Malware Analysis Report

2024-09-23 03:00

Sample ID 240627-2vv62awemg
Target 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
Tags
asyncrat njrat stormkitty default hacked evasion persistence privilege_escalation rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb

Threat Level: Known bad

The file 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb was found to be: Known bad.

Malicious Activity Summary

asyncrat njrat stormkitty default hacked evasion persistence privilege_escalation rat stealer trojan

AsyncRat

StormKitty payload

njRAT/Bladabindi

StormKitty

Modifies Windows Firewall

Drops startup file

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Drops desktop.ini file(s)

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-27 22:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 22:54

Reported

2024-06-27 23:00

Platform

win10-20240404-en

Max time kernel

295s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

Signatures

AsyncRat

rat asyncrat

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Google Chrome sandbox.exe.lnk C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
N/A N/A C:\Program Files (x86)\windows defender (2).exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
File created C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Looks up geolocation information via web service

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4560 set thread context of 4232 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\SysWOW64\cmd.exe N/A
File opened for modification C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Program Files (x86)\windows defender (2).exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
N/A N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: 33 N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\windows defender (2).exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4680 wrote to memory of 3504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\PING.EXE
PID 4680 wrote to memory of 4560 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Google Chrome sandbox.exe.exe
PID 4560 wrote to memory of 3600 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Program Files (x86)\windows defender (2).exe
PID 3600 wrote to memory of 756 N/A C:\Program Files (x86)\windows defender (2).exe C:\Windows\SysWOW64\netsh.exe
PID 4560 wrote to memory of 2856 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4560 wrote to memory of 4232 N/A C:\Program Files (x86)\Google Chrome sandbox.exe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4232 wrote to memory of 3772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 3772 wrote to memory of 432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3772 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3772 wrote to memory of 3932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 4232 wrote to memory of 4832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 4832 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4832 wrote to memory of 3120 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c ping 127.0.0.1 -n 42 > nul && copy "C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe" "C:\Program Files (x86)\Google Chrome sandbox.exe.exe" && ping 127.0.0.1 -n 42 > nul && "C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 42

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 42

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

"C:\Program Files (x86)\Google Chrome sandbox.exe.exe"

C:\Program Files (x86)\windows defender (2).exe

"C:\Program Files (x86)\windows defender (2).exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Program Files (x86)\windows defender (2).exe" "windows defender (2).exe" ENABLE

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
NL 194.26.192.92:5552 tcp
US 8.8.8.8:53 92.192.26.194.in-addr.arpa udp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.185.241:80 icanhazip.com tcp
US 8.8.8.8:53 api.mylnikov.org udp
US 172.67.196.114:443 api.mylnikov.org tcp
US 8.8.8.8:53 241.185.16.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 114.196.67.172.in-addr.arpa udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
N/A 127.0.0.1:6606 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:7707 tcp

Files

memory/2304-0-0x000000007393E000-0x000000007393F000-memory.dmp

memory/2304-1-0x0000000000320000-0x0000000000478000-memory.dmp

memory/2304-2-0x0000000004BA0000-0x0000000004C32000-memory.dmp

memory/2304-3-0x0000000004CC0000-0x0000000004D5C000-memory.dmp

memory/2304-4-0x00000000053B0000-0x00000000058AE000-memory.dmp

memory/2304-5-0x0000000073930000-0x000000007401E000-memory.dmp

memory/2304-6-0x0000000005C30000-0x0000000005C74000-memory.dmp

memory/2304-7-0x0000000005EA0000-0x0000000005EAA000-memory.dmp

memory/2304-9-0x0000000073930000-0x000000007401E000-memory.dmp

memory/2304-10-0x000000007393E000-0x000000007393F000-memory.dmp

memory/2304-11-0x0000000073930000-0x000000007401E000-memory.dmp

memory/2304-13-0x0000000073930000-0x000000007401E000-memory.dmp

C:\Program Files (x86)\Google Chrome sandbox.exe.exe

MD5 b7ca45674c6b8a24a6a71315e0e51397
SHA1 79516b1bd2227f08ff333b950dafb29707916828
SHA256 63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb
SHA512 f390c2d017c041b60c57a67508341512785efbd25cb93a5c2849b4a5adb52931ea92eca7bbbef3e0cae0c919525770582e4c5e2518033c1c61542c0c2c1ebf2f

memory/4560-19-0x0000000073900000-0x0000000073FEE000-memory.dmp

memory/4560-20-0x0000000001180000-0x00000000012D8000-memory.dmp

memory/4560-21-0x0000000073900000-0x0000000073FEE000-memory.dmp

C:\Program Files (x86)\windows defender (2).exe

MD5 71185c6ea449b6062eae832f6c5589ae
SHA1 94e783519f5a2011bb7ed000b8a9a038ce0ed675
SHA256 23e1e6534d9494648fd798356f5c16e223f3c8c1d5b1f33ce47757d54d4eac57
SHA512 972ac1fe01dd0963cb03d1379d845377ef2f5de777baf7b2ae97b98292293a96c519cbe8bd89c5a7797d0480bf6251955f9709d5ef7cd4490968af22a679f8cb

memory/4560-27-0x0000000073900000-0x0000000073FEE000-memory.dmp

memory/4560-28-0x00000000072A0000-0x00000000072BA000-memory.dmp

memory/4560-29-0x0000000007880000-0x0000000007886000-memory.dmp

memory/4232-30-0x0000000000400000-0x0000000000432000-memory.dmp

memory/4232-31-0x00000000053B0000-0x0000000005416000-memory.dmp

C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\System\Process.txt

MD5 ad77d04b69a734defb35d513707e44f4
SHA1 c6a59eb124d29f30698d1503c326ff18ea684a53
SHA256 c0f31d85fd28a05ab229f1c408c0a4d1022b5e5d3f9db65a59ade1b7b1168486
SHA512 c590f76adf54056188f186a1858780d085e513ac3a386a2a1ddf807a0e3a620ec5615d931cd653d963ccb55232a2142689ec708d15dde1fe546acde7283a6ea4

memory/4232-153-0x0000000005FA0000-0x0000000005FAA000-memory.dmp

C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\msgid.dat

MD5 cfcd208495d565ef66e7dff9f98764da
SHA1 b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

memory/4232-159-0x00000000058D0000-0x00000000058E2000-memory.dmp

C:\Users\Admin\AppData\Local\12e6b8b512431c8077ddcbe96f9931bd\Admin@YBQDFVLH_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 22:54

Reported

2024-06-27 22:59

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe

"C:\Users\Admin\AppData\Local\Temp\63d2c37fdb370cf6e743bd75e7408f5eded5bc823a29401eeafe0bea921657bb.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp

Files

memory/1656-0-0x000000007462E000-0x000000007462F000-memory.dmp

memory/1656-1-0x0000000001090000-0x00000000011E8000-memory.dmp

memory/1656-2-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/1656-3-0x0000000074620000-0x0000000074D0E000-memory.dmp