Analysis Overview
SHA256
360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc
Threat Level: Known bad
The file 360790a458803634b049c75f5a6b181042dc1be365e1d87552a1ea98bbe9f9cc was found to be: Known bad.
Malicious Activity Summary
CryptBot
Gcleaner family
Onlylogger family
CryptBot payload
OnlyLogger
GCleaner
Cryptbot family
OnlyLogger payload
Executes dropped EXE
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
UPX packed file
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Checks processor information in registry
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
| Reported | 2024-11-08 06:43 |
Signatures
UPX packed file
Unsigned PE
Analysis: behavioral17
Detonation Overview
| Submitted | 2024-11-08 06:43 |
| Reported | 2024-11-08 06:46 |
| Platform | win7-20240729-en |
| Max time kernel | 143s |
| Max time network | 146s |
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | basessri42.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\ukR0wnpgnl\ZVnrdjpyWA.zip
Analysis: behavioral19
Detonation Overview
| Submitted | 2024-11-08 06:43 |
| Reported | 2024-11-08 06:46 |
| Platform | win7-20241010-en |
| Max time kernel | 149s |
| Max time network | 156s |
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | needioerw02.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\eANfxmuaU7gS\PqzgshgUs0Zbbb.zip
Analysis: behavioral23
Detonation Overview
| Submitted | 2024-11-08 06:43 |
| Reported | 2024-11-08 06:46 |
| Platform | win7-20240903-en |
| Max time kernel | 121s |
| Max time network | 123s |
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2196 set thread context of 2868 | N/A | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe |
| PID 2524 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe
"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"
C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe
"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
Network
Files
\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
Analysis: behavioral28
Detonation Overview
| Submitted | 2024-11-08 06:43 |
| Reported | 2024-11-08 06:46 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 148s |
| Max time network | 150s |
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe
"C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\ubMtZf6KK.zip
| MD5 | 6602dd0c07e4f7b9e2afd805dd6f5db7 |
| SHA1 | f62865ab53a187f778f0eb7eab9c8988706f12dd |
| SHA256 | 63ff5d141ee8611f8f95e012c8578507b8bae360882c83752c5b503aba2ddaf4 |
| SHA512 | 20d7e0c8694814f5871891cdcaa1c7819dca2c2dfa98c98ecf4a9df14a8a926e1574c386407370f52cb7295c3b4bfab6ad60951b99963d39efa0a2c061756442 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe
"C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:80 | api.ip.sb | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:80 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:80 | ipbase.com | tcp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.85.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
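Three kinds of rows are mixed in the table above: reverse lookups of sandbox and CDN addresses (the in-addr.arpa names, generated by the analysis environment rather than by the sample), queries to public IP-echo services (api.ip.sb, freegeoip.app and ipbase.com are all contacted over TCP here, although the "Looks up external IP address via web service" signature names only freegeoip.app), and thirty DNS queries for gcc-partners.in that are never followed by a TCP connection, which is consistent with a loader retrying a domain that did not resolve during detonation. The Python below is an added example, not part of the sandbox output: it parses rows in this table's format and sorts domains into those three classes. The sample table is a constructed subset of the rows above, and the service list and classification rules are the author's assumptions.

```python
"""Separate resolver noise, IP-echo services and never-reached domains in a
sandbox Network table.

Added example written for this report; it is not part of the sandbox output.
The row format follows the page's tables; SAMPLE_TABLE is a constructed subset
of the behavioral8 table, and IP_LOOKUP_SERVICES and the bucketing rules are
the author's assumptions.
"""
import re
from collections import defaultdict

# Public "what is my IP / geo" endpoints seen in this report's tables.
# Assumption: compiled from this page only, not an exhaustive list.
IP_LOOKUP_SERVICES = {"api.ip.sb", "freegeoip.app", "ipbase.com"}

# | Country | Destination | Domain | Proto |
ROW_RE = re.compile(
    r"^\|\s*(?P<country>\w+)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<domain>\S+)\s*\|\s*(?P<proto>udp|tcp)\s*\|$"
)

# Constructed subset of the behavioral8 Network table above.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:80 | api.ip.sb | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:80 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 172.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
"""


def parse_rows(table):
    """Turn pipe-delimited rows into dicts; the header and any line that does
    not match the row format are skipped."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def triage(rows):
    """Bucket domains into ip_lookup (IP-echo services), contacted (DNS plus a
    TCP session) and dns_only (queried but never connected to, the pattern of a
    C2 domain that did not resolve and was retried). Reverse lookups
    (*.in-addr.arpa) are dropped as resolver noise."""
    dns_queries = defaultdict(int)
    tcp_peers = defaultdict(set)
    for r in rows:
        domain = r["domain"].lower()
        if domain.endswith(".in-addr.arpa"):
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            dns_queries[domain] += 1
        elif r["proto"] == "tcp":
            tcp_peers[domain].add((r["ip"], r["port"]))
    buckets = {"ip_lookup": {}, "contacted": {}, "dns_only": {}}
    for domain in set(dns_queries) | set(tcp_peers):
        entry = {"dns_queries": dns_queries.get(domain, 0),
                 "tcp_peers": sorted(tcp_peers.get(domain, ()))}
        if domain in IP_LOOKUP_SERVICES:
            buckets["ip_lookup"][domain] = entry
        elif entry["tcp_peers"]:
            buckets["contacted"][domain] = entry
        else:
            buckets["dns_only"][domain] = entry
    return buckets


if __name__ == "__main__":
    for bucket, domains in triage(parse_rows(SAMPLE_TABLE)).items():
        for domain, info in sorted(domains.items()):
            print(f"{bucket:10} {domain:22} dns={info['dns_queries']} tcp={info['tcp_peers']}")
```

A DNS-only domain is still a usable blocklist indicator, but the absence of any TCP session means the report cannot show what the C2 would have served; the same split applies to the .top domains in the CryptBot runs on this page.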
Files
memory/3648-0-0x0000000000400000-0x00000000047CB000-memory.dmp
memory/3648-2-0x0000000000400000-0x0000000000448000-memory.dmp
memory/3648-1-0x0000000004CB0000-0x0000000004CF6000-memory.dmp
memory/3648-3-0x0000000000400000-0x00000000047CB000-memory.dmp
memory/3648-4-0x0000000000400000-0x00000000047CB000-memory.dmp
memory/3648-6-0x0000000000400000-0x0000000000448000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20241023-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe
"C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/2412-1-0x0000000000400000-0x0000000005177000-memory.dmp
memory/2412-2-0x00000000002B0000-0x00000000002DE000-memory.dmp
memory/2412-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2412-4-0x0000000000400000-0x0000000005177000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe
"C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/2084-0-0x0000000000400000-0x00000000047D1000-memory.dmp
memory/2084-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2084-1-0x00000000001B0000-0x00000000001DE000-memory.dmp
memory/2084-3-0x0000000000400000-0x00000000047D1000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
152s
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe
"C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | basessrb23.top | udp |
| US | 8.8.8.8:53 | moraaaasa07.top | udp |
| US | 8.8.8.8:53 | moraaaasa07.top | udp |
| US | 8.8.8.8:53 | moraaaasa07.top | udp |
| US | 8.8.8.8:53 | moraaaasa07.top | udp |
| US | 8.8.8.8:53 | moraaaasa07.top | udp |
| US | 8.8.8.8:53 | moraaaasa07.top | udp |
Files
memory/4284-1-0x0000000000400000-0x00000000051B5000-memory.dmp
memory/4284-2-0x0000000005660000-0x0000000005700000-memory.dmp
memory/4284-3-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/4284-4-0x0000000000400000-0x00000000051B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt
| MD5 | aa2db10c6f4076f716aedb385b38d512 |
| SHA1 | 9dae265c786d6c01d358a52e96d36607848e7106 |
| SHA256 | 74c54ab77f55b9ad37e49efd5a4acc89e753422a7817b9a9b3d52ffa579e0716 |
| SHA512 | 45c65ba85b13237fea61bc3bb6121fbfddf405e62b13f4e2babc39cb062d798a4f8b39aa8a16e1d5230c07c290422478fe2a906bb06502addc560f2577a9eff0 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg
| MD5 | 7e1c7974fcc98b5277ea48754d67e1ac |
| SHA1 | 9ba6a12557d0f3640630d99cb3ae5050374b4339 |
| SHA256 | d4226393bad15206f5f73b7fa339be7abcfa2ff66643e073697abdc6fd6d2454 |
| SHA512 | fb3514a06d281b5bda1ff96fcce6ee91b79fd53cbdefdf2c5512975eb57ed955ba0efc10ad851b27f404243f6582c86cfb14ad6457c35b408f858ebe02014713 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt
| MD5 | 8be5d80ff10cc48eb050edbf1225dee5 |
| SHA1 | e9b752a85013f72503d89b4dbbd60a4762b9f1e7 |
| SHA256 | 0826647551b407df72ae911afe9ef39bf8c4f7ee15301a9f9412584431263742 |
| SHA512 | 8448aec97056a6f56dc84bee5c7a3ffed540935c9286d606c42061b9a6b197ad5c3dbe64170d3195fc974ee6b443dcc94c1b3fa28fe04c89f945cad44bede298 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt
| MD5 | 311264214a63c9258d730e9533f15ed0 |
| SHA1 | 189956df104be53a838dd0760a7c0f803df12801 |
| SHA256 | be4fe0f21c67f9c6ef236492b5061c56c4e675942085ff7dc9cd0f5fb921355e |
| SHA512 | ece68c334a9b108b5665eee7d74adeb9c4c2dcd9d6ce9237e6e8664e0051f19cc3107e7fb462656136e5e04bcd81f0d93d8e884c689991518dc6fa7bcac0388d |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt
| MD5 | eb0ca5f52c2db51fc9f7d7e9e17623ac |
| SHA1 | c1d6fab43cf2f7c8a9b2ea4964cbd6d4bd60e00a |
| SHA256 | 7e62becfdef6dd8de04ba170554ec443ca0cff0c0f37f174eb4920f5e56506b7 |
| SHA512 | 00696b01cfa038d34fadee3b1bef03b02d4c46d740ee4a3ef653ffa986f732f3e839a04a6013e56d7981a71bf93dec337df8ea5cd09d8d044fdae37ec02dc471 |
memory/4284-219-0x0000000000400000-0x00000000051B5000-memory.dmp
memory/4284-221-0x0000000000400000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip
| MD5 | 91df12ed0b5bf0e9875537ab470dcbd9 |
| SHA1 | 15d41418f7c279dbd5b49b1d87d01f9df31a0d16 |
| SHA256 | 4d0b1e915cb26760329f4fc0b06bc6e90d6f2551613172e4efa1260cf14ff88e |
| SHA512 | c092e3772c0958ce3896e9eb3fd4c35f192a6f84a0e39f62fdba1c253331343ecba5ee61ae379d28a2046fdbfdb6a7f647f7f1012fb81287c8b8cf4baacb3d5d |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\i6wyofYjLX.zip
| MD5 | 74fcb9b6bade9f3f6ec0eda313af0b66 |
| SHA1 | 02597d2da12b3e69a63b87f3ed80331e83e9e9e7 |
| SHA256 | c86f30b31dbed9100e9e192a20b410a0b93f42bc4a774b446728012594ea4912 |
| SHA512 | f6d7b318cb6617f38469b701ab3c4575504bf0fc77786f549805ad13787d0625d28d4924aaf81f59a9c8e28cf2503c871925e6a42bf12c1a5e7ddfcdfa1102c5 |
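The Files list above shows the CryptBot staging layout: a randomly named directory under %TEMP% (VqhDiVkQqpn here, GgIFodiI in another run on this page) holding _Files\_Information.txt, _Files\_Screen_Desktop.jpeg and files_\system_info.txt, with two .zip archives written beside them; system_info.txt is listed three times with three different hashes, so it was rewritten during the run. That matters for indicator selection: the hashes of the staged text files and of the archives change per victim and per run, while the relative paths do not. The Python below is an added example rather than sandbox code; it groups dropped-file records by staging root, flags roots that carry at least two of the known artifacts, and reports the archives and the rewritten files. The records are constructed from the Files section above (path and MD5) plus one unrelated control file; the artifact list and the two-artifact threshold are the author's assumptions.

```python
"""Detect a CryptBot-style staging directory from dropped-file records.

Added example for this report; not sandbox code. The artifact names come from
the Files lists of the CryptBot runs on this page; using them as a signature,
and the min_artifacts threshold, are the author's assumptions. SAMPLE_EVENTS is
constructed from the behavioral12 Files section (path, MD5) plus one unrelated
control record.
"""
import re
from collections import defaultdict

# Relative paths the stealer writes under %TEMP%\<random>\ before archiving.
STAGING_ARTIFACTS = {
    r"_Files\_Information.txt",
    r"_Files\_Screen_Desktop.jpeg",
    r"_Files\_Files\StartStop.txt",
    r"files_\system_info.txt",
}

# <root> = ...\Temp\<random dir>, <rel> = everything below it.
STAGING_RE = re.compile(
    r"^(?P<root>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[A-Za-z0-9]+)\\(?P<rel>.+)$",
    re.IGNORECASE,
)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [
    (TEMP + r"\VqhDiVkQqpn\_Files\_Information.txt", "aa2db10c6f4076f716aedb385b38d512"),
    (TEMP + r"\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg", "7e1c7974fcc98b5277ea48754d67e1ac"),
    (TEMP + r"\VqhDiVkQqpn\files_\system_info.txt", "8be5d80ff10cc48eb050edbf1225dee5"),
    (TEMP + r"\VqhDiVkQqpn\files_\system_info.txt", "311264214a63c9258d730e9533f15ed0"),
    (TEMP + r"\VqhDiVkQqpn\files_\system_info.txt", "eb0ca5f52c2db51fc9f7d7e9e17623ac"),
    (TEMP + r"\VqhDiVkQqpn\exUqUje1EIF.zip", "91df12ed0b5bf0e9875537ab470dcbd9"),
    (TEMP + r"\VqhDiVkQqpn\i6wyofYjLX.zip", "74fcb9b6bade9f3f6ec0eda313af0b66"),
    # Constructed control record, not from the report: a lone temp file.
    (TEMP + r"\abc123\notes.txt", "00000000000000000000000000000000"),
]


def detect_staging(events, min_artifacts=2):
    """Group (path, digest) records by staging root. Report roots holding at
    least min_artifacts known artifacts, the .zip archives written directly
    under the root, and artifacts seen with more than one digest (rewritten
    during the run, so their hashes are not stable indicators)."""
    by_root = defaultdict(lambda: {"hashes": defaultdict(set), "archives": {}})
    for path, digest in events:
        m = STAGING_RE.match(path)
        if not m:
            continue
        root, rel = m.group("root"), m.group("rel")
        if rel in STAGING_ARTIFACTS:
            by_root[root]["hashes"][rel].add(digest)
        elif rel.lower().endswith(".zip") and "\\" not in rel:
            by_root[root]["archives"][rel] = digest
    findings = []
    for root, data in by_root.items():
        if len(data["hashes"]) < min_artifacts:
            continue
        findings.append({
            "staging_dir": root,
            "artifacts": sorted(data["hashes"]),
            "rewritten": {rel: len(h) for rel, h in data["hashes"].items() if len(h) > 1},
            "archives": dict(sorted(data["archives"].items())),
        })
    return findings


if __name__ == "__main__":
    for f in detect_staging(SAMPLE_EVENTS):
        print(f["staging_dir"])
        print("  artifacts:", f["artifacts"])
        print("  rewritten:", f["rewritten"])
        print("  archives: ", f["archives"])
```

The archive hashes are worth recording for this specific run, but a hunt should key on the staging layout (random Temp subdirectory plus the fixed relative names), which is what survives across the two CryptBot detonations on this page.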
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe
"C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/2692-0-0x0000000000400000-0x00000000047C9000-memory.dmp
memory/2692-1-0x0000000000400000-0x00000000047C9000-memory.dmp
Analysis: behavioral29
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20241023-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
Files
memory/2836-1-0x00000000005A0000-0x00000000006A0000-memory.dmp
memory/2836-2-0x00000000002A0000-0x0000000000340000-memory.dmp
memory/2836-3-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2836-4-0x0000000000400000-0x000000000052F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | 8a0bd3f407b01943d0b9bf720955f801 |
| SHA1 | 5665f3000a5671d4834eaf99ef640cb9041d0dd4 |
| SHA256 | 4f14f0083550c0d86971df9b249903ece5f36d864f051778fa5779a0b81956c7 |
| SHA512 | 2181548dab06b14402c49e710e7507d4a70a5d433b0f03e9649b3be886e070bdc3499e80977128e7c9d451f729a503ebd1f6d5b7a5673d53a22ab3e1bf8d6afd |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | 60f47cfc21b618e2c3a9d1318ffeccba |
| SHA1 | 138b7cb74074744c9031dea1b6e6bc632b63e927 |
| SHA256 | a4d67dccd4dd521d34b0594045353ff9bbd2c269dd0c1a9ef6d8c809a59b7c57 |
| SHA512 | a04fce8b707d3aed0c04f244549ff44c4c7aa54a7ad7dca45123a4b77ba49b06f451a7ab43c61ffd5f46ef9a386db26a9f9190bc792bafb9c1eaf0cd8e4126ee |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | 35a54761c51414e7bd44a9cfef652314 |
| SHA1 | 0472649f4e39fc6aef4c827e7817487ce83bb07d |
| SHA256 | 1f66cde9fdba552ea269b4b2f35606c869cafe42265b10e0ac664454f55120a0 |
| SHA512 | b9f06a1d74904e3eb8dd2693854cd2d154b20a0cc25fb23005b7fd9dc56d21efb13bf2658a80f72a584679d99d4362ed9d265da69e8bdf6dc59ecac3f9868744 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | ce5a4c5df65981c9a15e2d4c17fc07fe |
| SHA1 | 7da68f3ac02a64d93e84a2fa91a4c87e5b72d860 |
| SHA256 | a7746c25510d8568b98b27ada2a91a40ea1a0ff67f2f71d381e46a89d6c0ae3f |
| SHA512 | 415f80f1ae5171b5baeed29c02acebea328271e0d284d9241f7d3f5c73fb97a2689d3622fd3872240e304ad13c9ec160741051185e94a910ffc21939c1356373 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | c0d24ed3c41cee29c39d85cfe2f98576 |
| SHA1 | ac7b9e4d5b920f4882bf9970e204fe9f1619c6ee |
| SHA256 | 8edd794f8ece18de9eeddc54ab0e430444dab0bfc033d39fdd1b1ac5d3f49520 |
| SHA512 | 165766bc12061bfc879f46ba71396f7fe6f5ed5c7afc5441431d8b0091c0fd30ba33817ea4e7db3e957b8c18d9469f02f298433da873ba07a827ae330b42407c |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | c757c241dd18874002c79c291ebda34c |
| SHA1 | 82f8078b2e3d6bd611fc889d426328ccf267db22 |
| SHA256 | 19fd8dedcd7fb7fc45a33bb04df161cd3bb3966c92fa9bc35bc53546eca6d589 |
| SHA512 | cd757c721376f25d930898bd04c8c421647a503bd9aaa86d0668980a27ccb05a2d221fce0f4bae4792109286eb3a89e318c14a8b9ef22a2d6c28433cdf6caf71 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | 7a3e9706e104b280edf5d44ffdb7b285 |
| SHA1 | 00aa2221725fca2ba10df19f60301e0f77e2f86b |
| SHA256 | bd2d2aa86925f3f5eb86018749b7425944e48cdf53a36b1d34ddf6f3a4537513 |
| SHA512 | b27f1e1d0a9cedcd70d7d1edd91066d8bec993610656745379b5744def4be199f44c1052dc4d0d1f383627a03a35b4c01fddd66c475de8c522e7f2bed7c4be68 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | 68c9dfcfcf1e77949f59df3d16d351a2 |
| SHA1 | 5246cd4200ff22da288473b84d28deaf8524f31c |
| SHA256 | a523cb37dfb619ea7b524600fcfd6417b70c39d5e44045a035104aa1a3d0ad36 |
| SHA512 | 4a39dd4c8538cfa1602e683abe5400e1b3d2fb33009eda8e4b09b7047477f3e437372155934d840ffe6d3bed0ebcbbcf71e9d65473cb2cc3a60d82b1246c580f |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | e0fe3d2fe4a02850297db83e5d8cab49 |
| SHA1 | 611000e76a4f14361d25b99e9265cb8226db40f7 |
| SHA256 | fba88425f8d494ce7b2c1dbc36c44d6a19b109f8ca891a583e44b5f54191cec9 |
| SHA512 | 3bb34dfd4f5e33b86fd971a56fc4073ebdd19de59916b122ad336485d06d228cbe270628db69eab2d0a947f224c53525766127b974e31f69b940d836bea48e7b |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Files\StartStop.txt
| MD5 | a52ef8b9bb0e5d26e6bf28c613d71be0 |
| SHA1 | c774360d6d70a984690d118292d58c389014067e |
| SHA256 | de694b9cdae4aff1cb799ecda251028bffdfd8d86e6c315fe7ed4b9fd5462dac |
| SHA512 | 417ceb9b9455ee020a8b0703acc42babd753de67e3efe72e9771f7c5e3286e177cdbdc0dc997b59b6931f6b9fda3ac476de4cbd487ba9b104b3853d92e4e7172 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg
| MD5 | 76d73e8b0bad36d3e16be99d718d9add |
| SHA1 | e2ca0149da16ab57f19180c5e22085540798f57a |
| SHA256 | 15c579422d25b762e354fdfcd59dc8570cd34c8a6143c308bb86239765840c1b |
| SHA512 | 630e5dd1231f0a3a788f43f5407497f6103158d111aa2ffd01b3b4f7ed539ef9676cafaee7d38f3f2f4096b88e6fde927fd282094efa27c7970bf786d90ccf3f |
memory/2836-226-0x00000000005A0000-0x00000000006A0000-memory.dmp
memory/2836-227-0x00000000002A0000-0x0000000000340000-memory.dmp
memory/2836-229-0x0000000000400000-0x000000000052F000-memory.dmp
memory/2836-230-0x0000000000400000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip
| MD5 | 6b2523baa3c207084c14454eb7fd77cd |
| SHA1 | 7d5bdddb2494f925468e290370cbef223bddb457 |
| SHA256 | a4cdbdea81b10d5e58de218897f46c3373beb5527d7f41f273269e20cc83e73c |
| SHA512 | ae3e06cf382e8ecbe5f2c9c4e53a31d2083b4b5b55084a37db841dcbbb93ef62b0fcbf5133518728da59b5ccdef32f3cd74c40ae2972d7038f8c66b8971af5a9 |
Analysis: behavioral32
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
118s
Max time network
153s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe
"C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/2996-0-0x0000000000400000-0x00000000047B6000-memory.dmp
memory/2996-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2996-1-0x0000000004950000-0x000000000497E000-memory.dmp
memory/2996-3-0x0000000000400000-0x00000000047B6000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe
"C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/2316-1-0x0000000000400000-0x000000000517C000-memory.dmp
memory/2316-2-0x0000000000400000-0x000000000517C000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe
"C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/2584-1-0x0000000000400000-0x0000000005177000-memory.dmp
memory/2584-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/2584-2-0x0000000000220000-0x000000000024E000-memory.dmp
memory/2584-4-0x0000000000400000-0x0000000005177000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe
"C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/1704-1-0x0000000000400000-0x0000000005177000-memory.dmp
memory/1704-2-0x0000000000220000-0x000000000024E000-memory.dmp
memory/1704-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1704-4-0x0000000000400000-0x0000000005177000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3280 set thread context of 3512 | N/A | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe |
| PID 2208 set thread context of 3712 | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe
"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"
C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe
"C:\Users\Admin\AppData\Local\Temp\1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b.exe"
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.189.79.40.in-addr.arpa | udp |
Files
memory/3280-0-0x000000007487E000-0x000000007487F000-memory.dmp
memory/3280-1-0x0000000000140000-0x000000000019E000-memory.dmp
memory/3280-2-0x000000007487E000-0x000000007487F000-memory.dmp
memory/3280-3-0x0000000000BC0000-0x0000000000BE2000-memory.dmp
memory/3280-4-0x0000000002490000-0x00000000024A2000-memory.dmp
memory/3512-7-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3512-6-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3512-5-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3512-11-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3280-10-0x0000000074870000-0x0000000075020000-memory.dmp
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 7c206dae3d5cb963584b75a2ecce94a8 |
| SHA1 | 7eaff221e85eba8400bed8f7dc156b7984f2e08c |
| SHA256 | 1fe8e976dc31ecc74c27018b3a7550e3c16c39b05f17237a39f59a1cf262330b |
| SHA512 | 62d67495e0ea6a689a90fcd347b73331866b36c3a2cd865a3f799b2ad31805426dc60b065ee8326912b07182893ef134304d985eae920ee771173c16b93b6b10 |
memory/3512-18-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2208-19-0x00000000746CE000-0x00000000746CF000-memory.dmp
memory/3280-20-0x0000000074870000-0x0000000075020000-memory.dmp
memory/2208-21-0x00000000746CE000-0x00000000746CF000-memory.dmp
memory/2208-23-0x0000000001830000-0x0000000001842000-memory.dmp
memory/2208-22-0x0000000001950000-0x0000000001972000-memory.dmp
memory/3712-28-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3712-27-0x0000000000400000-0x0000000000427000-memory.dmp
memory/3712-29-0x0000000000400000-0x0000000000427000-memory.dmp
memory/2208-30-0x00000000746C0000-0x0000000074E70000-memory.dmp
memory/2208-31-0x00000000746C0000-0x0000000074E70000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe
"C:\Users\Admin\AppData\Local\Temp\1017f357d88223cb18ec43554b65f2ec3f2d67851c7723f3a21bf67d7f02f1c6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Files
memory/3880-0-0x0000000000400000-0x00000000047D1000-memory.dmp
memory/3880-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3880-1-0x00000000047E0000-0x000000000480E000-memory.dmp
memory/3880-3-0x0000000000400000-0x00000000047D1000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe
"C:\Users\Admin\AppData\Local\Temp\152de8e813722eadbc25a08e1871382a887505388e03991595572bb632974e2e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | basessri42.top | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | moraaaasy09.top | udp |
| US | 8.8.8.8:53 | 59.189.79.40.in-addr.arpa | udp |
Files
memory/2904-1-0x0000000000400000-0x0000000004DD7000-memory.dmp
memory/2904-2-0x00000000050A0000-0x0000000005140000-memory.dmp
memory/2904-3-0x0000000000400000-0x00000000004A3000-memory.dmp
memory/2904-4-0x0000000000400000-0x0000000004DD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt
| MD5 | 4f34cd42994b5c03d5f7f5fa024cc9fb |
| SHA1 | ef482103e1b02784d0d55d8f8f957ded0617577c |
| SHA256 | fd6fb484aa07a17c64f2edf023d3256aaaa79051adb141f509188f492a14fa61 |
| SHA512 | 68055bf6c1b2689ada13297ae7dbf9beb5cb41e357b0d50563d7e3750bb1bedbf5fb344d3ab2e06f2ff727050cadba24aa4b5b549f4c5c41ce4dc9754a68b24f |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt
| MD5 | b144cc96952701c0dddfdd49dde7fbfc |
| SHA1 | 183002c04e262e0386550420952d0191ac47d51a |
| SHA256 | 03b58903a31f9781d2b10a7df019af3d099078df20e1ad6dbb610d8bfbbcaee4 |
| SHA512 | 3d1fc5188bffd5116e9ddff2902a451b49d8a8ed211c03d32a5d3161f931e0b4a26bcf0f9072d772769e750fae1479976e003e49f86ecf6459962503503a1a30 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg
| MD5 | 2da7eae9db1b714813c23bafdfa8ebc2 |
| SHA1 | ad43e12a09359193120d52b4c4baf981265c431c |
| SHA256 | fbbbdc8603f484f4c2dea195c961c3e41ef1da404201c56251d540010999c760 |
| SHA512 | ce93e1bc00cd9c0e6392ce90cb7b50f66dd84a593f70fe37758b672fda56648a132ede3befe5867a71afbae96e518fec129c10fca54003c33841fa9ac4a5e349 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt
| MD5 | 0b7047eae4da8d0e423f359d4dab4d1d |
| SHA1 | 27d5feeb1fe3418046a3ad85b0b03fcaa24b9043 |
| SHA256 | 553a539fbac287e44cc689f05b38101384ffaf260bd8f431782bcec1f4a46fa9 |
| SHA512 | 16f2e7921b9cd7880546832118219e9e3d2de8ea5c44d8b750e8c4184a754355407206f47d80f3464ba0ca9753bd9c1fbd460828c13ae8cc29aa6773b3618993 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt
| MD5 | 200ce97704f46bb88798b680df10a826 |
| SHA1 | 75276cc13ffed8d1e99fa4a094773234f886b84d |
| SHA256 | d56b9aab4961a26ec243e0d0409f00b7f1606896c39e14bea3da55619b7a9417 |
| SHA512 | b34a0ffc2cbe152526560d3d53a84d71fbce6eaa7dfd041b7d3021670213c99196ea1463813cec14d327d2bf16cc2978fe6d0e180c7ad21f60afbc4c09410f8f |
memory/2904-218-0x0000000000400000-0x0000000004DD7000-memory.dmp
memory/2904-221-0x0000000000400000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip
| MD5 | dcf742f59f682b0a887d35c096b0dda8 |
| SHA1 | 23e414f9a246d0753d19a76bb6a70a20b89155f0 |
| SHA256 | fdb53e98c405c6ba32105fe63b3b03e2991a4d85bb344a55876af105306c1c3f |
| SHA512 | 6f02bae33b61d15f4241e7162ab7bf4a64710657d3d62c603e286aa6468884faf7e13ec6c813021ba18a9ba05dea602b1f2b3a7c587722ee118cb29c7b7b8620 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\jVtKZ23rKJi6.zip
| MD5 | dbd391e36a6c60c1d1359bdb56bbb327 |
| SHA1 | 0faef71e451f94d61fff0d6952a96606b3f4ec75 |
| SHA256 | a3187ca57bb20442691aef856c86c1c9a70e6ff3e20970f0a751ef4aaa5caeb4 |
| SHA512 | 0cad32ac080ba6655beca58371658addb22520035d87f521c9b6186ac7a4fa0cf957bd5d3a1820ebd307a1523bdc38a7220035ab80aede090c50673381813431 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe
"C:\Users\Admin\AppData\Local\Temp\18a7c9bb155a24636fb7679c2c33562f66a85fa29949493d4a2dc31b0443321a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
Files
memory/3140-2-0x00000000007B0000-0x0000000000850000-memory.dmp
memory/3140-1-0x00000000005E0000-0x00000000006E0000-memory.dmp
memory/3140-3-0x0000000000400000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Information.txt
| MD5 | 608bfa1d367daf50d0cec2d64e9962f2 |
| SHA1 | a0362210804130a0f1fdbd725796adf0e270beff |
| SHA256 | 0f48e960b2f1fa7c749cf1c29515393bd2659efdb4542794bc4a6a37a96cb471 |
| SHA512 | a1b96371ea83be0d748a89d300d2cee0416cd6dec0e71c220feb33b3c06e6e5dc73c9cd10d1e04bcb9bbb3c134bd761da6fa01e3e2e50027898cbceee421222c |
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\files_\system_info.txt
| MD5 | 233bc14eaba21d80927a9b552266d3f4 |
| SHA1 | ab06c097f3596ae91022117cb0befa854af1bcb8 |
| SHA256 | 00c338995131db9eea9c087097189de439aee2487d7e981821b7c75e931b53f0 |
| SHA512 | ca9c272c7d80ca997dba82f25002cb13e039cc1a58369bbe5748a1a8206ea497fa287cd77447845d308e41a07c605808c1895efd00a172b9668b68782fac1208 |
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\files_\system_info.txt
| MD5 | 02cf311a5e273802dc6878211d2b8dd5 |
| SHA1 | 4c54ad41bdcda47a3f597a013f478241bbe81fc5 |
| SHA256 | c284e51dc73f37280c6849304e27398b8623c54fe85da9c51352e86848d3df56 |
| SHA512 | 04baddb9eed7658f16910e8366cc2a32c470a749b6a97f2fa01613bbdc95e880adedcabdbf21b5c7d65c05c772830424caedcabd30fa19a690bb5794648f54b1 |
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Screen_Desktop.jpeg
| MD5 | dedcde8de4b6b64bd0f5e371ff3c083b |
| SHA1 | 87e7d0839cfc9b33640c1732a576a78ac1e94a92 |
| SHA256 | f13bd39c581362fcd9eaaf978c1527f535e38d5d4ea39ceb7ce4df92a643508c |
| SHA512 | 7e6771f1bbdb382570936b851b682dc726f9d37670b45453f2420db60e170706e0a563a6ce91f5a4bd39f37dba8a297e0396c21f0feb3c95e67ce02828c7a366 |
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\_Files\_Files\CompressWait.txt
| MD5 | 09f79ca4b3356d9c5c4589bde59ca492 |
| SHA1 | 6502ecf4baac9259cd2cca6cb46289f0d8bb3f16 |
| SHA256 | 6445e7509d43af45301f7c11821c4c4e44399111e51e532fb2ed690de95df4ce |
| SHA512 | 4f0ba86d6ce417700b1cd1e886da6d197eca9755a152e1a8b0d764dde020f678c7efecef722d00c1b2ae6f5a563fc6392aa328d981631467dd1148a46ed27dac |
memory/3140-222-0x00000000005E0000-0x00000000006E0000-memory.dmp
memory/3140-225-0x00000000007B0000-0x0000000000850000-memory.dmp
memory/3140-224-0x0000000000400000-0x000000000052F000-memory.dmp
memory/3140-226-0x0000000000400000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\p68ah4m5Lye.zip
| MD5 | 3e8c022d6bb37a47220d18c3dffec48d |
| SHA1 | 575a45d5b782a262e15a3d1c2ea6d1cb05c69c45 |
| SHA256 | 9efb7f4bbc787b03b9a2b019d3d125a5f7545e5ebe350f4dd372728955c45241 |
| SHA512 | 5ba0714f943cb59d451f2a839bbd64172296216c5aea89d19cc16e4ff2fd7d12e728d5e452f438984279ed071cd7b7d7cf9b3416491086d9b7a888c8d1cc3b3b |
C:\Users\Admin\AppData\Local\Temp\3xPqTlA8vRF\LaZuGlRq.zip
| MD5 | 22b3b5ba3d06c347e128e8e231db66ff |
| SHA1 | c87b20261cb0852c52c061caebd6e49d31e2c6c3 |
| SHA256 | e958945142fedafaeb6e46bb49a5d48153fb103d19b8b2be147750f254ae2793 |
| SHA512 | 48a4402c87273ad6f2673745b67ea124f7a4ba24d72b9e8c4f77eabb76df93574353cdfae3f03b329e518164dec906d7a7bea61052cd9516955d8ccb2aab66ae |
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe
"C:\Users\Admin\AppData\Local\Temp\1c429652e66bc481a2ce0309e4389cbcf93c1bd9727760d70418b9071a6818c5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |
Files
memory/3540-0-0x0000000000400000-0x00000000047C9000-memory.dmp
memory/3540-2-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3540-1-0x0000000006410000-0x000000000643E000-memory.dmp
memory/3540-3-0x0000000000400000-0x00000000047C9000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
149s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe
"C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
Files
memory/544-2-0x0000000004D00000-0x0000000004D2E000-memory.dmp
memory/544-1-0x0000000002FD0000-0x00000000030D0000-memory.dmp
memory/544-3-0x0000000000400000-0x0000000000430000-memory.dmp
memory/544-4-0x0000000002FD0000-0x00000000030D0000-memory.dmp
memory/544-6-0x0000000004D00000-0x0000000004D2E000-memory.dmp
memory/544-5-0x0000000000400000-0x0000000002FBB000-memory.dmp
memory/544-7-0x0000000000400000-0x0000000000430000-memory.dmp
Analysis: behavioral30
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe
"C:\Users\Admin\AppData\Local\Temp\26ccb116f44f24784c0c2e9e2f4f796b239ce96c34246b50194342c76fa3198f.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | needioerw02.top | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
| US | 8.8.8.8:53 | moraffdds01.top | udp |
Files
memory/3928-1-0x00000000007D0000-0x00000000008D0000-memory.dmp
memory/3928-2-0x0000000000700000-0x00000000007A0000-memory.dmp
memory/3928-3-0x0000000000400000-0x00000000004A3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | 39e2452945540549ccdf189ce19da20c |
| SHA1 | 63a1ef8d0e49e974427ab6dd6d27517df3ccc59f |
| SHA256 | d1e8a5c38151f883ee6d92824ea8fdd3b4c62a91077fa8a154d59120fe3cc693 |
| SHA512 | 793e7fba4461fded76fe1dc4c4d18b465fbaa34c7ab9fee4cd5c78c93a1ede81381f5c610cdb6ba13c0acf648a7a60d81c3dbb3ee7dcfb64018c5731d5b63553 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg
| MD5 | f41db03dfc0a0d09ad72444b0cbbfaf5 |
| SHA1 | 7185fe78cb4b1424bddb53b3e20c015c2dd8371d |
| SHA256 | 0c0933fe3ee28bcca614d693515fc4e44cf057fba74a131efb03980c83dd39de |
| SHA512 | d5507f29b0a869642c17dd730571473560164280695f2e31688b8986a9e278a7e6247fb9dda7528c80954373659b0e472987ef17b6c67dab37b661285a6ed0de |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | c27b0ade13757dfe48569ecbca483e9f |
| SHA1 | c658d8e0a24e7d6390ab85ff7bddf8efdef31e95 |
| SHA256 | 7b7e410cb85ceaaeb645eec67989a6d386e8db8141de0321795399647b075bcf |
| SHA512 | 9b1f8c30a94f97f1e3fdf86ebdeed2c89ac78aef14f853e755935e1f51ec80cd7bdd0ddf8fe21bb6dda0fb0e6d168e5cec807967ae137b189d42b11278eb92a4 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | 482908618347c2f83da7874504176f04 |
| SHA1 | 948fe7455823cf94033a408f2040e7b4c5c1876d |
| SHA256 | cf3515f50c5a4cff8f11f28dd64e813d9cb6f15a6fc5c98a9578a6307a76f26f |
| SHA512 | dd984529262e80aaa0550b01392944d7e30d2ee058fcf784b27a298a494660b0235734a2f27a99573b8e66b368b5282a0f5273a693aac52318829aad1bc021db |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | c59e1b3113d29dae2ebeaf0ea220f4dd |
| SHA1 | f52a2ec0f609336fa92a5c58f27f782c67a92454 |
| SHA256 | 354de3e8c5094857296ee101377549d39fd7e7c7ecf8eca7520542bc9bae0ee0 |
| SHA512 | 5006d36062437ae7c3349003b3316b46691dab4a16630b1ff656b3f9e972c113434a705d82610b3ea6c88ca3a6e69c3878d56fa53cf69358134e703aabd05105 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | a1bb22ba3fca7b9a8ba5f437ab57c2fc |
| SHA1 | adaf3df9ba683445f8570e9a8864e5be61dbfbd5 |
| SHA256 | 240cb0c84da8ab1ffa9b4c8d8fff80f739f295082b008faac463e5dc8549b874 |
| SHA512 | f4514a63a5112d668de20b7a13a114b9d8f88111a681bd4699d3b814920fc2ba75511010826e793997c860354f05d299ceb4f2bc9f1fd63f1ecf817e610480a2 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | deef5e8804faefcf411d53190fa09e98 |
| SHA1 | 45229ec8f2fa59f7cf2a533a2cf8b76cfaffc3f5 |
| SHA256 | d1082c2cf7a84d3c05678485fa141a5b46046988fcc69f2e2e2a4cda18d45634 |
| SHA512 | c83208ccdcaf1f8915ba04ea4d297483204005bf4c760fb3e07f184af524a1c039fb9cd5910d82357419517a46f02128d387128dda436e2e1064f257e31f823e |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip
| MD5 | 2c404be853aaac1d5801afbcb3f3a40c |
| SHA1 | 3cc9120a8663c88db7c1a7e6832ba207f9cdbd53 |
| SHA256 | 921c3a26b170704f63cd9886ac375bc5e510115affff30c56f0b1d6a5a1f490d |
| SHA512 | 73ac68cfc11b6457b97538909c1a7662ad3a4acbaa24512a09072a2a6241d40f80c347b2b4abebfb8867e0ea402b76fd931a93769b51fb12319cd4e244e68c3b |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\nPbiXXTb.zip
| MD5 | 55d5602d16e32e6457b2edd4cc6e2beb |
| SHA1 | 6d65ec99ffbf01c5179e3385532d08dcec367134 |
| SHA256 | f8496a84c8af2941b99a7aa0129aff461bb3e1fad370a47c77a575824e0d11f6 |
| SHA512 | bc9441fc60751b0fbeeff5223470653e16911c0ffbb7d087ea380823eca5784ac57182528596800399e80be5fb2f035f405d57bc2990ab790cebfac0c7b5cb73 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe
"C:\Users\Admin\AppData\Local\Temp\078db59624b35fe4dd0fe0420bd99bd349aa053ef07c982fdc6a58effd96c76d.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe
"C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20241010-en
Max time kernel
149s
Max time network
158s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe
"C:\Users\Admin\AppData\Local\Temp\08b9d4c93970927de49d4c012b62cf663a181a83afc9f6be03eac0afe0e736ff.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 172.67.75.172:80 | api.ip.sb | tcp |
| US | 172.67.75.172:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:80 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 104.21.85.189:80 | ipbase.com | tcp |
| US | 104.21.85.189:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Analysis: behavioral31
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240729-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe
"C:\Users\Admin\AppData\Local\Temp\2936e6b87d417380f2f28b8274f791a526d2dc7b2d9c014b80e8c88ab9ad2099.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe
"C:\Users\Admin\AppData\Local\Temp\083d3eee7980bb0b8f28a0452ed2af47610e747db2823a0ad6eb7dbfad7ef98c.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
84s
Max time network
153s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe
"C:\Users\Admin\AppData\Local\Temp\08c1757fc2332f7d219bf2c7bff648ed78f51106e262e6e6f3ade6b0e847dff6.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240708-en
Max time kernel
57s
Max time network
122s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe
"C:\Users\Admin\AppData\Local\Temp\231f15571a7f90c6c74f0f6eb57a813a54fa927b5c13610e5d6ff680023852d3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gc-partners.rest | udp |
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe
"C:\Users\Admin\AppData\Local\Temp\253a433e14fd88a5d504c492279fc0a4f192023768409738a11c17790499d66a.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | basessrn17.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Information.txt
| MD5 | 55f067c761be97fdfcdee685d28dcc72 |
| SHA1 | c42674dd84086d02a052d3995648a0672ebf0574 |
| SHA256 | feae4808b816dba5ee8346b0933b6bae209764017f6bef4e468a23fb3d4a4147 |
| SHA512 | c862e504af35ef9158b4a5157a44083719bbae47fdce873ffd690bc91d9c47d4b58282237c7ec6d50e91c4643d35f4ea0da606d03e34f7797577f24530813335 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | 412723766fba16535c4dc04b5ab1ffbc |
| SHA1 | e1a9ddb546f3d5f40f564d9e6ae8c16b41b2eefa |
| SHA256 | 460379f98f712ba8106a2489d35da51de90d46d306a89e57e6c088fe4043c43e |
| SHA512 | 031e5fbee9d1552aec12aebeddb164a5261d534d52950d80b3548014572e3dab9dda4719af22fcf59303d0ac351aaa51b2aadef65e30a41b203ae7cab89773d7 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\files_\system_info.txt
| MD5 | f7e600180646f8020b2c184fa42139bd |
| SHA1 | fb49032c5d0dc688ce83aa82de5cd14ed302c6f8 |
| SHA256 | a12e414eaee7022062aa042ab2098d2b01747f4e6ba09908b7b9860e5022ca07 |
| SHA512 | 289b471f9c4309140add9bb2b4599bdd52ae0a7bc997cdca55cf819a75342d0f68e8567f8fd067490f09579ce97eb591433139bc57a7cd993b9b7af85536d0d7 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\_Files\_Screen_Desktop.jpeg
| MD5 | 52a76bcfa17c99d01a5b59cbba2aed62 |
| SHA1 | e7689d10a84f83283f2c40e4a0da14e8fd0bf642 |
| SHA256 | 6799ddc6ee8cb096d0e23058b699b13cc877fefd37e0c0611ca27706c8fa79ff |
| SHA512 | 7d2c04858d094cbf13491b7c2e8dbac208bfa83c9b3ebd9686e6c6e7eba70fd5e85a8a8d332f9fb1488be334738f12b97e044947d1b23ed2d50e86ad3af9db74 |
C:\Users\Admin\AppData\Local\Temp\GgIFodiI\WSOGWnVpPzqm8.zip
| MD5 | f462ff2b77fa7b6977a4bca5588bc540 |
| SHA1 | a936a6939db99f94b7aeb80757909d905e3548c2 |
| SHA256 | 6ee50f1055c3672c4dd2c5336e02d56443824b434318ca1d7533f54a95cf7a2f |
| SHA512 | e6967503672aedf2cf73c966ad3e8bff4d2306748b2629b1fec6340178fbd348912b3b550eaaafb843ed1bf5685795e6e3a47145eae5c83408f31c4ca6f5a572 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
89s
Max time network
152s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe
"C:\Users\Admin\AppData\Local\Temp\07f59c1814f6b5d712b6bd55b180bd9d69890eb337b44977749a59bf39958b17.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win7-20240903-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
CryptBot
CryptBot payload
Cryptbot family
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
UPX packed file
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe
"C:\Users\Admin\AppData\Local\Temp\0d08ee2ca8d53593d1394983068966c0f0f978afa9942e5df703f61a0579a9dd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | basessrb23.top | udp |
Files
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Information.txt
| MD5 | 3c81f4967fe17a60d3fbcbd075449acd |
| SHA1 | e5791f78ec603b258d1b17864474a99efd3c64c6 |
| SHA256 | 16dbf784f691381515871ca443c821e00c3f969cbf55690d9f4cc3bd2160a805 |
| SHA512 | 21d85aa5a0000470a8bc81343fb4b3488ccc2f6a62e6415f9f65850304b94779ccd9267d73c582fec00e58ca824bace7ee67d7833819c7df7c929917975a9d97 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\files_\system_info.txt
| MD5 | 996205af5187ae51df2c89d5e78e5f3d |
| SHA1 | 1786978860f407adb48a30fc973fbc7210f19060 |
| SHA256 | ce687913e7ef01efeea0927fa051e2508dcea54d3e93a42c02ae9bf56b4163ae |
| SHA512 | 9bacfb28693c23631a8edde772fdc39a4dc52324e99bf4c003f1ee0476a3e82cda820e3bde5de9b8e3c0c015805354db1eaa57a21321110c4e7210b27f02c43f |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\_Files\_Screen_Desktop.jpeg
| MD5 | 0ef4cde8862b5c23f8c1e0a14c362d08 |
| SHA1 | 9904baef689e5d27f0d4e1aeff5e1b8cc6d1a656 |
| SHA256 | b061ebe8ff240f3bbde80d1b3ebeb0ef891be61a2c6a3cf49a3da04dd964050f |
| SHA512 | 01d39e31f7c96b5adc2486d076308d37541aabc08f29158800476a6e51737fdc53f4596cf58113e8690bee63a77a597d5316ed89b11d79bbdf51c6ee34d52591 |
C:\Users\Admin\AppData\Local\Temp\VqhDiVkQqpn\exUqUje1EIF.zip
| MD5 | 09c6f936b2f4c6c423cb6ddc96885fa2 |
| SHA1 | 0a290165c493ca398e5b7be7f850ca98ea966c98 |
| SHA256 | 9074a7bf5d33243e6db0bf9decce39a84842123c7b3b386455f050ca35cb1930 |
| SHA512 | 553edb8e3f257b878431f3c0c892bbdd288021f335ecd6b59c71a43baefa1301a263034a38f2b521ec8b16cec43432f69f3752030cf02210e125a03e7e2bf52b |
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-08 06:43
Reported
2024-11-08 06:46
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
GCleaner
Gcleaner family
OnlyLogger
Onlylogger family
OnlyLogger payload
UPX packed file
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe
"C:\Users\Admin\AppData\Local\Temp\0d1c17f83137538366a2ca9f2948458b00943a4b5033f5d0b9f25f85af36edd0.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcc-partners.in | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |