Malware Analysis Report

2025-03-15 04:27

Sample ID 241025-zze99swcpq
Target 9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN
SHA256 9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5e
Tags
discovery persistence spyware stealer upx
score
7/10

Analysis Overview

score
7/10

SHA256

9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5e

Threat Level: Shows suspicious behavior

The file 9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN was found to show suspicious behavior.

Malicious Activity Summary

discovery persistence spyware stealer upx

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

UPX packed file

System Location Discovery: System Language Discovery

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies Internet Explorer Phishing Filter

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 21:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 21:09

Reported

2024-10-25 21:11

Platform

win7-20240903-en

Max time kernel

120s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\svest\3ED979F323C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\4Y3Y0C3AXZZI9IYVAYWEANJXPXOTBS = "C:\\svest\\3ED979F323C.exe /q" C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A

UPX packed file

upx
Description Indicator Process Target Count
N/A N/A N/A N/A 6

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\svest\3ED979F323C.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = "0" C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = "0" C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = "0" C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe N/A 2
N/A N/A C:\svest\3ED979F323C.exe N/A 1
N/A N/A C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A 61

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe N/A 4
Token: SeDebugPrivilege N/A C:\svest\3ED979F323C.exe N/A 2
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RN990CB.exe N/A 58

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2868 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe C:\svest\3ED979F323C.exe 4
PID 1832 wrote to memory of 1128 N/A C:\svest\3ED979F323C.exe C:\Users\Admin\AppData\Local\Temp\RN990CB.exe 6
PID 1128 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\RN990CB.exe C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe

"C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe"

C:\svest\3ED979F323C.exe

"C:\svest\3ED979F323C.exe"

C:\Users\Admin\AppData\Local\Temp\RN990CB.exe

"C:\Users\Admin\AppData\Local\Temp\RN990CB.exe"

Network

Country Destination Domain Proto
NL 89.149.202.144:3000 tcp
US 8.8.8.8:53 druid1kkun.com udp
NL 188.72.233.21:8080 tcp
N/A 127.0.0.1:49267 tcp
US 8.8.8.8:53 druid1kkun.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp
US 8.8.8.8:53 microwavecolosol.com udp
US 8.8.8.8:53 microwavecolosol.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp

Files

C:\svest\3ED979F323C.exe

MD5 5dc3523309ca2b02be4accac2c562140
SHA1 134ad5ff01e268d7065cc86e751b6bcb9dc0ec8a
SHA256 9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5e
SHA512 140d05724590d1329a614af34d47ef79bb8a2b310a03c7023f8263709a5eb8c8aa44ca588ff1421da3ef2bb46b9d795fa1904bca7fceb8ad3d115c87e9d07b8e

C:\Users\Admin\AppData\Local\Temp\RN990CB.exe

MD5 29090b6b4d6605a97ac760d06436ac2d
SHA1 d929d3389642e52bae5ad8512293c9c4d3e4fab5
SHA256 98a24f0caf5b578e230e6f1103a5fba6aecb28a9128cad5520fcde546d643272
SHA512 9121ec42fa66e14a4fc3932c8dbcc8fb1a93ab9de00da57a82e176faa70b73f6992f8c5e2ab52c02fc28c8f0c59aee73b6fbbd39107db7d15105054f4390e9be

C:\svest\66AF4C4F9A638E2

MD5 6bdc7b3b994a9bc3d2a9f3cd8ef98295
SHA1 b21d0f954d12ed53b7343bd9fdd3d9f846d4ada5
SHA256 7a6d61da8cbbd3e27170650bedb960c6bfa781791e32ead108be9bd1c111ef23
SHA512 d9874173defb090a41d4722c83c8193f1cb04ce1c2123a262614e1c1a666735686391d619535cf3825b91bc72946165908dd6624314902a7a38b3e8e363b4845

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 21:09

Reported

2024-10-25 21:11

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe

"C:\Users\Admin\AppData\Local\Temp\9c9a9a2a9ae608eea61229125342e9184e755c094ad2d5deef7a898cffa45f5eN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4176 -ip 4176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4176 -s 476

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A