Analysis Overview
SHA256
1383b3b8f79d369214e2b537d15b77b3b362aee0f509c856c0f88a98e8500447
Threat Level: Known bad
The file !_ANDROID.zip was found to be: Known bad.
Malicious Activity Summary
xmrig
Spynote payload
Spynote family
XMRig Miner payload
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Declares services with permission to bind to the system
Requests dangerous framework permissions
Declares broadcast receivers with permission to handle system events
AutoIT Executable
Drops file in System32 directory
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-02 05:12
Signatures
Spynote family
Spynote payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Declares broadcast receivers with permission to handle system events
| Description | Indicator | Process | Target |
| Required by device admin receivers to bind with the system. Allows apps to manage device administration features. | android.permission.BIND_DEVICE_ADMIN | N/A | N/A |
Declares services with permission to bind to the system
| Description | Indicator | Process | Target |
| Required by accessibility services to bind with the system. Allows apps to access accessibility features. | android.permission.BIND_ACCESSIBILITY_SERVICE | N/A | N/A |
Requests dangerous framework permissions
| Description | Indicator | Process | Target |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows an application to read from external storage. | android.permission.READ_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to write and read the user's call log data. | android.permission.WRITE_CALL_LOG | N/A | N/A |
| Allows an application to read or write the system settings. | android.permission.WRITE_SETTINGS | N/A | N/A |
| Allows an app to create windows using the type LayoutParams.TYPE_APPLICATION_OVERLAY, shown on top of all other apps. | android.permission.SYSTEM_ALERT_WINDOW | N/A | N/A |
| Allows an application to write to external storage. | android.permission.WRITE_EXTERNAL_STORAGE | N/A | N/A |
| Allows an application to send SMS messages. | android.permission.SEND_SMS | N/A | N/A |
| Required to be able to access the camera device. | android.permission.CAMERA | N/A | N/A |
| Allows access to the list of accounts in the Accounts Service. | android.permission.GET_ACCOUNTS | N/A | N/A |
| Allows an application to write the user's contacts data. | android.permission.WRITE_CONTACTS | N/A | N/A |
| Allows an application to read the user's contacts data. | android.permission.READ_CONTACTS | N/A | N/A |
| Allows an application to record audio. | android.permission.RECORD_AUDIO | N/A | N/A |
| Allows an application to read SMS messages. | android.permission.READ_SMS | N/A | N/A |
| Allows an application to read the user's call log. | android.permission.READ_CALL_LOG | N/A | N/A |
| Allows read only access to phone state, including the current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device. | android.permission.READ_PHONE_STATE | N/A | N/A |
| Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call. | android.permission.CALL_PHONE | N/A | N/A |
| Allows an app to access approximate location. | android.permission.ACCESS_COARSE_LOCATION | N/A | N/A |
| Allows an app to access precise location. | android.permission.ACCESS_FINE_LOCATION | N/A | N/A |
| Allows an application to receive SMS messages. | android.permission.RECEIVE_SMS | N/A | N/A |
| Allows an application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether. | android.permission.PROCESS_OUTGOING_CALLS | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral12
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:15
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TiWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MicrosoftWindows.xml | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MicrosoftWindows.xml | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File created | C:\Windows\SysWOW64\TiWorker.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TiWorker.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File created | C:\Windows\SysWOW64\config.json | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config.json | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\TiWorker.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe
"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
C:\Windows\system32\schtasks.exe
schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
C:\Windows\system32\schtasks.exe
schtasks /End /TN "WindowsUpdate"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "WindowsUpdate" /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
C:\Windows\system32\schtasks.exe
schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
C:\Windows\system32\schtasks.exe
schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
C:\Windows\system32\certutil.exe
certutil –addstore –f root MicrosoftWindows.crt
C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe
"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4744,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\autEAFC.tmp
| MD5 | ecede3c32ce83ff76ae584c938512c5a |
| SHA1 | 090b15025e131cc03098f6f0d8fa5366bc5fa1f0 |
| SHA256 | 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d |
| SHA512 | 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d |
C:\Windows\SysWOW64\MicrosoftWindows.xml
| MD5 | b1cbfcc7b7a5716a30b77f5dc5bb6135 |
| SHA1 | 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9 |
| SHA256 | 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430 |
| SHA512 | d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7 |
memory/4348-19-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-20-0x0000000000400000-0x0000000000DCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt
| MD5 | 1bb617d3aab1dbe2ec2e4a90bf824846 |
| SHA1 | bbe179f1bdc4466661da3638420e6ca862bd50ca |
| SHA256 | 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580 |
| SHA512 | ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52 |
memory/4348-23-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-29-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-30-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-31-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-32-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-33-0x0000000000400000-0x0000000000DCB000-memory.dmp
C:\Windows\SysWOW64\config.json
| MD5 | 3da156f2d3307118a8e2c569be30bc87 |
| SHA1 | 335678ca235af3736677bd8039e25a6c1ee5efca |
| SHA256 | f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb |
| SHA512 | 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0 |
C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe
| MD5 | 48e1bf0b6df63a18187e57348b06ad7e |
| SHA1 | 605402f1d2ce5a04dd205412ab9edd8f90261967 |
| SHA256 | 8e154ba521608bcf09bba26189e9e1bf86cae70ef7f283579518a641a0ea955f |
| SHA512 | 54dd1dd4d9e2c7a849fe7576f66870978153976e05b029246ebdf8ae43a70a390c9377296d34dd439530609a42047d8bb8cf6be9a1bb7eff9c4e9d91f5041233 |
memory/232-44-0x0000028EBC2E0000-0x0000028EBC39C000-memory.dmp
memory/232-46-0x0000028ED6B90000-0x0000028ED6D39000-memory.dmp
memory/4348-45-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-47-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-49-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-51-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/232-52-0x0000028ED6B90000-0x0000028ED6D39000-memory.dmp
memory/4348-53-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-55-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-57-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-59-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-61-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-63-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-65-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-67-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-69-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/4348-71-0x0000000000400000-0x0000000000DCB000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:15
Platform
win10v2004-20240611-en
Max time kernel
132s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\Interop.WMPLib.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 88.221.83.232:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:13
Platform
android-x86-arm-20240624-en
Max time network
4s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:13
Platform
android-x64-20240624-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:13
Platform
android-x64-20240624-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:13
Platform
android-x64-arm64-20240624-en
Max time network
8s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 172.217.16.238:443 | tcp | |
| GB | 172.217.16.238:443 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:15
Platform
win7-20240220-en
Max time kernel
65s
Max time network
149s
Command Line
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\AxInterop.WMPLib.dll",#1
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5eb9758,0x7fef5eb9768,0x7fef5eb9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1492 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1568 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2268 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2276 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1452 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3240 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3580 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=3744 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3632 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1812 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2504 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2276 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2756 --field-trial-handle=1356,i,5956741989909308859,12411688464446081193,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | ogs.google.com | udp |
| GB | 142.250.187.238:443 | ogs.google.com | tcp |
| US | 8.8.8.8:53 | ssl.gstatic.com | udp |
| GB | 172.217.169.3:443 | ssl.gstatic.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 8.8.8.8:53 | waa-pa.clients6.google.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 172.217.16.234:443 | waa-pa.clients6.google.com | tcp |
| GB | 172.217.16.234:443 | waa-pa.clients6.google.com | tcp |
| GB | 172.217.16.234:443 | waa-pa.clients6.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 192.178.49.163:443 | beacons.gcp.gvt2.com | tcp |
| US | 192.178.49.163:443 | beacons.gcp.gvt2.com | tcp |
| US | 192.178.49.163:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | beacons4.gvt2.com | udp |
| US | 216.239.32.116:443 | beacons4.gvt2.com | tcp |
| US | 216.239.32.116:443 | beacons4.gvt2.com | udp |
Files
\??\pipe\crashpad_2708_FKXMMKLZLOWHIEJE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | ba05348f25d90ff9539c0d751cabe1fe |
| SHA1 | d876723470b9c3fb4167b1a3873dc8dbba75c8ad |
| SHA256 | 3268c7d2809c6da51b5dd500a38f605e2d3922cc47c44fa8d98497754c16d35a |
| SHA512 | 0a831e8c89192d4783e445e11becd0c7d4b86f9cfe5a009e60d7474d467f3c67b81aa778107785a77b5265c76b4c5ba1034c597f5f7bb5cd2c13bd73391ca910 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | fafdfce914a028f641a0befc3fc523d1 |
| SHA1 | cf162c6a7afe968c222812b067e53cb143ad186f |
| SHA256 | a10d672829d2be2b871fd8b363af5461d4bf0b7b2e2ca8b5f4ee729c50360ef3 |
| SHA512 | 8f145d1b2a641ce6080d0f33c46832601a23371b14b08d631011e6ff13c55b896a5166ba4b8eb0fcd7526b61ac0062d2facb3a176700913e2332032b8f06dd82 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar12DC.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 491a04974369d193bfd975d698367f4c |
| SHA1 | 0909b19cd4c1051b3489fec7438850947eb6df78 |
| SHA256 | 314ad8108c6f4dd66fb023216933837cc7c1bb89781914cce4bc716180c4728e |
| SHA512 | 9ae8781733cdd44a1d1c8dee2bf0be2c6aa7cfa2c82d5f45c5e1b2e6ba51f85b0e97a6fb6c64f347ea6858851b752c2b8c5003d04f2bea1c0827073f6ad5807a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | eee585279306ddf9673a6382b74a68cf |
| SHA1 | 7d1f04445e5ad01b1c0eae55e591139ae87c357f |
| SHA256 | 938227ed09b8d539d8efcc17456653ff4ffdd44edfbce8c37a2d9fe2f3b24750 |
| SHA512 | 7884243139987899f8a7cc43931971b01bb7c6c33d5740fcfb8b202d198b4df8721ecc56479a361965ed1d626a57d56e8938bbe04d0f3a45c8a88430dbaecbc8 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1202f7281d320a95ebc97b717ee728eb |
| SHA1 | 2f1e078385c805587fe89ac4136eaf325ae92ad1 |
| SHA256 | 18ef43a8d303c9279b639e04a7b2e861dc67ea9262d1f789e80d9b9886034738 |
| SHA512 | 6345fd53b849040f1f6af92328b8260f8a2aea15399fabe81e256386593b53ffcf4ff68258b3f89eb9de7569701c19a3581cc1fcf1251fbba53eb4a5aa4637dd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95676518deb95557a4e382490b63ac34 |
| SHA1 | 6877eca72e4c4dc7800cc038141d5ebea5759c9e |
| SHA256 | ba8b1ab411015a0b3fb1abf732b6f8d2513f3285ea2421a32927fb7901d31c72 |
| SHA512 | c80dc5ba08e603e6c4d5869d3e157ae99b7f99c1c1cb4d1dbc3fc923fcbbc6b9b61999ca68d50a0f29448291730c372183866e49a8fbc77080502ee1d9b73cf5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4a4260dc1d2404aa9660d9ca1e8cccfb |
| SHA1 | 6dfcddf1bbad0b159278b085fd7dda307ae6e5e7 |
| SHA256 | 15460826a0b308aa3af8e658e0006ea6d5de6df2764c4ed6b87ee0659782ee93 |
| SHA512 | 6c5b0dd09971f75c85ab483d9496e25c5305447f4eb30bf6c5436b178b7fca98568698ce83a31225bc5f3ce1a9e7b32e657b94fe703a301956538256e56ac778 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | f2dd59fc30402e12a1274165960a6eee |
| SHA1 | ba9db008eea4f21ddcb2755a5490d58072db37c5 |
| SHA256 | 00412021fbecb91cda578736e15c8f3c9dfd6d662f4d78e89c4946c826ded576 |
| SHA512 | 0f3f189e5acd63ad42c6a8a3b0e91563c54e19d44ecd64a7f414fefd025c597097d4e5fb46b70e33951498e93381c80e378178d8b6a50cda8e7fb4275ad63970 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 84cbf73cf5d27bcf71195fdf66bae845 |
| SHA1 | 874e04572bdaf18d854ad7b1a34e4c9333bfdd13 |
| SHA256 | 12bfcaabb8d49ef6c4d2600cb28d14a846b7057ebe0a9af029bfc503a5d97c0b |
| SHA512 | 79d057f94dbe0ff88277a30eacd8ca851f82db9bbc956a1099ccd3749699c19c8e7325202e273e24fb6180fa25a9b067f76e613ea3eba7cbf47992aee0992ed4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:15
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\AxInterop.WMPLib.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| BE | 88.221.83.225:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 225.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:13
Platform
android-x86-arm-20240624-en
Max time network
5s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| N/A | 224.0.0.251:5353 | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:15
Platform
win7-20240508-en
Max time kernel
145s
Max time network
123s
Command Line
Signatures
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\TiWorker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\TiWorker.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\TiWorker.exe | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File created | C:\Windows\SysWOW64\config.json | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config.json | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File created | C:\Windows\SysWOW64\MicrosoftWindows.xml | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\MicrosoftWindows.xml | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\TiWorker.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe
"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNotex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate" & schtasks /End /TN "WindowsUpdate" & exit
C:\Windows\system32\schtasks.exe
schtasks /End /TN "Microsoft\Windows\MUI\WindowsUpdate"
C:\Windows\system32\schtasks.exe
schtasks /End /TN "WindowsUpdate"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Delete /TN "WindowsUpdate" /F & exit
C:\Windows\system32\schtasks.exe
schtasks /Delete /TN "WindowsUpdate" /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=out action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="System" dir=out action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System" dir=in action=allow program="%windir%\SysWOW64\TiWorker.exe" enable=yes & exit
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="System" dir=in action=allow program="C:\Windows\SysWOW64\TiWorker.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Create /XML "%windir%\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F & exit
C:\Windows\system32\schtasks.exe
schtasks /Create /XML "C:\Windows\SysWOW64\MicrosoftWindows.xml" /TN "Microsoft\Windows\MUI\WindowsUpdate" /F
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "%windir%\SysWOW64\TiWorker.exe" & schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate" & exit
C:\Windows\system32\schtasks.exe
schtasks /Change /TN "Microsoft\Windows\MUI\WindowsUpdate" /TR "C:\Windows\SysWOW64\TiWorker.exe"
C:\Windows\system32\schtasks.exe
schtasks /Run /TN "Microsoft\Windows\MUI\WindowsUpdate"
C:\Windows\system32\taskeng.exe
taskeng.exe {DA244595-F473-41EC-8A40-BB0628130DC3} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\SysWOW64\TiWorker.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil –addstore –f root MicrosoftWindows.crt & exit
C:\Windows\system32\certutil.exe
certutil –addstore –f root MicrosoftWindows.crt
C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe
"C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pool.minexmr.com | udp |
Files
C:\Windows\SysWOW64\TiWorker.exe
| MD5 | ecede3c32ce83ff76ae584c938512c5a |
| SHA1 | 090b15025e131cc03098f6f0d8fa5366bc5fa1f0 |
| SHA256 | 366f1e9f9c99aa81034bada3cc344f2fb5a74246e1d5851441244df1ecc9ae6d |
| SHA512 | 61ca6075c8a2086d42b58698484afc0005645507474831cacafc10126f47c8f0cda10c1c215557f9391865b55b16ae881a593d7547cbad560b54369684b23d1d |
C:\Windows\SysWOW64\MicrosoftWindows.xml
| MD5 | b1cbfcc7b7a5716a30b77f5dc5bb6135 |
| SHA1 | 5c397ffd7a845b2fdf9e82ff73698784a91a2fb9 |
| SHA256 | 96f2ff4ddcadf6421071daa6cdda2ce866fb7b10d12cc1b20bd07cb131210430 |
| SHA512 | d08516e7610e5a08d1c5c2d1cc5a22b1cd2d6b7c890f895caee0cf65577a1315d575d91a8f7f78ffc7bd0dd77b23ece46fadf58ba44257a115330a54a3ebfcf7 |
memory/2516-20-0x0000000001630000-0x0000000001FFB000-memory.dmp
memory/2924-26-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-27-0x0000000000400000-0x0000000000DCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MicrosoftWindows.crt
| MD5 | 1bb617d3aab1dbe2ec2e4a90bf824846 |
| SHA1 | bbe179f1bdc4466661da3638420e6ca862bd50ca |
| SHA256 | 1bf4ce2aedc0cfb1365ab15c7e0c8c26b87890ad4008d56317b756b8745ff580 |
| SHA512 | ed91750bec3aed806088c271e295550dac1c8cae91569f278d40fbd671b486e70cc9b28f7a9a70e9f340fbe8a038f1ed18f666de4246fc1d60e015e0dd3f1c52 |
memory/2924-30-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-32-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-31-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-34-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-33-0x0000000000400000-0x0000000000DCB000-memory.dmp
C:\Windows\SysWOW64\config.json
| MD5 | 3da156f2d3307118a8e2c569be30bc87 |
| SHA1 | 335678ca235af3736677bd8039e25a6c1ee5efca |
| SHA256 | f86ab68eaddd22fbe679ea5ab9cc54775e74081beffd758b30776ba103f396eb |
| SHA512 | 59748e02cc4b7f280471b411d6ca3c9986f4c12f84b039bae25269634fc825cde417fe46246f58538668c19cca91e698e31d9f32df69aad89e68423f86bb00c0 |
memory/2924-35-0x0000000000400000-0x0000000000DCB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\SpyNote.exe
| MD5 | 48e1bf0b6df63a18187e57348b06ad7e |
| SHA1 | 605402f1d2ce5a04dd205412ab9edd8f90261967 |
| SHA256 | 8e154ba521608bcf09bba26189e9e1bf86cae70ef7f283579518a641a0ea955f |
| SHA512 | 54dd1dd4d9e2c7a849fe7576f66870978153976e05b029246ebdf8ae43a70a390c9377296d34dd439530609a42047d8bb8cf6be9a1bb7eff9c4e9d91f5041233 |
memory/1940-45-0x00000000002C0000-0x000000000037C000-memory.dmp
memory/2924-46-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2516-47-0x0000000001630000-0x0000000001FFB000-memory.dmp
memory/2924-48-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-49-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-50-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-51-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-52-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-53-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-54-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-55-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-56-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-57-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-58-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-59-0x0000000000400000-0x0000000000DCB000-memory.dmp
memory/2924-60-0x0000000000400000-0x0000000000DCB000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:15
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\!_ANDROID\Spy Note 5\Interop.WMPLib.dll",#1
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-02 05:12
Reported
2024-07-02 05:13
Platform
android-x64-arm64-20240624-en
Max time network
7s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.212.238:443 | tcp | |
| GB | 216.58.212.238:443 | tcp | |
| US | 1.1.1.1:53 | android.apis.google.com | udp |
| GB | 142.250.178.14:443 | android.apis.google.com | tcp |
| N/A | 224.0.0.251:5353 | udp |