Malware Analysis Report

2024-11-13 19:45

Sample ID 241107-mvp8fs1bph
Target 6ce1075c1eca41e5a2c2a86ef580496414f423529d6db4d4a4b25ecff9f767d1
SHA256 6ce1075c1eca41e5a2c2a86ef580496414f423529d6db4d4a4b25ecff9f767d1
Tags
vidar 937 discovery stealer redline sectoprat test 22.08 infostealer rat trojan gcleaner onlylogger loader @original_finest evasion themida smokeloader pub1 backdoor 23.08
score
10/10

Analysis Overview

score
10/10

SHA256

6ce1075c1eca41e5a2c2a86ef580496414f423529d6db4d4a4b25ecff9f767d1

Threat Level: Known bad

The file 6ce1075c1eca41e5a2c2a86ef580496414f423529d6db4d4a4b25ecff9f767d1 was found to be: Known bad.

Malicious Activity Summary

vidar 937 discovery stealer redline sectoprat test 22.08 infostealer rat trojan gcleaner onlylogger loader @original_finest evasion themida smokeloader pub1 backdoor 23.08

Onlylogger family

Smokeloader family

SmokeLoader

Gcleaner family

RedLine

Vidar family

OnlyLogger

RedLine payload

GCleaner

Redline family

SectopRAT payload

Vidar

Sectoprat family

SectopRAT

OnlyLogger payload

Vidar Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks computer location settings

Checks BIOS information in registry

Loads dropped DLL

Executes dropped EXE

Deletes itself

Looks up external IP address via web service

Checks whether UAC is enabled

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

System Location Discovery: System Language Discovery

Checks SCSI registry key(s)

Kills process with taskkill

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Script User-Agent

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-07 10:47

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20241023-en

Max time kernel

119s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe"

Signatures

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe

"C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 864

Network

Country Destination Domain Proto
US 8.8.8.8:53 eduarroma.tumblr.com udp
US 74.114.154.22:443 eduarroma.tumblr.com tcp

Files

memory/2616-1-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2616-2-0x0000000002480000-0x000000000251D000-memory.dmp

memory/2616-3-0x0000000000400000-0x00000000004A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB241.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarB273.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/2616-60-0x0000000002480000-0x000000000251D000-memory.dmp

memory/2616-59-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/2616-58-0x0000000000400000-0x00000000004A1000-memory.dmp

memory/2616-57-0x0000000000400000-0x0000000002402000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe

"C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 one-wedding-film.xyz udp
US 8.8.8.8:53 getonlinewoostudio.xyz udp
US 8.8.8.8:53 w0rkinginstanc3.xyz udp
US 8.8.8.8:53 2no.co udp
US 104.21.79.229:443 2no.co tcp
US 104.21.79.229:443 2no.co tcp

Files

memory/2332-0-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

memory/2332-1-0x0000000000D30000-0x0000000000D5E000-memory.dmp

memory/2332-2-0x0000000000240000-0x0000000000262000-memory.dmp

memory/2332-3-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

memory/2332-4-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe

"C:\Users\Admin\AppData\Local\Temp\HKPHM9s7J_npOwbKmifWThV8.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 one-wedding-film.xyz udp
US 8.8.8.8:53 getonlinewoostudio.xyz udp
US 8.8.8.8:53 w0rkinginstanc3.xyz udp
US 8.8.8.8:53 2no.co udp
US 172.67.149.76:443 2no.co tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 172.67.149.76:443 2no.co tcp
US 8.8.8.8:53 76.149.67.172.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

memory/3248-0-0x00007FFB07503000-0x00007FFB07505000-memory.dmp

memory/3248-1-0x0000000000470000-0x000000000049E000-memory.dmp

memory/3248-2-0x0000000000D50000-0x0000000000D72000-memory.dmp

memory/3248-3-0x00007FFB07500000-0x00007FFB07FC1000-memory.dmp

memory/3248-5-0x00007FFB07500000-0x00007FFB07FC1000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2320 set thread context of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe
PID 2320 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe

"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"

C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe

"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"

Network

Country Destination Domain Proto
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp

Files

memory/2320-0-0x00000000742EE000-0x00000000742EF000-memory.dmp

memory/2320-1-0x0000000000B50000-0x0000000000C5C000-memory.dmp

memory/2320-2-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/2320-3-0x00000000007C0000-0x00000000007D8000-memory.dmp

memory/2320-4-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/2320-5-0x00000000742EE000-0x00000000742EF000-memory.dmp

memory/2320-6-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/2320-7-0x0000000008380000-0x0000000008424000-memory.dmp

memory/2320-8-0x0000000005F50000-0x0000000005F8A000-memory.dmp

memory/2648-19-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2648-23-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-21-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2320-24-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/2648-15-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-13-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2648-25-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/2648-26-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/2648-27-0x00000000742E0000-0x00000000749CE000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2324 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2576 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2576 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2576 wrote to memory of 2840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe

"C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\03869199344.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\51088616531.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\31148920999.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 garbage-cleaner.biz udp
UA 194.145.227.161:80 194.145.227.161 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp

Files

memory/2324-1-0x0000000002820000-0x0000000002920000-memory.dmp

memory/2324-2-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2324-3-0x0000000000400000-0x00000000023BA000-memory.dmp

memory/2324-19-0x0000000000400000-0x00000000023BA000-memory.dmp

memory/2324-20-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{kiBL-n0vKz-VC3F-Bx0L0}\03869199344.exe

MD5 6445250d234e789c0c2afe69f119e326
SHA1 03074f75c0ff50783d8c2e32d96e39b746540f66
SHA256 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f
SHA512 ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe

"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe"

C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe

"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe" -q

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 752

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameBox\is-KCPON.tmp C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A
File opened for modification C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A
File created C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe

"C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"

C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp

"C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp" /SL5="$60254,138429,56832,C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.8.187:80 proxycheck.io tcp
US 8.8.8.8:53 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com udp
IN 52.219.160.130:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 187.8.26.104.in-addr.arpa udp
IN 52.219.160.130:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
US 8.8.8.8:53 130.160.219.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3048-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3048-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-US8HC.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/3764-6-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RL90J.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/3764-15-0x0000000003A80000-0x0000000003ABC000-memory.dmp

memory/3764-17-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3764-18-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3764-19-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3764-20-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3764-21-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3764-22-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3048-23-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3764-25-0x0000000003A80000-0x0000000003ABC000-memory.dmp

memory/3764-34-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3764-39-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/3048-40-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

146s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2684 set thread context of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe
PID 2684 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe

Processes

C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe

"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"

C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe

"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"

Network

Country Destination Domain Proto
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp

Files

memory/2684-0-0x000000007457E000-0x000000007457F000-memory.dmp

memory/2684-1-0x0000000000B00000-0x0000000000BEC000-memory.dmp

memory/2684-2-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/2684-3-0x0000000000340000-0x0000000000358000-memory.dmp

memory/2684-4-0x000000007457E000-0x000000007457F000-memory.dmp

memory/2684-5-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/2684-6-0x0000000007250000-0x00000000072E8000-memory.dmp

memory/2684-7-0x0000000000720000-0x000000000074E000-memory.dmp

memory/2704-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2704-18-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2704-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2704-14-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2704-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2704-10-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2684-24-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/2704-23-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2704-20-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2704-25-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/2704-26-0x0000000074570000-0x0000000074C5E000-memory.dmp

memory/2704-27-0x0000000074570000-0x0000000074C5E000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe

"C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe"

Network

Country Destination Domain Proto
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp

Files

memory/1908-0-0x0000000000E30000-0x0000000001490000-memory.dmp

memory/1908-1-0x0000000075081000-0x0000000075082000-memory.dmp

memory/1908-11-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-10-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-9-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-8-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-17-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-19-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-18-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-25-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-23-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-22-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-21-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-20-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-16-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-15-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-14-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-13-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-29-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-12-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-7-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-6-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-5-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-4-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-3-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-2-0x0000000075070000-0x0000000075180000-memory.dmp

memory/1908-30-0x0000000000E30000-0x0000000001490000-memory.dmp

memory/1908-31-0x0000000000E30000-0x0000000001490000-memory.dmp

memory/1908-32-0x0000000075081000-0x0000000075082000-memory.dmp

memory/1908-33-0x0000000075070000-0x0000000075180000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe

"C:\Users\Admin\AppData\Local\Temp\OvVYhhgvd6ZhUony5cRMqVoB.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp

Files

memory/1820-0-0x0000000000D60000-0x00000000013C0000-memory.dmp

memory/1820-1-0x00000000772F0000-0x00000000772F1000-memory.dmp

memory/1820-2-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-3-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-6-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-5-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-4-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-10-0x0000000000D60000-0x00000000013C0000-memory.dmp

memory/1820-11-0x00000000065F0000-0x0000000006C08000-memory.dmp

memory/1820-12-0x0000000005FA0000-0x0000000005FB2000-memory.dmp

memory/1820-13-0x00000000060E0000-0x00000000061EA000-memory.dmp

memory/1820-14-0x0000000006010000-0x000000000604C000-memory.dmp

memory/1820-15-0x0000000006050000-0x000000000609C000-memory.dmp

memory/1820-16-0x0000000000D60000-0x00000000013C0000-memory.dmp

memory/1820-17-0x00000000772F0000-0x00000000772F1000-memory.dmp

memory/1820-18-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-19-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-20-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-21-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-22-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-23-0x00000000772D0000-0x00000000773C0000-memory.dmp

memory/1820-25-0x00000000772D0000-0x00000000773C0000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

14s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe

"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe"

C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe

"C:\Users\Admin\AppData\Local\Temp\FEhkB_OsaHE2y08GZpzK8pPE.exe" -q

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe

"C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 136

Network

N/A

Files

memory/1724-1-0x00000000024E0000-0x00000000025E0000-memory.dmp

memory/1724-2-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1724-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1724-4-0x0000000000400000-0x00000000023AE000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe

"C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp

Files

memory/368-0-0x0000000000150000-0x0000000000C34000-memory.dmp

memory/368-1-0x00000000765A0000-0x00000000765A1000-memory.dmp

memory/368-3-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-5-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-4-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-2-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-6-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-9-0x0000000000150000-0x0000000000C34000-memory.dmp

memory/368-10-0x0000000000150000-0x0000000000C34000-memory.dmp

memory/368-11-0x0000000005DB0000-0x0000000006354000-memory.dmp

memory/368-13-0x00000000058E0000-0x0000000005972000-memory.dmp

memory/368-12-0x0000000006980000-0x0000000006F98000-memory.dmp

memory/368-14-0x0000000005890000-0x00000000058A2000-memory.dmp

memory/368-15-0x0000000005A90000-0x0000000005B9A000-memory.dmp

memory/368-16-0x00000000063E0000-0x000000000641C000-memory.dmp

memory/368-17-0x0000000006420000-0x000000000646C000-memory.dmp

memory/368-18-0x0000000000150000-0x0000000000C34000-memory.dmp

memory/368-20-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-19-0x00000000765A0000-0x00000000765A1000-memory.dmp

memory/368-21-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-23-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-22-0x0000000076580000-0x0000000076670000-memory.dmp

memory/368-25-0x0000000076580000-0x0000000076670000-memory.dmp

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2884 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2664 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2664 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2664 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2664 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe

"C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\62864257160.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\61369291315.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\89984158093.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 garbage-cleaner.biz udp
UA 194.145.227.161:80 194.145.227.161 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 172.67.74.161:443 iplogger.org tcp

Files

memory/2884-1-0x00000000024C0000-0x00000000025C0000-memory.dmp

memory/2884-3-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2884-2-0x0000000000220000-0x0000000000250000-memory.dmp

memory/2884-22-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2884-20-0x0000000000220000-0x0000000000250000-memory.dmp

memory/2884-21-0x00000000024C0000-0x00000000025C0000-memory.dmp

memory/2884-19-0x0000000000400000-0x00000000023BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\62864257160.exe

MD5 6445250d234e789c0c2afe69f119e326
SHA1 03074f75c0ff50783d8c2e32d96e39b746540f66
SHA256 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f
SHA512 ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3836 set thread context of 1196 N/A C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe

"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"

C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe

"C:\Users\Admin\AppData\Local\Temp\fCe2q13vzDk3gxn554bfaSDi.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp
RU 94.103.83.88:65136 tcp

Files

memory/3836-0-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/3836-1-0x00000000007F0000-0x00000000008FC000-memory.dmp

memory/3836-2-0x00000000057E0000-0x0000000005D84000-memory.dmp

memory/3836-3-0x0000000005310000-0x00000000053A2000-memory.dmp

memory/3836-4-0x00000000053B0000-0x000000000544C000-memory.dmp

memory/3836-5-0x0000000005300000-0x000000000530A000-memory.dmp

memory/3836-6-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/3836-7-0x0000000005F20000-0x0000000005F38000-memory.dmp

memory/3836-8-0x00000000744BE000-0x00000000744BF000-memory.dmp

memory/3836-9-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/3836-10-0x0000000006A20000-0x0000000006AC4000-memory.dmp

memory/3836-11-0x000000000AE60000-0x000000000AE9A000-memory.dmp

memory/1196-12-0x0000000000400000-0x0000000000420000-memory.dmp

memory/3836-15-0x00000000744B0000-0x0000000074C60000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fCe2q13vzDk3gxn554bfaSDi.exe.log

MD5 84e77a587d94307c0ac1357eb4d3d46f
SHA1 83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256 e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512 aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

memory/1196-16-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/1196-17-0x0000000005380000-0x0000000005998000-memory.dmp

memory/1196-18-0x0000000004E20000-0x0000000004E32000-memory.dmp

memory/1196-19-0x0000000004F90000-0x000000000509A000-memory.dmp

memory/1196-20-0x0000000004EC0000-0x0000000004EFC000-memory.dmp

memory/1196-21-0x00000000744B0000-0x0000000074C60000-memory.dmp

memory/1196-22-0x0000000004F00000-0x0000000004F4C000-memory.dmp

memory/1196-23-0x00000000744B0000-0x0000000074C60000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1428 set thread context of 1216 N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe

"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"

C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe

"C:\Users\Admin\AppData\Local\Temp\GcNRfPQrt7430052z4jWGX0i.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp
DE 159.69.190.155:35975 tcp

Files

memory/1428-0-0x000000007460E000-0x000000007460F000-memory.dmp

memory/1428-1-0x00000000008D0000-0x00000000009BC000-memory.dmp

memory/1428-2-0x0000000007D80000-0x0000000008324000-memory.dmp

memory/1428-3-0x0000000007870000-0x0000000007902000-memory.dmp

memory/1428-4-0x00000000079B0000-0x0000000007A4C000-memory.dmp

memory/1428-6-0x0000000002C70000-0x0000000002C7A000-memory.dmp

memory/1428-5-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/1428-7-0x0000000007990000-0x00000000079A8000-memory.dmp

memory/1428-8-0x000000007460E000-0x000000007460F000-memory.dmp

memory/1428-9-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/1428-10-0x00000000092C0000-0x0000000009358000-memory.dmp

memory/1428-11-0x0000000006580000-0x00000000065AE000-memory.dmp

memory/1216-12-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\GcNRfPQrt7430052z4jWGX0i.exe.log

MD5 84e77a587d94307c0ac1357eb4d3d46f
SHA1 83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256 e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512 aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

memory/1428-16-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/1216-17-0x0000000005800000-0x0000000005E18000-memory.dmp

memory/1216-18-0x00000000052A0000-0x00000000052B2000-memory.dmp

memory/1216-15-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/1216-19-0x0000000005300000-0x000000000533C000-memory.dmp

memory/1216-20-0x0000000005340000-0x000000000538C000-memory.dmp

memory/1216-21-0x0000000074600000-0x0000000074DB0000-memory.dmp

memory/1216-22-0x0000000005620000-0x000000000572A000-memory.dmp

memory/1216-23-0x0000000074600000-0x0000000074DB0000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2564 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2564 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 3064 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3064 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3064 wrote to memory of 3992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe

"C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1296

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1488

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\36505323100.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\95357621793.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\24264079468.exe" /mix

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1860

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2564 -ip 2564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2564 -s 1576

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 garbage-cleaner.biz udp
UA 194.145.227.161:80 194.145.227.161 tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 161.227.145.194.in-addr.arpa udp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 46.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

memory/2564-1-0x0000000002400000-0x0000000002500000-memory.dmp

memory/2564-2-0x0000000003FC0000-0x0000000003FF0000-memory.dmp

memory/2564-3-0x0000000000400000-0x0000000000432000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{pIDW-3rULs-PIZp-25CSn}\36505323100.exe

MD5 6445250d234e789c0c2afe69f119e326
SHA1 03074f75c0ff50783d8c2e32d96e39b746540f66
SHA256 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f
SHA512 ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

memory/2564-12-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2564-11-0x0000000003FC0000-0x0000000003FF0000-memory.dmp

memory/2564-10-0x0000000000400000-0x00000000023BB000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe

"C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe"

Network

Country Destination Domain Proto
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp

Files

memory/2788-0-0x00000000012D0000-0x000000000191E000-memory.dmp

memory/2788-1-0x0000000076C21000-0x0000000076C22000-memory.dmp

memory/2788-5-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-4-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-10-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-13-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-20-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-26-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-25-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-24-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-23-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-22-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-21-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-19-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-18-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-12-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-11-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-17-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-9-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-8-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-7-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-6-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-3-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-2-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-27-0x00000000012D0000-0x000000000191E000-memory.dmp

memory/2788-28-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-29-0x00000000012D0000-0x000000000191E000-memory.dmp

memory/2788-30-0x0000000076C21000-0x0000000076C22000-memory.dmp

memory/2788-31-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-33-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-32-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-36-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-35-0x0000000076C10000-0x0000000076D20000-memory.dmp

memory/2788-34-0x0000000076C10000-0x0000000076D20000-memory.dmp

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe

"C:\Users\Admin\AppData\Local\Temp\QKvpJeDIaPtXDcwKwH_WmAYY.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
RU 188.124.36.242:25802 tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 188.124.36.242:25802 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
RU 188.124.36.242:25802 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp
RU 188.124.36.242:25802 tcp

Files

memory/2200-0-0x0000000000160000-0x00000000007AE000-memory.dmp

memory/2200-1-0x0000000075290000-0x0000000075291000-memory.dmp

memory/2200-3-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-2-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-4-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-8-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-7-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-6-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-9-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-5-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-12-0x0000000000160000-0x00000000007AE000-memory.dmp

memory/2200-13-0x0000000006120000-0x0000000006738000-memory.dmp

memory/2200-14-0x0000000005A90000-0x0000000005AA2000-memory.dmp

memory/2200-15-0x0000000005C10000-0x0000000005D1A000-memory.dmp

memory/2200-16-0x0000000005B00000-0x0000000005B3C000-memory.dmp

memory/2200-17-0x0000000000160000-0x00000000007AE000-memory.dmp

memory/2200-18-0x0000000005B40000-0x0000000005B8C000-memory.dmp

memory/2200-19-0x0000000075290000-0x0000000075291000-memory.dmp

memory/2200-20-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-21-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-22-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-23-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-24-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-25-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-26-0x0000000075270000-0x0000000075360000-memory.dmp

memory/2200-28-0x0000000075270000-0x0000000075360000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2980 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2980 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2508 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2508 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2508 wrote to memory of 2584 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe

"C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\94846865652.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\35834952490.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\04432548783.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\HyHVsV9i0LBAcDVqJzUYu3Hy.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "HyHVsV9i0LBAcDVqJzUYu3Hy.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 garbage-cleaner.biz udp
UA 194.145.227.161:80 194.145.227.161 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:80 iplogger.org tcp
US 104.26.2.46:443 iplogger.org tcp

Files

memory/2980-3-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2980-2-0x0000000000220000-0x0000000000250000-memory.dmp

memory/2980-1-0x0000000002460000-0x0000000002560000-memory.dmp

memory/2980-20-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2980-22-0x0000000000220000-0x0000000000250000-memory.dmp

memory/2980-19-0x0000000000400000-0x00000000023BB000-memory.dmp

memory/2980-21-0x0000000002460000-0x0000000002560000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{Iv2I-8FnAk-HGNI-QNeZN}\94846865652.exe

MD5 6445250d234e789c0c2afe69f119e326
SHA1 03074f75c0ff50783d8c2e32d96e39b746540f66
SHA256 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f
SHA512 ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20241023-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe

"C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 1120

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp

Files

memory/2816-0-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

memory/2816-1-0x0000000000D90000-0x0000000000D9A000-memory.dmp

memory/2816-2-0x0000000073C30000-0x000000007431E000-memory.dmp

memory/2816-3-0x0000000073C30000-0x000000007431E000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 1268 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe C:\Windows\SysWOW64\cmd.exe
PID 3588 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3588 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3588 wrote to memory of 2244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe

"C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1280

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1476

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\34281967484.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\04930921738.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\04995041431.exe" /mix

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2064 -ip 2064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1740

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\Mr4X5srRQR20TfuVZShfsrAN.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2064 -ip 2064

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "Mr4X5srRQR20TfuVZShfsrAN.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 1796

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 garbage-cleaner.biz udp
UA 194.145.227.161:80 194.145.227.161 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.3.46:80 iplogger.org tcp
US 8.8.8.8:53 46.3.26.104.in-addr.arpa udp
US 8.8.8.8:53 161.227.145.194.in-addr.arpa udp
US 104.26.3.46:443 iplogger.org tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\34281967484.exe

MD5 6445250d234e789c0c2afe69f119e326
SHA1 03074f75c0ff50783d8c2e32d96e39b746540f66
SHA256 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f
SHA512 ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2416 set thread context of 3552 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

"C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe"

C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\OEmxRS9UaiMPqIKXPz6Ef8jI.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A
File created C:\Program Files (x86)\GameBox\is-NI9H0.tmp C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A
File opened for modification C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe

"C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"

C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp" /SL5="$401B0,138429,56832,C:\Users\Admin\AppData\Local\Temp\FQ5NRIxS9E6fSVzjWc_kvJni.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.9.187:80 proxycheck.io tcp
US 8.8.8.8:53 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com udp
IN 3.5.212.101:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
IN 3.5.212.101:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\is-JV1UL.tmp\FQ5NRIxS9E6fSVzjWc_kvJni.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

\Users\Admin\AppData\Local\Temp\is-55IIV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-55IIV.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

\Program Files (x86)\GameBox\unins000.exe

MD5 f0477b622428f93864bfee68dd054e6d
SHA1 28bef7759909021f7126b41299d0c310746603de
SHA256 fbe9abe3885a928bb762ff4be6e00e55395056ab6d66a8ea0d2fc6a43bdbd75e
SHA512 7bc1a0b94893cce3cf08b02b224440ce08b716165184816804d979d0c71bd0f8bbd3e5dc645dc7d20356e0f995bff39a2b1e13a4c3b140f9bfafb48965f55afe

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe

"C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 25.173.189.20.in-addr.arpa udp
NL 45.14.49.128:5385 tcp

Files

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe

"C:\Users\Admin\AppData\Local\Temp\LIAbdwyShKY89Z9xSWSzZEGp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3672 -ip 3672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 1580

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240903-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe

"C:\Users\Admin\AppData\Local\Temp\JntlxTU2VSh_6o3pBeenGZXP.exe"

Network

Country Destination Domain Proto
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp
RU 185.232.169.198:54681 tcp

Files

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe

"C:\Users\Admin\AppData\Local\Temp\Ls1JHbNzSCujAe0rcXjY2nJE.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1820 -ip 1820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 356

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20241010-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2000 set thread context of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe
PID 2000 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

Processes

C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

"C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe"

C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

C:\Users\Admin\AppData\Local\Temp\OEmxRS9UaiMPqIKXPz6Ef8jI.exe

Network

Country Destination Domain Proto
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp

Files

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4604 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4604 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe C:\Windows\SysWOW64\cmd.exe
PID 4920 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4920 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4920 wrote to memory of 1620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe

"C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1416

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\05102500038.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\88143984557.exe" /mix

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\71294711291.exe" /mix

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1748

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\fyiHA5hP7V19p7libPJSzjUi.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1904

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "fyiHA5hP7V19p7libPJSzjUi.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 garbage-cleaner.biz udp
UA 194.145.227.161:80 194.145.227.161 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.74.161:80 iplogger.org tcp
US 8.8.8.8:53 161.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 161.227.145.194.in-addr.arpa udp
US 172.67.74.161:443 iplogger.org tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4604-2-0x0000000003FD0000-0x0000000003FFF000-memory.dmp

memory/4604-1-0x0000000002730000-0x0000000002830000-memory.dmp

memory/4604-3-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{HZMY-E8cVb-dEim-of5Dw}\05102500038.exe

MD5 6445250d234e789c0c2afe69f119e326
SHA1 03074f75c0ff50783d8c2e32d96e39b746540f66
SHA256 2e6cd9433e66a9ebde268bc6949d4660de441790bd39ffc9cb0f4caaeb44320f
SHA512 ecd094a4d026378f85435f8a2dc16c92c033aff92ba126d8bbb22d6b279b842d417f4df0f63199ea248d0ec64b9679acb5a1f835560d8e3c5b84be492cc0e68e

memory/4604-12-0x0000000000400000-0x0000000000431000-memory.dmp

memory/4604-11-0x0000000003FD0000-0x0000000003FFF000-memory.dmp

memory/4604-10-0x0000000000400000-0x00000000023BA000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win10v2004-20241007-en

Max time kernel

78s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe"

Signatures

Vidar

stealer vidar

Vidar family

vidar

Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe

"C:\Users\Admin\AppData\Local\Temp\GEWsqYhryxfuQuVPf7TWao_Z.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2864 -ip 2864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 1036

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 eduarroma.tumblr.com udp
US 74.114.154.18:443 eduarroma.tumblr.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 18.154.114.74.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/2864-2-0x0000000004080000-0x000000000411D000-memory.dmp

memory/2864-1-0x0000000002580000-0x0000000002680000-memory.dmp

memory/2864-3-0x0000000000400000-0x00000000004A1000-memory.dmp

memory/2864-15-0x0000000000400000-0x00000000004A1000-memory.dmp

memory/2864-14-0x0000000004080000-0x000000000411D000-memory.dmp

memory/2864-13-0x0000000000400000-0x0000000002402000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-07 10:47

Reported

2024-11-07 10:50

Platform

win7-20240729-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe

"C:\Users\Admin\AppData\Local\Temp\JC2pSzOI0YLF3KGWlIzGFqqp.exe"

Network

Country Destination Domain Proto
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp

Files

memory/2320-0-0x00000000011D0000-0x0000000001830000-memory.dmp

memory/2320-1-0x00000000769F1000-0x00000000769F2000-memory.dmp

memory/2320-2-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-4-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-12-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-19-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-25-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-24-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-23-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-22-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-21-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-20-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-18-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-17-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-16-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-15-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-14-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-13-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-11-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-10-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-9-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-8-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-7-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-6-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-5-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-3-0x00000000769E0000-0x0000000076AF0000-memory.dmp

memory/2320-30-0x00000000011D0000-0x0000000001830000-memory.dmp

memory/2320-31-0x00000000011D0000-0x0000000001830000-memory.dmp

memory/2320-32-0x00000000769F1000-0x00000000769F2000-memory.dmp