Malware Analysis Report

2024-11-13 15:41

Sample ID 241107-hpd6sazqap
Target dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b
SHA256 dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b
Tags
redline sectoprat discovery infostealer rat trojan stormkitty persistence privilege_escalation spyware stealer mercurialgrabber evasion default nanocore njrat asyncrat keylogger lokibot collection hacked
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b

Threat Level: Known bad

The file dd6f0b9730529cfe145d5585eccfb6c68510758d16ffd02043bd1fe73842ee1b was found to be: Known bad.

Malicious Activity Summary

redline sectoprat discovery infostealer rat trojan stormkitty persistence privilege_escalation spyware stealer mercurialgrabber evasion default nanocore njrat asyncrat keylogger lokibot collection hacked

Mercurialgrabber family

NanoCore

Asyncrat family

Redline family

Njrat family

StormKitty

Sectoprat family

StormKitty payload

Mercurial Grabber Stealer

AsyncRat

SectopRAT payload

Stormkitty family

Async RAT payload

Lokibot

Nanocore family

RedLine

RedLine payload

njRAT/Bladabindi

Lokibot family

SectopRAT

Looks for VirtualBox Guest Additions in registry

Async RAT payload

Modifies Windows Firewall

Looks for VMWare Tools registry key

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Unexpected DNS network traffic destination

Checks BIOS information in registry

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Drops desktop.ini file(s)

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Maps connected drives based on registry

Network Service Discovery

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Program crash

Unsigned PE

System Network Configuration Discovery: Wi-Fi Discovery

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

outlook_office_path

Checks SCSI registry key(s)

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Enumerates system info in registry

Delays execution with timeout.exe

Checks processor information in registry

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Scheduled Task/Job: Scheduled Task

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-07 06:54

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Asyncrat family

asyncrat

Mercurialgrabber family

mercurialgrabber

Nanocore family

nanocore

Njrat family

njrat

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3808 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 3808 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe"

C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe

"{path}"

C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 newlife957.duckdns.org udp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 tcp

Files

memory/3808-0-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

memory/3808-1-0x0000000000960000-0x0000000000A40000-memory.dmp

memory/3808-2-0x00000000059A0000-0x0000000005F44000-memory.dmp

memory/3808-3-0x0000000005490000-0x0000000005522000-memory.dmp

memory/3808-5-0x0000000005450000-0x000000000545A000-memory.dmp

memory/3808-4-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/3808-6-0x0000000008B70000-0x0000000008C0C000-memory.dmp

memory/3808-7-0x0000000008AE0000-0x0000000008AE8000-memory.dmp

memory/3808-8-0x0000000074D0E000-0x0000000074D0F000-memory.dmp

memory/3808-9-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/3808-10-0x0000000006AA0000-0x0000000006B26000-memory.dmp

memory/3808-11-0x0000000008B00000-0x0000000008B38000-memory.dmp

memory/1648-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1648-15-0x0000000005A50000-0x0000000006068000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/3808-17-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/1648-18-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/1648-16-0x0000000003050000-0x0000000003062000-memory.dmp

memory/1648-19-0x0000000005470000-0x00000000054AC000-memory.dmp

memory/1648-20-0x00000000054B0000-0x00000000054FC000-memory.dmp

memory/1648-21-0x0000000074D00000-0x00000000754B0000-memory.dmp

memory/1648-22-0x0000000005720000-0x000000000582A000-memory.dmp

memory/1648-23-0x0000000074D00000-0x00000000754B0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Downloads MZ/PE file

Reads user/profile data of web browsers

spyware stealer

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\0e4ee70d89575d257d7ab2a752a7290f\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
File created C:\Users\Admin\AppData\Local\0e4ee70d89575d257d7ab2a752a7290f\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
File created C:\Users\Admin\AppData\Local\0e4ee70d89575d257d7ab2a752a7290f\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
File created C:\Users\Admin\AppData\Local\0e4ee70d89575d257d7ab2a752a7290f\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
File created C:\Users\Admin\AppData\Local\0e4ee70d89575d257d7ab2a752a7290f\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
File created C:\Users\Admin\AppData\Local\0e4ee70d89575d257d7ab2a752a7290f\Admin@GYHASOLS_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\chcp.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe C:\Windows\SysWOW64\cmd.exe
PID 3936 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3936 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3936 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3936 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3936 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3936 wrote to memory of 1472 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 3936 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3936 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3936 wrote to memory of 2612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3228 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe C:\Windows\SysWOW64\cmd.exe
PID 3228 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe C:\Windows\SysWOW64\cmd.exe
PID 4876 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4876 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4876 wrote to memory of 3052 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4876 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4876 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe
PID 4876 wrote to memory of 2928 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe

"C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show profile

C:\Windows\SysWOW64\findstr.exe

findstr All

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3228 -ip 3228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3228 -s 2612

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid

C:\Windows\SysWOW64\chcp.com

chcp 65001

C:\Windows\SysWOW64\netsh.exe

netsh wlan show networks mode=bssid

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3228-0-0x000000007531E000-0x000000007531F000-memory.dmp

memory/3228-1-0x0000000000130000-0x0000000000152000-memory.dmp

memory/3228-2-0x0000000004AE0000-0x0000000004B46000-memory.dmp

memory/3228-3-0x0000000075310000-0x0000000075AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DotNetZip.dll

MD5 6d1c62ec1c2ef722f49b2d8dd4a4df16
SHA1 1bb08a979b7987bc7736a8cfa4779383cb0ecfa6
SHA256 00da1597d92235d3f84da979e2fa5dbf049bafb52c33bd6fc8ee7b29570c124c
SHA512 c0dce8eaa52eb6c319d4be2eec4622bb3380c65b659cfb77ff51a4ada7d3e591e791ee823dad67b5556ffac5c060ff45d09dd1cc21baaf70ba89806647cb3bd2

C:\Users\Admin\AppData\Local\0e4ee70d89575d257d7ab2a752a7290f\Admin@GYHASOLS_en-US\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

memory/3228-66-0x0000000006420000-0x00000000064B2000-memory.dmp

memory/3228-68-0x0000000006CF0000-0x0000000007294000-memory.dmp

memory/3228-92-0x0000000075310000-0x0000000075AC0000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20240708-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe

"C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2972 -s 1404

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 162.159.138.232:443 discord.com tcp

Files

memory/2972-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

memory/2972-1-0x0000000000C00000-0x0000000000C10000-memory.dmp

memory/2972-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

memory/2972-3-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

memory/2972-4-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

memory/2972-5-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20240903-en

Max time kernel

148s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e4c2eb5abb39c5a0a944c9995d0ce64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e4c2eb5abb39c5a0a944c9995d0ce64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\8e4c2eb5abb39c5a0a944c9995d0ce64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e4c2eb5abb39c5a0a944c9995d0ce64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe

"C:\Users\Admin\AppData\Local\Temp\b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\system32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE

Network

Country Destination Domain Proto
US 26.150.193.200:1604 tcp
US 26.150.193.200:1604 tcp
US 26.150.193.200:1604 tcp
US 26.150.193.200:1604 tcp
US 26.150.193.200:1604 tcp
US 26.150.193.200:1604 tcp

Files

memory/2600-0-0x000007FEF56EE000-0x000007FEF56EF000-memory.dmp

memory/2600-1-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

memory/2600-2-0x0000000000580000-0x000000000058E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 4c8326862379b2d2d6fbc47a8c33777b
SHA1 3d5d4d3f340ca4c1e004fa25588cff11f5034e3b
SHA256 b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f
SHA512 3cc74d73d8548a9a16d4cb3921c40a0641d5c0818c81d494f6fff5b16d9389c31da825dc9e1f3fa81d8b2a72b659a51c1f57047aac98cb56f1234bfab99d02e7

memory/2600-8-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

memory/2312-10-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

memory/2312-9-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

memory/2312-13-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

memory/2312-14-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

memory/2312-15-0x000007FEF5430000-0x000007FEF5DCD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe"

Signatures

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\arp.exe N/A
N/A N/A C:\Windows\SysWOW64\arp.exe N/A
N/A N/A C:\Windows\SysWOW64\arp.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1076 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 1076 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe

"C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe"

C:\Windows\SysWOW64\arp.exe

"C:\Windows\System32\arp.exe" -a

C:\Windows\SysWOW64\arp.exe

"C:\Windows\System32\arp.exe" -a

C:\Windows\SysWOW64\arp.exe

"C:\Windows\System32\arp.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 api.auth.gg udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.21.73.173:443 api.auth.gg tcp
US 8.8.8.8:53 173.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp

Files

memory/1076-0-0x000000007468E000-0x000000007468F000-memory.dmp

memory/1076-1-0x00000000005F0000-0x0000000000602000-memory.dmp

memory/1076-2-0x0000000005590000-0x0000000005B34000-memory.dmp

memory/1076-3-0x0000000005080000-0x0000000005112000-memory.dmp

memory/1076-4-0x0000000074680000-0x0000000074E30000-memory.dmp

memory/1076-5-0x0000000074680000-0x0000000074E30000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20241010-en

Max time kernel

143s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.70.40 N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DSL Manager = "C:\\Program Files (x86)\\DSL Manager\\dslmgr.exe" C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DSL Manager\dslmgr.exe C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A
File opened for modification C:\Program Files (x86)\DSL Manager\dslmgr.exe C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe

"C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DSL Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DSL Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp92FD.tmp"

Network

Country Destination Domain Proto
US 24.101.234.141:4782 tcp
US 24.101.234.141:4782 tcp
US 24.101.234.141:4782 tcp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
US 8.8.8.8:53 mcserversetup.serveminecraft.net udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
US 24.101.234.141:4782 tcp
US 24.101.234.141:4782 tcp
US 24.101.234.141:4782 tcp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
US 24.101.234.141:4782 tcp
US 24.101.234.141:4782 tcp

Files

memory/2484-0-0x0000000074951000-0x0000000074952000-memory.dmp

memory/2484-1-0x0000000074950000-0x0000000074EFB000-memory.dmp

memory/2484-2-0x0000000074950000-0x0000000074EFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp9241.tmp

MD5 f8d94348e9e0b4a67b3be7e5c3e4924f
SHA1 b70034fe263152e267998fbed76c06a7e0daf83e
SHA256 8049a27b744d605b123011957117d752424135d35e8e3340d2b9b05164fb73f8
SHA512 78e9c58bab031123f54057d0bbd9c7dccf8da6e84bd9e32d6b4b0ecbd7737899a4f7a6f27999e38cdfc17b8c26c2ffad2dfde73b72cd38893ceddf7aad287b88

C:\Users\Admin\AppData\Local\Temp\tmp92FD.tmp

MD5 a0bcaf1694d4fcae2c44258530850f35
SHA1 99e9ccea3a9dca8d94808f6488fdc37c0b3bfe73
SHA256 099c4a82d8e8ddf5ff801a8f08fb5a143834506e936ce846b380a42eb24e888e
SHA512 ad3f2fbc09f7d57c24a35a62f00251c93d480e065f3b7fbc7133736cb144a3031fdc9f3e8be8a1c6dcdb8b3def654618faab416f66a28628ab71e55de4df0da3

memory/2484-10-0x0000000074950000-0x0000000074EFB000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Nanocore family

nanocore

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.69.80 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.70.40 N/A N/A
Destination IP 84.200.69.80 N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LAN Service = "C:\\Program Files (x86)\\LAN Service\\lansv.exe" C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\LAN Service\lansv.exe C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A
File opened for modification C:\Program Files (x86)\LAN Service\lansv.exe C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe

"C:\Users\Admin\AppData\Local\Temp\304f9bc7de67c32d895d2a005283ae4b7a63e390915463ca0a9aa404a9e29e1b.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "LAN Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDA25.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 24.101.234.141:4782 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 24.101.234.141:4782 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 24.101.234.141:4782 tcp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
US 8.8.8.8:53 mcserversetup.serveminecraft.net udp
US 8.8.8.8:53 40.70.200.84.in-addr.arpa udp
US 8.8.8.8:53 80.69.200.84.in-addr.arpa udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
US 8.8.8.8:53 mcserversetup.serveminecraft.net udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 24.101.234.141:4782 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 24.101.234.141:4782 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 24.101.234.141:4782 tcp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
US 8.8.8.8:53 mcserversetup.serveminecraft.net udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
DE 84.200.69.80:53 mcserversetup.serveminecraft.net udp
DE 84.200.70.40:53 mcserversetup.serveminecraft.net udp
US 8.8.8.8:53 mcserversetup.serveminecraft.net udp
US 24.101.234.141:4782 tcp
US 24.101.234.141:4782 tcp

Files

memory/4396-0-0x00000000754B2000-0x00000000754B3000-memory.dmp

memory/4396-1-0x00000000754B0000-0x0000000075A61000-memory.dmp

memory/4396-2-0x00000000754B0000-0x0000000075A61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD9C6.tmp

MD5 f8d94348e9e0b4a67b3be7e5c3e4924f
SHA1 b70034fe263152e267998fbed76c06a7e0daf83e
SHA256 8049a27b744d605b123011957117d752424135d35e8e3340d2b9b05164fb73f8
SHA512 78e9c58bab031123f54057d0bbd9c7dccf8da6e84bd9e32d6b4b0ecbd7737899a4f7a6f27999e38cdfc17b8c26c2ffad2dfde73b72cd38893ceddf7aad287b88

C:\Users\Admin\AppData\Local\Temp\tmpDA25.tmp

MD5 6b30dba7972c92c9a1b881e88c108b15
SHA1 f76207985cc5a1f70edb2fb5bd45678f195a4564
SHA256 578f5b0ff051f02f8e0a67fc3424dad554fa9489875475ea624fbb63eabfcbf7
SHA512 e3dd368937f863cb07453de12173580fb63b8d3983db7119c24860f227c89ded76401c47607f5b1134d215d46fe2b40d4bc3d7299374f1e8abecdeaefc7b9099

memory/4396-10-0x00000000754B0000-0x0000000075A61000-memory.dmp

memory/4396-11-0x00000000754B2000-0x00000000754B3000-memory.dmp

memory/4396-12-0x00000000754B0000-0x0000000075A61000-memory.dmp

memory/4396-13-0x00000000754B0000-0x0000000075A61000-memory.dmp

memory/4396-14-0x00000000754B0000-0x0000000075A61000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

142s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4084 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 2000 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 4084 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2000 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2000 wrote to memory of 2692 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3424 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3424 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3424 wrote to memory of 1576 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3424 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe
PID 3424 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe
PID 3424 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe

"C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "12376w8q09dq" /tr '"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAAD6.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "12376w8q09dq" /tr '"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe

"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 206.123.141.239:7777 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 206.123.141.239:7777 tcp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 206.123.141.239:7777 tcp
US 206.123.141.239:7777 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 206.123.141.239:7777 tcp
US 206.123.141.239:7777 tcp

Files

memory/4084-0-0x00000000744DE000-0x00000000744DF000-memory.dmp

memory/4084-1-0x00000000004C0000-0x00000000004D2000-memory.dmp

memory/4084-2-0x00000000744D0000-0x0000000074C80000-memory.dmp

memory/4084-3-0x0000000004D10000-0x0000000004D76000-memory.dmp

memory/4084-4-0x00000000051D0000-0x000000000526C000-memory.dmp

memory/4084-9-0x00000000744D0000-0x0000000074C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpAAD6.tmp.bat

MD5 46646f9376c0a899495a2ed668bd1232
SHA1 d76ecb685230a108c8bb2b8dd8330ab06feb5ecb
SHA256 6145f8cb161e602b77aa754bcdff4a7aa39ccf3bb80dcabb693581daf5ec89c8
SHA512 d74d3fce1f979eebffa5fc50a899eed2d82243086664e6e6d3cc310a2dea4384506eb1d9a29c645d5d61f9eca2b1d06cb01032f9b2e615b4e15bb931c8e28a45

C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe

MD5 5af5a9087ecf42eb83fb358d49b06e92
SHA1 0d4a5c5d90e6306c476036ca097a01a17b4295db
SHA256 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453
SHA512 d0608f648dd26b81d262741c373737dba3bfeb1508f86d8c448ec634a78bd9f86f52961d22cf027418c5012f2f7388928480495003dfeac7b94deb590bb7d22c

memory/2396-14-0x0000000074420000-0x0000000074BD0000-memory.dmp

memory/2396-15-0x0000000074420000-0x0000000074BD0000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

113s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 3808 wrote to memory of 208 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe

"C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe"

C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe

"C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
TR 185.227.139.18:80 185.227.139.18 tcp
TR 185.227.139.18:80 185.227.139.18 tcp
TR 185.227.139.18:80 185.227.139.18 tcp
US 8.8.8.8:53 18.139.227.185.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
TR 185.227.139.18:80 185.227.139.18 tcp

Files

memory/3808-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

memory/3808-1-0x0000000000DE0000-0x0000000000EB0000-memory.dmp

memory/3808-2-0x0000000005D50000-0x00000000062F4000-memory.dmp

memory/3808-3-0x00000000058A0000-0x0000000005932000-memory.dmp

memory/3808-4-0x00000000059E0000-0x0000000005A7C000-memory.dmp

memory/3808-5-0x0000000005950000-0x000000000595A000-memory.dmp

memory/3808-6-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/3808-7-0x0000000005D30000-0x0000000005D44000-memory.dmp

memory/3808-8-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

memory/3808-9-0x0000000074B00000-0x00000000752B0000-memory.dmp

memory/3808-10-0x0000000009520000-0x000000000958E000-memory.dmp

memory/3808-11-0x000000000BBD0000-0x000000000BC02000-memory.dmp

memory/208-12-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/208-15-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/208-16-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/3808-17-0x0000000074B00000-0x00000000752B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3442511616-637977696-3186306149-1000\0f5007522459c86e95ffcc62f32308f1_5ab270f5-f3a9-47d1-97d7-bbd50acf9955

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

memory/208-36-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/208-44-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:57

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe"

Signatures

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e4c2eb5abb39c5a0a944c9995d0ce64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8e4c2eb5abb39c5a0a944c9995d0ce64.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e4c2eb5abb39c5a0a944c9995d0ce64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8e4c2eb5abb39c5a0a944c9995d0ce64 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe\" .." C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\SYSTEM32\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe

"C:\Users\Admin\AppData\Local\Temp\b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Windows\SYSTEM32\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\svchost.exe" "svchost.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 26.150.193.200:1604 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 26.150.193.200:1604 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 26.150.193.200:1604 tcp
US 26.150.193.200:1604 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 26.150.193.200:1604 tcp
US 26.150.193.200:1604 tcp
US 8.8.8.8:53 udp

Files

memory/3064-0-0x00007FF995F15000-0x00007FF995F16000-memory.dmp

memory/3064-1-0x000000001B070000-0x000000001B116000-memory.dmp

memory/3064-2-0x00007FF995C60000-0x00007FF996601000-memory.dmp

memory/3064-3-0x00007FF995C60000-0x00007FF996601000-memory.dmp

memory/3064-4-0x0000000000980000-0x000000000098E000-memory.dmp

memory/3064-5-0x000000001BDB0000-0x000000001C27E000-memory.dmp

memory/3064-6-0x00007FF995F15000-0x00007FF995F16000-memory.dmp

memory/3064-7-0x00007FF995C60000-0x00007FF996601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 4c8326862379b2d2d6fbc47a8c33777b
SHA1 3d5d4d3f340ca4c1e004fa25588cff11f5034e3b
SHA256 b67bc3d9578e037d7cf91795a1015008d2ee5629c5b8089a16ae3d3bac92168f
SHA512 3cc74d73d8548a9a16d4cb3921c40a0641d5c0818c81d494f6fff5b16d9389c31da825dc9e1f3fa81d8b2a72b659a51c1f57047aac98cb56f1234bfab99d02e7

memory/1676-20-0x00007FF995C60000-0x00007FF996601000-memory.dmp

memory/3064-21-0x00007FF995C60000-0x00007FF996601000-memory.dmp

memory/1676-22-0x00007FF995C60000-0x00007FF996601000-memory.dmp

memory/1676-25-0x00007FF995C60000-0x00007FF996601000-memory.dmp

memory/1676-26-0x000000001DDA0000-0x000000001DE3C000-memory.dmp

memory/1676-27-0x00000000027F0000-0x00000000027F8000-memory.dmp

memory/1676-28-0x00007FF995C60000-0x00007FF996601000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20240903-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe"

Signatures

Lokibot

trojan spyware stealer lokibot

Lokibot family

lokibot

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe

"C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe"

C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe

"C:\Users\Admin\AppData\Local\Temp\922135a10e85dde50c701490c1b71fa8c686becb0c8bbf020e64cd3b36927754.exe"

Network

Country Destination Domain Proto
TR 185.227.139.18:80 185.227.139.18 tcp
TR 185.227.139.18:80 185.227.139.18 tcp
TR 185.227.139.18:80 185.227.139.18 tcp
TR 185.227.139.18:80 185.227.139.18 tcp

Files

memory/2980-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/2980-1-0x0000000000E90000-0x0000000000F60000-memory.dmp

memory/2980-2-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2980-3-0x0000000000290000-0x00000000002A4000-memory.dmp

memory/2980-4-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/2980-5-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2980-6-0x0000000004C30000-0x0000000004C9E000-memory.dmp

memory/2980-7-0x0000000000DC0000-0x0000000000DF2000-memory.dmp

memory/2608-8-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-10-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-23-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-22-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-20-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2608-16-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-14-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-12-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2980-24-0x00000000744B0000-0x0000000074B9E000-memory.dmp

memory/2608-28-0x0000000000400000-0x00000000004A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/2608-44-0x0000000000400000-0x00000000004A2000-memory.dmp

memory/2608-54-0x0000000000400000-0x00000000004A2000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe"

Signatures

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\arp.exe N/A
N/A N/A C:\Windows\SysWOW64\arp.exe N/A
N/A N/A C:\Windows\SysWOW64\arp.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\arp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2472 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe
PID 2472 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe C:\Windows\SysWOW64\arp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe

"C:\Users\Admin\AppData\Local\Temp\15a83de3182943e692fd43702b5b580a77d5c52a3097bac79257d9e168b0c0fa.exe"

C:\Windows\SysWOW64\arp.exe

"C:\Windows\System32\arp.exe" -a

C:\Windows\SysWOW64\arp.exe

"C:\Windows\System32\arp.exe" -a

C:\Windows\SysWOW64\arp.exe

"C:\Windows\System32\arp.exe" -a

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.auth.gg udp
US 172.67.164.78:443 api.auth.gg tcp

Files

memory/2472-0-0x000000007432E000-0x000000007432F000-memory.dmp

memory/2472-1-0x0000000000840000-0x0000000000852000-memory.dmp

memory/2472-2-0x0000000074320000-0x0000000074A0E000-memory.dmp

memory/2472-3-0x0000000074320000-0x0000000074A0E000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:57

Platform

win7-20241010-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\602fdca88735a1a1338352d8ae49ef80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\602fdca88735a1a1338352d8ae49ef80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 8.tcp.ngrok.io N/A N/A
N/A 8.tcp.ngrok.io N/A N/A
N/A 8.tcp.ngrok.io N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe
PID 1820 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe
PID 1820 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1820 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1820 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1820 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe C:\Windows\SysWOW64\WerFault.exe
PID 2880 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2880 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2880 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2880 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe C:\Users\Admin\AppData\Local\Temp\server.exe
PID 2912 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe
PID 2912 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\server.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe

"C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe"

C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe

"C:\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1332

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipv4bot.whatismyipaddress.com udp
US 8.8.8.8:53 8.tcp.ngrok.io udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 8.8.8.8:53 8.tcp.ngrok.io udp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 3.142.81.166:12342 8.tcp.ngrok.io tcp
US 8.8.8.8:53 8.tcp.ngrok.io udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp

Files

memory/1820-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

memory/1820-1-0x0000000000860000-0x0000000000B02000-memory.dmp

memory/1820-2-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/1820-4-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/1820-3-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/1820-5-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/1820-6-0x0000000000760000-0x00000000007DC000-memory.dmp

\Users\Admin\AppData\Local\Temp\oJ9jQrjBLr.exe

MD5 059302e210a714b3cebd8c6400d7d12e
SHA1 eed4e297cdffff9815bf456e4f237b699b33de6d
SHA256 7b49bca136184f784b52ca6499108288da623944a0a97eff19e3318364a0a999
SHA512 5ae9f86dc384be6d7acb085132846ef690d0e069f43837e8e9edb89558bfb8c3a5232e47332df10b79ee8df2e4e84c509386c5fbb9f8b5a7659ff8cacb1a4dcc

memory/2880-14-0x0000000070241000-0x0000000070242000-memory.dmp

memory/2880-15-0x0000000070240000-0x00000000707EB000-memory.dmp

memory/2880-16-0x0000000070240000-0x00000000707EB000-memory.dmp

memory/1820-17-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

memory/1820-18-0x0000000074D40000-0x000000007542E000-memory.dmp

memory/2880-26-0x0000000070240000-0x00000000707EB000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe"

Signatures

Njrat family

njrat

njRAT/Bladabindi

trojan njrat

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\602fdca88735a1a1338352d8ae49ef80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\602fdca88735a1a1338352d8ae49ef80 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A 8.tcp.ngrok.io N/A N/A
N/A 8.tcp.ngrok.io N/A N/A
N/A 8.tcp.ngrok.io N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\server.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe

"C:\Users\Admin\AppData\Local\Temp\61bb2c746d218b86b3b9e069899e4ec1bf16a61206e66bfda7badf06915456fd.exe"

C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe

"C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2912 -ip 2912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2912 -s 2076

C:\Users\Admin\AppData\Local\Temp\server.exe

"C:\Users\Admin\AppData\Local\Temp\server.exe"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 ipv4bot.whatismyipaddress.com udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 8.tcp.ngrok.io udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 8.8.8.8:53 69.208.201.84.in-addr.arpa udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 8.8.8.8:53 8.tcp.ngrok.io udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 8.8.8.8:53 8.tcp.ngrok.io udp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp
US 13.58.157.220:12342 8.tcp.ngrok.io tcp

Files

memory/2912-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp

memory/2912-1-0x0000000000990000-0x0000000000C32000-memory.dmp

memory/2912-2-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2912-3-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2912-4-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2912-5-0x0000000009DC0000-0x0000000009E3C000-memory.dmp

memory/2912-6-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/2912-7-0x0000000005B00000-0x00000000060A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iFjR7vUJjT.exe

MD5 059302e210a714b3cebd8c6400d7d12e
SHA1 eed4e297cdffff9815bf456e4f237b699b33de6d
SHA256 7b49bca136184f784b52ca6499108288da623944a0a97eff19e3318364a0a999
SHA512 5ae9f86dc384be6d7acb085132846ef690d0e069f43837e8e9edb89558bfb8c3a5232e47332df10b79ee8df2e4e84c509386c5fbb9f8b5a7659ff8cacb1a4dcc

memory/3676-18-0x000000006FFA2000-0x000000006FFA4000-memory.dmp

memory/3676-17-0x0000000001450000-0x0000000001460000-memory.dmp

memory/2912-16-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/3676-19-0x000000006FFA0000-0x0000000070551000-memory.dmp

memory/2912-20-0x0000000074B30000-0x00000000752E0000-memory.dmp

memory/3676-30-0x000000006FFA0000-0x0000000070551000-memory.dmp

memory/4532-31-0x000000006FFA0000-0x0000000070551000-memory.dmp

memory/4532-32-0x000000006FFA0000-0x0000000070551000-memory.dmp

memory/4532-33-0x000000006FFA0000-0x0000000070551000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20240729-en

Max time kernel

16s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe"

Signatures

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe

"C:\Users\Admin\AppData\Local\Temp\78ae7a93d9e328b6e2c05b730df6384b3da3afe8674be983c19116d1457da7b6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp

Files

memory/2548-0-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

memory/2548-1-0x00000000008A0000-0x00000000008C2000-memory.dmp

memory/2548-2-0x0000000073C40000-0x000000007432E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF46F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF491.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffb1df2da060b96cad2b927bc4c66d5a
SHA1 60fae596cc6ee7dfd4e80e44df8a624791847311
SHA256 49e25cb4f1f3aef90481c72ce97720145e8d8916e412f493f71b3a9cf3dbd64a
SHA512 e2f28b9d00404044fe58931d6f048f1ca636d684c7d4ea2af775c05d72159b1a58389f165fa47a4c293594d95902019270bdab5970643b6e9801e4e06caed9c0

memory/2548-99-0x0000000073C4E000-0x0000000073C4F000-memory.dmp

memory/2548-100-0x0000000073C40000-0x000000007432E000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20240903-en

Max time kernel

148s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe
PID 1628 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe

Processes

C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe

"C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe"

C:\Users\Admin\AppData\Local\Temp\43087ea9490bfbbc1216d8e9aeece07cf0125fd8bfbcaf8ff726c93adc7bd4eb.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 newlife957.duckdns.org udp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp
IT 195.178.120.157:7225 newlife957.duckdns.org tcp

Files

memory/1628-0-0x000000007424E000-0x000000007424F000-memory.dmp

memory/1628-1-0x0000000001380000-0x0000000001460000-memory.dmp

memory/1628-2-0x0000000074240000-0x000000007492E000-memory.dmp

memory/1628-3-0x0000000000450000-0x0000000000458000-memory.dmp

memory/1628-4-0x000000007424E000-0x000000007424F000-memory.dmp

memory/1628-5-0x0000000074240000-0x000000007492E000-memory.dmp

memory/1628-6-0x0000000008050000-0x00000000080D6000-memory.dmp

memory/1628-7-0x0000000000790000-0x00000000007C8000-memory.dmp

memory/2808-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2808-10-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2808-16-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2808-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2808-13-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2808-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2808-18-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2808-21-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1628-22-0x0000000074240000-0x000000007492E000-memory.dmp

memory/2808-23-0x0000000074240000-0x000000007492E000-memory.dmp

memory/2808-24-0x0000000074240000-0x000000007492E000-memory.dmp

memory/2808-25-0x0000000074240000-0x000000007492E000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win7-20240903-en

Max time kernel

140s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe"

Signatures

AsyncRat

rat asyncrat

Asyncrat family

asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe C:\Windows\SysWOW64\cmd.exe
PID 2712 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2712 wrote to memory of 2808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3016 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3016 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3016 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3016 wrote to memory of 2544 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 3016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe
PID 3016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe
PID 3016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe
PID 3016 wrote to memory of 3020 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe

"C:\Users\Admin\AppData\Local\Temp\878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "12376w8q09dq" /tr '"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA5D.tmp.bat""

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "12376w8q09dq" /tr '"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"'

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe

"C:\Users\Admin\AppData\Roaming\12376w8q09dq.exe"

Network

Country Destination Domain Proto
US 206.123.141.239:7777 tcp
US 206.123.141.239:7777 tcp
US 206.123.141.239:7777 tcp
US 206.123.141.239:7777 tcp
US 206.123.141.239:7777 tcp
US 206.123.141.239:7777 tcp

Files

memory/2112-0-0x000000007483E000-0x000000007483F000-memory.dmp

memory/2112-1-0x0000000000DF0000-0x0000000000E02000-memory.dmp

memory/2112-2-0x0000000074830000-0x0000000074F1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpA5D.tmp.bat

MD5 e20ea2b1fc2d8565c40c086718f2d4e8
SHA1 1a44076cff43b56b9d13346e23a05f42ab42cda8
SHA256 95d05ee7b2ffbaa98d724bf5dac51d403db9ccce88b7528375820aae40299f6f
SHA512 79f0d7ba49831e0422aec8c0c3a40c552e85486e98803e53d1b14b190f5875b1599338b097b73aa3bd5e5ba21a3c612f9559ad57481e26f60d7139bc4c128b43

memory/2112-12-0x0000000074830000-0x0000000074F1E000-memory.dmp

\Users\Admin\AppData\Roaming\12376w8q09dq.exe

MD5 5af5a9087ecf42eb83fb358d49b06e92
SHA1 0d4a5c5d90e6306c476036ca097a01a17b4295db
SHA256 878487e25eb96ab2c4ebd889e4bfc1739d730722c2af4736bc46ac3d11eca453
SHA512 d0608f648dd26b81d262741c373737dba3bfeb1508f86d8c448ec634a78bd9f86f52961d22cf027418c5012f2f7388928480495003dfeac7b94deb590bb7d22c

memory/3020-16-0x0000000000B30000-0x0000000000B42000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-07 06:54

Reported

2024-11-07 06:56

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe"

Signatures

Mercurial Grabber Stealer

stealer mercurialgrabber

Mercurialgrabber family

mercurialgrabber

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip4.seeip.org N/A N/A
N/A ip-api.com N/A N/A

Maps connected drives based on registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe

"C:\Users\Admin\AppData\Local\Temp\98e12d1098dae7e51260059a00b98ea0f197fd7b262e14693579cc8ba45e1fad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip4.seeip.org udp
US 23.128.64.141:443 ip4.seeip.org tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 162.159.135.232:443 discord.com tcp
US 8.8.8.8:53 232.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/4068-0-0x00007FF81A2E3000-0x00007FF81A2E5000-memory.dmp

memory/4068-1-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

memory/4068-2-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

memory/4068-3-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp

memory/4068-7-0x00007FF81A2E0000-0x00007FF81ADA1000-memory.dmp