Analysis Overview
SHA256
6ce1075c1eca41e5a2c2a86ef580496414f423529d6db4d4a4b25ecff9f767d1
Threat Level: Known bad
The file 6ce1075c1eca41e5a2c2a86ef580496414f423529d6db4d4a4b25ecff9f767d1 was found to be: Known bad.
Malicious Activity Summary
Onlylogger family
Smokeloader family
SmokeLoader
Gcleaner family
RedLine
Vidar family
OnlyLogger
RedLine payload
GCleaner
Redline family
SectopRAT payload
Vidar
Sectoprat family
SectopRAT
OnlyLogger payload
Vidar Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks computer location settings
Checks BIOS information in registry
Loads dropped DLL
Executes dropped EXE
Deletes itself
Looks up external IP address via web service
Checks whether UAC is enabled
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Enumerates physical storage devices
Program crash
Unsigned PE
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
Kills process with taskkill
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Script User-Agent
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-07 10:47
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20241023-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2616 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2616 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2616 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2616 wrote to memory of 2708 | N/A | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe
"C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 864
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.22:443 | eduarroma.tumblr.com | tcp |
Files
memory/2616-1-0x00000000002F0000-0x00000000003F0000-memory.dmp
memory/2616-2-0x0000000002480000-0x000000000251D000-memory.dmp
memory/2616-3-0x0000000000400000-0x00000000004A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabB241.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarB273.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2616-60-0x0000000002480000-0x000000000251D000-memory.dmp
memory/2616-59-0x00000000002F0000-0x00000000003F0000-memory.dmp
memory/2616-58-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2616-57-0x0000000000400000-0x0000000002402000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe
"C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | one-wedding-film.xyz | udp |
| US | 8.8.8.8:53 | getonlinewoostudio.xyz | udp |
| US | 8.8.8.8:53 | w0rkinginstanc3.xyz | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 104.21.79.229:443 | 2no.co | tcp |
| US | 104.21.79.229:443 | 2no.co | tcp |
Files
memory/2332-0-0x000007FEF6723000-0x000007FEF6724000-memory.dmp
memory/2332-1-0x0000000000D30000-0x0000000000D5E000-memory.dmp
memory/2332-2-0x0000000000240000-0x0000000000262000-memory.dmp
memory/2332-3-0x000007FEF6720000-0x000007FEF710C000-memory.dmp
memory/2332-4-0x000007FEF6720000-0x000007FEF710C000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe
"C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | one-wedding-film.xyz | udp |
| US | 8.8.8.8:53 | getonlinewoostudio.xyz | udp |
| US | 8.8.8.8:53 | w0rkinginstanc3.xyz | udp |
| US | 8.8.8.8:53 | 2no.co | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 172.67.149.76:443 | 2no.co | tcp |
| US | 8.8.8.8:53 | 76.149.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp |
Files
memory/3248-0-0x00007FFB07503000-0x00007FFB07505000-memory.dmp
memory/3248-1-0x0000000000470000-0x000000000049E000-memory.dmp
memory/3248-2-0x0000000000D50000-0x0000000000D72000-memory.dmp
memory/3248-3-0x00007FFB07500000-0x00007FFB07FC1000-memory.dmp
memory/3248-5-0x00007FFB07500000-0x00007FFB07FC1000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
143s
Max time network
146s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2320 set thread context of 2648 | N/A | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"
C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp |
Files
memory/2320-0-0x00000000742EE000-0x00000000742EF000-memory.dmp
memory/2320-1-0x0000000000B50000-0x0000000000C5C000-memory.dmp
memory/2320-2-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2320-3-0x00000000007C0000-0x00000000007D8000-memory.dmp
memory/2320-4-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2320-5-0x00000000742EE000-0x00000000742EF000-memory.dmp
memory/2320-6-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2320-7-0x0000000008380000-0x0000000008424000-memory.dmp
memory/2320-8-0x0000000005F50000-0x0000000005F8A000-memory.dmp
memory/2648-19-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2648-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2648-23-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2648-21-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2320-24-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2648-15-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2648-13-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2648-12-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2648-9-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2648-25-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2648-26-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2648-27-0x00000000742E0000-0x00000000749CE000-memory.dmp
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe
"C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\03869199344.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\51088616531.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\31148920999.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:80 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
Files
memory/2324-1-0x0000000002820000-0x0000000002920000-memory.dmp
memory/2324-2-0x0000000000400000-0x0000000000431000-memory.dmp
memory/2324-3-0x0000000000400000-0x00000000023BA000-memory.dmp
memory/2324-19-0x0000000000400000-0x00000000023BA000-memory.dmp
memory/2324-20-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\03869199344.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1028 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
| PID 1028 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
| PID 1028 wrote to memory of 1924 | N/A | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe
"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe"
C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe
"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe" -q
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1924 -ip 1924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 752
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | a.goatgame.co | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
147s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\GameBox\is-KCPON.tmp | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| File created | C:\Program Files (x86)\GameBox\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3048 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp |
| PID 3048 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp |
| PID 3048 wrote to memory of 3764 | N/A | C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe | C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp |
Processes
C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe
"C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"
C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp
"C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp" /SL5="$60254,138429,56832,C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | proxycheck.io | udp |
| US | 104.26.8.187:80 | proxycheck.io | tcp |
| US | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| IN | 52.219.160.130:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.8.26.104.in-addr.arpa | udp |
| IN | 52.219.160.130:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| US | 8.8.8.8:53 | 130.160.219.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
memory/3048-0-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3048-2-0x0000000000401000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
memory/3764-6-0x0000000000400000-0x00000000004BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-RL90J.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/3764-15-0x0000000003A80000-0x0000000003ABC000-memory.dmp
memory/3764-17-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3764-18-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3764-19-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3764-20-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3764-21-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3764-22-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3048-23-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3764-25-0x0000000003A80000-0x0000000003ABC000-memory.dmp
memory/3764-34-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3764-39-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/3048-40-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2684 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"
C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp |
Files
memory/2684-0-0x000000007457E000-0x000000007457F000-memory.dmp
memory/2684-1-0x0000000000B00000-0x0000000000BEC000-memory.dmp
memory/2684-2-0x0000000074570000-0x0000000074C5E000-memory.dmp
memory/2684-3-0x0000000000340000-0x0000000000358000-memory.dmp
memory/2684-4-0x000000007457E000-0x000000007457F000-memory.dmp
memory/2684-5-0x0000000074570000-0x0000000074C5E000-memory.dmp
memory/2684-6-0x0000000007250000-0x00000000072E8000-memory.dmp
memory/2684-7-0x0000000000720000-0x000000000074E000-memory.dmp
memory/2704-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2704-18-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2704-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2704-14-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2704-12-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2704-10-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2684-24-0x0000000074570000-0x0000000074C5E000-memory.dmp
memory/2704-23-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2704-20-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2704-25-0x0000000074570000-0x0000000074C5E000-memory.dmp
memory/2704-26-0x0000000074570000-0x0000000074C5E000-memory.dmp
memory/2704-27-0x0000000074570000-0x0000000074C5E000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe
"C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp |
Files
memory/1908-0-0x0000000000E30000-0x0000000001490000-memory.dmp
memory/1908-1-0x0000000075081000-0x0000000075082000-memory.dmp
memory/1908-11-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-10-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-9-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-8-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-17-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-19-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-18-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-25-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-23-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-22-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-21-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-20-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-16-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-15-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-14-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-13-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-29-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-12-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-7-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-6-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-5-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-4-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-3-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-2-0x0000000075070000-0x0000000075180000-memory.dmp
memory/1908-30-0x0000000000E30000-0x0000000001490000-memory.dmp
memory/1908-31-0x0000000000E30000-0x0000000001490000-memory.dmp
memory/1908-32-0x0000000075081000-0x0000000075082000-memory.dmp
memory/1908-33-0x0000000075070000-0x0000000075180000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe
"C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp |
Files
memory/1820-0-0x0000000000D60000-0x00000000013C0000-memory.dmp
memory/1820-1-0x00000000772F0000-0x00000000772F1000-memory.dmp
memory/1820-2-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-3-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-6-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-5-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-4-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-10-0x0000000000D60000-0x00000000013C0000-memory.dmp
memory/1820-11-0x00000000065F0000-0x0000000006C08000-memory.dmp
memory/1820-12-0x0000000005FA0000-0x0000000005FB2000-memory.dmp
memory/1820-13-0x00000000060E0000-0x00000000061EA000-memory.dmp
memory/1820-14-0x0000000006010000-0x000000000604C000-memory.dmp
memory/1820-15-0x0000000006050000-0x000000000609C000-memory.dmp
memory/1820-16-0x0000000000D60000-0x00000000013C0000-memory.dmp
memory/1820-17-0x00000000772F0000-0x00000000772F1000-memory.dmp
memory/1820-18-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-19-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-20-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-21-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-22-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-23-0x00000000772D0000-0x00000000773C0000-memory.dmp
memory/1820-25-0x00000000772D0000-0x00000000773C0000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
14s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2148 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
| PID 2148 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
| PID 2148 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
| PID 2148 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe | C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe
"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe"
C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe
"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe" -q
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1724 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1724 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1724 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 1724 wrote to memory of 2380 | N/A | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe
"C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 136
Network
Files
memory/1724-1-0x00000000024E0000-0x00000000025E0000-memory.dmp
memory/1724-2-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1724-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1724-4-0x0000000000400000-0x00000000023AE000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe
"C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp |
Files
memory/368-0-0x0000000000150000-0x0000000000C34000-memory.dmp
memory/368-1-0x00000000765A0000-0x00000000765A1000-memory.dmp
memory/368-3-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-5-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-4-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-2-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-6-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-9-0x0000000000150000-0x0000000000C34000-memory.dmp
memory/368-10-0x0000000000150000-0x0000000000C34000-memory.dmp
memory/368-11-0x0000000005DB0000-0x0000000006354000-memory.dmp
memory/368-13-0x00000000058E0000-0x0000000005972000-memory.dmp
memory/368-12-0x0000000006980000-0x0000000006F98000-memory.dmp
memory/368-14-0x0000000005890000-0x00000000058A2000-memory.dmp
memory/368-15-0x0000000005A90000-0x0000000005B9A000-memory.dmp
memory/368-16-0x00000000063E0000-0x000000000641C000-memory.dmp
memory/368-17-0x0000000006420000-0x000000000646C000-memory.dmp
memory/368-18-0x0000000000150000-0x0000000000C34000-memory.dmp
memory/368-20-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-19-0x00000000765A0000-0x00000000765A1000-memory.dmp
memory/368-21-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-23-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-22-0x0000000076580000-0x0000000076670000-memory.dmp
memory/368-25-0x0000000076580000-0x0000000076670000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe
"C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\62864257160.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\61369291315.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\89984158093.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:80 | iplogger.org | tcp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
Files
memory/2884-1-0x00000000024C0000-0x00000000025C0000-memory.dmp
memory/2884-3-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2884-2-0x0000000000220000-0x0000000000250000-memory.dmp
memory/2884-22-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2884-20-0x0000000000220000-0x0000000000250000-memory.dmp
memory/2884-21-0x00000000024C0000-0x00000000025C0000-memory.dmp
memory/2884-19-0x0000000000400000-0x00000000023BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\62864257160.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3836 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"
C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp | |
| RU | 94.103.83.88:65136 | tcp |
Files
memory/3836-0-0x00000000744BE000-0x00000000744BF000-memory.dmp
memory/3836-1-0x00000000007F0000-0x00000000008FC000-memory.dmp
memory/3836-2-0x00000000057E0000-0x0000000005D84000-memory.dmp
memory/3836-3-0x0000000005310000-0x00000000053A2000-memory.dmp
memory/3836-4-0x00000000053B0000-0x000000000544C000-memory.dmp
memory/3836-5-0x0000000005300000-0x000000000530A000-memory.dmp
memory/3836-6-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/3836-7-0x0000000005F20000-0x0000000005F38000-memory.dmp
memory/3836-8-0x00000000744BE000-0x00000000744BF000-memory.dmp
memory/3836-9-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/3836-10-0x0000000006A20000-0x0000000006AC4000-memory.dmp
memory/3836-11-0x000000000AE60000-0x000000000AE9A000-memory.dmp
memory/1196-12-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3836-15-0x00000000744B0000-0x0000000074C60000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fCe2q13vzDk3gxn554bfaSDi.exe.log
| MD5 | 84e77a587d94307c0ac1357eb4d3d46f |
| SHA1 | 83cc900f9401f43d181207d64c5adba7a85edc1e |
| SHA256 | e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99 |
| SHA512 | aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691 |
memory/1196-16-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/1196-17-0x0000000005380000-0x0000000005998000-memory.dmp
memory/1196-18-0x0000000004E20000-0x0000000004E32000-memory.dmp
memory/1196-19-0x0000000004F90000-0x000000000509A000-memory.dmp
memory/1196-20-0x0000000004EC0000-0x0000000004EFC000-memory.dmp
memory/1196-21-0x00000000744B0000-0x0000000074C60000-memory.dmp
memory/1196-22-0x0000000004F00000-0x0000000004F4C000-memory.dmp
memory/1196-23-0x00000000744B0000-0x0000000074C60000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1428 set thread context of 1216 | N/A | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"
C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp | |
| DE | 159.69.190.155:35975 | tcp |
Files
memory/1428-0-0x000000007460E000-0x000000007460F000-memory.dmp
memory/1428-1-0x00000000008D0000-0x00000000009BC000-memory.dmp
memory/1428-2-0x0000000007D80000-0x0000000008324000-memory.dmp
memory/1428-3-0x0000000007870000-0x0000000007902000-memory.dmp
memory/1428-4-0x00000000079B0000-0x0000000007A4C000-memory.dmp
memory/1428-6-0x0000000002C70000-0x0000000002C7A000-memory.dmp
memory/1428-5-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/1428-7-0x0000000007990000-0x00000000079A8000-memory.dmp
memory/1428-8-0x000000007460E000-0x000000007460F000-memory.dmp
memory/1428-9-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/1428-10-0x00000000092C0000-0x0000000009358000-memory.dmp
memory/1428-11-0x0000000006580000-0x00000000065AE000-memory.dmp
memory/1216-12-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GcNRfPQrt7430052z4jWGX0i.exe.log
| MD5 | 84e77a587d94307c0ac1357eb4d3d46f |
| SHA1 | 83cc900f9401f43d181207d64c5adba7a85edc1e |
| SHA256 | e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99 |
| SHA512 | aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691 |
memory/1428-16-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/1216-17-0x0000000005800000-0x0000000005E18000-memory.dmp
memory/1216-18-0x00000000052A0000-0x00000000052B2000-memory.dmp
memory/1216-15-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/1216-19-0x0000000005300000-0x000000000533C000-memory.dmp
memory/1216-20-0x0000000005340000-0x000000000538C000-memory.dmp
memory/1216-21-0x0000000074600000-0x0000000074DB0000-memory.dmp
memory/1216-22-0x0000000005620000-0x000000000572A000-memory.dmp
memory/1216-23-0x0000000074600000-0x0000000074DB0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe
"C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1012
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1068
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1296
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1488
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\36505323100.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\95357621793.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\24264079468.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1860
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2564 -ip 2564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1576
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 8.8.8.8:53 | 161.227.145.194.in-addr.arpa | udp |
| US | 104.26.2.46:80 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.2.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
memory/2564-1-0x0000000002400000-0x0000000002500000-memory.dmp
memory/2564-2-0x0000000003FC0000-0x0000000003FF0000-memory.dmp
memory/2564-3-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\36505323100.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/2564-12-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2564-11-0x0000000003FC0000-0x0000000003FF0000-memory.dmp
memory/2564-10-0x0000000000400000-0x00000000023BB000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe
"C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp |
Files
memory/2788-0-0x00000000012D0000-0x000000000191E000-memory.dmp
memory/2788-1-0x0000000076C21000-0x0000000076C22000-memory.dmp
memory/2788-5-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-4-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-10-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-13-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-20-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-26-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-25-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-24-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-23-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-22-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-21-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-19-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-18-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-12-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-11-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-17-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-9-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-8-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-7-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-6-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-3-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-2-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-27-0x00000000012D0000-0x000000000191E000-memory.dmp
memory/2788-28-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-29-0x00000000012D0000-0x000000000191E000-memory.dmp
memory/2788-30-0x0000000076C21000-0x0000000076C22000-memory.dmp
memory/2788-31-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-33-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-32-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-36-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-35-0x0000000076C10000-0x0000000076D20000-memory.dmp
memory/2788-34-0x0000000076C10000-0x0000000076D20000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe
"C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| RU | 188.124.36.242:25802 | tcp | |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 188.124.36.242:25802 | tcp | |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| RU | 188.124.36.242:25802 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp | |
| RU | 188.124.36.242:25802 | tcp |
Files
memory/2200-0-0x0000000000160000-0x00000000007AE000-memory.dmp
memory/2200-1-0x0000000075290000-0x0000000075291000-memory.dmp
memory/2200-3-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-2-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-4-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-8-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-7-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-6-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-9-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-5-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-12-0x0000000000160000-0x00000000007AE000-memory.dmp
memory/2200-13-0x0000000006120000-0x0000000006738000-memory.dmp
memory/2200-14-0x0000000005A90000-0x0000000005AA2000-memory.dmp
memory/2200-15-0x0000000005C10000-0x0000000005D1A000-memory.dmp
memory/2200-16-0x0000000005B00000-0x0000000005B3C000-memory.dmp
memory/2200-17-0x0000000000160000-0x00000000007AE000-memory.dmp
memory/2200-18-0x0000000005B40000-0x0000000005B8C000-memory.dmp
memory/2200-19-0x0000000075290000-0x0000000075291000-memory.dmp
memory/2200-20-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-21-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-22-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-23-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-24-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-25-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-26-0x0000000075270000-0x0000000075360000-memory.dmp
memory/2200-28-0x0000000075270000-0x0000000075360000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
117s
Max time network
119s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe
"C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\94846865652.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\35834952490.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\04432548783.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:80 | iplogger.org | tcp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
Files
memory/2980-3-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2980-2-0x0000000000220000-0x0000000000250000-memory.dmp
memory/2980-1-0x0000000002460000-0x0000000002560000-memory.dmp
memory/2980-20-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2980-22-0x0000000000220000-0x0000000000250000-memory.dmp
memory/2980-19-0x0000000000400000-0x00000000023BB000-memory.dmp
memory/2980-21-0x0000000002460000-0x0000000002560000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\94846865652.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20241023-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2816 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2816 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2816 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 2816 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe
"C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1120
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
Files
memory/2816-0-0x0000000073C3E000-0x0000000073C3F000-memory.dmp
memory/2816-1-0x0000000000D90000-0x0000000000D9A000-memory.dmp
memory/2816-2-0x0000000073C30000-0x000000007431E000-memory.dmp
memory/2816-3-0x0000000073C30000-0x000000007431E000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
146s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe
"C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1020
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1280
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1476
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\34281967484.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\04930921738.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\04995041431.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2064 -ip 2064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1740
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2064 -ip 2064
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1796
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:80 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.227.145.194.in-addr.arpa | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/2064-1-0x0000000002430000-0x0000000002530000-memory.dmp
memory/2064-2-0x0000000002400000-0x0000000002430000-memory.dmp
memory/2064-3-0x0000000000400000-0x0000000000432000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\34281967484.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/2064-12-0x0000000000400000-0x0000000000432000-memory.dmp
memory/2064-11-0x0000000002400000-0x0000000002430000-memory.dmp
memory/2064-10-0x0000000000400000-0x00000000023BB000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2416 set thread context of 3552 | N/A | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
"C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe"
C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 95.181.172.100:55640 | tcp | |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| RU | 95.181.172.100:55640 | tcp | |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp |
Files
memory/2416-0-0x000000007454E000-0x000000007454F000-memory.dmp
memory/2416-1-0x0000000000DF0000-0x0000000000E8A000-memory.dmp
memory/2416-2-0x0000000005810000-0x0000000005886000-memory.dmp
memory/2416-3-0x00000000057B0000-0x00000000057CE000-memory.dmp
memory/2416-4-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/2416-5-0x0000000005EE0000-0x0000000006484000-memory.dmp
memory/3552-6-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OEmxRS9UaiMPqIKXPz6Ef8jI.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/3552-9-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/2416-10-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/3552-11-0x0000000005360000-0x00000000053F2000-memory.dmp
memory/3552-13-0x0000000005460000-0x0000000005472000-memory.dmp
memory/3552-12-0x00000000063F0000-0x0000000006A08000-memory.dmp
memory/3552-14-0x0000000006160000-0x000000000626A000-memory.dmp
memory/3552-15-0x0000000005710000-0x000000000574C000-memory.dmp
memory/3552-16-0x0000000074540000-0x0000000074CF0000-memory.dmp
memory/3552-17-0x0000000005760000-0x00000000057AC000-memory.dmp
memory/3552-18-0x0000000074540000-0x0000000074CF0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\GameBox\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| File created | C:\Program Files (x86)\GameBox\is-NI9H0.tmp | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\GameBox\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe
"C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"
C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp" /SL5="$401B0,138429,56832,C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | proxycheck.io | udp |
| US | 104.26.9.187:80 | proxycheck.io | tcp |
| US | 8.8.8.8:53 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | udp |
| IN | 3.5.212.101:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
| IN | 3.5.212.101:80 | 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com | tcp |
Files
memory/596-2-0x0000000000401000-0x000000000040B000-memory.dmp
memory/596-0-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp
| MD5 | ffcf263a020aa7794015af0edee5df0b |
| SHA1 | bce1eb5f0efb2c83f416b1782ea07c776666fdab |
| SHA256 | 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64 |
| SHA512 | 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a |
\Users\Admin\AppData\Local\Temp\is-55IIV.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2572-8-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2572-17-0x0000000000390000-0x00000000003CC000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-55IIV.tmp\itdownload.dll
| MD5 | d82a429efd885ca0f324dd92afb6b7b8 |
| SHA1 | 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea |
| SHA256 | b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3 |
| SHA512 | 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df |
memory/2572-19-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2572-20-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2572-23-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2572-22-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2572-21-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2572-24-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/596-25-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2572-27-0x0000000000390000-0x00000000003CC000-memory.dmp
\Program Files (x86)\GameBox\unins000.exe
| MD5 | f0477b622428f93864bfee68dd054e6d |
| SHA1 | 28bef7759909021f7126b41299d0c310746603de |
| SHA256 | fbe9abe3885a928bb762ff4be6e00e55395056ab6d66a8ea0d2fc6a43bdbd75e |
| SHA512 | 7bc1a0b94893cce3cf08b02b224440ce08b716165184816804d979d0c71bd0f8bbd3e5dc645dc7d20356e0f995bff39a2b1e13a4c3b140f9bfafb48965f55afe |
memory/2572-37-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2572-42-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/596-43-0x0000000000400000-0x0000000000414000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe
"C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| NL | 45.14.49.128:5385 | tcp |
Files
memory/4176-0-0x0000000000360000-0x00000000009C0000-memory.dmp
memory/4176-1-0x0000000076070000-0x0000000076071000-memory.dmp
memory/4176-2-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-3-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-6-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-5-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-7-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-4-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-11-0x0000000000360000-0x00000000009C0000-memory.dmp
memory/4176-12-0x0000000005CC0000-0x00000000062D8000-memory.dmp
memory/4176-13-0x0000000005670000-0x0000000005682000-memory.dmp
memory/4176-14-0x00000000057B0000-0x00000000058BA000-memory.dmp
memory/4176-15-0x00000000056E0000-0x000000000571C000-memory.dmp
memory/4176-16-0x0000000005720000-0x000000000576C000-memory.dmp
memory/4176-17-0x0000000000360000-0x00000000009C0000-memory.dmp
memory/4176-18-0x0000000076070000-0x0000000076071000-memory.dmp
memory/4176-20-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-19-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-21-0x0000000076050000-0x0000000076140000-memory.dmp
memory/4176-23-0x0000000076050000-0x0000000076140000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
149s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe
"C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3672 -ip 3672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1580
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/3672-0-0x0000000074C5E000-0x0000000074C5F000-memory.dmp
memory/3672-1-0x00000000001C0000-0x00000000001CA000-memory.dmp
memory/3672-2-0x0000000005230000-0x00000000057D4000-memory.dmp
memory/3672-3-0x0000000074C50000-0x0000000075400000-memory.dmp
memory/3672-4-0x0000000074C50000-0x0000000075400000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240903-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe
"C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp | |
| RU | 185.232.169.198:54681 | tcp |
Files
memory/2844-0-0x0000000001260000-0x0000000001D44000-memory.dmp
memory/2844-1-0x0000000076BB1000-0x0000000076BB2000-memory.dmp
memory/2844-2-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-5-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-4-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-3-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-7-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-6-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-17-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-16-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-21-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-26-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-27-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-25-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-24-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-23-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-22-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-15-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-14-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-13-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-12-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-11-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-10-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-9-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-8-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-28-0x0000000001260000-0x0000000001D44000-memory.dmp
memory/2844-29-0x0000000001260000-0x0000000001D44000-memory.dmp
memory/2844-30-0x0000000001260000-0x0000000001D44000-memory.dmp
memory/2844-31-0x0000000076BB1000-0x0000000076BB2000-memory.dmp
memory/2844-32-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-33-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-34-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-35-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-36-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-37-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-38-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-40-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
memory/2844-41-0x0000000076BA0000-0x0000000076CB0000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
SmokeLoader
Smokeloader family
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe
"C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1820 -ip 1820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 356
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.141.182.52.in-addr.arpa | udp |
Files
memory/1820-2-0x0000000002480000-0x0000000002489000-memory.dmp
memory/1820-1-0x0000000002500000-0x0000000002600000-memory.dmp
memory/1820-3-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1820-6-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1820-5-0x0000000002480000-0x0000000002489000-memory.dmp
memory/1820-4-0x0000000000400000-0x00000000023AE000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20241010-en
Max time kernel
144s
Max time network
147s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2000 set thread context of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
"C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe"
C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
Network
| Country | Destination | Domain | Proto |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp | |
| RU | 95.181.172.100:55640 | tcp |
Files
memory/2000-0-0x00000000748CE000-0x00000000748CF000-memory.dmp
memory/2000-1-0x0000000001350000-0x00000000013EA000-memory.dmp
memory/2000-2-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/2612-3-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2612-5-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2612-14-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2612-11-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2612-9-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2612-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2612-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2612-4-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2612-16-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/2000-15-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/2612-17-0x00000000748C0000-0x0000000074FAE000-memory.dmp
memory/2612-18-0x00000000748C0000-0x0000000074FAE000-memory.dmp
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
135s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe
"C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 780
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1028
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1416
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\05102500038.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\88143984557.exe" /mix
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\71294711291.exe" /mix
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1748
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4604 -ip 4604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1904
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | garbage-cleaner.biz | udp |
| UA | 194.145.227.161:80 | 194.145.227.161 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.74.161:80 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 161.74.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.227.145.194.in-addr.arpa | udp |
| US | 172.67.74.161:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/4604-2-0x0000000003FD0000-0x0000000003FFF000-memory.dmp
memory/4604-1-0x0000000002730000-0x0000000002830000-memory.dmp
memory/4604-3-0x0000000000400000-0x0000000000431000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\05102500038.exe
| MD5 | 6445250d234e789c0c2afe69f119e326 |
| SHA1 | 03074f75c0ff50783d8c2e32d96e39b746540f66 |
| SHA256 | 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f |
| SHA512 | ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e |
memory/4604-12-0x0000000000400000-0x0000000000431000-memory.dmp
memory/4604-11-0x0000000003FD0000-0x0000000003FFF000-memory.dmp
memory/4604-10-0x0000000000400000-0x00000000023BA000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win10v2004-20241007-en
Max time kernel
78s
Max time network
144s
Command Line
Signatures
Vidar
Vidar family
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe
"C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2864 -ip 2864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1036
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eduarroma.tumblr.com | udp |
| US | 74.114.154.18:443 | eduarroma.tumblr.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.154.114.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2864-2-0x0000000004080000-0x000000000411D000-memory.dmp
memory/2864-1-0x0000000002580000-0x0000000002680000-memory.dmp
memory/2864-3-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2864-15-0x0000000000400000-0x00000000004A1000-memory.dmp
memory/2864-14-0x0000000004080000-0x000000000411D000-memory.dmp
memory/2864-13-0x0000000000400000-0x0000000002402000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-07 10:47
Reported
2024-11-07 10:50
Platform
win7-20240729-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe
"C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp | |
| NL | 45.14.49.128:5385 | tcp |
Files
memory/2320-0-0x00000000011D0000-0x0000000001830000-memory.dmp
memory/2320-1-0x00000000769F1000-0x00000000769F2000-memory.dmp
memory/2320-2-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-4-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-12-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-19-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-25-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-24-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-23-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-22-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-21-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-20-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-18-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-17-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-16-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-15-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-14-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-13-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-11-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-10-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-9-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-8-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-7-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-6-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-5-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-3-0x00000000769E0000-0x0000000076AF0000-memory.dmp
memory/2320-30-0x00000000011D0000-0x0000000001830000-memory.dmp
memory/2320-31-0x00000000011D0000-0x0000000001830000-memory.dmp
memory/2320-32-0x00000000769F1000-0x00000000769F2000-memory.dmp