Malware Analysis Report

2024-09-11 09:56

Sample ID 240626-bqfbxawbmg
Target 7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
SHA256 7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb
Tags
redline sectoprat cheat discovery infostealer rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb

Threat Level: Known bad

The file 7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe was found to be: Known bad.

Malicious Activity Summary

redline sectoprat cheat discovery infostealer rat spyware stealer trojan

RedLine

RedLine payload

SectopRAT payload

SectopRAT

Detects executables packed with SmartAssembly

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Reads user/profile data of web browsers

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Unsigned PE

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
Subvert Trust Controls
T1553
Install Root Certificate
T1553.004
Modify Registry
T1112
Credential Access
TA0006
Unsecured Credentials
T1552
Credentials In Files
T1552.001
Discovery
TA0007
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Data from Local System
T1005
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-26 01:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 01:20

Reported

2024-06-26 01:23

Platform

win7-20240221-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2868 set thread context of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe
PID 2868 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe

"C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe"

C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe

"C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe"

Network

Country Destination Domain Proto
NL 213.227.129.32:4483 213.227.129.32 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.12.31:443 api.ip.sb tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.171:80 apps.identrust.com tcp

Files

memory/2868-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/2868-1-0x0000000000030000-0x00000000000B6000-memory.dmp

memory/2868-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2868-3-0x00000000003E0000-0x00000000003F0000-memory.dmp

memory/2868-4-0x00000000005A0000-0x00000000005AC000-memory.dmp

memory/2868-5-0x0000000001FC0000-0x0000000002020000-memory.dmp

memory/2536-14-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2536-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2536-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2536-10-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2536-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2536-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2536-18-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2536-16-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2536-20-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2868-19-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2536-21-0x00000000745B0000-0x0000000074C9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab655A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar665A.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75343d1e6351bf4daa3cbb74550e7cdf
SHA1 0bcb5dafc753a88be2bd54994cccbe41e3f50a0c
SHA256 74839c76ea343db9de3f0f932727df60a4642855a6e06040fd42d9153f3e7f37
SHA512 3a72d6da1241be3b3125bba50130c08680f80ca051d4d924b98bab8e4943151694c4ca49fbc7f82f39ecb811a97538455338bb434868086e352329741933aea9

C:\Users\Admin\AppData\Local\Temp\tmp6845.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp685B.tmp

MD5 bbe71b58e84c50336ee2d3bad3609c39
SHA1 bdd3227b48977e583127425cbc2f86ff4077ba10
SHA256 b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c
SHA512 07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a

memory/2536-172-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 01:20

Reported

2024-06-26 01:23

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe"

Signatures

Detects executables packed with SmartAssembly

Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe

"C:\Users\Admin\AppData\Local\Temp\7571ed6e3695bda8a03c039b44eca04081151362ab31340fcfb31523bf0084bb.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4004 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/3508-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

memory/3508-1-0x00000000747CE000-0x00000000747CF000-memory.dmp

memory/3508-2-0x00000000009D0000-0x0000000000A56000-memory.dmp

memory/3508-3-0x0000000005950000-0x0000000005EF4000-memory.dmp

memory/3508-4-0x0000000005540000-0x00000000055D2000-memory.dmp

memory/3508-5-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/3508-6-0x00000000054F0000-0x00000000054FA000-memory.dmp

memory/3508-7-0x00000000747C0000-0x0000000074F70000-memory.dmp

memory/3508-8-0x00000000012D0000-0x00000000012E0000-memory.dmp