Malware Analysis Report

2024-10-10 09:53

Sample ID 240702-q86ddavglc
Target ElectricLauncher.7z
SHA256 01342213b45659a27b48f65b73b7043b84faba91ca8f80963560d824097e5ed1
Tags
persistence privilege_escalation umbral execution spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01342213b45659a27b48f65b73b7043b84faba91ca8f80963560d824097e5ed1

Threat Level: Known bad

The file ElectricLauncher.7z was found to be: Known bad.

Malicious Activity Summary

persistence privilege_escalation umbral execution spyware stealer

Umbral family

Detect Umbral payload

Umbral

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Executes dropped EXE

Reads user/profile data of web browsers

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Event Triggered Execution: Component Object Model Hijacking

Unsigned PE

Enumerates physical storage devices

Detects videocard installed

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-02 13:58

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral family

umbral

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-process-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-process-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-string-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-string-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-time-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-time-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

118s

Max time network

53s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-private-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-private-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win10v2004-20240508-en

Max time kernel

127s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-stdio-l1-1-0.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3916,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1036 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win10v2004-20240611-en

Max time kernel

145s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\bci.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\bci.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win10v2004-20240508-en

Max time kernel

118s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-environment-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-environment-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-heap-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-heap-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 23.62.61.99:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 99.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
IE 52.111.236.22:443 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

132s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\awt.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\awt.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4544,i,8660989700097327804,17931739887231169645,262144 --variations-seed-version --mojo-platform-channel-handle=1300 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win7-20240419-en

Max time kernel

119s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dcpr.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dcpr.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win7-20240220-en

Max time kernel

119s

Max time network

127s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_socket.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_socket.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win10v2004-20240508-en

Max time kernel

144s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-math-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-math-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 11.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-utility-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-utility-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win7-20240611-en

Max time kernel

125s

Max time network

140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\awt.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\awt.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win7-20240508-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\bci.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2132 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2132 wrote to memory of 2156 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\bci.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2132 -s 80

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win7-20240508-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_shmem.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1244 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1244 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_shmem.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1244 -s 80

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win7-20240611-en

Max time kernel

118s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dtplugin\deployJava1.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InprocServer32\C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dtplugin\deployJava1.dll = "0" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA} C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\Deployment Toolkit = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InprocServer32\Apartment = "4134571864" C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dtplugin\deployJava1.dll

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:01

Platform

win7-20240221-en

Max time kernel

60s

Max time network

44s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z

Signatures

Detect Umbral payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Umbral

stealer umbral

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe N/A
File opened for modification C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A
N/A N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\wmic.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1640 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1640 wrote to memory of 2584 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 1756 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1488 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1488 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1488 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 620 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 620 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 620 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1932 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1932 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1932 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1676 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 1676 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 1676 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2924 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2924 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2924 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2516 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2516 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2516 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 1732 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1732 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 1732 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2532 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2532 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1756 wrote to memory of 2532 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 312 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 312 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 312 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 780 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 780 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 780 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1844 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1844 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1844 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2216 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2216 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2216 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 656 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 656 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 656 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2952 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2952 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2952 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2864 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 1292 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1292 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 1292 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1800 wrote to memory of 2928 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2928 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe
PID 1800 wrote to memory of 2928 N/A C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe C:\Windows\System32\Wbem\wmic.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z"

C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe

"C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe

"C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" os get Caption

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" computersystem get totalphysicalmemory

C:\Windows\System32\Wbem\wmic.exe

"wmic.exe" csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\System32\Wbem\wmic.exe

"wmic" path win32_VideoController get name

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.137.232:443 discord.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 172.217.16.227:443 gstatic.com tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\7zE81AEB516\ElectricLauncher\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

MD5 1e9d8f133a442da6b0c74d49bc84a341
SHA1 259edc45b4569427e8319895a444f4295d54348f
SHA256 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b
SHA512 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

C:\Users\Admin\Desktop\ElectricLauncher\ElectrickLauncher.exe

MD5 3c764a3a72eefe5074751c4955df77ad
SHA1 670efacebbeab02a31b69cde6d3f949816c45946
SHA256 c8413e399a6ebd847f90bb3cde101d647aeef296baf4157141ab47fc2ae82b14
SHA512 c640dec6bb9cb980cdf998d93736759ecb0a0a7b124a5dc0cd08b15ac984d5d131044d64d154a18ccf2bf07c39cd29aecaecef48873c41fcb85e82fd3f59120f

memory/1756-592-0x0000000000BA0000-0x0000000000C22000-memory.dmp

memory/2864-597-0x000000001B620000-0x000000001B902000-memory.dmp

memory/2864-598-0x00000000028E0000-0x00000000028E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 3cf3df757aa231b29717f7517370b482
SHA1 68359ea9397f9dcecd2bc67bf972665ff73cace7
SHA256 22bd9800dd6904d2d6e1d5c0ff1594256709682415a3dc2d38ed593f9451e16c
SHA512 8b67b131ebd8ea81648cb4add0233fae4dc25419fa6abd9ce9dca27e2db5997d87dd087bf98312aa1ee72be8f142a272b1965e473e68d30698806db09a3a1939

memory/1488-604-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

memory/1488-605-0x0000000001D20000-0x0000000001D28000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1732-630-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/1800-635-0x0000000001130000-0x00000000011B2000-memory.dmp

memory/312-641-0x0000000002920000-0x0000000002928000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 577f27e6d74bd8c5b7b0371f2b1e991c
SHA1 b334ccfe13792f82b698960cceaee2e690b85528
SHA256 0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9
SHA512 944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

memory/2976-678-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2976-677-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

41s

Max time network

53s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ElectricLauncher.7z

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-locale-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-locale-l1-1-0.dll,#1

Network

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win10v2004-20240611-en

Max time kernel

147s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win7-20240611-en

Max time kernel

120s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\deploy.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\deploy.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dtplugin\deployJava1.dll

Signatures

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\Implemented Categories C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\Deployment Toolkit = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InprocServer32\C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dtplugin\deployJava1.dll = "0" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\InprocServer32\Apartment = "1289588568" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dtplugin\deployJava1.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

148s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-filesystem-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

141s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-runtime-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

161s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dcpr.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dcpr.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\decora_sse.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\decora_sse.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_socket.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_socket.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
NL 23.62.61.171:443 www.bing.com tcp
US 8.8.8.8:53 149.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 171.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-convert-l1-1-0.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\api-ms-win-crt-convert-l1-1-0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win7-20240611-en

Max time kernel

121s

Max time network

131s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\decora_sse.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2484 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2484 wrote to memory of 2232 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\decora_sse.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2484 -s 80

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:02

Platform

win10v2004-20240508-en

Max time kernel

145s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\deploy.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\deploy.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-02 13:56

Reported

2024-07-02 14:03

Platform

win10v2004-20240508-en

Max time kernel

90s

Max time network

159s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_shmem.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ElectricLauncher\jre\bin\dt_shmem.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A