Malware Analysis Report

2024-11-16 13:48

Sample ID 240629-dcnr8szane
Target Setup.zip
SHA256 d688113f745fbdea695db3f1c441431617fd6e07dba111d61c24126c0b0314a4
Tags
stealc vidar bd7a7ef85507e39998176b88b253bdb9 persistence privilege_escalation stealer discovery spyware
score
10/10

Analysis Overview

Threat Level: Known bad

The file Setup.zip was found to be: Known bad.

Malicious Activity Summary

Stealc

Detect Vidar Stealer

Vidar

Loads dropped DLL

Reads user/profile data of local email clients

Checks computer location settings

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of SetThreadContext

Program crash

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Analysis: static1

Detonation Overview

Reported

2024-06-29 02:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:55

Platform

win7-20240508-en

Max time kernel

143s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 876 set thread context of 300 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\coml.au3

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 876 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 876 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 876 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 876 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 876 wrote to memory of 300 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 300 wrote to memory of 2644 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 300 wrote to memory of 2644 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 300 wrote to memory of 2644 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 300 wrote to memory of 2644 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 300 wrote to memory of 2644 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 300 wrote to memory of 2644 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2644 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2644 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2644 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe
PID 2644 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 148

Network

N/A

Files

memory/876-0-0x0000000140000000-0x00000001407DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b47a9051

MD5 957edcb00ce0b522499f6c799ea11053
SHA1 b1c91d93701d206820e45118e0df50d34790d27d
SHA256 e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d
SHA512 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6

memory/876-6-0x000007FEF60E0000-0x000007FEF6238000-memory.dmp

memory/876-7-0x000007FEF60F8000-0x000007FEF60F9000-memory.dmp

memory/876-8-0x000007FEF60E0000-0x000007FEF6238000-memory.dmp

memory/876-9-0x000007FEF60E0000-0x000007FEF6238000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b8acc765

MD5 70d544ea90499a5404a8298a98f5a355
SHA1 be8ce8d3791656ed8833e9884b1584231bfee8e6
SHA256 9a03bcf5e6c9e1caf20f8773e9438acc627e797b23db8ef6d27704d4b975ac34
SHA512 0715a68babaf4e18f3b2522b657c728c2a03af2ade1cbf1479d477914794c64ce765139fd5786d821c3e7b1a302d7deb230ea94a2dfa59cdd8742a7abfb0e331

memory/300-12-0x0000000077210000-0x00000000773B9000-memory.dmp

memory/300-15-0x00000000734EE000-0x00000000734F0000-memory.dmp

memory/300-14-0x00000000734E0000-0x0000000073654000-memory.dmp

\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/300-18-0x00000000734E0000-0x0000000073654000-memory.dmp

memory/2644-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2644-21-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/300-23-0x00000000734E0000-0x0000000073654000-memory.dmp

memory/2644-25-0x0000000000670000-0x0000000000DBB000-memory.dmp

memory/2644-32-0x0000000000670000-0x0000000000DBB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:55

Platform

win10-20240404-en

Max time kernel

131s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5064 set thread context of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 5064 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 5064 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 5064 wrote to memory of 5028 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 5028 wrote to memory of 1016 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 5028 wrote to memory of 1016 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 5028 wrote to memory of 1016 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 5028 wrote to memory of 1016 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 5028 wrote to memory of 1016 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1016 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 1016 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 4668 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4668 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4668 wrote to memory of 4540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AAKJEGCFBGDH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 138.115.119.168.in-addr.arpa udp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
DE 168.119.115.138:9000 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

memory/5064-0-0x00007FF66C310000-0x00007FF66CAEB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\feb27f54

MD5 957edcb00ce0b522499f6c799ea11053
SHA1 b1c91d93701d206820e45118e0df50d34790d27d
SHA256 e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d
SHA512 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6

memory/5064-6-0x00007FFA313B0000-0x00007FFA3151A000-memory.dmp

memory/5064-7-0x00007FFA313C8000-0x00007FFA313C9000-memory.dmp

memory/5064-8-0x00007FFA313B0000-0x00007FFA3151A000-memory.dmp

memory/5064-9-0x00007FFA313B0000-0x00007FFA3151A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2be006b

MD5 79d6cd0a6fa70df57844f76a30cfe8cf
SHA1 d44d41bc8314a68800714af798080bbd6971c696
SHA256 3ee5c71955bd714b73ca800d3b5b840427e5d8bcd0e224fe202663c17d7413a7
SHA512 3209fc4ba40e585960ddbc5e6c01130a2a1ccee5202847ebca92de93d987a4e8159ab3fbbf50f3fb5067ad2071898cf521efafc6d12f03eb4562c169679c1908

memory/5028-12-0x00007FFA3E6A0000-0x00007FFA3E87B000-memory.dmp

memory/5028-15-0x000000007317E000-0x0000000073180000-memory.dmp

memory/5028-16-0x0000000073171000-0x000000007317F000-memory.dmp

memory/5028-19-0x0000000073171000-0x000000007317F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1016-21-0x00007FFA3E6A0000-0x00007FFA3E87B000-memory.dmp

memory/1016-27-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\ProgramData\AAKJEGCFBGDH\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\AAKJEGCFBGDH\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1016-70-0x0000000000EF0000-0x000000000163B000-memory.dmp

memory/1016-74-0x0000000000EF0000-0x000000000163B000-memory.dmp

memory/1016-83-0x0000000000EF0000-0x000000000163B000-memory.dmp

C:\ProgramData\AAKJEGCFBGDH\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\AAKJEGCFBGDH\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\AAKJEGCFBGDH\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:55

Platform

win10v2004-20240611-en

Max time kernel

133s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1904 set thread context of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1904 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1904 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1904 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1904 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 2160 wrote to memory of 3000 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2160 wrote to memory of 3000 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2160 wrote to memory of 3000 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2160 wrote to memory of 3000 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2160 wrote to memory of 3000 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 3000 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 3000 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 3700 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3700 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3700 wrote to memory of 4548 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3060,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4064 /prefetch:8

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3612,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\CBGCBKFBGIII" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 138.115.119.168.in-addr.arpa udp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
DE 168.119.115.138:9000 168.119.115.138 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/1904-0-0x00007FF6384F0000-0x00007FF638CCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b5df97f2

MD5 957edcb00ce0b522499f6c799ea11053
SHA1 b1c91d93701d206820e45118e0df50d34790d27d
SHA256 e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d
SHA512 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6

memory/1904-6-0x00007FFCB1700000-0x00007FFCB1872000-memory.dmp

memory/1904-7-0x00007FFCB1718000-0x00007FFCB1719000-memory.dmp

memory/1904-8-0x00007FFCB1700000-0x00007FFCB1872000-memory.dmp

memory/1904-9-0x00007FFCB1700000-0x00007FFCB1872000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bb7083d5

MD5 1d88c4434779a424cdc3383613851f80
SHA1 cc0b88adab15e067d943b4551f8f2af79f205ac3
SHA256 236206c5cf0e197614ad6663422da4d07a1720c3de1309b03c74367277995a00
SHA512 01dd009b6e69ad5a9e376c18148a6a9f078c45b8dcad1c28951a71445d543704591c161f4722856c3673d6fa2955ca088dd090a9cdc5c6f57fac69f30407bd7e

memory/2160-12-0x00007FFCCF470000-0x00007FFCCF665000-memory.dmp

memory/2160-15-0x0000000074271000-0x000000007427F000-memory.dmp

memory/2160-14-0x000000007427E000-0x0000000074280000-memory.dmp

memory/2160-19-0x0000000074271000-0x000000007427F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3000-21-0x0000000001200000-0x000000000194B000-memory.dmp

memory/3000-23-0x00007FFCCF470000-0x00007FFCCF665000-memory.dmp

memory/3000-26-0x0000000001200000-0x000000000194B000-memory.dmp

memory/3000-27-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\CBGCBKFBGIII\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\CBGCBKFBGIII\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3000-97-0x0000000001200000-0x000000000194B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

memory/3000-103-0x0000000001200000-0x000000000194B000-memory.dmp

memory/3000-118-0x0000000001200000-0x000000000194B000-memory.dmp

memory/3000-119-0x0000000001200000-0x000000000194B000-memory.dmp

C:\ProgramData\CBGCBKFBGIII\VCRUNT~1.DLL

MD5 a37ee36b536409056a86f50e67777dd7
SHA1 1cafa159292aa736fc595fc04e16325b27cd6750
SHA256 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA512 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

C:\ProgramData\CBGCBKFBGIII\softokn3.dll

MD5 4e52d739c324db8225bd9ab2695f262f
SHA1 71c3da43dc5a0d2a1941e874a6d015a071783889
SHA256 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a
SHA512 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

C:\ProgramData\CBGCBKFBGIII\msvcp140.dll

MD5 5ff1fca37c466d6723ec67be93b51442
SHA1 34cc4e158092083b13d67d6d2bc9e57b798a303b
SHA256 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA512 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:53

Platform

debian9-mipsbe-20240418-en

Max time kernel

0s

Command Line

[/tmp/Setup.exe]

Signatures

N/A

Processes

/tmp/Setup.exe

[/tmp/Setup.exe]

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:53

Platform

debian9-mipsel-20240611-en

Max time kernel

0s

Command Line

[/tmp/Setup.exe]

Signatures

N/A

Processes

/tmp/Setup.exe

[/tmp/Setup.exe]

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:53

Platform

ubuntu1804-amd64-20240611-en

Max time kernel

0s

Max time network

3s

Command Line

[/tmp/Setup.exe]

Signatures

N/A

Processes

/tmp/Setup.exe

[/tmp/Setup.exe]

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:53

Platform

debian9-armhf-20240418-en

Max time kernel

0s

Command Line

[/tmp/Setup.exe]

Signatures

N/A

Processes

/tmp/Setup.exe

[/tmp/Setup.exe]

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:55

Platform

win11-20240508-en

Max time kernel

144s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Reads data files stored by FTP clients

spyware stealer

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\coml.au3 N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1692 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\netsh.exe
PID 1364 wrote to memory of 2260 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1364 wrote to memory of 2260 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1364 wrote to memory of 2260 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1364 wrote to memory of 2260 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 1364 wrote to memory of 2260 N/A C:\Windows\SysWOW64\netsh.exe C:\Users\Admin\AppData\Local\Temp\coml.au3
PID 2260 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\Temp\coml.au3 C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1320 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1320 wrote to memory of 1680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Users\Admin\AppData\Local\Temp\coml.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\coml.au3" & rd /s /q "C:\ProgramData\KFCGDBAKKKFB" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 steamcommunity.com udp

Files

memory/1692-0-0x00007FF7B0F00000-0x00007FF7B16DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c18cdc02

MD5 957edcb00ce0b522499f6c799ea11053
SHA1 b1c91d93701d206820e45118e0df50d34790d27d
SHA256 e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d
SHA512 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6

memory/1692-6-0x00007FFDA9A60000-0x00007FFDA9BDA000-memory.dmp

memory/1692-7-0x00007FFDA9A78000-0x00007FFDA9A79000-memory.dmp

memory/1692-8-0x00007FFDA9A60000-0x00007FFDA9BDA000-memory.dmp

memory/1692-9-0x00007FFDA9A60000-0x00007FFDA9BDA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c5b29c33

MD5 9722acf580727032fc0ee7e15405cb81
SHA1 e1c22a06014956a1c4318e30e1e2f06204a2df0c
SHA256 d21a368256d953ef7bb8e2365bc0609af23b511ef4f135e83a79c7515a1fc3b0
SHA512 ef850b27d74da5598bffc4c989ee9ff14b4df680c960acb9505eaba81aee124c5be067b67626ba92b96b0ddba202d7498d7305e62e409d33e66a326b91f3728e

memory/1364-12-0x00007FFDB8E20000-0x00007FFDB9029000-memory.dmp

memory/1364-16-0x0000000073AA1000-0x0000000073AAF000-memory.dmp

memory/1364-15-0x0000000073AAE000-0x0000000073AB0000-memory.dmp

memory/1364-19-0x0000000073AA1000-0x0000000073AAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coml.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2260-21-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/2260-23-0x00007FFDB8E20000-0x00007FFDB9029000-memory.dmp

memory/2260-24-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/2260-25-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/2260-26-0x0000000001600000-0x0000000001D4B000-memory.dmp

memory/2260-27-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2260-39-0x0000000001600000-0x0000000001D4B000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:53

Platform

android-x86-arm-20240624-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:53

Platform

android-x64-20240624-en

Max time network

7s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
N/A 224.0.0.251:5353 udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:53

Platform

android-x64-arm64-20240624-en

Max time network

9s

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

Country Destination Domain Proto
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
GB 142.250.180.14:443 tcp
N/A 224.0.0.251:5353 udp
GB 216.58.213.10:443 tcp
GB 216.58.213.10:443 tcp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-29 02:51

Reported

2024-06-29 02:55

Platform

macos-20240611-en

Max time kernel

132s

Max time network

148s

Command Line

[sh -c sudo /bin/zsh -c "/Users/run/Setup.exe"]

Signatures

N/A

Processes

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/Setup.exe"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/Setup.exe"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/Setup.exe]

/bin/zsh

[/bin/zsh -c /Users/run/Setup.exe]

/Users/run/Setup.exe

[/Users/run/Setup.exe]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater0B4C966A/OneDrive.app]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/usr/libexec/xpcproxy

[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService

[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]

Network

Country Destination Domain Proto
US 151.101.3.6:443 tcp
US 151.101.195.6:443 tcp
US 8.8.8.8:53 mobile.events.data.trafficmanager.net udp
US 20.189.173.6:443 tcp
US 8.8.8.8:53 api.apple-cloudkit.fe2.apple-dns.net udp
US 8.8.8.8:53 h3.apis.apple.map.fastly.net udp
US 8.8.8.8:53 cds.apple.com udp
US 23.219.244.63:443 cds.apple.com tcp
US 8.8.8.8:53 help.apple.com udp
GB 2.21.189.171:443 help.apple.com tcp
GB 2.21.189.171:443 help.apple.com tcp
N/A 224.0.0.251:5353 udp

Files

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20