Malware Analysis Report

2024-11-16 13:49

Sample ID: 240629-b969qsybna
Target: e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535.zip
SHA256: e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535
Tags: execution stealc vidar stealer discovery spyware
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral26, behavioral3, behavioral9, behavioral17, behavioral21, behavioral25, behavioral6, behavioral31, behavioral8, behavioral23, behavioral29, behavioral32, behavioral1, behavioral10, behavioral15, behavioral16, behavioral22, behavioral2, behavioral4, behavioral28, behavioral30, behavioral7, behavioral13, behavioral24, behavioral27, behavioral5, behavioral11, behavioral12, behavioral14, behavioral18, behavioral19, behavioral20 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535

Threat Level: Known bad

The file e3f61f01d319d83d17da2eca4a7c2b04aa51bdf84ec780f80be7698bdfded535.zip was found to be: Known bad.

Malicious Activity Summary

execution stealc vidar stealer discovery spyware

Detect Vidar Stealer

Stealc

Vidar

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects Windows executables referencing non-Windows User-Agents

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detect binaries embedding considerable number of MFA browser extension IDs.

Downloads MZ/PE file

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Checks computer location settings

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Command and Scripting Interpreter: JavaScript

Program crash

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-29 01:52

Signatures

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             149.220.183.52.in-addr.arpa       udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa       udp
US       8.8.8.8:53             g.bing.com                        udp
US       204.79.197.237:443     g.bing.com                        tcp
US       8.8.8.8:53             136.32.126.40.in-addr.arpa        udp
BE       23.41.178.51:443       www.bing.com                      tcp
US       8.8.8.8:53             26.35.223.20.in-addr.arpa         udp
US       8.8.8.8:53             51.178.41.23.in-addr.arpa         udp
US       8.8.8.8:53             228.249.119.40.in-addr.arpa       udp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53             172.214.232.199.in-addr.arpa      udp
US       52.111.227.14:443                                        tcp
US       8.8.8.8:53             13.227.111.52.in-addr.arpa        udp
US       8.8.8.8:53             88.156.103.20.in-addr.arpa        udp
US       8.8.8.8:53             235.17.178.52.in-addr.arpa        udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240508-en

Max time kernel

117s

Max time network

120s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

Network

N/A

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240611-en

Max time kernel

121s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

Network

N/A

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4bfd2d106.js

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa              udp
US       8.8.8.8:53             228.249.119.40.in-addr.arpa       udp
US       8.8.8.8:53             80.90.14.23.in-addr.arpa          udp
US       8.8.8.8:53             73.159.190.20.in-addr.arpa        udp
US       8.8.8.8:53             97.17.167.52.in-addr.arpa         udp
US       8.8.8.8:53             183.59.114.20.in-addr.arpa        udp
US       8.8.8.8:53             56.126.166.20.in-addr.arpa        udp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa       udp
US       8.8.8.8:53             13.227.111.52.in-addr.arpa        udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240221-en

Max time kernel

121s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240611-en

Max time kernel

132s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             97.17.167.52.in-addr.arpa         udp
US       8.8.8.8:53             g.bing.com                        udp
US       204.79.197.237:443     g.bing.com                        tcp
US       8.8.8.8:53             71.159.190.20.in-addr.arpa        udp
BE       23.41.178.51:443       www.bing.com                      tcp
US       8.8.8.8:53             51.178.41.23.in-addr.arpa         udp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53             56.126.166.20.in-addr.arpa        udp
US       8.8.8.8:53             92.12.20.2.in-addr.arpa           udp
US       8.8.8.8:53             43.58.199.20.in-addr.arpa         udp
US       8.8.8.8:53             22.236.111.52.in-addr.arpa        udp
US       8.8.8.8:53             80.90.14.23.in-addr.arpa          udp
US       8.8.8.8:53             tse1.mm.bing.net                  udp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       8.8.8.8:53             26.35.223.20.in-addr.arpa         udp
US       8.8.8.8:53             10.27.171.150.in-addr.arpa        udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240611-en

Max time kernel

121s

Max time network

126s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

52s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~643d02cb5.js

Network

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240508-en

Max time kernel

149s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

Vidar

stealer vidar

Detects Windows executables referencing non-Windows User-Agents

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1688 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | C:\Windows\SysWOW64\more.com

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1688 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | C:\Windows\SysWOW64\more.com
PID 1688 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | C:\Windows\SysWOW64\more.com
PID 1688 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | C:\Windows\SysWOW64\more.com
PID 1688 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | C:\Windows\SysWOW64\more.com
PID 1688 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | C:\Windows\SysWOW64\more.com
PID 2484 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2484 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2484 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2484 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2484 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2484 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\VIDA.au3
PID 2660 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | C:\Windows\SysWOW64\WerFault.exe
PID 2660 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | C:\Windows\SysWOW64\WerFault.exe
PID 2660 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | C:\Windows\SysWOW64\WerFault.exe
PID 2660 wrote to memory of 2536 | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | C:\Windows\SysWOW64\WerFault.exe
PID 2484 wrote to memory of 2660 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2660 -s 148

Network

N/A

Files

memory/1688-0-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/1688-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e748d98e

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/1688-7-0x000007FEF6BD0000-0x000007FEF6D28000-memory.dmp

memory/1688-8-0x000007FEF6BE8000-0x000007FEF6BE9000-memory.dmp

memory/1688-9-0x000007FEF6BD0000-0x000007FEF6D28000-memory.dmp

memory/1688-10-0x000007FEF6BD0000-0x000007FEF6D28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e9a5e509

MD5 259a510140a5ca1fb7d8c620025947c8
SHA1 77c23f8083a6872d16f9df3d25d0a7f00d3ab920
SHA256 fa920ff6ca68fd1db5d420266474232ec47af7ba185dcc99bc2656f4d88e9963
SHA512 ac3d5efec81919d1dd16ad76de24624c8ef8062d04a193336b6e7ed41385a691052f75709b0b0149b06f2310fc8146a6676077b1092ae2bfe6107b40d8692c53

memory/2484-14-0x0000000077500000-0x00000000776A9000-memory.dmp

memory/2484-16-0x0000000074E90000-0x0000000075004000-memory.dmp

memory/2484-17-0x0000000074E9E000-0x0000000074EA0000-memory.dmp

memory/2484-21-0x0000000074E90000-0x0000000075004000-memory.dmp

\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2660-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2660-23-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2484-25-0x0000000074E90000-0x0000000075004000-memory.dmp

memory/2660-27-0x00000000005F0000-0x0000000000839000-memory.dmp

memory/2660-34-0x00000000005F0000-0x0000000000839000-memory.dmp

memory/2484-36-0x0000000074E9E000-0x0000000074EA0000-memory.dmp

memory/2660-37-0x00000000005F0000-0x0000000000839000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

152s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~114e7a4e2.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             g.bing.com                        udp
US       204.79.197.237:443     g.bing.com                        tcp
US       8.8.8.8:53             149.220.183.52.in-addr.arpa       udp
US       8.8.8.8:53             82.90.14.23.in-addr.arpa          udp
US       8.8.8.8:53             88.156.103.20.in-addr.arpa        udp
US       8.8.8.8:53             76.32.126.40.in-addr.arpa         udp
BE       23.41.178.51:443       www.bing.com                      tcp
US       8.8.8.8:53             51.178.41.23.in-addr.arpa         udp
US       8.8.8.8:53             241.150.49.20.in-addr.arpa        udp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53             18.31.95.13.in-addr.arpa          udp
US       8.8.8.8:53             92.12.20.2.in-addr.arpa           udp
US       8.8.8.8:53             21.236.111.52.in-addr.arpa        udp
US       8.8.8.8:53             tse1.mm.bing.net                  udp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       150.171.27.10:443      tse1.mm.bing.net                  tcp
US       8.8.8.8:53             10.27.171.150.in-addr.arpa        udp
US       8.8.8.8:53             67.112.168.52.in-addr.arpa        udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win7-20240221-en

Max time kernel

119s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240508-en

Max time kernel

49s

Max time network

52s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~1e47f672e.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             8.8.8.8.in-addr.arpa              udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240508-en

Max time kernel

146s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~3fde5681b.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             241.150.49.20.in-addr.arpa        udp
US       8.8.8.8:53             80.90.14.23.in-addr.arpa          udp
US       8.8.8.8:53             23.159.190.20.in-addr.arpa        udp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53             92.12.20.2.in-addr.arpa           udp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa      udp
US       52.111.229.48:443                                        tcp
US       8.8.8.8:53             82.90.14.23.in-addr.arpa          udp
US       8.8.8.8:53             11.227.111.52.in-addr.arpa        udp
US       8.8.8.8:53             67.112.168.52.in-addr.arpa        udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Stealc

stealer stealc

Vidar

stealer vidar

Detect binaries embedding considerable number of MFA browser extension IDs.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects Windows executables referencing non-Windows User-Agents

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3140 set thread context of 4972 | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\more.com | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\VIDA.au3 | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             g.bing.com                        udp
US       13.107.21.237:443      g.bing.com                        tcp
US       8.8.8.8:53             58.55.71.13.in-addr.arpa          udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa       udp
BE       23.41.178.51:443       www.bing.com                      tcp
US       8.8.8.8:53             237.21.107.13.in-addr.arpa        udp
US       8.8.8.8:53             74.32.126.40.in-addr.arpa         udp
US       8.8.8.8:53             51.178.41.23.in-addr.arpa         udp
US       8.8.8.8:53             26.35.223.20.in-addr.arpa         udp
US       8.8.8.8:53             232.168.11.51.in-addr.arpa        udp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53             92.12.20.2.in-addr.arpa           udp
US       8.8.8.8:53             t.me                              udp
NL       149.154.167.99:443     t.me                              tcp
US       8.8.8.8:53             99.167.154.149.in-addr.arpa       udp
US       8.8.8.8:53             22.249.124.192.in-addr.arpa       udp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
US       8.8.8.8:53             214.251.201.195.in-addr.arpa      udp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000                                     tcp
DE       195.201.251.214:9000                                     tcp
DE       195.201.251.214:9000                                     tcp
DE       195.201.251.214:9000                                     tcp
DE       195.201.251.214:9000                                     tcp
DE       195.201.251.214:9000                                     tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
DE       195.201.251.214:9000   195.201.251.214                   tcp
US       8.8.8.8:53             professionalresources.pw          udp
US       8.8.8.8:53             tse1.mm.bing.net                  udp
US       150.171.28.10:443      tse1.mm.bing.net                  tcp
US       150.171.28.10:443      tse1.mm.bing.net                  tcp
US       150.171.28.10:443      tse1.mm.bing.net                  tcp
US       150.171.28.10:443      tse1.mm.bing.net                  tcp
US       150.171.28.10:443      tse1.mm.bing.net                  tcp
US       8.8.8.8:53             55.36.223.20.in-addr.arpa         udp
US       8.8.8.8:53             10.28.171.150.in-addr.arpa        udp

Files

memory/3140-0-0x00000000028C0000-0x00000000028C1000-memory.dmp

memory/3140-1-0x0000000000400000-0x0000000000B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ace27665

MD5 e9036df928c31d7ba3f8ed63275a9dc2
SHA1 d1effabbdb38682cf73f6ddb5f0170112efe6381
SHA256 f2516f2ea49297ceb88651eec0815035cf3961543891571f62a013df3a3400b2
SHA512 841cfceda5f9cbbb2689e158918c3c44071928ef6c96f20651b8aeae1211c423a8ff6fd3f4d50b7e9ce01b1cc12bcb020cbe941430376c991521c93ca49afe6d

memory/3140-7-0x00007FFD08960000-0x00007FFD08AD2000-memory.dmp

memory/3140-8-0x00007FFD08978000-0x00007FFD08979000-memory.dmp

memory/3140-9-0x00007FFD08960000-0x00007FFD08AD2000-memory.dmp

memory/3140-10-0x00007FFD08960000-0x00007FFD08AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\afbfc86b

MD5 a5c36660c5d69ecd8e796b65843f682e
SHA1 10e7176a897a1268d12686eccb0acc11553da82e
SHA256 61c8831a1d3b915cff6e933602881e1beeeca08d6bc87bfcfee1506cbcb52769
SHA512 fc804dbdef88ffd223259ecbf8b21832914e38a88d8e6a55fa08cf613fe25e420f333a1b291bc8e75b623436528d1457b106dd92aaf588b36380b4ecbe9f1019

memory/4972-14-0x00007FFD17AF0000-0x00007FFD17CE5000-memory.dmp

memory/4972-17-0x00000000756EE000-0x00000000756F0000-memory.dmp

memory/4972-16-0x00000000756E0000-0x000000007585B000-memory.dmp

memory/4972-18-0x00000000756E0000-0x000000007585B000-memory.dmp

memory/4972-23-0x00000000756E0000-0x000000007585B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VIDA.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4208-26-0x0000000000C90000-0x0000000000ED9000-memory.dmp

memory/4208-27-0x00007FFD17AF0000-0x00007FFD17CE5000-memory.dmp

memory/4208-37-0x0000000000C90000-0x0000000000ED9000-memory.dmp

memory/4208-41-0x000000001D5A0000-0x000000001D7FF000-memory.dmp

memory/4972-83-0x00000000756EE000-0x00000000756F0000-memory.dmp

memory/4208-82-0x0000000000C90000-0x0000000000ED9000-memory.dmp

memory/4208-84-0x0000000000C90000-0x0000000000ED9000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

153s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~00299a408.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             97.17.167.52.in-addr.arpa         udp
US       8.8.8.8:53             80.90.14.23.in-addr.arpa          udp
US       8.8.8.8:53             134.32.126.40.in-addr.arpa        udp
US       8.8.8.8:53             228.249.119.40.in-addr.arpa       udp
US       8.8.8.8:53             86.23.85.13.in-addr.arpa          udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53             172.214.232.199.in-addr.arpa      udp
US       8.8.8.8:53             11.227.111.52.in-addr.arpa        udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-29 01:51

Reported

2024-06-29 01:55

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Network

Country  Destination            Domain                            Proto
US       8.8.8.8:53             97.17.167.52.in-addr.arpa         udp
US       8.8.8.8:53             240.221.184.93.in-addr.arpa       udp
US       8.8.8.8:53             71.159.190.20.in-addr.arpa        udp
US       8.8.8.8:53             149.220.183.52.in-addr.arpa       udp
US       8.8.8.8:53             26.165.165.52.in-addr.arpa        udp
US       8.8.8.8:53             15.164.165.52.in-addr.arpa        udp
US       8.8.8.8:53             172.210.232.199.in-addr.arpa      udp
US       8.8.8.8:53             14.173.189.20.in-addr.arpa        udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win10v2004-20240611-en
Max time kernel 145s
Max time network 151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~57063afaa.js

Network


Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win7-20240221-en
Max time kernel 117s
Max time network 122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~074e593a7.js

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win7-20240611-en
Max time kernel 118s
Max time network 132s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win10v2004-20240611-en
Max time kernel 130s
Max time network 154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~4611591fd.js

Network


Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win7-20240611-en
Max time kernel 119s
Max time network 124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~5303f55e9.js

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win7-20240611-en
Max time kernel 118s
Max time network 123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~05c32d390.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win7-20240508-en
Max time kernel 123s
Max time network 130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win10v2004-20240611-en
Max time kernel 146s
Max time network 150s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~11d764003.js

Network


Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win10v2004-20240226-en
Max time kernel 132s
Max time network 158s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~13bdaad06.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1852 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8

Network


Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win10v2004-20240508-en
Max time kernel 145s
Max time network 156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~2dcc5aaf7.js

Network


Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win7-20240508-en
Max time kernel 121s
Max time network 125s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted 2024-06-29 01:51
Reported 2024-06-29 01:55
Platform win10v2004-20240611-en
Max time kernel 133s
Max time network 154s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\!!fUlLSetup_3355_P@ssKeys!!\autocompletion\libraries\libraries~32b5733f1.js

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2816,i,6522675234395427298,2952738987384583032,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8

Network


Files

N/A