Malware Analysis Report

2024-11-15 06:25

Sample ID 240706-bajdma1bpm
Target f3544211710d293dfe623411feb7e121f5a8b2ea8b9e5e545d1f51b1aa9aabe3
SHA256 f3544211710d293dfe623411feb7e121f5a8b2ea8b9e5e545d1f51b1aa9aabe3
Tags
upx lumma stealc vidar discovery spyware stealer evasion execution persistence
score
10/10

Analysis Overview

score
10/10

SHA256

f3544211710d293dfe623411feb7e121f5a8b2ea8b9e5e545d1f51b1aa9aabe3

Threat Level: Known bad

The file f3544211710d293dfe623411feb7e121f5a8b2ea8b9e5e545d1f51b1aa9aabe3 was found to be: Known bad.

Malicious Activity Summary

upx lumma stealc vidar discovery spyware stealer evasion execution persistence

Vidar

Lumma Stealer

Stealc

Detect Vidar Stealer

Stops running service(s)

Downloads MZ/PE file

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

AutoIT Executable

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 00:56

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win10v2004-20240704-en

Max time kernel

131s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\software.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\BGDAAEHDHI.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1456 set thread context of 3552 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 688 set thread context of 2892 N/A C:\ProgramData\BGDAAEHDHI.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\BGDAAEHDHI.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\software.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3552 wrote to memory of 688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\BGDAAEHDHI.exe
PID 688 wrote to memory of 1244 N/A C:\ProgramData\BGDAAEHDHI.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 688 wrote to memory of 2892 N/A C:\ProgramData\BGDAAEHDHI.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3552 wrote to memory of 1376 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 1376 wrote to memory of 4668 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\software.exe

"C:\Users\Admin\AppData\Local\Temp\software.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,7252135083366563450,1411796122645726339,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=3100,i,7252135083366563450,1411796122645726339,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:3

C:\ProgramData\BGDAAEHDHI.exe

"C:\ProgramData\BGDAAEHDHI.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 280

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\GCGDGHCBGDHJ" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\ProgramData\BGDAAEHDHI.exe

MD5 168c5908924803d268d26965c32a5620
SHA1 9e0e2dc9c7e931c4ee860c32d83711c433f7b1a3
SHA256 2fd72d0d0fbc053a53adee5d9ec6cffde3fb5a3c6ba0c0490e24552b264d5449
SHA512 749f0e4da8d6fde35b53e769b0b594c2e63835f970eedc54c8c15889863811b5fb296650ae9f5e255bafdd4b942ad3434a60c48e05f1283820c378d30645f1c1

memory/688-147-0x0000000000330000-0x000000000041F000-memory.dmp

memory/2892-150-0x0000000000400000-0x0000000000457000-memory.dmp

memory/3552-153-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2892-154-0x0000000000400000-0x0000000000457000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win7-20240508-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe"

Signatures

Stops running service(s)

evasion execution

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 2888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe

"C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete DBNTser

C:\Windows\SysWOW64\sc.exe

sc delete DBNTser

Network

N/A

Files

memory/2180-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/2180-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe"

Signatures

Stops running service(s)

evasion execution

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3680 wrote to memory of 4868 N/A C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 940 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe

"C:\Users\Admin\AppData\Local\Temp\vncDbnt.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c sc delete DBNTser

C:\Windows\SysWOW64\sc.exe

sc delete DBNTser

Network

Files

memory/3680-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/3680-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wzoptup.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\wzoptup.exe

"C:\Users\Admin\AppData\Local\Temp\wzoptup.exe"

Network

Files

memory/4984-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4984-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win7-20240705-en

Max time kernel

119s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WezoAotoUp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WezoAutoUP.exe\"" C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe

"C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 wieie.cn udp
US 8.8.8.8:53 wieie.cn udp
CN 58.23.215.23:8765 wieie.cn tcp

Files

memory/1544-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1544-8-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1544-10-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win10v2004-20240704-en

Max time kernel

92s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WezoAotoUp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WezoAutoUP.exe\"" C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe

"C:\Users\Admin\AppData\Local\Temp\WezoAutoUP.exe"

Network

Files

memory/1844-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1844-8-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/1844-10-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 01:00

Platform

win7-20240704-en

Max time kernel

118s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\culclientUp.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\culclientUp.exe

"C:\Users\Admin\AppData\Local\Temp\culclientUp.exe"

Network

N/A

Files

memory/2308-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/2308-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\culclientUp.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\culclientUp.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\culclientUp.exe

"C:\Users\Admin\AppData\Local\Temp\culclientUp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/4316-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/4316-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win7-20240705-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\software.exe"

Signatures

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

Vidar

stealer vidar

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\GDGIJECGDG.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3048 set thread context of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\ProgramData\GDGIJECGDG.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\software.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 3048 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\software.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2984 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\GDGIJECGDG.exe
PID 2984 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\GDGIJECGDG.exe
PID 2984 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\GDGIJECGDG.exe
PID 2984 wrote to memory of 1688 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\ProgramData\GDGIJECGDG.exe
PID 1688 wrote to memory of 1008 N/A C:\ProgramData\GDGIJECGDG.exe C:\Windows\SysWOW64\WerFault.exe
PID 1688 wrote to memory of 1008 N/A C:\ProgramData\GDGIJECGDG.exe C:\Windows\SysWOW64\WerFault.exe
PID 1688 wrote to memory of 1008 N/A C:\ProgramData\GDGIJECGDG.exe C:\Windows\SysWOW64\WerFault.exe
PID 1688 wrote to memory of 1008 N/A C:\ProgramData\GDGIJECGDG.exe C:\Windows\SysWOW64\WerFault.exe
PID 2984 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 2984 wrote to memory of 572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\SysWOW64\cmd.exe
PID 572 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 572 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 572 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 572 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\software.exe

"C:\Users\Admin\AppData\Local\Temp\software.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

C:\ProgramData\GDGIJECGDG.exe

"C:\ProgramData\GDGIJECGDG.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 96

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\EGIDAAFIEHIE" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country Destination Domain Proto
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 2.22.99.85:443 steamcommunity.com tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 tcp
FI 95.217.241.48:443 tcp
FI 95.217.241.48:443 tcp
FI 95.217.241.48:443 tcp
FI 95.217.241.48:443 tcp
FI 95.217.241.48:443 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 77.105.132.27:80 77.105.132.27 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
FI 95.217.241.48:443 95.217.241.48 tcp
US 8.8.8.8:53 tea.arpdabl.org udp
US 104.237.196.115:80 tea.arpdabl.org tcp
US 8.8.8.8:53 survey-smiles.com udp
US 199.59.243.226:80 survey-smiles.com tcp

Files

memory/3048-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

memory/3048-1-0x0000000000100000-0x000000000067A000-memory.dmp

memory/3048-2-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/3048-3-0x0000000004CB0000-0x0000000004D94000-memory.dmp

memory/3048-4-0x0000000000F20000-0x0000000000F3C000-memory.dmp

memory/3048-10-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-26-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-36-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-34-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-32-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-30-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-28-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-24-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-40-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-38-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-22-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-20-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-50-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-48-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-52-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-46-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-44-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-54-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-42-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-18-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-64-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-62-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-60-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-58-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-56-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-16-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-14-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-12-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-8-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-6-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-5-0x0000000000F20000-0x0000000000F35000-memory.dmp

memory/3048-65-0x0000000074DE0000-0x00000000754CE000-memory.dmp

memory/2984-66-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2984-68-0x0000000000400000-0x0000000000648000-memory.dmp

memory/2984-80-0x0000000000400000-0x0000000000648000-memory.dmp

memory/3048-81-0x0000000074DE0000-0x00000000754CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabDDA4.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarDE15.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\ProgramData\GDGIJECGDG.exe

MD5 168c5908924803d268d26965c32a5620
SHA1 9e0e2dc9c7e931c4ee860c32d83711c433f7b1a3
SHA256 2fd72d0d0fbc053a53adee5d9ec6cffde3fb5a3c6ba0c0490e24552b264d5449
SHA512 749f0e4da8d6fde35b53e769b0b594c2e63835f970eedc54c8c15889863811b5fb296650ae9f5e255bafdd4b942ad3434a60c48e05f1283820c378d30645f1c1

memory/2984-560-0x0000000000400000-0x0000000000648000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-06 00:56

Reported

2024-07-06 00:59

Platform

win7-20240705-en

Max time kernel

14s

Max time network

21s

Command Line

"C:\Users\Admin\AppData\Local\Temp\wzoptup.exe"

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\wzoptup.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\wzoptup.exe

"C:\Users\Admin\AppData\Local\Temp\wzoptup.exe"

Network

N/A

Files

memory/3048-0-0x0000000000400000-0x00000000004D0000-memory.dmp

memory/3048-1-0x0000000000400000-0x00000000004D0000-memory.dmp