Malware Analysis Report

2024-10-23 21:38

Sample ID 240717-mv9xvszgng
Target _Getintopc.com_Sausage.Fattener.VST.v1.0.x86.x64.rar
SHA256 3cb27dfceb8b48a75b7cba0886ab9d7696057dd1186298114d7f5af9b497a0b5
Tags
strela stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3cb27dfceb8b48a75b7cba0886ab9d7696057dd1186298114d7f5af9b497a0b5

Threat Level: Known bad

The file _Getintopc.com_Sausage.Fattener.VST.v1.0.x86.x64.rar was found to be: Known bad.

Malicious Activity Summary

strela stealer

Strela family

Detects Strela Stealer payload

Strela stealer

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-17 10:48

Signatures

Detects Strela Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Strela family

strela

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:49

Platform

win11-20240709-en

Max time kernel

31s

Max time network

34s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\_Getintopc.com_Sausage.Fattener.VST.v1.0.x86.x64.rar

Signatures

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A
N/A N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 780 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 2124 wrote to memory of 780 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 2124 wrote to memory of 780 N/A C:\Windows\system32\OpenWith.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
PID 780 wrote to memory of 4440 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 780 wrote to memory of 4440 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 780 wrote to memory of 4440 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 1384 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
PID 4440 wrote to memory of 4452 N/A C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\_Getintopc.com_Sausage.Fattener.VST.v1.0.x86.x64.rar

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\_Getintopc.com_Sausage.Fattener.VST.v1.0.x86.x64.rar"

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C9E9694EBD52B2EDEA37A0112C009CF7 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1DC4494B9DA64D57EA685F5CCAAD35E5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1DC4494B9DA64D57EA685F5CCAAD35E5 --renderer-client-id=2 --mojo-platform-channel-handle=1788 --allow-no-sandbox-job /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C95190BD15DD7EC4050899CA6CDD497B --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FA2B0B72C040084684A752192BF8DC8A --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FD2F7101E2C1E71DB53F3E1EA8D655A4 --mojo-platform-channel-handle=1888 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 135.244.100.95.in-addr.arpa udp
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 b30d3becc8731792523d599d949e63f5
SHA1 19350257e42d7aee17fb3bf139a9d3adb330fad4
SHA256 b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3
SHA512 523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 752a1f26b18748311b691c7d8fc20633
SHA1 c1f8e83eebc1cc1e9b88c773338eb09ff82ab862
SHA256 111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131
SHA512 a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

MD5 a7c38ef438c0b7a31159be4fe0bfce1f
SHA1 20b5de15a3f4cdcf52ccb9bf95b6c3491899dfa6
SHA256 7b5fd7528eaf08bee8e92ff4e1412cf275e234788e24d8a18fb5fff80cdd3d75
SHA512 5a66b20bc689256a5e9b7fc4dee200398460f40a8cc2bb9ab212bfd408a0a3550ba0008e3785caf2f01c34adc2e4b64060bb8d4f12a6e672a425218cf5d64085

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

212s

Max time network

285s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Password 123.txt"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4100 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE
PID 4100 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Password 123.txt"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Password 123.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

91s

Max time network

205s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\5.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\5.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

127s

Max time network

204s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\AboutBox.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\AboutBox.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

146s

Max time network

278s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\Background.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\Background.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

213s

Max time network

283s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Resource\Sausage Fattener 64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Resource\Sausage Fattener 64.dll",#1

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

146s

Max time network

283s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\modern-wizard.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

150s

Max time network

286s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\10.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\10.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

90s

Max time network

206s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\11.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1210443139-7911939-2760828654-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\11.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

214s

Max time network

287s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\2.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\2.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

146s

Max time network

262s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\8.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\8.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

210s

Max time network

278s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninstall.exe

"C:\Users\Admin\AppData\Local\Temp\uninstall.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 4d80cf1dcb4050035ababe91073376ed
SHA1 66479ddbc4426fb45a526d7a6fb1df1ad09eedde
SHA256 09511049b3b5d519bd9ad7fffe29fbae5bde288364e69cff6490a64d6e4f601e
SHA512 972bddb89968cb422c6e35aad471b3ca262a40169ff624a207d5a4053efd211251fa04f6381a34230163d0a22239897e751b24dbfa8390444ffe77b7d3c261cb

Analysis: behavioral13

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

100s

Max time network

207s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\12.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\12.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

93s

Max time network

206s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\13.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3637748876-3197268895-3385380113-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\13.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

212s

Max time network

282s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\15.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\15.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

92s

Max time network

207s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\4.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\4.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

90s

Max time network

206s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Resource\Sausage Fattener 32.dll",#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 3224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2060 wrote to memory of 3224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2060 wrote to memory of 3224 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Resource\Sausage Fattener 32.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Resource\Sausage Fattener 32.dll",#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3224 -ip 3224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 556

Network

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

91s

Max time network

204s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\asgn1160.sfv

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\asgn1160.sfv

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

291s

Max time network

282s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dat_bgm.ogg

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4968 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 4968 wrote to memory of 1268 N/A C:\Windows\system32\cmd.exe C:\Program Files\VideoLAN\VLC\vlc.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dat_bgm.ogg

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dat_bgm.ogg"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004B8 0x00000000000004D0

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/1268-6-0x00007FFA62D60000-0x00007FFA62D94000-memory.dmp

memory/1268-5-0x00007FF6BBEE0000-0x00007FF6BBFD8000-memory.dmp

memory/1268-18-0x00007FFA5E2E0000-0x00007FFA5E2F8000-memory.dmp

memory/1268-7-0x00007FFA4D380000-0x00007FFA4D636000-memory.dmp

memory/1268-16-0x00007FFA5E330000-0x00007FFA5E371000-memory.dmp

memory/1268-15-0x00007FFA5E380000-0x00007FFA5E391000-memory.dmp

memory/1268-14-0x00007FFA4CF40000-0x00007FFA4D14B000-memory.dmp

memory/1268-30-0x00007FFA4D740000-0x00007FFA4D79C000-memory.dmp

memory/1268-13-0x00007FFA5E3A0000-0x00007FFA5E3BD000-memory.dmp

memory/1268-12-0x00007FFA5ED00000-0x00007FFA5ED11000-memory.dmp

memory/1268-11-0x00007FFA5F0A0000-0x00007FFA5F0B7000-memory.dmp

memory/1268-10-0x00007FFA5F150000-0x00007FFA5F161000-memory.dmp

memory/1268-9-0x00007FFA63CA0000-0x00007FFA63CB7000-memory.dmp

memory/1268-8-0x00007FFA63E10000-0x00007FFA63E28000-memory.dmp

memory/1268-29-0x00007FFA533C0000-0x00007FFA533D1000-memory.dmp

memory/1268-28-0x00007FFA53250000-0x00007FFA532CC000-memory.dmp

memory/1268-27-0x00007FFA532D0000-0x00007FFA53337000-memory.dmp

memory/1268-19-0x00007FFA4BE90000-0x00007FFA4CF40000-memory.dmp

memory/1268-26-0x00007FFA544B0000-0x00007FFA544E0000-memory.dmp

memory/1268-25-0x00007FFA5E030000-0x00007FFA5E048000-memory.dmp

memory/1268-24-0x00007FFA5E0A0000-0x00007FFA5E0B1000-memory.dmp

memory/1268-23-0x00007FFA5E0C0000-0x00007FFA5E0DB000-memory.dmp

memory/1268-22-0x00007FFA5E0E0000-0x00007FFA5E0F1000-memory.dmp

memory/1268-21-0x00007FFA5E190000-0x00007FFA5E1A1000-memory.dmp

memory/1268-20-0x00007FFA5E1B0000-0x00007FFA5E1C1000-memory.dmp

memory/1268-17-0x00007FFA5E300000-0x00007FFA5E321000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

150s

Max time network

279s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\1.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\1.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

213s

Max time network

283s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\16.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\16.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

90s

Max time network

205s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\6.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\6.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

152s

Max time network

262s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\7.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1376880307-1734125928-2892936080-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\7.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

142s

Max time network

206s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\9.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\9.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

291s

Max time network

194s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe"

Signatures

Detects Strela Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Strela stealer

stealer strela

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvcr71.dll C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A
File created C:\Windows\SysWOW64\mfc71.dll C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe

"C:\Users\Admin\AppData\Local\Temp\Sausage.Fattener.VST.v1.0.x86.x64\Sausage.Fattener.VST.v1.0.x86.x64\setup.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004AC 0x00000000000004D0

Network

Country Destination Domain Proto
NL 52.111.243.30:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\System.dll

MD5 c17103ae9072a06da581dec998343fc1
SHA1 b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
SHA256 dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
SHA512 d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\Bass.dll

MD5 a8af308ff01b4477657955fbf0cc8408
SHA1 0794c059f0326e4a71be8a3ee4ac17a657d90d88
SHA256 14a38f56be50a3829eb1eda2a908da2de5913f81d5cb01d8b668593d0fc36594
SHA512 9e221967db95d4b86bf311891193dfd1515806aa0d43198d3bc26a17d77f06f212ab9dba1ca8575f50d224380e8b109529faccf2f56daac834da83a83677a0fd

memory/632-16-0x000000000310C000-0x000000000310D000-memory.dmp

memory/632-15-0x00000000030C0000-0x000000000310D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\AdvSplash.dll

MD5 13cc92f90a299f5b2b2f795d0d2e47dc
SHA1 aa69ead8520876d232c6ed96021a4825e79f542f
SHA256 eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb
SHA512 ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

memory/632-26-0x00000000030C0000-0x000000000310D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\NSIS_SkinCrafter_Plugin.dll

MD5 028251654a4d65509aa8ccb5f2ee284a
SHA1 4a4ad468a86df6b903002be4f8919017fea0c152
SHA256 8b25cf3f7aa82fadccb2ce615ce0e40c5a8a3ea7bc51180a92173ee113a0ccfe
SHA512 f252670bca0da9e8e2c519a6ef4ad6dd0c4e548aeb7566693a7d203e73e63345fc58683072020ef771d836429bed1d7b4fdf105aa3e62a969e9c8d39556e1d2d

memory/632-43-0x0000000004E20000-0x0000000004EEC000-memory.dmp

C:\Windows\SysWOW64\mfc71.dll

MD5 1fd3f9722119bdf7b8cff0ecd1e84ea6
SHA1 9a4faa258b375e173feaca91a8bd920baf1091eb
SHA256 385ea2a454172e3f9b1b18778d4d29318a12be9f0c0c0602db72e2cce136e823
SHA512 109d7a80a5b10548200d05ab3d7deb9dc2ae8e40d84b468184895eb462211078ecdcb11f01eb50c91c65a924f8e592cd63b78e402dcaea144ff89c11f2ab07d6

C:\Windows\SysWOW64\msvcr71.dll

MD5 ca2f560921b7b8be1cf555a5a18d54c3
SHA1 432dbcf54b6f1142058b413a9d52668a2bde011d
SHA256 c4d4339df314a27ff75a38967b7569d9962337b8d4cd4b0db3aba5ff72b2bfbb
SHA512 23e0bdd9458a5a8e0f9bbcb7f6ce4f87fcc9e47c1ee15f964c17ff9fe8d0f82dd3a0f90263daaf1ee87fad4a238aa0ee92a16b3e2c67f47c84d575768edba43e

C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\SkinCrafter.dll

MD5 8fea8fd177034b52e6a5886fb5e780bd
SHA1 99f511388a2420d53b8406baed48ba550842eaad
SHA256 546dddc7a31609b5bc3dc8ecef6f6782b77613853c54171fc32314c08a69e8de
SHA512 5d82a3b9cf9d69049e6278a6d835b8a9a386c97ae9a69cf658675b0a8751a344d0da1ee704e9bb9023dab7cd77fdca684bdc90837960b583eef0bb4324498696

memory/632-33-0x0000000004850000-0x0000000004E1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsz8406.tmp\ioSpecial.ini

MD5 2097b954c0c7ab9bb2d056ec161ff084
SHA1 7a5dbf0c79fafe5ed1509f3c912cd1d1a92f19c4
SHA256 e7126a7702960943cdb09b2119eb771363e6388a274f5e64451964e56b9c9a3a
SHA512 296579b829dc87c419a8abf72d92c6af11d1abc86a902086dc877a18b1f4814286661f11d68ce12d8565ae3e924193ac6676ce36bc0d88c8349341bdeace11f2

memory/632-134-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-135-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-136-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-137-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-138-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-139-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-140-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-141-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-142-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-143-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-144-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-145-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-146-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-147-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-148-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-149-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-150-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-151-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-152-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-153-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-154-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-155-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-156-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-157-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-158-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-159-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-160-0x00000000030C0000-0x000000000310D000-memory.dmp

memory/632-161-0x00000000030C0000-0x000000000310D000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

213s

Max time network

287s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dat_skin.skf

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\dat_skin.skf

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

299s

Max time network

196s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\3.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\3.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 81.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
IE 52.111.236.22:443 tcp
N/A 20.189.173.18:443 tcp

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

89s

Max time network

206s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Sausage Fattener x64.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Sausage Fattener x64.dll",#1

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

150s

Max time network

277s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ioSpecial.ini

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3171217504-1685128607-2237314850-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ioSpecial.ini

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:49

Platform

win11-20240709-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:53

Platform

win11-20240709-en

Max time kernel

147s

Max time network

277s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\14.bmp

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\Resource\14.bmp

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-07-17 10:48

Reported

2024-07-17 10:54

Platform

win11-20240709-en

Max time kernel

213s

Max time network

280s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Sausage Fattener.dll",#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5752 wrote to memory of 4076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5752 wrote to memory of 4076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5752 wrote to memory of 4076 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Sausage Fattener.dll",#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Sausage Fattener.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp

Files

N/A