Analysis Overview
SHA256
0cd33fd45b2a73c3ddd84afe74aaf91cdeaf62d28de523c25884df5d5add7cc7
Threat Level: Likely benign
The file WindowBlinds v11.02-Jasi2169.rar was found to be: Likely benign.
Malicious Activity Summary
UPX packed file
Executes dropped EXE
Loads dropped DLL
System Location Discovery: System Language Discovery
Enumerates physical storage devices
One or more HTTP URLs in QR code identified
Unsigned PE
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-03 16:33
Signatures
One or more HTTP URLs in QR code identified
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-03 16:32
Reported
2024-11-03 17:02
Platform
win11-20241007-en
Max time kernel
442s
Max time network
448s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Download More.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-03 16:32
Reported
2024-11-03 17:02
Platform
win11-20241007-en
Max time kernel
437s
Max time network
443s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Jasi2169_Patch\WindowBlinds_11.02_Jasi2169_Patch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 178.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-03 16:32
Reported
2024-11-03 17:02
Platform
win11-20241007-en
Max time kernel
432s
Max time network
464s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Join Telegram QR.png"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-03 16:32
Reported
2024-11-03 17:02
Platform
win11-20241007-en
Max time kernel
441s
Max time network
448s
Command Line
Signatures
Processes
C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Windows\System32\ieframe.dll",OpenURL "C:\Users\Admin\AppData\Local\Temp\Join Telegram for more.url"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-03 16:32
Reported
2024-11-03 17:02
Platform
win11-20241007-en
Max time kernel
595s
Max time network
436s
Command Line
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe
"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2584844841-1405471295-1760131749-1000"
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | install.api.stardock.net | udp |
| US | 66.79.209.82:443 | install.api.stardock.net | tcp |
| GB | 2.18.190.73:80 | r10.o.lencr.org | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.21.192.23.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
| MD5 | 68ac216f38a5f7c823712c216ca4b060 |
| SHA1 | f6ad96e91103c40eb33fd3f1324d99093e5d014e |
| SHA256 | 748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80 |
| SHA512 | 9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll
| MD5 | 80d93d38badecdd2b134fe4699721223 |
| SHA1 | e829e58091bae93bc64e0c6f9f0bac999cfda23d |
| SHA256 | c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59 |
| SHA512 | 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4 |
memory/3764-14-0x0000000000020000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd
| MD5 | da1d0cd400e0b6ad6415fd4d90f69666 |
| SHA1 | de9083d2902906cacf57259cf581b1466400b799 |
| SHA256 | 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575 |
| SHA512 | f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd
| MD5 | 6eec47ab86d212fe3ed0f56985c8e817 |
| SHA1 | 06da90bcc06c73ce2c7e112818af65f66fcae6c3 |
| SHA256 | d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed |
| SHA512 | 36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
| MD5 | 55bbf335f75f2a2fe0a5daf603964d41 |
| SHA1 | f1b9686e8a9f10682722fc5e08c02c016b597804 |
| SHA256 | 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43 |
| SHA512 | af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
| MD5 | 2d1a578c0fddd7b64268303ab0937500 |
| SHA1 | 5479fbe1eddd7793d38a943f6c485e20f20544c5 |
| SHA256 | 99c94d77c0a415b768e70ed8dc6f0ced91b2a29b5d184e54c5ff9ec9a393f039 |
| SHA512 | 4d0fe15b9ebde46da7d77f077140a2863c711482ab1932d1c126181e1eb4f6279d6d49825924865c992ff75d2f26ce5ac0abdcdff07158419119f4190c8cfa95 |
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRIMG1.JPG
| MD5 | 3220a6aefb4fc719cc8849f060859169 |
| SHA1 | 85f624debcefd45fdfdf559ac2510a7d1501b412 |
| SHA256 | 988cf422cbf400d41c48fbe491b425a827a1b70691f483679c1df02fb9352765 |
| SHA512 | 5c45ea8f64b3cdfb262c642bd36b08c822427150d28977af33c9021a6316b6efed83f3172c16343fd703d351af3966b06926e5b33630d51b723709712689881d |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-03 16:32
Reported
2024-11-03 17:02
Platform
win11-20241007-en
Max time kernel
422s
Max time network
461s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2804 wrote to memory of 5268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
| PID 2804 wrote to memory of 5268 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\NOTEPAD.EXE |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\!!!Readme_first!!!!.txt
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\!!!Readme_first!!!!.txt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |