Malware Analysis Report

2024-11-30 05:33

Sample ID 240709-wat6caxgqf
Target !#!SEtUp_4455_Pa$$W0rD$$!!%!.rar
SHA256 2a975179e4cbc850602edf860bd6644ddbc4b39587c31860f4c5cf09ff8605a5
Tags
amadey lumma execution persistence privilege_escalation spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2a975179e4cbc850602edf860bd6644ddbc4b39587c31860f4c5cf09ff8605a5

Threat Level: Known bad

The file !#!SEtUp_4455_Pa$$W0rD$$!!%!.rar was found to be: Known bad.

Malicious Activity Summary

amadey lumma execution persistence privilege_escalation spyware stealer trojan

Lumma Stealer

Amadey

Downloads MZ/PE file

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

Unsigned PE

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 17:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win10v2004-20240709-en

Max time kernel

209s

Max time network

209s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Amadey

trojan amadey

Lumma Stealer

stealer lumma

Downloads MZ/PE file

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3856 set thread context of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2444 set thread context of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe C:\Windows\SysWOW64\netsh.exe
PID 1856 set thread context of 208 N/A C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe C:\Windows\SysWOW64\netsh.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\ToolUpdate.job C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Windows\Tasks\MH Beacon Helper.job C:\Windows\SysWOW64\netsh.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 3856 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 3856 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 3856 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 4532 wrote to memory of 3092 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4532 wrote to memory of 3092 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4532 wrote to memory of 3092 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4532 wrote to memory of 3092 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 4532 wrote to memory of 3092 N/A C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\SearchIndexer.exe
PID 3092 wrote to memory of 2444 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe
PID 3092 wrote to memory of 2444 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe
PID 3092 wrote to memory of 2444 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe
PID 2444 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe C:\Windows\SysWOW64\netsh.exe
PID 2444 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe C:\Windows\SysWOW64\netsh.exe
PID 2444 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe C:\Windows\SysWOW64\netsh.exe
PID 2444 wrote to memory of 4352 N/A C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe C:\Windows\SysWOW64\netsh.exe
PID 3092 wrote to memory of 1856 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe
PID 3092 wrote to memory of 1856 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe
PID 3092 wrote to memory of 1856 N/A C:\Windows\SysWOW64\SearchIndexer.exe C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe
PID 1856 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe C:\Windows\SysWOW64\netsh.exe
PID 1856 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe C:\Windows\SysWOW64\netsh.exe
PID 1856 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe C:\Windows\SysWOW64\netsh.exe
PID 1856 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe C:\Windows\SysWOW64\netsh.exe
PID 4352 wrote to memory of 4080 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 4352 wrote to memory of 4080 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 4352 wrote to memory of 4080 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 208 wrote to memory of 1384 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 208 wrote to memory of 1384 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 208 wrote to memory of 1384 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 4352 wrote to memory of 4080 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 208 wrote to memory of 1384 N/A C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\explorer.exe
PID 1384 wrote to memory of 3088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1384 wrote to memory of 3088 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe

"C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe

"C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy remotesigned -File "C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 bittercoldzzdwu.shop udp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 179.25.21.104.in-addr.arpa udp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 104.21.25.179:443 bittercoldzzdwu.shop tcp
US 8.8.8.8:53 foodupdates.shop udp
US 104.21.48.83:443 foodupdates.shop tcp
US 8.8.8.8:53 83.48.21.104.in-addr.arpa udp
US 8.8.8.8:53 cdn.steamstatic.com udp
GB 2.16.170.35:443 cdn.steamstatic.com tcp
US 8.8.8.8:53 35.170.16.2.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 downloaddining.com udp
US 8.8.8.8:53 downloaddining2.com udp
US 8.8.8.8:53 downloaddining3.com udp
US 172.67.209.34:80 downloaddining2.com tcp
US 104.21.77.130:80 downloaddining3.com tcp
RU 45.140.19.240:80 downloaddining.com tcp
US 8.8.8.8:53 contur2fa.recipeupdates.rest udp
US 104.21.76.173:443 contur2fa.recipeupdates.rest tcp
US 8.8.8.8:53 130.77.21.104.in-addr.arpa udp
US 8.8.8.8:53 34.209.67.172.in-addr.arpa udp
US 8.8.8.8:53 173.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 240.19.140.45.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7bbc0863

MD5 688e1ee85adf7b6fc1dbe74fa5a9e930
SHA1 b12b75fde2b6523e5c63108c1e4d7d7b6c814065
SHA256 59315baec5a1193c52651d7485fe61abe1f76ab53f8a6915efba813cd065d86c
SHA512 30cac4e3fac56a46e532cc78d8ccd2c765f0a0c5da8b4b043844568e2c6ca77f687f54d8f984cf8e30451949f374c56b0899c0bdcc4d1d7ad57cbe5acee5e30a

C:\Users\Admin\AppData\Local\Temp\7MF3DD0LJI7849MPGWYI6MGZ574.exe

MD5 d8d3eaf3756ec2fd01063f9fd2623c7e
SHA1 0e63c687984112e96bbfcf985c1fbf602f1c86e4
SHA256 0ac72e797e244a733d5357b9fc90a5efaee168b5ab9b751493c080183be58829
SHA512 d87f33d7b6596719545899be6f54eb0f3b9f4ccf2ab4afea16d2a05386201c77243a6c80890ace81940ae2a09f743329bc3ed38b03499b2f6700da363668fa6c

C:\Users\Admin\AppData\Local\Temp\773f1649

MD5 0bb8b2b96cd95f9a6fb8192883c94ca7
SHA1 16b7b4cfcacef943b4824e21b475c295cb4d9dff
SHA256 42139a8703db654c15f60607495822317b23a29b7c64b1b083428cc3716c14ec
SHA512 44d45b97bf76b3194375f2a63314dacf47add2223b37a9e080ddcfe49cb30a844436686ae62842cb08589b1b248c864b5d17ee7ae3e766931722824bd205565b

C:\Users\Admin\AppData\Local\Temp\7972f5ac

MD5 780479723bd568fc7facdf04f26f7394
SHA1 70de1ebb084c3ed9ec4e50e7455a3e90fc6a7331
SHA256 4eed3d3ac1af84955599ddd544e9f0f7a5c2b0f896158ed74c8ab3b7e5b160d6
SHA512 28d755e892145dabd27eabe20735c17c9f0bdf513d28e8ac83b2bf57be44061d5d225d99e875b3382c9df4cf6a032981bcf704b089beb7a69971034c814d30a4

C:\Users\Admin\AppData\Local\Temp\7J19L9LEJBWA3VT0XIRGPOO7OOLT.exe

MD5 753234a5fa72cf7ff8c56fd867478f31
SHA1 9d689ec16a5da11eea5e60c800ef2bce6f4212f3
SHA256 211646612334caf8f5779788e6b9bd3a47a23c35c9cdcddddca34cba4e12379f
SHA512 f641b30948127a0ee9bd538d4ad3aaae1047720a141eb71f2f82276cbd2bb5393e174a7f5a79778ef248ca43781dd55bdaa1d7cf84ef12a8e99028b5fb0a9e82

C:\Users\Admin\AppData\Local\Temp\bc839a68

MD5 f74f23c47dbb6ed0a1422be1c86ba44d
SHA1 585956eab70da3892bd82cf21470be142daec324
SHA256 aa2cc4edd00008635d8c09a5706b5e5b28886825065895afe733426c794af041
SHA512 9db56c720c03f87d332cdab8d61ff22f0b2dd376bb22ef91b6b8a52dbcb6893bdf7a7db0a55dc10e23619ed1099a8a773f1bdacdad70ca04733bc60b440280dd

C:\Users\Admin\AppData\Local\Temp\c0210430

MD5 8b554ad02c946157f4285384a8f0268d
SHA1 b2932ef2ed57e6e1b033fd23e62e4a36b531402c
SHA256 5e55670faa74d9aeaa43249daa3fe64729361bb48d54f964d8cc8b05ea2476c6
SHA512 11e4ce4ca1ec573ce21e2f0b576b5f3ad56829b9a34aaa6c7b5b7d1815e5557eead8adc18a96c1d625f4f3af82137dcd1a3a56a334b7d6d053c05cf5bfb4de0c

C:\Users\Admin\AppData\Local\Temp\1000003041\run.ps1

MD5 0fb684cc15d197c0b937e5528359d7c8
SHA1 7d963246f52f42012bdcddb31214283c84c954ed
SHA256 e767d70fc57483aae7a20cb094a9bfc1fd4f04e97fb772cd6892d057e5be4260
SHA512 c40335f72f802479dc0926704d87670a782362fedae5bb50179d427fc343c6a33cfe09f4640acb15624d1511d3d66f76d87f663f9ad430fc2ddb00c54056103c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dw4xh2ky.hze.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1288 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1288 wrote to memory of 1256 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1288 -s 80

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win7-20240704-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2052 wrote to memory of 1072 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2052 wrote to memory of 1072 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2052 wrote to memory of 1072 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2052 -s 80

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\handstand.dxf

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\handstand.dxf

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win10v2004-20240709-en

Max time kernel

120s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win7-20240705-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2780 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2780 wrote to memory of 2812 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2780 -s 80

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win10v2004-20240704-en

Max time kernel

93s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcp100.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win10v2004-20240709-en

Max time kernel

95s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win7-20240705-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2404 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2404 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2404 wrote to memory of 2420 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2404 -s 156

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win10v2004-20240709-en

Max time kernel

92s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\MigrationLibrary.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win7-20240704-en

Max time kernel

46s

Max time network

16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2524 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\WerFault.exe
PID 2524 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\WerFault.exe
PID 2524 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2524 -s 92

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win7-20240704-en

Max time kernel

121s

Max time network

122s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\handstand.dxf

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.dxf\ = "dxf_auto_file" C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell\Read\command C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" C:\Windows\system32\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\ C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\.dxf C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell\Read C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_CLASSES\dxf_auto_file\shell C:\Windows\system32\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000_Classes\Local Settings C:\Windows\system32\rundll32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\handstand.dxf

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\handstand.dxf

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\handstand.dxf"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

MD5 548e62b5d6f3955f008735ab5e1b3993
SHA1 407ceb3645f3d1596d4b027d3c0c3e79a71938b3
SHA256 52f00ca02264c5ab2fb8a3019e90b41f6e354ba19b079117e9796fa82a9fe592
SHA512 ae713fae67982345a72191ae7e3120b6006bdb5cf2f74ae9ba1b9ad1bc70c00aacab15c1854404274dc05553dc5fd44b007f5d4c6969104745f61dfefd51ef97

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\oral.log

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\oral.log

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win10v2004-20240709-en

Max time kernel

135s

Max time network

136s

Command Line

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\oral.log

Signatures

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Processes

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\oral.log

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win7-20240705-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2144 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 2144 wrote to memory of 2680 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\sqlite3.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2144 -s 156

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win10v2004-20240709-en

Max time kernel

143s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\GSLogging.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win7-20240708-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win10v2004-20240709-en

Max time kernel

94s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100enu.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:46

Platform

win7-20240708-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\mfc100u.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-09 17:43

Reported

2024-07-09 17:47

Platform

win10v2004-20240704-en

Max time kernel

148s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\msvcr100.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A