Malware Analysis Report

2025-01-03 09:57

Sample ID 241103-t2cdha1nhk
Target WindowBlinds v11.02-Jasi2169.rar
SHA256 0cd33fd45b2a73c3ddd84afe74aaf91cdeaf62d28de523c25884df5d5add7cc7
Tags
discovery upx qr link
Score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
5/10

SHA256

0cd33fd45b2a73c3ddd84afe74aaf91cdeaf62d28de523c25884df5d5add7cc7

Threat Level: Likely benign

The file WindowBlinds v11.02-Jasi2169.rar was found to be: Likely benign.

Malicious Activity Summary

discovery upx qr link

UPX packed file

Executes dropped EXE

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

One or more HTTP URLs in qr code identified

Unsigned PE

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-03 16:33

Signatures

One or more HTTP URLs in qr code identified

qr link

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 16:32

Reported

2024-11-03 17:02

Platform

win11-20241007-en

Max time kernel

442s

Max time network

448s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-03 16:32

Reported

2024-11-03 17:02

Platform

win11-20241007-en

Max time kernel

437s

Max time network

443s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe

"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 178.11.19.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/3000-0-0x000000007445E000-0x000000007445F000-memory.dmp

memory/3000-1-0x0000000000E10000-0x00000000010BA000-memory.dmp

memory/3000-2-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/3000-3-0x0000000006DB0000-0x0000000007348000-memory.dmp

memory/3000-4-0x0000000007900000-0x0000000007EA6000-memory.dmp

memory/3000-5-0x0000000007430000-0x00000000074C2000-memory.dmp

memory/3000-6-0x00000000055E0000-0x00000000055EA000-memory.dmp

memory/3000-7-0x0000000074450000-0x0000000074C01000-memory.dmp

memory/3000-8-0x000000007445E000-0x000000007445F000-memory.dmp

memory/3000-9-0x0000000074450000-0x0000000074C01000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-03 16:32

Reported

2024-11-03 17:02

Platform

win11-20241007-en

Max time kernel

432s

Max time network

464s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Join Telegram QR.png"

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Join Telegram QR.png"

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-03 16:32

Reported

2024-11-03 17:02

Platform

win11-20241007-en

Max time kernel

441s

Max time network

448s

Command Line

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"

Signatures

N/A

Processes

C:\Windows\System32\rundll32.exe

"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-03 16:32

Reported

2024-11-03 17:02

Platform

win11-20241007-en

Max time kernel

595s

Max time network

436s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe

"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2584844841-1405471295-1760131749-1000"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | install.api.stardock.net | udp
US | 66.79.209.82:443 | install.api.stardock.net | tcp
GB | 2.18.190.73:80 | r10.o.lencr.org | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

MD5 68ac216f38a5f7c823712c216ca4b060
SHA1 f6ad96e91103c40eb33fd3f1324d99093e5d014e
SHA256 748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80
SHA512 9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

MD5 80d93d38badecdd2b134fe4699721223
SHA1 e829e58091bae93bc64e0c6f9f0bac999cfda23d
SHA256 c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
SHA512 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

memory/3764-14-0x0000000000020000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

MD5 da1d0cd400e0b6ad6415fd4d90f69666
SHA1 de9083d2902906cacf57259cf581b1466400b799
SHA256 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
SHA512 f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

memory/3764-41-0x0000000005660000-0x00000000057A4000-memory.dmp

memory/3764-40-0x0000000002D80000-0x0000000002D83000-memory.dmp

memory/3764-39-0x0000000005660000-0x00000000057A4000-memory.dmp

memory/3764-38-0x0000000002D50000-0x0000000002D53000-memory.dmp

memory/3764-37-0x0000000010000000-0x0000000010051000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

MD5 6eec47ab86d212fe3ed0f56985c8e817
SHA1 06da90bcc06c73ce2c7e112818af65f66fcae6c3
SHA256 d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed
SHA512 36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

MD5 55bbf335f75f2a2fe0a5daf603964d41
SHA1 f1b9686e8a9f10682722fc5e08c02c016b597804
SHA256 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43
SHA512 af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

MD5 2d1a578c0fddd7b64268303ab0937500
SHA1 5479fbe1eddd7793d38a943f6c485e20f20544c5
SHA256 99c94d77c0a415b768e70ed8dc6f0ced91b2a29b5d184e54c5ff9ec9a393f039
SHA512 4d0fe15b9ebde46da7d77f077140a2863c711482ab1932d1c126181e1eb4f6279d6d49825924865c992ff75d2f26ce5ac0abdcdff07158419119f4190c8cfa95

C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG

MD5 3220a6aefb4fc719cc8849f060859169
SHA1 85f624debcefd45fdfdf559ac2510a7d1501b412
SHA256 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765
SHA512 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d

memory/3764-83-0x0000000000020000-0x0000000000408000-memory.dmp

memory/3764-84-0x0000000002D80000-0x0000000002D83000-memory.dmp

memory/3764-86-0x0000000010000000-0x0000000010051000-memory.dmp

memory/3764-87-0x0000000005660000-0x00000000057A4000-memory.dmp

memory/3764-88-0x0000000000020000-0x0000000000408000-memory.dmp

memory/3764-95-0x0000000010000000-0x0000000010051000-memory.dmp

memory/3764-96-0x0000000005660000-0x00000000057A4000-memory.dmp

memory/3764-147-0x0000000005660000-0x00000000057A4000-memory.dmp

memory/3764-146-0x0000000010000000-0x0000000010051000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-03 16:32

Reported

2024-11-03 17:02

Platform

win11-20241007-en

Max time kernel

422s

Max time network

461s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\!!!Readme_first!!!!.txt

Signatures

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2804 wrote to memory of 5268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE
PID 2804 wrote to memory of 5268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\!!!Readme_first!!!!.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\!!!Readme_first!!!!.txt

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp

Files

N/A