
SHA256 5706c6f5421a6a34fdcb67e9c9e71283c8fc1c33499904519cbdc6a21e6b071c
SHA512 987ca2d67903c65ee1075c4a5250c85840aea26647b1d95a3e73a26dcad053bd4c31df4ca01d6cc0c196fa7e8e84ab63ed4a537f72fc0b1ee4ba09cdb549ddf3

memory/1500-146-0x0000000000070000-0x00000000002B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5e690eb0

MD5 8d443e7cb87cacf0f589ce55599e008f
SHA1 c7ff0475a3978271e0a8417ac4a826089c083772
SHA256 e2aaaa1a0431aab1616e2b612e9b68448107e6ce71333f9c0ec1763023b72b2a
SHA512 c7d0ced6eb9e203d481d1dbdd5965278620c10cdc81c02da9c4f7f99f3f8c61dfe975cf48d4b93ccde9857edb881a77ebe9cd13ae7ef029285d770d767aa74a5

memory/3200-152-0x00000000723E0000-0x000000007255B000-memory.dmp

memory/3200-153-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5eb1614c

MD5 c62f812e250409fbd3c78141984270f2
SHA1 9c7c70bb78aa0de4ccf0c2b5d87b37c8a40bd806
SHA256 d8617477c800cc10f9b52e90b885117a27266831fb5033647b6b6bd6025380a8
SHA512 7573ecac1725f395bbb1661f743d8ee6b029f357d3ef07d0d96ee4ff3548fe06fab105ee72be3e3964d2053de2f44245cca9a061d47c1411949840c84f6e9092

memory/1500-155-0x00000000723E0000-0x000000007255B000-memory.dmp

memory/1500-156-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

memory/2996-157-0x0000000000C80000-0x00000000013CB000-memory.dmp

memory/2996-164-0x0000000000C80000-0x00000000013CB000-memory.dmp

memory/3200-165-0x00000000723E0000-0x000000007255B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5f17fe98

MD5 17e9159101149d54ff723b7507cd128c
SHA1 961ddd96eaaa9cf80de5ae2396bf064d9363b4ca
SHA256 ceb2a09bedfd2412e5ae088e105beba4bef2260b9853637c1ed00b6ac1632b1b
SHA512 9d3641a4d6813dd026ad4f2680a79cda5c11af3f74c2ccf95401d2d0387205918b8fb06f2d484b3a9e0197847451b24c584998d1c0bd239447b0f86674012fe3

memory/1500-168-0x00000000723E0000-0x000000007255B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5f92ae00

MD5 ce0fe98ccb9d48896b4e333797e82aad
SHA1 000c067697ae178507be7b958fa2aebdbc71509d
SHA256 3a5bdfe90abf95948bebc7b945a3df366adfc59ef2b3acbfa950abaadbcbc860
SHA512 2d8bbad9eafa96c43257262fb4e00351c0a5b907e59483fa8e7e5ca0debbb8318e697a5b3cc69b8e147d6b1b73b23010396f0e693293080858253e56fa513f9c

memory/2996-171-0x0000000000C80000-0x00000000013CB000-memory.dmp

memory/3544-172-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp

memory/716-173-0x00007FF84DBB0000-0x00007FF84DDA5000-memory.dmp