d33bf91b11f6b1322724aaf76a5f0564285b990833a7d2877917446a9c8b30ae

Analysis

max time kernel
84s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/10/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SideloadlySetup64.exe
Size

126.3MB
MD5

5fb52754697b1c7f56be096f8581dc5c
SHA1

80e07fb5ad530b0159ffedd6a72fa23e89f4630a
SHA256

d33bf91b11f6b1322724aaf76a5f0564285b990833a7d2877917446a9c8b30ae
SHA512

41a8576492f5705ec7265d0b2fe8070c74e500efd44406d978e61a0fbfaf9a352296e4d36da9ac10a7e6cb9bbdd94faffa8b6ec175abdaeb46ac10d782b1e111
SSDEEP

3145728:mIPLYzrmcXEisq3X1QBSLIpdfyFW/fISPI26hpMIaGABaaEK7gI2O:nYzrVEisqmELIppyFW/fISPj6DMNGu7B

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
4372	Sideloadly.exe
3888	sideloadlydaemon.exe
1812	sideloadlydaemon.exe
2820	redist484244671.exe
3516	redist484244671.exe

Loads dropped DLL 25 IoCs

pid	Process
32	SideloadlySetup64.exe
32	SideloadlySetup64.exe
32	SideloadlySetup64.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
4372	Sideloadly.exe
3516	redist484244671.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	redist484244671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SideloadlySetup64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	redist484244671.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Sideloadly\\Sideloadly.exe,1"	Sideloadly.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\URL Protocol	Sideloadly.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\ = "URL:Sideloadly link"	Sideloadly.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\DefaultIcon	Sideloadly.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Sideloadly\\Sideloadly.exe\" \"%1\""	Sideloadly.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly	Sideloadly.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\shell	Sideloadly.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\shell\open	Sideloadly.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\sideloadly\shell\open\command	Sideloadly.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Sideloadly.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Sideloadly.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Sideloadly.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4372	Sideloadly.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	1348	vssvc.exe
Token: SeRestorePrivilege	1348	vssvc.exe
Token: SeAuditPrivilege	1348	vssvc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4372	Sideloadly.exe
216	SearchApp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 4372	32	SideloadlySetup64.exe	98
PID 32 wrote to memory of 4372	32	SideloadlySetup64.exe	98
PID 4372 wrote to memory of 3888	4372	Sideloadly.exe	106
PID 4372 wrote to memory of 3888	4372	Sideloadly.exe	106
PID 4372 wrote to memory of 1812	4372	Sideloadly.exe	107
PID 4372 wrote to memory of 1812	4372	Sideloadly.exe	107
PID 4372 wrote to memory of 2820	4372	Sideloadly.exe	111
PID 4372 wrote to memory of 2820	4372	Sideloadly.exe	111
PID 4372 wrote to memory of 2820	4372	Sideloadly.exe	111
PID 2820 wrote to memory of 3516	2820	redist484244671.exe	112
PID 2820 wrote to memory of 3516	2820	redist484244671.exe	112
PID 2820 wrote to memory of 3516	2820	redist484244671.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SideloadlySetup64.exe
"C:\Users\Admin\AppData\Local\Temp\SideloadlySetup64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Sideloadly\Sideloadly.exe
  "C:\Users\Admin\AppData\Local\Sideloadly\Sideloadly.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Users\Admin\AppData\Local\Sideloadly\sideloadlydaemon.exe
    C:\Users\Admin\AppData\Local\Sideloadly\sideloadlydaemon.exe -v
    3⤵
    - Executes dropped EXE
    PID:3888
- - C:\Users\Admin\AppData\Local\Sideloadly\sideloadlydaemon.exe
    C:\Users\Admin\AppData\Local\Sideloadly\sideloadlydaemon.exe -v
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\redist484244671.exe
    C:\Users\Admin\AppData\Local\Temp\redist484244671.exe /q /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Users\Admin\AppData\Local\Temp\redist484244671.exe
      "C:\Users\Admin\AppData\Local\Temp\redist484244671.exe" /q /norestart -burn.unelevated BurnPipe.{BFB4571D-4DB0-4A60-A18E-D81FC86FB894} {83CB96C4-0E81-40C5-8676-AA769995D102} 2820
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3516

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\e539e8f36f0c4bcdb81f2d5c9e04512a /t 4620 /p 4372
1⤵
PID:4856

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Sideloadly\Sideloadly.exe

Filesize
49.0MB

MD5
2c40a5ac088a61ff8305e9b323e34df4

SHA1
e94105001afd10bc69fa048bcac23abef7b53f80

SHA256
f2fbee8a1b0d85caab961a30e92ada1978604ac5564f2c2effe1555b3d9d653e

SHA512
baf5ee0e4eebabf65010a3f8e83265df976184835ce06e4c3ff8fec23696c51d651ecfb00aa69073b55685008c36fad0eb414392c5639759e78e6a1b7b35a479

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_asyncio.pyd

Filesize
55KB

MD5
b2a7085a01852332051534a432db2f8a

SHA1
ec3bbe1f6534bcfaa0c60d7624a63bf82fb9ceaf

SHA256
d353216fee3f4fba66aa237e673f9fb294564bc6f3f3f0f779869a401dc2f596

SHA512
3eb0475dcf3486142532973c51730970aeea4438e885201e3126ddc50b3665b12d27be1c31b61f906cdcea12f52d3d8deb3918211cb681c9b317b35fb915bdcc

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_bz2.pyd

Filesize
77KB

MD5
420f69f99fc0f01cd980c80cfc6b562f

SHA1
c245472b1e2126b147b0e8100a1d979583371951

SHA256
ced00c7fec3c6ae11fcf0f64f7d87e73c089ae448f972f30e592d9bd0bfca085

SHA512
578c55b2c03f83f261c6ad2879dd016a69bb7ebd5d5d5f39ec67b75bc83655adea961e708ad64b8e15eb89b1c33cd173f934e97852e9de55ee3345ae97a05527

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_cffi_backend.pyd

Filesize
178KB

MD5
b03d33745d8eaf9fde67b628f2c8ab5a

SHA1
ced63fdcb801f6088771acc7b8b5865df3750693

SHA256
64a43f1b46c378e786cce70db63c2e44bc7fba562bc5ac52f0bb40071b35fb63

SHA512
2dcdc9e1164f7fe29a7c696323b3aebf262bfbbc91f3908e8881488354992a72f85ae0737daf9216bee5d30758fd955ed69ddbc459e3346ccf049280328cd9fa

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_decimal.pyd

Filesize
255KB

MD5
4e75bcbbee30f4af7d988698e08b7cb7

SHA1
7de6fbea14655529870a54360bc427c573eda2f7

SHA256
17940d20c294bd335f4d24a0bb2191eab25dbf8d59ad974eb49e46a448d32f7e

SHA512
353de19225cf65aed7cc872a2d843867174f95b36f7884c6a7d084a411e399e5f7ef855e2bf2612a9c82f69fdcdf6b1892c9a5253f9a3394980c080aa425a75f

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_hashlib.pyd

Filesize
38KB

MD5
7a142b5c72ddd640967d0cfbdbc294f3

SHA1
ff6d13682d15dcdfa2789d768540029f5d99aaec

SHA256
2ed66bd600cde2020fb2cccdbac49577b81c8a3393542e3074d42cc9e4ce25e8

SHA512
fbcd1b8d3d2e78795d12fbb34a43149d9dc8684759e5e4883d1233f2a7d84a0e6ec939f9e173aaaa564531556439c739e8348821f6b74aa038f60e270e0f9553

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_lzma.pyd

Filesize
151KB

MD5
935dabf97300bbf3a6fdec23ff67ce1d

SHA1
b1818c3234d3d2bd6b8710fe01a72e8995f00562

SHA256
c99e3d6243d7178d004ac3a9d1638ee6d4b8434f462ba6a2c7d9805c0c5f3d55

SHA512
fda4002efc32308d7f5eb82e1a30cea0a4ba1475931dfa96883ceb1892ecfdb86df35add2087a24522d39bf322339bad2c31c491ae028e70802421208d26f402

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_overlapped.pyd

Filesize
38KB

MD5
efeef018567f7a79584fefbbf2ac3a3f

SHA1
3c74e44af123b762491746d2a5d833311d2b82bb

SHA256
04a2b6d3de4be94b86fcd4ea3dec655dd2b936e0c146d8c22c0aea18d0d1c319

SHA512
33c8955b0d943deaaf49b83e6613642d343d608066c396ca4696e77ac3502759fa40902f65578437be6cefe2383da894b83e0d190123bd7da381a1e1e2531bd5

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_queue.pyd

Filesize
21KB

MD5
b6880992fd613aca52e737ba3d1e8a28

SHA1
70a156224398e6e26131eb26f0fd1d6944732154

SHA256
7624c092949d674cb61af293b7591c67a78b183e8e2e08639a64475a0094c94e

SHA512
68c332a824a3f6bbf69119abd5f55b0fa8a16016b91117ef8b963c8f346c657330e6a92da0ec099d104ac1f5238dc8ced2e5b09921fbeb300cc0fa7aa4b41649

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_socket.pyd

Filesize
70KB

MD5
67c936424b619a649ef270b3b9e1cc60

SHA1
8ecb6ef04a8a0b5ac68f7d7f7ab2ab4a2f4079e3

SHA256
6a7a84d9f6fb58087dbb8e49664520a07f3333f08276c49e05b92f6ec736a8aa

SHA512
2263ba410ebeec4ba8fa4f9eb77644f962e6512254751b8c7a7f521d2fbe652da63ccf818c6371a98d12d789135ffdadcf3dc9b5e8a01f52a3bbe5b1988b469b

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\_ssl.pyd

Filesize
143KB

MD5
30259fbd506c9928f1ecea52c3b3fc52

SHA1
1ad469b837dcbb91ce88a3d80f79b1870d7e8546

SHA256
3009c309cd761eb7b507ef1138f8622682656ec0e52731ae165620159ee2edd7

SHA512
14feffe5acc688e2c842727729999e9cac837dacb8000305faae3adbcfc494bf1d4930726e6e13f087a63449d67be104bcafbb103b67dd259ab8fa7499cd9f36

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\an\iTunesCore.dll

Filesize
34.8MB

MD5
8de54805d69c4536d04b8f19fa59b3d3

SHA1
cd4836b27d740992b53ae2e4b99f6510a4516edb

SHA256
db0d68cba0097da1e4ef2294a55ca8d083a997c40f03a423785a2d8bdef6f630

SHA512
805792fcfbf0f0e854b3e124d225553500221fc1434c6857221a168affb3f538945af9aa1832dc11fa258479426268d369a4e3f710c4605c0644cd671bec163f

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\an\libicuuc.dll

Filesize
1.3MB

MD5
65d85a7f81436f71ea7bdeb2fade8fbf

SHA1
a4c1ae869231f93237a6f18d1933a689b4f0b6ef

SHA256
95b7d258a84850bdfb73575e69ca1e82317b97e94fbbe822e6690c2d4dfd5e11

SHA512
8458d8640681988a6f3801728f5f6bdd2cef476ef4415b27c650a1189042b1a8b608753bf09b34257b27c6c8f9bf52546bbadda2a6e509346fd1320410a0f995

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\an\libxml2.dll

Filesize
1.3MB

MD5
366b37574d65dd63a28513cdfaf175be

SHA1
95c0d0e62750a8e406316348c501eed83be6e7d9

SHA256
1852227f3f13009d56a346e616731e9f5b7ed5476a23f680f70629320f913257

SHA512
7037e2ea21597a1aa326aa69899bea86a98fa635cef45581951692147f8e7b803e768659dee621ea962eea29112c8d1a1f6a8377176b023c4530a84fcdd40398

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\certifi\cacert.pem

Filesize
275KB

MD5
c760591283d5a4a987ad646b35de3717

SHA1
5d10cbd25ac1c7ced5bfb3d6f185fa150f6ea134

SHA256
1a14f6e1fd11efff72e1863f8645f090eec1b616614460c210c3b7e3c13d4b5e

SHA512
c192ae381008eaf180782e6e40cd51834e0233e98942bd071768308e179f58f3530e6e883f245a2630c86923dbeb68b624c5ec2167040d749813fedc37a6d1e6

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\libssl-1_1.dll

Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\pyexpat.pyd

Filesize
178KB

MD5
3d9e5288cc9d2df9edf6976611d08854

SHA1
3603735945d096a5521097716784b2e341ea27f9

SHA256
b82ee00a7521a65a645ff9a284679c47c26d59a899517f807a42434cf50818cc

SHA512
9e26767338096480a37812adf1e1bbf70d0b5f727b4749a1723a28e6b0dede20dcb3eb9e08fc30a4840b984be9280a6ca6af87bef302f8b385e60084fff07991

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\python3.dll

Filesize
57KB

MD5
6c3e8a99ec9f235075a349b6bae9f5c5

SHA1
82233e99b5ace28889671b8ce0ab7e88ef1aee1f

SHA256
5039f5b1e44f14a6f3939e17eeda56818ca0cecacfdf978f903a349abbcea23b

SHA512
c37716f63f70e68ef875a6dbeb668d9289b921ed530aa59429e7e3321ac45a507ceec1f2ef5af7840052bec76dc1b638e277b04328b4aa51ac1fb4aaffee9554

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\python38.dll

Filesize
4.0MB

MD5
3cd1e87aeb3d0037d52c8e51030e1084

SHA1
49ecd5f6a55f26b0fb3aeb4929868b93cc4ec8af

SHA256
13f7c38dc27777a507d4b7f0bd95d9b359925f6f5bf8d0465fe91e0976b610c8

SHA512
497e48a379885fdd69a770012e31cd2a62536953e317bb28e3a50fdb177e202f8869ea58fc11802909cabb0552d8c8850537e9fb4ead7dd14a99f67283182340

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\python38.zip

Filesize
2.4MB

MD5
6a25a7874ad00daad84e74784745361e

SHA1
6d13e1dc83ab0e6703acfbbf830938ca5423a163

SHA256
613e0d63b54ed995273eda446eb09e51066e486f1e72b94f1c338a83dca3a021

SHA512
b3917912db3c291739c98f5c6d1d50866bc06b25ff974d95f466fa2c877e8d318cad0a8d8b77856a9eab1f49a6b3022a21875113d410a3e223b2cd7392cde583

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\select.pyd

Filesize
19KB

MD5
71eee36c701f4487863924c1850870ae

SHA1
a835da44fe73bd42881dcc02b2b3c3202a9dc08b

SHA256
621758287bf0a0d39931260bc2f1bc914cb1ea4203eab8f781e0e1f63ec63e17

SHA512
58079e6705caa587d8142f1df534e9465b499335743b6ec280e14c7058d78ce86ee01d6fa330de05cca317720725db313a739994f1e1df1f287707e64d21b9bb

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\sideloadly.dll

Filesize
26.4MB

MD5
23b298f950db6a9788186bf8f3a22c22

SHA1
03555157619f44ceb5af9d00726cab2ac04a3728

SHA256
00469b2f383075a503bbed2e10bf1142e400213c99809e421a8d0cfebf9e5c37

SHA512
bb3a5ddb3f521f57cfcfac99a15972b47075d7b8a85ce15a1073f483f013df3308531a958dbbef06ee2c959b541b2f2e68e65d9487b53e029d71a701a51ca7b5

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\sideloadlydaemon.exe

Filesize
42.5MB

MD5
9dfb286c81be364e7df4f3508762ae9a

SHA1
013f5bd6244f4b98d5223be49c882ae28539bf74

SHA256
ad9eedd86a34c4496a8fe0568976adb241d5012cf72e773fd05cdd7850540956

SHA512
07fe9a46aabf1b295541b72a2ba8fb5acfd744ac6afb9ab712916580d19c719701c72ae05e4492412ff87add5b006566e706086d86fb061f3e395e6142a7b412

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\unicodedata.pyd

Filesize
1.0MB

MD5
325e62dd06df9a6fbd175038572dd5c4

SHA1
3b1301332fc537f5c274b26b94a48912d7d9e05b

SHA256
71bc390082131b6fc0ff02df5cc63e26e52c154676ecb52e85b0420016087547

SHA512
491ed5bd412bb9a89b65c125f9dd22623ba090563e4adefd2ab1ff26b28bc28bab1579617c29d52fc9f143b1b5ae86d8224a38ed8d644c54c519e8b77520718b

Download Submit
C:\Users\Admin\AppData\Local\Sideloadly\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\StartMenu.dll

Filesize
7KB

MD5
6b7073967487c24d08e88c208a1626fa

SHA1
f75f9dd095558b3c03b1647fe23c0869634bd9cc

SHA256
c91c61861cf22d1e9cd14dbba163573b2bd3d03dc72fcb1512879e4f3ab3b276

SHA512
31e1962b761bb0304905287f8ef33bf244b05ce1490723b98134dff0cc55956295d979086c350457fa5f6618868e431f1fc2d34afb4437ada15839ae4836f6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\System.dll

Filesize
12KB

MD5
564bb0373067e1785cba7e4c24aab4bf

SHA1
7c9416a01d821b10b2eef97b80899d24014d6fc1

SHA256
7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

SHA512
22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsx9A5C.tmp\nsDialogs.dll

Filesize
9KB

MD5
48f3e7860e1de2b4e63ec744a5e9582a

SHA1
420c64d802a637c75a53efc8f748e1aede3d6dc6

SHA256
6bf9cccd8a600f4d442efe201e8c07b49605ba35f49a4b3ab22fa2641748e156

SHA512
28716ddea580eeb23d93d1ff6ea0cf79a725e13c8f8a17ec9dfacb1fe29c7981ad84c03aed05663adc52365d63d19ec2f366762d1c685e3a9d93037570c3c583

Download Submit
C:\Users\Admin\AppData\Local\Temp\redist484244671.exe

Filesize
6.9MB

MD5
49b1164f8e95ec6409ea83cdb352d8da

SHA1
1194e6bf4153fa88f20b2a70ac15bc359ada4ee2

SHA256
a4bba7701e355ae29c403431f871a537897c363e215cafe706615e270984f17c

SHA512
29b65e45ce5233f5ad480673752529026f59a760466a1026bb92fc78d1ccc82396ecb8f07b0e49c9b2315dbef976cb417273c77f4209475036775fe687dd2d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\wixstdba.dll

Filesize
117KB

MD5
a52e5220efb60813b31a82d101a97dcb

SHA1
56e16e4df0944cb07e73a01301886644f062d79b

SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Download Submit
memory/216-215-0x0000022AEBF00000-0x0000022AEC000000-memory.dmp

Filesize
1024KB

Download
memory/216-214-0x0000022AEBF00000-0x0000022AEC000000-memory.dmp

Filesize
1024KB

Download
memory/216-219-0x0000022AECF20000-0x0000022AECF40000-memory.dmp

Filesize
128KB

Download
memory/216-250-0x0000022AED2F0000-0x0000022AED310000-memory.dmp

Filesize
128KB

Download
memory/216-249-0x0000022AEC9E0000-0x0000022AECA00000-memory.dmp

Filesize
128KB

Download
memory/1812-146-0x0000000000400000-0x0000000002ECA000-memory.dmp

Filesize
42.8MB

Download
memory/3888-144-0x0000000000400000-0x0000000002ECA000-memory.dmp

Filesize
42.8MB

Download
memory/4372-186-0x0000000000400000-0x0000000003537000-memory.dmp

Filesize
49.2MB

Download
memory/4372-187-0x00007FFBEFFC0000-0x00007FFBF1A8D000-memory.dmp

Filesize
26.8MB

Download
memory/4372-192-0x0000000000400000-0x0000000003537000-memory.dmp

Filesize
49.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads