Malware Analysis Report

2024-11-13 19:46

Sample ID 241108-hg6k3axhlq
Target 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc
SHA256 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc
Tags cryptbot discovery spyware stealer upx gcleaner onlylogger loader
Score 10/10

Analysis Overview

Score 10/10

SHA256

360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc

Threat Level: Known bad

The file 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc was found to be: Known bad.

Malicious Activity Summary

CryptBot

Gcleaner family

Onlylogger family

CryptBot payload

OnlyLogger

GCleaner

Cryptbot family

OnlyLogger payload

Executes dropped EXE

Drops startup file

Loads dropped DLL

Reads user/profile data of web browsers

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

UPX packed file

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-08 06:43

Signatures

UPX packed file

upx
Description Indicator Process Target

Unsigned PE

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240729-en

Max time kernel

143s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

UPX packed file

upx

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 basessri42.top udp

Files

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

MD5 caed8140308f2f9b672591aa068b4a3c
SHA1 239432832f5a7adcb5a0b62c87a6a5d9ff19825b
SHA256 be9a3ae568cff174a79789c8f9c5a4b6212cf1f13172b378af57702d8492b3b9
SHA512 7c36417e70d60a68ced74867a86cd9069af9c13d5bf95f6cd596de0f6c4e61f50b999a57a50d2ca691e2811846f9f77340b74687cda6d6fb6b12234b435f8cfb

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

MD5 6d2e0a1b75e53207b8f414673db7deb8
SHA1 19be3d07c71d1ef51e77ecac738767b4d1101298
SHA256 bdee07fbc4a865cfb4a61d681467a36b44c56418f8a117627b676d9aec7358fc
SHA512 f7d0c5f6764698b8cbc152c1b157b760d5e58cd7844820cd5f5709b6d73b48fd26fbc093124cf8f42d6c265a6654e8a972bf7e3537dde7a95b9406d18f301028

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

MD5 5cac59a9d3e3ac4138b3f353a2675d90
SHA1 e43c74dcd13ce81bfbf294b888bf51761c61bc3b
SHA256 81e6d3922db75a7312dff543dbfa3a9bd2b0c9666cc7c0d48e936b856f7515fd
SHA512 714a07ea41d079c000a8d4e61b219a84c35b12ebe397842d6c63429bf59e3645fde6182829ba4cfd51b7937768609afb1aa6b1fb36b47f9d1a16c1c14a0fa0b9

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

MD5 f994df90cee0dcb836aa1910f263ec15
SHA1 3a0b90804a5c79a952e0677c9e28a04966df3fdd
SHA256 db120ea7c45777239e76b0dd165d6676698bc2e1976523d4071760828fca1b72
SHA512 64365633b031444f9e2f214974a9c34825c656f12b96b2ff331c129b59b12dc7e8c79d7099e55742085809bf504e6678fda1b13089b128c9ad4bdd9968893738

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt

MD5 5bb5750146e910367ef481661b50c47f
SHA1 8fd675fabd66780d6e29376c993499376612fab4
SHA256 f69ded66892f3e8e6a7f042bd492b07fdb5b2b6e4716fd9711e21bea7c72bf75
SHA512 f0d63db64811c1abe54c8490b81370c9f925bdb0bf56946c11393e8daeb819de14f3e63ef1135e3f029b03cfcea864f870e1e526177528296eb1c5852e04b8c0

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

MD5 51f9f3112b0b8d38722d4132e532a8aa
SHA1 7901bdba976b400b8033d0a6956e4054ddf06829
SHA256 e9b13bdb1700ee35e663f9cdf950ccb30da37df756b74deda8293b67714c435f
SHA512 e090fb727775275c4e8d60e491f2dc204b48102f843f24a741a9cf17e5ab40e9c6be4ab96cf871976cc8abbb4154b6d609585faf930d699c8b7adea161210aef

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

MD5 6979364f6fbcf39e786b59b33f725184
SHA1 fd56af67f4f0c5f40483553b7fc9ebcae35ab9a5
SHA256 45fe741cb4ba3c53d4241aba8445b2140a530bad5e64ce1bfe328789a2dbd0c3
SHA512 558a7b61040e34611874ed18d66f6ef53f643b2bd9b1cfc8ec7cb68028932640ffc7db54e5e61d099ab8625384b238b7b0487ee11bc4ef105fffc3ef1a209a91

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

MD5 156db86b04635e91034410a98ae4762d
SHA1 0ee5c8a0a89cbf8ba7b4cd9039944566f217ca0b
SHA256 07ce4c37d2c65ff857039a58e50a71b5e328f3c59fcb275d97983ada6743fecc
SHA512 cb3b10692456134ea0a6156bbaf6ea9314967512b9c1fd3d59a8bdb9e136d02c4813a0a262871c313b658096b11257d789143ec974bb0170b23b177e8a8167cc

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt

MD5 668134af186ccb6337f0971d711df5d8
SHA1 c9121cd7abefba115908e80375304f0eac7d82d9
SHA256 e69e3c424bfd635f4e57396df509b2cd06394828cb7bd24521056c885da62b4b
SHA512 db1f727dc4ce39181b40fc99371fd5e784640ef8577cd6e77986773d3305c4bae5d36373be8c2b06fa176dbd762835dda46e024c94767dd454f4e8e6c4a9dcde

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Screen_Desktop.jpeg

MD5 1a97e97e8c6302d155d7197f5b74d13d
SHA1 625e6b92de999741ec3a83b77a89937b67a7b364
SHA256 c0265ac446049b2a210cfd2eb9c50d86871726c55f11d795330fe0d6fa2492b0
SHA512 e639e5668e06adbca6bb4dfe94da86b35ec8e7dfbdf99337c5d48e36b5c0f7c4e7600882899936c4b01c63d76d893a2e623f639acf0cdde614c88af3c78ad760

C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\ZVnrdjpyWA.zip

MD5 823d9c724183d7f44f7929813dec7d73
SHA1 a2dd0b12bfa58b33dd5fc21a0a6ac80d996ad3b7
SHA256 78013ddc9d38b6129b9fffebf585602161cdf2bd7d5fffff360515c857ea9e0c
SHA512 bd1f5d80d6550711e0038df794ff5fa60218d1e69f1c059cbfb9e220aa353f17e5010252619066537c5cbeaad89bb7f55af7e228c56f8ebd53e0370aa50e1620

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20241010-en

Max time kernel

149s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 needioerw02.top udp

Files

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

MD5 18d99c15a942305d365644b7096536bf
SHA1 ebfc71778058be4f2a9cf830bf508e5caa5276e6
SHA256 babba0c95aca5d8db0dd7268e0b3cb64e1741b863bef12af2c629a66c747dcf9
SHA512 51b91bfc3e2204c98455d6f6c0ec3b02e4d82e2132ec76816001258c693b9b7345d38768e40aa2961fb966d7581f5cb7eecdbf29e6b71800b6a20bc710553484

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

MD5 6a7f92aeee653fef9b57efcfd7d6858a
SHA1 8c5d9ce1fb39e28b45955947c8653a968289df23
SHA256 cdd3624b078791b5f7a5fc641321e00e0b0e73eb0e75affbda4b36a3291e9ebd
SHA512 285388ebbe319f57435aa5af3dc43a6e2dcb32da20f0a689dcdd5369ef8c1d02814fa387f7c4127d1470fcf194571565527927295034741bbd0917a1338c4257

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

MD5 8ba855105258074ed53d37236e71e883
SHA1 61f14eec58833f1016ec1a1218222cac3227af70
SHA256 2ee72b1afab3e45e17fb608f710a0140727cceafe267d5c086cd4d1434337594
SHA512 9ecb2c4203bb621699fb63c2047e50c67ae62a6fb3010c65f6f490a8ffce7711734498d318439fc693df9c585958a99303e82c4eae268a6692617d2fa3578bb9

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

MD5 ce90c1a56f2070dcd505a86ed389f362
SHA1 f6dcdf514e27622b69a1fe445253caa234c92eea
SHA256 050651927e053313415d7a597395ac5257f67aefed671b770a08a2d0cc5a3300
SHA512 39b213a1147542521c446a2b30e2db901552251363d92abe4e5bac096b1667ce4a08b8a273f1ef20d5e82dd566252406deb4c4417e782b1fde10ee35c5d59a2e

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

MD5 2c2243754b6e094e555171cfa7f8c182
SHA1 9a8318129aa5c6020f1bf0b5e9632836ad794c65
SHA256 6c8683f31246753b7fdc8986d310ac21d94c0f5bbb3051952e407e28d5411d0c
SHA512 621a4315447504e81f9f85a6db1e1d06b0f9efb9922b3fdb1b4b1638192c55bcda69593e2e345b44fabcff6853eeab7ec0b6c2878e9e8ea7437b75c3e5d630f6

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt

MD5 52f7b2b35a69df44f087f4bec9279ade
SHA1 84f4b4c4309e72056a245e6c317cf8d26534de79
SHA256 fda44806b4a767c04fd6e19ea21b745903cddec70a1d2c4ecf780cadd19d30d4
SHA512 eb4dfeeebc256a34e1a03da6f701ec62400e6a4883504ac8d6d7dcc377dc16b364bbf0339c03b594234d93129aa4c8a887fb8e9698c71db651db9bffaa9267be

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\files_\system_info.txt

MD5 819d03116b40b99128f06c426d3bb70f
SHA1 900259dfd7610bc922fc1e4e83fa4a0e61f6782d
SHA256 7d7e30282273bec84b7c9c07916ac27b42b42b43a3701137ef310dfd3b20eda4
SHA512 4024467b131b0fb66355ad1019d14f79616b34fe2d5cfc843d7153dc8743910779ab5d0ce1cffe69dad8f387ad1455d041c467c59db29bdc21c63b813fabb916

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\files_\system_info.txt

MD5 d6fe7c3262bc630bbd8def3b8e0486ef
SHA1 4b88227042b397c5636dcc0b32ea90555000e709
SHA256 f090c2d2c12f41aab3ba1f5d50d7e3699f20ca8305f405caa4c1d73fdc36cc10
SHA512 5338a2823df94d5b521ae93d35879c910629fbdfaa216839e507a010744799b0b3727c47228573fe691b71f778cd0cba0c4b6ef9f6b00fd46f8581d4fa644d4e

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\files_\system_info.txt

MD5 01701dad40619754872284517acb82ac
SHA1 b63c004eeb258a9a9f57f542493a6d6afa625e74
SHA256 274d677e8c2afe4f8048d93a6357abc09752848c68fcab096cba3f79a3d16b34
SHA512 46ab290186d22fdbcb7d162ac698060e1401f7fd11963b9cf715d3f062e193454433cb98a98888ca139f5f8001db18c6f801a793950acde1f588f8ca30b5284a

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Screen_Desktop.jpeg

MD5 5c500e7454fa77bc4021366d532c3b5b
SHA1 b6980902d5a3044826ae81da60aaf552f4323744
SHA256 45d0a65f4d9327beaa0fadbb94c0dae496ac04c4bab9bddc36f32b6025037054
SHA512 3f2f633969153a63ba6b45e08fc0f22c0cdea72207236817db8c23f05b9094b5de081f0b8c2336b63d782c339b1cc01ec9dfe82b79bff3b6540ba274ede3c222

C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\PqzgshgUs0Zbbb.zip

MD5 01ad1027365ec4287b2c94507e1d356d
SHA1 17f9011712436049a8bf335236a3f526c0ded702
SHA256 b710a091cd3aa96d96f21d2d8bbbafb1afc3fc73d057ffdf52d6da20098289d6
SHA512 c548b83331449e4cb84a5bf123432cfa81267c8a344f10c6637fa504dd84570bc116f9fe4721e9df8e8080b3e0130cf28c31f57f19c0bc2f7103b871418e0b1f

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe
PID 2868 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 2524 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe

"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"

C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe

"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

Network

N/A

Files

\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 7c206dae3d5cb963584b75a2ecce94a8
SHA1 7eaff221e85eba8400bed8f7dc156b7984f2e08c
SHA256 1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b
SHA512 62d67495e0ea6a689a90fcd347b73331866b36c3a2cd865a3f799b2ad31805426dc60b065ee8326912b07182893ef134304d985eae920ee771173c16b93b6b10

Analysis: behavioral28

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe

"C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 basessrn17.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp

Files

memory/4020-1-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/4020-2-0x0000000005650000-0x00000000056F0000-memory.dmp

memory/4020-3-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/4020-4-0x0000000000400000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

MD5 4ae55559cad102385dda060c2d981e2a
SHA1 2000dfac7ac9f32b932aa0ae764391c647420e7b
SHA256 6d050e6b7d4ff70a9693d972cdaa959a00e7f4f4ce1b2d8ae0f58061c687846b
SHA512 06605fc8dd8a51c2f252edbf058c29a7b42e6a446069fd332671742413ecda013b96de3062c7c8e1ba4121691c8f6185131018d672d3e192813087bbbdad4975

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

MD5 3fe2c0481e0d417eec5ca141b97f75d7
SHA1 37f522b1849b333000dc32b44e5171f4571154c3
SHA256 d4ac0fbc0e1c0f93c0f648a1e9cc82a7fcc981bb01ead846d323d1f632ff32ac
SHA512 d6b20002b762958e1d2c10d29284cbd4873a17a30e57eec4c8de8651cd9bf23a24191d67bfaec314e4ae867d62ccb8db90a4133bd4c408eeb91aa15d8f4b0cca

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

MD5 630b6add90911ca328640c68dfc2e36d
SHA1 0ce9facc0ccb37901f96e1a20c6955dc7997d019
SHA256 6c9781064642ede95f0112ed15e8a91378c862f9e0b6a4381e7d4b3b12f249a3
SHA512 b2ad2b35da0ef89c992f014682df7d5a4a9cf363dcf625dc1611418566201ee083fb082c4ece7403538cef145e3e7647aa1da801499632c8b3d5007e5d8cbcc3

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg

MD5 937a08bdbad1b0756ff169cf99b0fad1
SHA1 bd2b00ce406c8b42a1ba9dda4574d33de2b1bc68
SHA256 22dab6a07f2981561a63b28cd38707f5b3946100a888a42fafbea67460741681
SHA512 db8e480c83fa251fcada152b8a0ac77df22c700c9c6a3f45293d721ffb5cde1b9bd421724506910a397066534c5938b2372c2064bf7056a8d96a4d1da1743aef

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 d5fe614c40a2e75e74fdd7aecbc400db
SHA1 2d1d6710964f3253dad143eda303a63750b4157d
SHA256 e8803fb3ee4311276b4f9a6bd7b050fb540969765da15e0d6cd7993ea1b7bd3d
SHA512 c1a3ee1a75a7fe15f15a9e7db10b48570eb5cfccf85909c2ee3aba1b9fba6b50c377a1782d49148182821e8f40bcc84d99a5ea3d5d11e5f9af132b0288e9ab42

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 269a6974de4f24c645e419845d8d0724
SHA1 a9ce214e6b46d69a2a6ee658c61fb621d8d40da2
SHA256 2e9d4aef672af71b239c82f345b0a13e87b72c47ea2a552e7cdb3d913ee8d0d0
SHA512 15e0e42a356ba47297e392f212e348a0ed5f53a441db8effe465f6bc3d68ac623e7bfd4371c783bdf75595e21ce38bcd508cbabecdb67f527860ec54ccb75ad3

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 8ee2dd478c09b1849ba8a43d72f3982e
SHA1 d56506c99664dfb6042f0c01dcaf74a97d656143
SHA256 c984d2a20376dedd04f11ae1d76dd82f3ae0e1ae75a7b62796d4b33732b07ed1
SHA512 44b34e0ff048a7592f124e7addfae8045591616e3efd1bdcb616341c069bbd04c033d6b3cdef31f991fb960fe662c446d49a12466f7b395c3fc43d380359bf89

memory/4020-219-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/4020-221-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip

MD5 8de88e8d9f16a4bd681bf4aedd208aa4
SHA1 9a5478d2fd7237f68dbe3fc5456c058ad197be8e
SHA256 2089ad11cc2ee99809a63450611ed878fa5ea582ef7d735ef4d2882bfbc0873e
SHA512 1a937906dbb86bbdf42eb7d79bd28c2fc70dd4c6b10e5841563317414fc94955c06599d812759ab344a237554cbc7b5cbb3ee2bbdba7a7d2425d894990e63fe3

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\ubMtZf6KK.zip

MD5 6602dd0c07e4f7b9e2afd805dd6f5db7
SHA1 f62865ab53a187f778f0eb7eab9c8988706f12dd
SHA256 63ff5d141ee8611f8f95e012c8578507b8bae360882c83752c5b503aba2ddaf4
SHA512 20d7e0c8694814f5871891cdcaa1c7819dca2c2dfa98c98ecf4a9df14a8a926e1574c386407370f52cb7295c3b4bfab6ad60951b99963d39efa0a2c061756442

Analysis: behavioral8

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe

"C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:80 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:80 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:80 ipbase.com tcp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 172.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 189.85.21.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/3648-0-0x0000000000400000-0x00000000047CB000-memory.dmp

memory/3648-2-0x0000000000400000-0x0000000000448000-memory.dmp

memory/3648-1-0x0000000004CB0000-0x0000000004CF6000-memory.dmp

memory/3648-3-0x0000000000400000-0x00000000047CB000-memory.dmp

memory/3648-4-0x0000000000400000-0x00000000047CB000-memory.dmp

memory/3648-6-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win7-20241023-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe

"C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2412-1-0x0000000000400000-0x0000000005177000-memory.dmp

memory/2412-2-0x00000000002B0000-0x00000000002DE000-memory.dmp

memory/2412-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2412-4-0x0000000000400000-0x0000000005177000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe

"C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2084-0-0x0000000000400000-0x00000000047D1000-memory.dmp

memory/2084-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2084-1-0x00000000001B0000-0x00000000001DE000-memory.dmp

memory/2084-3-0x0000000000400000-0x00000000047D1000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win10v2004-20241007-en
Max time kernel: 145s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe

"C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 basessrb23.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp
US 8.8.8.8:53 moraaaasa07.top udp

Files

memory/4284-1-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/4284-2-0x0000000005660000-0x0000000005700000-memory.dmp

memory/4284-3-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/4284-4-0x0000000000400000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

MD5 aa2db10c6f4076f716aedb385b38d512
SHA1 9dae265c786d6c01d358a52e96d36607848e7106
SHA256 74c54ab77f55b9ad37e49efd5a4acc89e753422a7817b9a9b3d52ffa579e0716
SHA512 45c65ba85b13237fea61bc3bb6121fbfddf405e62b13f4e2babc39cb062d798a4f8b39aa8a16e1d5230c07c290422478fe2a906bb06502addc560f2577a9eff0

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg

MD5 7e1c7974fcc98b5277ea48754d67e1ac
SHA1 9ba6a12557d0f3640630d99cb3ae5050374b4339
SHA256 d4226393bad15206f5f73b7fa339be7abcfa2ff66643e073697abdc6fd6d2454
SHA512 fb3514a06d281b5bda1ff96fcce6ee91b79fd53cbdefdf2c5512975eb57ed955ba0efc10ad851b27f404243f6582c86cfb14ad6457c35b408f858ebe02014713

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 8be5d80ff10cc48eb050edbf1225dee5
SHA1 e9b752a85013f72503d89b4dbbd60a4762b9f1e7
SHA256 0826647551b407df72ae911afe9ef39bf8c4f7ee15301a9f9412584431263742
SHA512 8448aec97056a6f56dc84bee5c7a3ffed540935c9286d606c42061b9a6b197ad5c3dbe64170d3195fc974ee6b443dcc94c1b3fa28fe04c89f945cad44bede298

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 311264214a63c9258d730e9533f15ed0
SHA1 189956df104be53a838dd0760a7c0f803df12801
SHA256 be4fe0f21c67f9c6ef236492b5061c56c4e675942085ff7dc9cd0f5fb921355e
SHA512 ece68c334a9b108b5665eee7d74adeb9c4c2dcd9d6ce9237e6e8664e0051f19cc3107e7fb462656136e5e04bcd81f0d93d8e884c689991518dc6fa7bcac0388d

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 eb0ca5f52c2db51fc9f7d7e9e17623ac
SHA1 c1d6fab43cf2f7c8a9b2ea4964cbd6d4bd60e00a
SHA256 7e62becfdef6dd8de04ba170554ec443ca0cff0c0f37f174eb4920f5e56506b7
SHA512 00696b01cfa038d34fadee3b1bef03b02d4c46d740ee4a3ef653ffa986f732f3e839a04a6013e56d7981a71bf93dec337df8ea5cd09d8d044fdae37ec02dc471

memory/4284-219-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/4284-221-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip

MD5 91df12ed0b5bf0e9875537ab470dcbd9
SHA1 15d41418f7c279dbd5b49b1d87d01f9df31a0d16
SHA256 4d0b1e915cb26760329f4fc0b06bc6e90d6f2551613172e4efa1260cf14ff88e
SHA512 c092e3772c0958ce3896e9eb3fd4c35f192a6f84a0e39f62fdba1c253331343ecba5ee61ae379d28a2046fdbfdb6a7f647f7f1012fb81287c8b8cf4baacb3d5d

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\i6wyofYjLX.zip

MD5 74fcb9b6bade9f3f6ec0eda313af0b66
SHA1 02597d2da12b3e69a63b87f3ed80331e83e9e9e7
SHA256 c86f30b31dbed9100e9e192a20b410a0b93f42bc4a774b446728012594ea4912
SHA512 f6d7b318cb6617f38469b701ab3c4575504bf0fc77786f549805ad13787d0625d28d4924aaf81f59a9c8e28cf2503c871925e6a42bf12c1a5e7ddfcdfa1102c5

Analysis: behavioral21

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe

"C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2692-0-0x0000000000400000-0x00000000047C9000-memory.dmp

memory/2692-1-0x0000000000400000-0x00000000047C9000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win7-20241023-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 moraffdds01.top udp

Files

memory/2836-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/2836-2-0x00000000002A0000-0x0000000000340000-memory.dmp

memory/2836-3-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2836-4-0x0000000000400000-0x000000000052F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 8a0bd3f407b01943d0b9bf720955f801
SHA1 5665f3000a5671d4834eaf99ef640cb9041d0dd4
SHA256 4f14f0083550c0d86971df9b249903ece5f36d864f051778fa5779a0b81956c7
SHA512 2181548dab06b14402c49e710e7507d4a70a5d433b0f03e9649b3be886e070bdc3499e80977128e7c9d451f729a503ebd1f6d5b7a5673d53a22ab3e1bf8d6afd

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 60f47cfc21b618e2c3a9d1318ffeccba
SHA1 138b7cb74074744c9031dea1b6e6bc632b63e927
SHA256 a4d67dccd4dd521d34b0594045353ff9bbd2c269dd0c1a9ef6d8c809a59b7c57
SHA512 a04fce8b707d3aed0c04f244549ff44c4c7aa54a7ad7dca45123a4b77ba49b06f451a7ab43c61ffd5f46ef9a386db26a9f9190bc792bafb9c1eaf0cd8e4126ee

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 35a54761c51414e7bd44a9cfef652314
SHA1 0472649f4e39fc6aef4c827e7817487ce83bb07d
SHA256 1f66cde9fdba552ea269b4b2f35606c869cafe42265b10e0ac664454f55120a0
SHA512 b9f06a1d74904e3eb8dd2693854cd2d154b20a0cc25fb23005b7fd9dc56d21efb13bf2658a80f72a584679d99d4362ed9d265da69e8bdf6dc59ecac3f9868744

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 ce5a4c5df65981c9a15e2d4c17fc07fe
SHA1 7da68f3ac02a64d93e84a2fa91a4c87e5b72d860
SHA256 a7746c25510d8568b98b27ada2a91a40ea1a0ff67f2f71d381e46a89d6c0ae3f
SHA512 415f80f1ae5171b5baeed29c02acebea328271e0d284d9241f7d3f5c73fb97a2689d3622fd3872240e304ad13c9ec160741051185e94a910ffc21939c1356373

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 c0d24ed3c41cee29c39d85cfe2f98576
SHA1 ac7b9e4d5b920f4882bf9970e204fe9f1619c6ee
SHA256 8edd794f8ece18de9eeddc54ab0e430444dab0bfc033d39fdd1b1ac5d3f49520
SHA512 165766bc12061bfc879f46ba71396f7fe6f5ed5c7afc5441431d8b0091c0fd30ba33817ea4e7db3e957b8c18d9469f02f298433da873ba07a827ae330b42407c

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 c757c241dd18874002c79c291ebda34c
SHA1 82f8078b2e3d6bd611fc889d426328ccf267db22
SHA256 19fd8dedcd7fb7fc45a33bb04df161cd3bb3966c92fa9bc35bc53546eca6d589
SHA512 cd757c721376f25d930898bd04c8c421647a503bd9aaa86d0668980a27ccb05a2d221fce0f4bae4792109286eb3a89e318c14a8b9ef22a2d6c28433cdf6caf71

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 7a3e9706e104b280edf5d44ffdb7b285
SHA1 00aa2221725fca2ba10df19f60301e0f77e2f86b
SHA256 bd2d2aa86925f3f5eb86018749b7425944e48cdf53a36b1d34ddf6f3a4537513
SHA512 b27f1e1d0a9cedcd70d7d1edd91066d8bec993610656745379b5744def4be199f44c1052dc4d0d1f383627a03a35b4c01fddd66c475de8c522e7f2bed7c4be68

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 68c9dfcfcf1e77949f59df3d16d351a2
SHA1 5246cd4200ff22da288473b84d28deaf8524f31c
SHA256 a523cb37dfb619ea7b524600fcfd6417b70c39d5e44045a035104aa1a3d0ad36
SHA512 4a39dd4c8538cfa1602e683abe5400e1b3d2fb33009eda8e4b09b7047477f3e437372155934d840ffe6d3bed0ebcbbcf71e9d65473cb2cc3a60d82b1246c580f

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 e0fe3d2fe4a02850297db83e5d8cab49
SHA1 611000e76a4f14361d25b99e9265cb8226db40f7
SHA256 fba88425f8d494ce7b2c1dbc36c44d6a19b109f8ca891a583e44b5f54191cec9
SHA512 3bb34dfd4f5e33b86fd971a56fc4073ebdd19de59916b122ad336485d06d228cbe270628db69eab2d0a947f224c53525766127b974e31f69b940d836bea48e7b

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Files\StartStop.txt

MD5 a52ef8b9bb0e5d26e6bf28c613d71be0
SHA1 c774360d6d70a984690d118292d58c389014067e
SHA256 de694b9cdae4aff1cb799ecda251028bffdfd8d86e6c315fe7ed4b9fd5462dac
SHA512 417ceb9b9455ee020a8b0703acc42babd753de67e3efe72e9771f7c5e3286e177cdbdc0dc997b59b6931f6b9fda3ac476de4cbd487ba9b104b3853d92e4e7172

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg

MD5 76d73e8b0bad36d3e16be99d718d9add
SHA1 e2ca0149da16ab57f19180c5e22085540798f57a
SHA256 15c579422d25b762e354fdfcd59dc8570cd34c8a6143c308bb86239765840c1b
SHA512 630e5dd1231f0a3a788f43f5407497f6103158d111aa2ffd01b3b4f7ed539ef9676cafaee7d38f3f2f4096b88e6fde927fd282094efa27c7970bf786d90ccf3f

memory/2836-226-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/2836-227-0x00000000002A0000-0x0000000000340000-memory.dmp

memory/2836-229-0x0000000000400000-0x000000000052F000-memory.dmp

memory/2836-230-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip

MD5 6b2523baa3c207084c14454eb7fd77cd
SHA1 7d5bdddb2494f925468e290370cbef223bddb457
SHA256 a4cdbdea81b10d5e58de218897f46c3373beb5527d7f41f273269e20cc83e73c
SHA512 ae3e06cf382e8ecbe5f2c9c4e53a31d2083b4b5b55084a37db841dcbbb93ef62b0fcbf5133518728da59b5ccdef32f3cd74c40ae2972d7038f8c66b8971af5a9
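
The Files lists of the CryptBot-tagged detonations (behavioral28, behavioral12 and behavioral29 above) share one layout: a randomly named directory under %LOCALAPPDATA%\Temp (VqhDiVkQqpn in two runs, GgIFodiI in the third) holding _Files\_Information.txt, _Files\_Screen_Desktop.jpeg, files_\system_info.txt, in one run _Files\_Files\StartStop.txt, and one or two .zip archives at the directory root; the text files are rewritten several times, which is why the same path appears with different hashes. The directory name changes per run, so it is useless as an indicator; the fixed relative names inside it are the stable part. The Python below is an added example and not part of the sandbox report: it groups file-creation paths by the random staging directory and flags a directory only when at least two distinct artifact kinds appear under it, so a lone _Files folder or a stray .zip in Temp does not fire on its own. The path list is constructed from the paths on this page plus two benign-looking paths; the artifact table and the two-kind threshold are assumptions made for this example, not part of the sandbox's own signature.

```python
"""Flag CryptBot-style staging directories from file-creation paths.

Added example; not part of the sandbox report. The artifact table is taken
from the Files lists on this page; the two-kind threshold is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: paths copied from the behavioral28/12/29 Files lists,
# plus two benign-looking paths that must not fire.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt",
    r"C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt",  # rewritten later
    r"C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg",
    r"C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt",
    r"C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip",
    r"C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Files\StartStop.txt",
    r"C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip",
    r"C:\Users\Admin\AppData\Local\Temp\setup.log",                # benign
    r"C:\Users\Admin\AppData\Local\Temp\build\_Files\notes.txt",  # lookalike, wrong file name
]

# <drive>:\Users\<user>\AppData\Local\Temp\<random dir>\<rest>
STAGING_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\(?P<dir>[A-Za-z0-9]+))\\(?P<rest>.+)$",
    re.IGNORECASE,
)

# Relative paths observed under the random directory, lower-cased, mapped to a kind.
ARTIFACT_KINDS = {
    r"_files\_information.txt": "browser-info",
    r"_files\_screen_desktop.jpeg": "screenshot",
    r"files_\system_info.txt": "system-info",
    r"_files\_files\startstop.txt": "startstop",
}


def classify_path(path):
    """Return (staging_root, kind) for a known artifact, else None."""
    m = STAGING_RE.match(path)
    if m is None:
        return None
    rest = m.group("rest").lower()
    kind = ARTIFACT_KINDS.get(rest)
    # A .zip directly inside the random directory is the collected archive;
    # its file name is random, so only the location is matched.
    if kind is None and "\\" not in rest and rest.endswith(".zip"):
        kind = "archive"
    if kind is None:
        return None
    return m.group("root"), kind


def find_staging_dirs(paths, min_kinds=2):
    """Group artifacts by staging directory; keep dirs with >= min_kinds distinct kinds."""
    kinds_by_root = defaultdict(set)
    for p in paths:
        hit = classify_path(p)
        if hit is not None:
            kinds_by_root[hit[0]].add(hit[1])
    return {
        root: sorted(kinds)
        for root, kinds in kinds_by_root.items()
        if len(kinds) >= min_kinds
    }


if __name__ == "__main__":
    for root, kinds in find_staging_dirs(SAMPLE_PATHS).items():
        print(f"{root}: {', '.join(kinds)}")
```

Feed it the file paths from a host's file-creation telemetry (Sysmon event 11 or an EDR file-write stream) rather than the sandbox list, and raise the threshold if a benign installer in your fleet happens to use a _Files folder.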

Analysis: behavioral32

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win10v2004-20241007-en
Max time kernel: 118s
Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe

"C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2996-0-0x0000000000400000-0x00000000047B6000-memory.dmp

memory/2996-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2996-1-0x0000000004950000-0x000000000497E000-memory.dmp

memory/2996-3-0x0000000000400000-0x00000000047B6000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe

"C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2316-1-0x0000000000400000-0x000000000517C000-memory.dmp

memory/2316-2-0x0000000000400000-0x000000000517C000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted: 2024-11-08 06:43
Reported: 2024-11-08 06:46
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe

"C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2584-1-0x0000000000400000-0x0000000005177000-memory.dmp

memory/2584-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2584-2-0x0000000000220000-0x000000000024E000-memory.dmp

memory/2584-4-0x0000000000400000-0x0000000005177000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe

"C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/1704-1-0x0000000000400000-0x0000000005177000-memory.dmp

memory/1704-2-0x0000000000220000-0x000000000024E000-memory.dmp

memory/1704-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1704-4-0x0000000000400000-0x0000000005177000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe
PID 3512 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
PID 2208 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe

"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"

C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe

"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

memory/3280-0-0x000000007487E000-0x000000007487F000-memory.dmp

memory/3280-1-0x0000000000140000-0x000000000019E000-memory.dmp

memory/3280-2-0x000000007487E000-0x000000007487F000-memory.dmp

memory/3280-3-0x0000000000BC0000-0x0000000000BE2000-memory.dmp

memory/3280-4-0x0000000002490000-0x00000000024A2000-memory.dmp

memory/3512-7-0x0000000000400000-0x0000000000427000-memory.dmp

memory/3512-6-0x0000000000400000-0x0000000000427000-memory.dmp

memory/3512-5-0x0000000000400000-0x0000000000427000-memory.dmp

memory/3512-11-0x0000000000400000-0x0000000000427000-memory.dmp

memory/3280-10-0x0000000074870000-0x0000000075020000-memory.dmp

C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe

MD5 7c206dae3d5cb963584b75a2ecce94a8
SHA1 7eaff221e85eba8400bed8f7dc156b7984f2e08c
SHA256 1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b
SHA512 62d67495e0ea6a689a90fcd347b73331866b36c3a2cd865a3f799b2ad31805426dc60b065ee8326912b07182893ef134304d985eae920ee771173c16b93b6b10

memory/3512-18-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2208-19-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/3280-20-0x0000000074870000-0x0000000075020000-memory.dmp

memory/2208-21-0x00000000746CE000-0x00000000746CF000-memory.dmp

memory/2208-23-0x0000000001830000-0x0000000001842000-memory.dmp

memory/2208-22-0x0000000001950000-0x0000000001972000-memory.dmp

memory/3712-28-0x0000000000400000-0x0000000000427000-memory.dmp

memory/3712-27-0x0000000000400000-0x0000000000427000-memory.dmp

memory/3712-29-0x0000000000400000-0x0000000000427000-memory.dmp

memory/2208-30-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/2208-31-0x00000000746C0000-0x0000000074E70000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe

"C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp

Files

memory/3880-0-0x0000000000400000-0x00000000047D1000-memory.dmp

memory/3880-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3880-1-0x00000000047E0000-0x000000000480E000-memory.dmp

memory/3880-3-0x0000000000400000-0x00000000047D1000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe

"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 basessri42.top udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 moraaaasy09.top udp
US 8.8.8.8:53 59.189.79.40.in-addr.arpa udp

Files

memory/2904-1-0x0000000000400000-0x0000000004DD7000-memory.dmp

memory/2904-2-0x00000000050A0000-0x0000000005140000-memory.dmp

memory/2904-3-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2904-4-0x0000000000400000-0x0000000004DD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

MD5 4f34cd42994b5c03d5f7f5fa024cc9fb
SHA1 ef482103e1b02784d0d55d8f8f957ded0617577c
SHA256 fd6fb484aa07a17c64f2edf023d3256aaaa79051adb141f509188f492a14fa61
SHA512 68055bf6c1b2689ada13297ae7dbf9beb5cb41e357b0d50563d7e3750bb1bedbf5fb344d3ab2e06f2ff727050cadba24aa4b5b549f4c5c41ce4dc9754a68b24f

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

MD5 b144cc96952701c0dddfdd49dde7fbfc
SHA1 183002c04e262e0386550420952d0191ac47d51a
SHA256 03b58903a31f9781d2b10a7df019af3d099078df20e1ad6dbb610d8bfbbcaee4
SHA512 3d1fc5188bffd5116e9ddff2902a451b49d8a8ed211c03d32a5d3161f931e0b4a26bcf0f9072d772769e750fae1479976e003e49f86ecf6459962503503a1a30

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg

MD5 2da7eae9db1b714813c23bafdfa8ebc2
SHA1 ad43e12a09359193120d52b4c4baf981265c431c
SHA256 fbbbdc8603f484f4c2dea195c961c3e41ef1da404201c56251d540010999c760
SHA512 ce93e1bc00cd9c0e6392ce90cb7b50f66dd84a593f70fe37758b672fda56648a132ede3befe5867a71afbae96e518fec129c10fca54003c33841fa9ac4a5e349

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 0b7047eae4da8d0e423f359d4dab4d1d
SHA1 27d5feeb1fe3418046a3ad85b0b03fcaa24b9043
SHA256 553a539fbac287e44cc689f05b38101384ffaf260bd8f431782bcec1f4a46fa9
SHA512 16f2e7921b9cd7880546832118219e9e3d2de8ea5c44d8b750e8c4184a754355407206f47d80f3464ba0ca9753bd9c1fbd460828c13ae8cc29aa6773b3618993

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 200ce97704f46bb88798b680df10a826
SHA1 75276cc13ffed8d1e99fa4a094773234f886b84d
SHA256 d56b9aab4961a26ec243e0d0409f00b7f1606896c39e14bea3da55619b7a9417
SHA512 b34a0ffc2cbe152526560d3d53a84d71fbce6eaa7dfd041b7d3021670213c99196ea1463813cec14d327d2bf16cc2978fe6d0e180c7ad21f60afbc4c09410f8f

memory/2904-218-0x0000000000400000-0x0000000004DD7000-memory.dmp

memory/2904-221-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip

MD5 dcf742f59f682b0a887d35c096b0dda8
SHA1 23e414f9a246d0753d19a76bb6a70a20b89155f0
SHA256 fdb53e98c405c6ba32105fe63b3b03e2991a4d85bb344a55876af105306c1c3f
SHA512 6f02bae33b61d15f4241e7162ab7bf4a64710657d3d62c603e286aa6468884faf7e13ec6c813021ba18a9ba05dea602b1f2b3a7c587722ee118cb29c7b7b8620

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\jVtKZ23rKJi6.zip

MD5 dbd391e36a6c60c1d1359bdb56bbb327
SHA1 0faef71e451f94d61fff0d6952a96606b3f4ec75
SHA256 a3187ca57bb20442691aef856c86c1c9a70e6ff3e20970f0a751ef4aaa5caeb4
SHA512 0cad32ac080ba6655beca58371658addb22520035d87f521c9b6186ac7a4fa0cf957bd5d3a1820ebd307a1523bdc38a7220035ab80aede090c50673381813431

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe

"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 moraffdds01.top udp

Files

memory/3140-2-0x00000000007B0000-0x0000000000850000-memory.dmp

memory/3140-1-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/3140-3-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Information.txt

MD5 608bfa1d367daf50d0cec2d64e9962f2
SHA1 a0362210804130a0f1fdbd725796adf0e270beff
SHA256 0f48e960b2f1fa7c749cf1c29515393bd2659efdb4542794bc4a6a37a96cb471
SHA512 a1b96371ea83be0d748a89d300d2cee0416cd6dec0e71c220feb33b3c06e6e5dc73c9cd10d1e04bcb9bbb3c134bd761da6fa01e3e2e50027898cbceee421222c

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\files_\system_info.txt

MD5 233bc14eaba21d80927a9b552266d3f4
SHA1 ab06c097f3596ae91022117cb0befa854af1bcb8
SHA256 00c338995131db9eea9c087097189de439aee2487d7e981821b7c75e931b53f0
SHA512 ca9c272c7d80ca997dba82f25002cb13e039cc1a58369bbe5748a1a8206ea497fa287cd77447845d308e41a07c605808c1895efd00a172b9668b68782fac1208

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\files_\system_info.txt

MD5 02cf311a5e273802dc6878211d2b8dd5
SHA1 4c54ad41bdcda47a3f597a013f478241bbe81fc5
SHA256 c284e51dc73f37280c6849304e27398b8623c54fe85da9c51352e86848d3df56
SHA512 04baddb9eed7658f16910e8366cc2a32c470a749b6a97f2fa01613bbdc95e880adedcabdbf21b5c7d65c05c772830424caedcabd30fa19a690bb5794648f54b1

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Screen_Desktop.jpeg

MD5 dedcde8de4b6b64bd0f5e371ff3c083b
SHA1 87e7d0839cfc9b33640c1732a576a78ac1e94a92
SHA256 f13bd39c581362fcd9eaaf978c1527f535e38d5d4ea39ceb7ce4df92a643508c
SHA512 7e6771f1bbdb382570936b851b682dc726f9d37670b45453f2420db60e170706e0a563a6ce91f5a4bd39f37dba8a297e0396c21f0feb3c95e67ce02828c7a366

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Files\CompressWait.txt

MD5 09f79ca4b3356d9c5c4589bde59ca492
SHA1 6502ecf4baac9259cd2cca6cb46289f0d8bb3f16
SHA256 6445e7509d43af45301f7c11821c4c4e44399111e51e532fb2ed690de95df4ce
SHA512 4f0ba86d6ce417700b1cd1e886da6d197eca9755a152e1a8b0d764dde020f678c7efecef722d00c1b2ae6f5a563fc6392aa328d981631467dd1148a46ed27dac

memory/3140-222-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/3140-225-0x00000000007B0000-0x0000000000850000-memory.dmp

memory/3140-224-0x0000000000400000-0x000000000052F000-memory.dmp

memory/3140-226-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\p68ah4m5Lye.zip

MD5 3e8c022d6bb37a47220d18c3dffec48d
SHA1 575a45d5b782a262e15a3d1c2ea6d1cb05c69c45
SHA256 9efb7f4bbc787b03b9a2b019d3d125a5f7545e5ebe350f4dd372728955c45241
SHA512 5ba0714f943cb59d451f2a839bbd64172296216c5aea89d19cc16e4ff2fd7d12e728d5e452f438984279ed071cd7b7d7cf9b3416491086d9b7a888c8d1cc3b3b

C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\LaZuGlRq.zip

MD5 22b3b5ba3d06c347e128e8e231db66ff
SHA1 c87b20261cb0852c52c061caebd6e49d31e2c6c3
SHA256 e958945142fedafaeb6e46bb49a5d48153fb103d19b8b2be147750f254ae2793
SHA512 48a4402c87273ad6f2673745b67ea124f7a4ba24d72b9e8c4f77eabb76df93574353cdfae3f03b329e518164dec906d7a7bea61052cd9516955d8ccb2aab66ae

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe

"C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3540-0-0x0000000000400000-0x00000000047C9000-memory.dmp

memory/3540-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3540-1-0x0000000006410000-0x000000000643E000-memory.dmp

memory/3540-3-0x0000000000400000-0x00000000047C9000-memory.dmp

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe

"C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gc-partners.rest udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/544-2-0x0000000004D00000-0x0000000004D2E000-memory.dmp

memory/544-1-0x0000000002FD0000-0x00000000030D0000-memory.dmp

memory/544-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/544-4-0x0000000002FD0000-0x00000000030D0000-memory.dmp

memory/544-6-0x0000000004D00000-0x0000000004D2E000-memory.dmp

memory/544-5-0x0000000000400000-0x0000000002FBB000-memory.dmp

memory/544-7-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe

"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 72.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 needioerw02.top udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 moraffdds01.top udp
US 8.8.8.8:53 moraffdds01.top udp
US 8.8.8.8:53 moraffdds01.top udp
US 8.8.8.8:53 moraffdds01.top udp
US 8.8.8.8:53 moraffdds01.top udp
US 8.8.8.8:53 moraffdds01.top udp

Files

memory/3928-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/3928-2-0x0000000000700000-0x00000000007A0000-memory.dmp

memory/3928-3-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 39e2452945540549ccdf189ce19da20c
SHA1 63a1ef8d0e49e974427ab6dd6d27517df3ccc59f
SHA256 d1e8a5c38151f883ee6d92824ea8fdd3b4c62a91077fa8a154d59120fe3cc693
SHA512 793e7fba4461fded76fe1dc4c4d18b465fbaa34c7ab9fee4cd5c78c93a1ede81381f5c610cdb6ba13c0acf648a7a60d81c3dbb3ee7dcfb64018c5731d5b63553

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg

MD5 f41db03dfc0a0d09ad72444b0cbbfaf5
SHA1 7185fe78cb4b1424bddb53b3e20c015c2dd8371d
SHA256 0c0933fe3ee28bcca614d693515fc4e44cf057fba74a131efb03980c83dd39de
SHA512 d5507f29b0a869642c17dd730571473560164280695f2e31688b8986a9e278a7e6247fb9dda7528c80954373659b0e472987ef17b6c67dab37b661285a6ed0de

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 c27b0ade13757dfe48569ecbca483e9f
SHA1 c658d8e0a24e7d6390ab85ff7bddf8efdef31e95
SHA256 7b7e410cb85ceaaeb645eec67989a6d386e8db8141de0321795399647b075bcf
SHA512 9b1f8c30a94f97f1e3fdf86ebdeed2c89ac78aef14f853e755935e1f51ec80cd7bdd0ddf8fe21bb6dda0fb0e6d168e5cec807967ae137b189d42b11278eb92a4

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 482908618347c2f83da7874504176f04
SHA1 948fe7455823cf94033a408f2040e7b4c5c1876d
SHA256 cf3515f50c5a4cff8f11f28dd64e813d9cb6f15a6fc5c98a9578a6307a76f26f
SHA512 dd984529262e80aaa0550b01392944d7e30d2ee058fcf784b27a298a494660b0235734a2f27a99573b8e66b368b5282a0f5273a693aac52318829aad1bc021db

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 c59e1b3113d29dae2ebeaf0ea220f4dd
SHA1 f52a2ec0f609336fa92a5c58f27f782c67a92454
SHA256 354de3e8c5094857296ee101377549d39fd7e7c7ecf8eca7520542bc9bae0ee0
SHA512 5006d36062437ae7c3349003b3316b46691dab4a16630b1ff656b3f9e972c113434a705d82610b3ea6c88ca3a6e69c3878d56fa53cf69358134e703aabd05105

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 a1bb22ba3fca7b9a8ba5f437ab57c2fc
SHA1 adaf3df9ba683445f8570e9a8864e5be61dbfbd5
SHA256 240cb0c84da8ab1ffa9b4c8d8fff80f739f295082b008faac463e5dc8549b874
SHA512 f4514a63a5112d668de20b7a13a114b9d8f88111a681bd4699d3b814920fc2ba75511010826e793997c860354f05d299ceb4f2bc9f1fd63f1ecf817e610480a2

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 deef5e8804faefcf411d53190fa09e98
SHA1 45229ec8f2fa59f7cf2a533a2cf8b76cfaffc3f5
SHA256 d1082c2cf7a84d3c05678485fa141a5b46046988fcc69f2e2e2a4cda18d45634
SHA512 c83208ccdcaf1f8915ba04ea4d297483204005bf4c760fb3e07f184af524a1c039fb9cd5910d82357419517a46f02128d387128dda436e2e1064f257e31f823e

memory/3928-218-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/3928-220-0x0000000000700000-0x00000000007A0000-memory.dmp

memory/3928-219-0x0000000000400000-0x000000000052F000-memory.dmp

memory/3928-221-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip

MD5 2c404be853aaac1d5801afbcb3f3a40c
SHA1 3cc9120a8663c88db7c1a7e6832ba207f9cdbd53
SHA256 921c3a26b170704f63cd9886ac375bc5e510115affff30c56f0b1d6a5a1f490d
SHA512 73ac68cfc11b6457b97538909c1a7662ad3a4acbaa24512a09072a2a6241d40f80c347b2b4abebfb8867e0ea402b76fd931a93769b51fb12319cd4e244e68c3b

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\nPbiXXTb.zip

MD5 55d5602d16e32e6457b2edd4cc6e2beb
SHA1 6d65ec99ffbf01c5179e3385532d08dcec367134
SHA256 f8496a84c8af2941b99a7aa0129aff461bb3e1fad370a47c77a575824e0d11f6
SHA512 bc9441fc60751b0fbeeff5223470653e16911c0ffbb7d087ea380823eca5784ac57182528596800399e80be5fb2f035f405d57bc2990ab790cebfac0c7b5cb73

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe

"C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 107.116.69.13.in-addr.arpa udp

Files

memory/552-1-0x0000000000400000-0x000000000517C000-memory.dmp

memory/552-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/552-2-0x00000000051F0000-0x000000000521E000-memory.dmp

memory/552-4-0x0000000000400000-0x000000000517C000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240903-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe

"C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2976-0-0x0000000000400000-0x00000000047BE000-memory.dmp

memory/2976-1-0x0000000000240000-0x000000000026E000-memory.dmp

memory/2976-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2976-3-0x0000000000400000-0x00000000047BE000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20241010-en

Max time kernel

149s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe

"C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:80 api.ip.sb tcp
US 172.67.75.172:443 api.ip.sb tcp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:80 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 104.21.85.189:80 ipbase.com tcp
US 104.21.85.189:443 ipbase.com tcp
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/1236-0-0x0000000000400000-0x00000000047CB000-memory.dmp

memory/1236-2-0x0000000000400000-0x0000000000448000-memory.dmp

memory/1236-1-0x00000000003B0000-0x00000000003F6000-memory.dmp

memory/1236-3-0x0000000000400000-0x00000000047CB000-memory.dmp

memory/1236-4-0x0000000000400000-0x00000000047CB000-memory.dmp

memory/1236-5-0x0000000000400000-0x0000000000448000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240729-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe

"C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/2748-0-0x0000000000400000-0x00000000047B6000-memory.dmp

memory/2748-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2748-1-0x0000000000240000-0x000000000026E000-memory.dmp

memory/2748-3-0x0000000000400000-0x00000000047B6000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe

"C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 68.208.201.84.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4212-1-0x0000000000400000-0x0000000005177000-memory.dmp

memory/4212-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4212-2-0x00000000055E0000-0x000000000560E000-memory.dmp

memory/4212-4-0x0000000000400000-0x0000000005177000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

84s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe

"C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/4832-0-0x0000000000400000-0x00000000047BE000-memory.dmp

memory/4832-1-0x0000000004A70000-0x0000000004A9E000-memory.dmp

memory/4832-2-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4832-3-0x0000000000400000-0x00000000047BE000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240708-en

Max time kernel

57s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe

"C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gc-partners.rest udp

Files

memory/2184-1-0x0000000003060000-0x0000000003160000-memory.dmp

memory/2184-2-0x0000000000220000-0x000000000024E000-memory.dmp

memory/2184-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2184-4-0x0000000003060000-0x0000000003160000-memory.dmp

memory/2184-6-0x0000000000220000-0x000000000024E000-memory.dmp

memory/2184-5-0x0000000000400000-0x0000000002FBB000-memory.dmp

memory/2184-7-0x0000000000400000-0x0000000000430000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240903-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe

"C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 basessrn17.top udp

Files

memory/2616-1-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/2616-3-0x0000000000400000-0x00000000004A3000-memory.dmp

memory/2616-2-0x0000000000220000-0x00000000002C0000-memory.dmp

memory/2616-4-0x0000000000400000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt

MD5 55f067c761be97fdfcdee685d28dcc72
SHA1 c42674dd84086d02a052d3995648a0672ebf0574
SHA256 feae4808b816dba5ee8346b0933b6bae209764017f6bef4e468a23fb3d4a4147
SHA512 c862e504af35ef9158b4a5157a44083719bbae47fdce873ffd690bc91d9c47d4b58282237c7ec6d50e91c4643d35f4ea0da606d03e34f7797577f24530813335

memory/2616-113-0x0000000000400000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 412723766fba16535c4dc04b5ab1ffbc
SHA1 e1a9ddb546f3d5f40f564d9e6ae8c16b41b2eefa
SHA256 460379f98f712ba8106a2489d35da51de90d46d306a89e57e6c088fe4043c43e
SHA512 031e5fbee9d1552aec12aebeddb164a5261d534d52950d80b3548014572e3dab9dda4719af22fcf59303d0ac351aaa51b2aadef65e30a41b203ae7cab89773d7

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt

MD5 f7e600180646f8020b2c184fa42139bd
SHA1 fb49032c5d0dc688ce83aa82de5cd14ed302c6f8
SHA256 a12e414eaee7022062aa042ab2098d2b01747f4e6ba09908b7b9860e5022ca07
SHA512 289b471f9c4309140add9bb2b4599bdd52ae0a7bc997cdca55cf819a75342d0f68e8567f8fd067490f09579ce97eb591433139bc57a7cd993b9b7af85536d0d7

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg

MD5 52a76bcfa17c99d01a5b59cbba2aed62
SHA1 e7689d10a84f83283f2c40e4a0da14e8fd0bf642
SHA256 6799ddc6ee8cb096d0e23058b699b13cc877fefd37e0c0611ca27706c8fa79ff
SHA512 7d2c04858d094cbf13491b7c2e8dbac208bfa83c9b3ebd9686e6c6e7eba70fd5e85a8a8d332f9fb1488be334738f12b97e044947d1b23ed2d50e86ad3af9db74

memory/2616-222-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/2616-225-0x0000000000400000-0x00000000004A3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip

MD5 f462ff2b77fa7b6977a4bca5588bc540
SHA1 a936a6939db99f94b7aeb80757909d905e3548c2
SHA256 6ee50f1055c3672c4dd2c5336e02d56443824b434318ca1d7533f54a95cf7a2f
SHA512 e6967503672aedf2cf73c966ad3e8bff4d2306748b2629b1fec6340178fbd348912b3b550eaaafb843ed1bf5685795e6e3a47145eae5c83408f31c4ca6f5a572

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

89s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe

"C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/1592-1-0x0000000000400000-0x0000000005177000-memory.dmp

memory/1592-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1592-2-0x00000000052F0000-0x000000000531E000-memory.dmp

memory/1592-4-0x0000000000400000-0x0000000005177000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win7-20240903-en

Max time kernel

145s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe"

Signatures

CryptBot

spyware stealer cryptbot

CryptBot payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Cryptbot family

cryptbot

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe

"C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 basessrb23.top udp

Files

memory/1032-1-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/1032-2-0x0000000000400000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt

MD5 3c81f4967fe17a60d3fbcbd075449acd
SHA1 e5791f78ec603b258d1b17864474a99efd3c64c6
SHA256 16dbf784f691381515871ca443c821e00c3f969cbf55690d9f4cc3bd2160a805
SHA512 21d85aa5a0000470a8bc81343fb4b3488ccc2f6a62e6415f9f65850304b94779ccd9267d73c582fec00e58ca824bace7ee67d7833819c7df7c929917975a9d97

memory/1032-111-0x0000000000400000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt

MD5 996205af5187ae51df2c89d5e78e5f3d
SHA1 1786978860f407adb48a30fc973fbc7210f19060
SHA256 ce687913e7ef01efeea0927fa051e2508dcea54d3e93a42c02ae9bf56b4163ae
SHA512 9bacfb28693c23631a8edde772fdc39a4dc52324e99bf4c003f1ee0476a3e82cda820e3bde5de9b8e3c0c015805354db1eaa57a21321110c4e7210b27f02c43f

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg

MD5 0ef4cde8862b5c23f8c1e0a14c362d08
SHA1 9904baef689e5d27f0d4e1aeff5e1b8cc6d1a656
SHA256 b061ebe8ff240f3bbde80d1b3ebeb0ef891be61a2c6a3cf49a3da04dd964050f
SHA512 01d39e31f7c96b5adc2486d076308d37541aabc08f29158800476a6e51737fdc53f4596cf58113e8690bee63a77a597d5316ed89b11d79bbdf51c6ee34d52591

memory/1032-219-0x0000000000400000-0x00000000051B5000-memory.dmp

memory/1032-221-0x0000000000400000-0x00000000051B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip

MD5 09c6f936b2f4c6c423cb6ddc96885fa2
SHA1 0a290165c493ca398e5b7be7f850ca98ea966c98
SHA256 9074a7bf5d33243e6db0bf9decce39a84842123c7b3b386455f050ca35cb1930
SHA512 553edb8e3f257b878431f3c0c892bbdd288021f335ecd6b59c71a43baefa1301a263034a38f2b521ec8b16cec43432f69f3752030cf02210e125a03e7e2bf52b

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-08 06:43

Reported

2024-11-08 06:46

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe"

Signatures

GCleaner

loader gcleaner

Gcleaner family

gcleaner

OnlyLogger

loader onlylogger

Onlylogger family

onlylogger

OnlyLogger payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe

"C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp
US 8.8.8.8:53 gcc-partners.in udp

Files

memory/1280-1-0x0000000000400000-0x0000000005177000-memory.dmp

memory/1280-3-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1280-2-0x00000000055E0000-0x000000000560E000-memory.dmp

memory/1280-4-0x0000000000400000-0x0000000005177000-memory.dmp