Malware Analysis Report

2024-11-13 14:22

Sample ID 241109-exalsazpck
Target c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818
SHA256 c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818
Tags
sectoprat discovery evasion rat themida trojan spyware stealer 44caliber pyinstaller redline asap infostealer boss8 echelon collection ninja0809
score
10/10

Analysis Overview

score
10/10

SHA256

c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818

Threat Level: Known bad

The file c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818 was found to be: Known bad.

Malicious Activity Summary


44Caliber family

RedLine

Redline family

RedLine payload

SectopRAT payload

Detects Echelon Stealer payload

Echelon

SectopRAT

Sectoprat family

44Caliber

Echelon family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Sets file to hidden

Executes dropped EXE

Checks BIOS information in registry

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Themida packer

Drops startup file

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Browser Information Discovery

Unsigned PE

Detects Pyinstaller

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Checks processor information in registry

Views/modifies file attributes

Modifies registry class

Kills process with taskkill

Suspicious use of WriteProcessMemory

outlook_office_path

Analysis: static1

Detonation Overview

Reported

2024-11-09 04:19

Signatures

Detects Echelon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Echelon family

echelon

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Crystal.exe

"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"

Network


Files


Analysis: behavioral14

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:21

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe

"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"

Network


Files


Analysis: behavioral17

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20241023-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe

"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"

C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe

"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI14722\python39.dll

MD5 c4b75218b11808db4a04255574b2eb33
SHA1 f4a3497fb6972037fb271cfdc5b404a4b28ccf07
SHA256 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2
SHA512 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:21

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsAnalyzer C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe N/A

Browser Information Discovery

discovery

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
PID 680 wrote to memory of 3680 N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 6816 N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 6792 N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 6772 N/A C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe

"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"

C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe

"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network


Files


MD5 087351dd1e9508a29633e03dbdc7d2ae
SHA1 284a7662e548ea9179906bc4ae013d04d4f5d09c
SHA256 a048bae40ececd2d56a79216c8552e3a3e6f9c4bfa1f6fb1c4987b954b80bcb1
SHA512 cf3e9b146ef20c0c50ef07650cc13c4b9f70632dcff9783df761d2a8b6e0e0f25f78a290db3b6150bbc83684ecb000bc8bb2d7b7fe283d40822b7d09a605228f

C:\Users\Admin\AppData\Local\Temp\_MEI20202\libopenblas.GK7GX5KEQ4F6UYO3P26ULGBQYHGQO7J4.gfortran-win_amd64.dll

MD5 0119d61f73d023d9a51e040cd8764ca7
SHA1 8607b40dad6aca39df5752ac722ddbd2d0825606
SHA256 14a58b4ac68defb67c5dcc10f9740804ca8eafa6ddbd1a459e6651f740d81552
SHA512 297dc4078512a00275932d698b5431aa0307fd72485423672bd7e59c7060e64906852b639fcad28cf50e146d37085fef1210953d01227aa04fe8b25700a5353a

C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\core\_multiarray_umath.cp39-win_amd64.pyd

MD5 7ecf2a96fc0b0024186361324b5bfc2b
SHA1 877c74b2a017f2f789fae64b69363561956b1dfd
SHA256 77e322e541ab58ef0363b1f747bb48a8f650958bc5414ee471b3f067a4b6769a
SHA512 23be248dc1a3428f716f98985d9436ba5a7ab9022a13a0d9eda38963535504abfd1c46ccbc5b5fa9aee0a9b725d6dca403aaa80bff9aa65df6a95c178b0186c4

C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\core\_multiarray_tests.cp39-win_amd64.pyd

MD5 65c1da609a369c772ae106dfcd8290a4
SHA1 43c62f2d96d587db653ec29633e87e0a3c67e4f0
SHA256 1fa45bea6cf1d8b175cb6835aba649ef88070ade9b16eccf3895e8525bbeb7ea
SHA512 ffabecd5ffcac9ad1421b46dd706d367800ad4ddefb5a3e725d71e2b4d31c2d288d8a71fee60c85b698511bdf9863596a409b84f0f61eb01af6a7e53f939a722

C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\linalg\lapack_lite.cp39-win_amd64.pyd

MD5 72aa1beb9a4ca55dc51e3da7cf6b9eba
SHA1 666c110abe09e9a29a813cd93d5c7c97e47a9701
SHA256 088e025cd0fd0b27c08caa40fc436a4bc99ce1b62721c4b855c8010e4631dbb4
SHA512 963c6e88ccbc81ed9da8b42bf60257403e9491bbfe718a72881eecaf69e0326ccc74ab0bacc1fd01817f9000744e2759dcde447a3d1e9122115c1af32d5d8d47

C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd

MD5 cd10932fa83c7822323bbf0089b6f3f7
SHA1 32f9bbc17c78c078e78857e954c5f889fc066acf
SHA256 6158e604c71bed88ab5a0dac409ca24676dd288e60e01fe2f9be56bcc2f7bf52
SHA512 fb697f2b8693d328dd2d8e29430acc633efb10bdeb125b0eddb46ce496e576ebd223ae803ed9dd2eff2d2f6735d74db0a49f0a71d0c268bf5b20b8909cd9eacf

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe

"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 freegeoip.app udp
US 104.21.73.97:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
US 8.8.8.8:53 71.209.67.172.in-addr.arpa udp
US 8.8.8.8:53 97.73.21.104.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\main.exe

MD5 53476f1737d178939ad93e38465fddd6
SHA1 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2
SHA256 b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43
SHA512 d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

MD5 5b8d83823531d567241106b9cec66d06
SHA1 4a34b951287719ca9558fea764262ec8af52f20d
SHA256 5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5
SHA512 c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd

memory/1932-20-0x00007FFBC4803000-0x00007FFBC4805000-memory.dmp

memory/1932-21-0x0000000000F70000-0x0000000000FBA000-memory.dmp

memory/1932-59-0x00007FFBC4800000-0x00007FFBC52C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI1162\python38.dll

MD5 d2a8a5e7380d5f4716016777818a32c5
SHA1 fb12f31d1d0758fe3e056875461186056121ed0c
SHA256 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9
SHA512 ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

C:\Users\Admin\AppData\Local\Temp\_MEI1162\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI1162\base_library.zip

MD5 19d34805782c4704d1e2a81fe32e9c27
SHA1 8c3d99a0616abc478d6230d07f9dc7b38313813e
SHA256 06f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb
SHA512 267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4

C:\Users\Admin\AppData\Local\Temp\_MEI1162\_ctypes.pyd

MD5 f1e33a8f6f91c2ed93dc5049dd50d7b8
SHA1 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4
SHA256 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4
SHA512 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

C:\Users\Admin\AppData\Local\Temp\_MEI1162\libffi-7.dll

MD5 4424baf6ed5340df85482fa82b857b03
SHA1 181b641bf21c810a486f855864cd4b8967c24c44
SHA256 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79
SHA512 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

C:\Users\Admin\AppData\Local\Temp\_MEI1162\_socket.pyd

MD5 d6bae4b430f349ab42553dc738699f0e
SHA1 7e5efc958e189c117eccef39ec16ebf00e7645a9
SHA256 587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef
SHA512 a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

C:\Users\Admin\AppData\Local\Temp\_MEI1162\select.pyd

MD5 6ae54d103866aad6f58e119d27552131
SHA1 bc53a92a7667fd922ce29e98dfcf5f08f798a3d2
SHA256 63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88
SHA512 ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

C:\Users\Admin\AppData\Local\Temp\_MEI1162\_ssl.pyd

MD5 8ee827f2fe931163f078acdc97107b64
SHA1 149bb536f3492bc59bd7071a3da7d1f974860641
SHA256 eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4
SHA512 a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565

C:\Users\Admin\AppData\Local\Temp\_MEI1162\libssl-1_1.dll

MD5 fe1f3632af98e7b7a2799e3973ba03cf
SHA1 353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA256 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512 a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

C:\Users\Admin\AppData\Local\Temp\_MEI1162\libcrypto-1_1.dll

MD5 bf83f8ad60cb9db462ce62c73208a30d
SHA1 f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512 ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 125f2355b347b41bace907d07b25d973
SHA1 8985a0f7fb83d41fb9f1ec1279dcf0936d5b1ca9
SHA256 c646b40ac685cb16c77cbf6fe1de37c6a8040d6a4e0baa767ecafef08314b4aa
SHA512 82b2563c5bcb1b97eff843e33b9d4ed1ff3bc2ad77879dee511137ec810271e33a16b53aeb34692352aab18630df7cc8f55e5d203942aafbc619a9b7d0648f76

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 11b8abc65ea7855d9a3bdd3d495423dc
SHA1 91706a15229fdc6271f658966214d82f2e57dda8
SHA256 a2d58b4fa18df007ece0fc7f15640aaacf02d131a601935e35941bf50cc90dec
SHA512 5d1e4cc0a40d9f65abcbf5a192b15dd9fd7391b72d6a513d508f02730c822c015d96a9feb3cf2cafe5a439ba3aabc71e87e178431fd3266b5378d461206d654a

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 0a2334e5a78635f336c2f16f00c64e32
SHA1 45c9d7247b65ea5e91b03b100dd9b52e52d73bad
SHA256 0b48984cba8b810a8f2f82598f8fedc3afe5043f46c12371b7eabaeb8ff04c7b
SHA512 93e0da277ecdf9ea82f51e46f312715d9eaa77ae9ad72fd3ed7b38b3a8e1b7e376b47847dbca7904366e65fefd27152511fc717ff8d5550f93ef445c17d65978

memory/1932-189-0x00007FFBC4800000-0x00007FFBC52C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI1162\_hashlib.pyd

MD5 a6448bc5e5da21a222de164823add45c
SHA1 6c26eb949d7eb97d19e42559b2e3713d7629f2f9
SHA256 3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a
SHA512 a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

C:\Users\Admin\AppData\Local\Temp\_MEI1162\_bz2.pyd

MD5 3dc8af67e6ee06af9eec52fe985a7633
SHA1 1451b8c598348a0c0e50afc0ec91513c46fe3af6
SHA256 c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929
SHA512 da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

C:\Users\Admin\AppData\Local\Temp\_MEI1162\unicodedata.pyd

MD5 4c0d43f1a31e76255cb592bb616683e7
SHA1 0a9f3d77a6e064baebacacc780701117f09169ad
SHA256 0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8
SHA512 b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

C:\Users\Admin\AppData\Local\Temp\_MEI1162\certifi\cacert.pem

MD5 1ba3b44f73a6b25711063ea5232f4883
SHA1 1b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256 bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA512 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

C:\Users\Admin\AppData\Local\Temp\_MEI1162\_lzma.pyd

MD5 37057c92f50391d0751f2c1d7ad25b02
SHA1 a43c6835b11621663fa251da421be58d143d2afb
SHA256 9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764
SHA512 953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

C:\Users\Admin\AppData\Local\Temp\_MEI1162\_queue.pyd

MD5 44b72e0ad8d1e1ec3d8722088b48c3c5
SHA1 e0f41bf85978dd8f5abb0112c26322b72c0d7770
SHA256 4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e
SHA512 05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20240903-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bird.exe

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Network

Country Destination Domain Proto
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp

Files

memory/2032-0-0x0000000000090000-0x00000000006EE000-memory.dmp

memory/2032-1-0x0000000075881000-0x0000000075882000-memory.dmp

memory/2032-2-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-8-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-26-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-25-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-24-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-23-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-22-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-21-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-20-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-19-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-27-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-18-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-17-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-16-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-15-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-14-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-13-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-12-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-11-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-10-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-9-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-7-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-28-0x0000000000090000-0x00000000006EE000-memory.dmp

memory/2032-29-0x0000000000090000-0x00000000006EE000-memory.dmp

memory/2032-30-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-31-0x0000000075870000-0x0000000075980000-memory.dmp

memory/2032-32-0x0000000075870000-0x0000000075980000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20240903-en

Max time kernel

141s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Network

Country Destination Domain Proto
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp

Files

memory/1680-1-0x0000000002D90000-0x0000000002DB2000-memory.dmp

memory/1680-2-0x0000000003320000-0x0000000003340000-memory.dmp

memory/1680-3-0x0000000000400000-0x0000000002C86000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1604 set thread context of 3176 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 109.248.201.150:63757 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/1604-0-0x000000007510E000-0x000000007510F000-memory.dmp

memory/1604-1-0x0000000000910000-0x0000000000A56000-memory.dmp

memory/1604-2-0x0000000005A60000-0x0000000006004000-memory.dmp

memory/1604-3-0x00000000054B0000-0x0000000005542000-memory.dmp

memory/1604-4-0x0000000005450000-0x000000000545A000-memory.dmp

memory/1604-5-0x0000000075100000-0x00000000758B0000-memory.dmp

memory/1604-6-0x000000007510E000-0x000000007510F000-memory.dmp

memory/1604-7-0x0000000075100000-0x00000000758B0000-memory.dmp

memory/1604-8-0x0000000005460000-0x0000000005482000-memory.dmp

memory/1604-9-0x00000000057B0000-0x0000000005826000-memory.dmp

memory/1604-10-0x00000000055F0000-0x000000000560E000-memory.dmp

memory/3176-11-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1604-13-0x0000000075100000-0x00000000758B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Minecraft_v4.4.exe.log

MD5 fb3264819f05b468156e37fecd7ca1e7
SHA1 8461be627ec2c21766472ac5a9215204f6cd03d6
SHA256 902e22368b4d29d67c78eb445d67c7e36001a79c7701a1e171a9c7af457a739c
SHA512 ddcb2a199799dc30a5627d6bb2aff30aca350b52e15f574ecc9e9e9e4d388fd1fe808b5fd2a8ea7015c91e369a06f045be455bf070c6d20d8c3b1c06de8ef964

memory/3176-15-0x0000000075100000-0x00000000758B0000-memory.dmp

memory/3176-16-0x0000000005410000-0x0000000005A28000-memory.dmp

memory/3176-17-0x0000000004E80000-0x0000000004E92000-memory.dmp

memory/3176-18-0x0000000004F20000-0x0000000004F5C000-memory.dmp

memory/3176-19-0x0000000004F60000-0x0000000004FAC000-memory.dmp

memory/3176-20-0x0000000075100000-0x00000000758B0000-memory.dmp

memory/3176-21-0x0000000005230000-0x000000000533A000-memory.dmp

memory/3176-22-0x0000000075100000-0x00000000758B0000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20240903-en

Max time kernel

117s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"

Signatures

Detects Echelon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Echelon

stealer spyware echelon

Echelon family

echelon

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Browser Information Discovery

discovery

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2800 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe C:\Windows\system32\WerFault.exe
PID 2800 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe C:\Windows\system32\WerFault.exe
PID 2800 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe C:\Windows\system32\WerFault.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NewHacks.exe

"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2800 -s 1504

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.13:443 g.api.mega.co.nz tcp

Files

memory/2800-0-0x000007FEF5883000-0x000007FEF5884000-memory.dmp

memory/2800-1-0x0000000000CF0000-0x0000000000E18000-memory.dmp

memory/2800-29-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

C:\Users\Admin\AppData\Roaming\BByyXyDZJDHB8BB80FD49\49B8BB80FDBByyXyDZJDH\Browsers\Passwords\Passwords_Edge.txt

MD5 fdec4452a98b7d7f3dc83904cd82a724
SHA1 2b447ea859993ab549ee1547c72071e59cace07c
SHA256 59b16ba683aaf821362d2061fef52b52a909ad63be1192ef3d2374f3e8a4b235
SHA512 87a573d8a9a085ffeea49335d213f96cd55385a3afa281d1a4a321043e82cd81a324d1131c764d024966d9dcbcc219d78514b0cdce74f849fe33e0f9ce2df432

memory/2800-56-0x000007FEF5880000-0x000007FEF626C000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file3.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\file3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\NSpack\updIns\Sgsmmodul.com N/A
N/A N/A C:\NSpack\updIns\mmscx.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\NSpack\updIns\mmscx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\NSpack\updIns\Sgsmmodul.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\file3.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2788 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2788 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2788 wrote to memory of 628 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 628 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 2372 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 3092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2372 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2372 wrote to memory of 452 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2372 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 3688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2372 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2372 wrote to memory of 4828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2372 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2372 wrote to memory of 3440 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4828 wrote to memory of 4936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 4936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4828 wrote to memory of 4936 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4936 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4936 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4936 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4936 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4936 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4936 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4936 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\mmscx.exe
PID 4936 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\mmscx.exe
PID 4936 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\mmscx.exe
PID 4936 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4936 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4936 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4936 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4936 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4936 wrote to memory of 840 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4936 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4936 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4936 wrote to memory of 1752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4936 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4936 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 4936 wrote to memory of 3980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file3.exe

"C:\Users\Admin\AppData\Local\Temp\file3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\NSpack\updIns\Sgsmmodul.com

"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 8

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\NSpack\updIns"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\NSpack\updIns\mmscx.exe

mmscx.exe /start

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Sgsmmodul.com

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Sgsmmodul.com

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\NSpack\updIns"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\NSpack\updIns\tetracom.vbs

MD5 bdc0fb5cada9a89f074961224aaf4e63
SHA1 9284fe4ecc0fde705fc596dd89191c02915fd7a4
SHA256 b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db
SHA512 83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

C:\NSpack\updIns\44t.bat

MD5 96c69dbc1233bfa7c5e883658e0758d4
SHA1 613179fa74db9e71516bdb3a93341e9d90c4ecba
SHA256 deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde
SHA512 43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

C:\NSpack\updIns\dc.isi

MD5 fbd467e1613c53b03376e987f3dbf2da
SHA1 e2ca3ff625122f49e8a382dee32d0ca2f98648bf
SHA256 cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68
SHA512 e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

C:\NSpack\updIns\Sgsmmodul.com

MD5 061f64173293969577916832be29b90d
SHA1 b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

C:\NSpack\updIns\sevenup.vbs

MD5 6a551928353982ab64107a4929c91c91
SHA1 b68ee5e77a722638f184d0fbf6a4834bb8cc188e
SHA256 0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3
SHA512 870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

C:\NSpack\updIns\gg4359.bat

MD5 b4be21a8f4bb91b11ccaf08b39b679d5
SHA1 b3da567bb1072168b54866ee29301bde61bdc45e
SHA256 35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d
SHA512 a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

memory/3232-26-0x0000000000400000-0x0000000000467000-memory.dmp

C:\NSpack\updIns\mmscx.exe

MD5 3e79f72a8ae481ac76a69ccf1213d24d
SHA1 de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA256 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA512 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

memory/3232-28-0x0000000000400000-0x0000000000467000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20240903-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file3.exe"

Signatures

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\NSpack\updIns\Sgsmmodul.com N/A
N/A N/A C:\NSpack\updIns\mmscx.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\NSpack\updIns\mmscx.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\file3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\NSpack\updIns\Sgsmmodul.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\timeout.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\attrib.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2180 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\file3.exe C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 2612 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2612 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2612 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2612 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2612 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2612 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2612 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2612 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\NSpack\updIns\Sgsmmodul.com
PID 2612 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 2964 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WScript.exe
PID 2612 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2612 wrote to memory of 2228 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2804 wrote to memory of 2832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\file3.exe

"C:\Users\Admin\AppData\Local\Temp\file3.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\NSpack\updIns\44t.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout 7

C:\NSpack\updIns\Sgsmmodul.com

"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar

C:\Windows\SysWOW64\timeout.exe

timeout 6

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"

C:\Windows\SysWOW64\timeout.exe

timeout 8

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\NSpack\updIns\gg4359.bat" "

C:\Windows\SysWOW64\attrib.exe

attrib +s +h "C:\NSpack\updIns"

C:\Windows\SysWOW64\timeout.exe

timeout 2

C:\NSpack\updIns\mmscx.exe

mmscx.exe /start

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Sgsmmodul.com

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Sgsmmodul.com

C:\Windows\SysWOW64\attrib.exe

attrib -s -h "C:\NSpack\updIns"

C:\Windows\SysWOW64\timeout.exe

timeout 4

Network

N/A

Files

C:\NSpack\updIns\tetracom.vbs

MD5 bdc0fb5cada9a89f074961224aaf4e63
SHA1 9284fe4ecc0fde705fc596dd89191c02915fd7a4
SHA256 b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db
SHA512 83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28

C:\NSpack\updIns\44t.bat

MD5 96c69dbc1233bfa7c5e883658e0758d4
SHA1 613179fa74db9e71516bdb3a93341e9d90c4ecba
SHA256 deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde
SHA512 43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3

C:\NSpack\updIns\dc.isi

MD5 fbd467e1613c53b03376e987f3dbf2da
SHA1 e2ca3ff625122f49e8a382dee32d0ca2f98648bf
SHA256 cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68
SHA512 e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05

\NSpack\updIns\Sgsmmodul.com

MD5 061f64173293969577916832be29b90d
SHA1 b05b80385de20463a80b6c9c39bd1d53123aab9b
SHA256 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce
SHA512 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da

C:\NSpack\updIns\sevenup.vbs

MD5 6a551928353982ab64107a4929c91c91
SHA1 b68ee5e77a722638f184d0fbf6a4834bb8cc188e
SHA256 0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3
SHA512 870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d

C:\NSpack\updIns\gg4359.bat

MD5 b4be21a8f4bb91b11ccaf08b39b679d5
SHA1 b3da567bb1072168b54866ee29301bde61bdc45e
SHA256 35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d
SHA512 a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c

\NSpack\updIns\mmscx.exe

MD5 3e79f72a8ae481ac76a69ccf1213d24d
SHA1 de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2
SHA256 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4
SHA512 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90

memory/2804-43-0x0000000000180000-0x00000000001E7000-memory.dmp

memory/2844-45-0x0000000000400000-0x0000000000467000-memory.dmp

memory/2804-42-0x0000000000180000-0x00000000001E7000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Install.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 102.208.201.84.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 45.14.49.109:54819 tcp
NL 45.14.49.109:54819 tcp

Files

memory/2520-1-0x0000000002E60000-0x0000000002F60000-memory.dmp

memory/2520-2-0x0000000002DB0000-0x0000000002DDF000-memory.dmp

memory/2520-3-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2520-4-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

memory/2520-5-0x00000000074B0000-0x0000000007A54000-memory.dmp

memory/2520-6-0x0000000004C60000-0x0000000004C80000-memory.dmp

memory/2520-7-0x0000000000400000-0x0000000002C86000-memory.dmp

memory/2520-8-0x0000000007A60000-0x0000000008078000-memory.dmp

memory/2520-10-0x0000000007440000-0x000000000747C000-memory.dmp

memory/2520-9-0x0000000007420000-0x0000000007432000-memory.dmp

memory/2520-11-0x0000000008080000-0x00000000080CC000-memory.dmp

memory/2520-12-0x0000000008210000-0x000000000831A000-memory.dmp

memory/2520-14-0x0000000002E60000-0x0000000002F60000-memory.dmp

memory/2520-15-0x0000000002DB0000-0x0000000002DDF000-memory.dmp

memory/2520-16-0x0000000000400000-0x0000000000432000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"

Signatures

Detects Echelon Stealer payload

Description Indicator Process Target
N/A N/A N/A N/A

Echelon

stealer spyware echelon

Echelon family

echelon

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A api.ipify.org N/A N/A

Browser Information Discovery

discovery

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\NewHacks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NewHacks.exe

"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.14:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 205.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 gfs270n082.userstorage.mega.co.nz udp
LU 89.44.168.229:80 gfs270n082.userstorage.mega.co.nz tcp
US 8.8.8.8:53 14.125.203.66.in-addr.arpa udp
US 8.8.8.8:53 229.168.44.89.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp

Files

memory/4772-0-0x00007FF8028E3000-0x00007FF8028E5000-memory.dmp

memory/4772-1-0x00000000008B0000-0x00000000009D8000-memory.dmp

memory/4772-5-0x00007FF8028E0000-0x00007FF8033A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\VuJDLRVuHBFFuFPuTPTPDZE87CF40088\88E87CF400VuJDLRVuHBFFuFPuTPTPDZ\Browsers\Passwords\Passwords_Edge.txt

MD5 42fa959509b3ed7c94c0cf3728b03f6d
SHA1 661292176640beb0b38dc9e7a462518eb592d27d
SHA256 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00
SHA512 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

memory/4772-71-0x000000001C0A0000-0x000000001C0C2000-memory.dmp

memory/4772-84-0x00007FF8028E0000-0x00007FF8033A1000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20241010-en

Max time kernel

150s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1492 set thread context of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe

Network

Country Destination Domain Proto
NL 185.92.73.140:80 185.92.73.140 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp

Files

memory/1492-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/1492-1-0x0000000001000000-0x0000000001060000-memory.dmp

memory/1492-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/1492-3-0x00000000745BE000-0x00000000745BF000-memory.dmp

memory/1492-4-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/1492-5-0x0000000000730000-0x0000000000756000-memory.dmp

memory/2476-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2476-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2476-10-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1492-11-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2476-12-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2476-13-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2476-14-0x00000000745B0000-0x0000000074C9E000-memory.dmp

memory/2476-15-0x00000000745B0000-0x0000000074C9E000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1116 set thread context of 3240 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Local\Temp\Setup.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
NL 185.92.73.140:80 185.92.73.140 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 140.73.92.185.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp
NL 185.92.73.140:443 tcp

Files

memory/1116-0-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1116-1-0x0000000000230000-0x0000000000290000-memory.dmp

memory/1116-2-0x0000000005050000-0x00000000055F4000-memory.dmp

memory/1116-3-0x0000000004B40000-0x0000000004BD2000-memory.dmp

memory/1116-4-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/1116-5-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

memory/1116-6-0x0000000074ADE000-0x0000000074ADF000-memory.dmp

memory/1116-7-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/1116-8-0x0000000004D30000-0x0000000004D56000-memory.dmp

memory/3240-9-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log

MD5 7ebe314bf617dc3e48b995a6c352740c
SHA1 538f643b7b30f9231a3035c448607f767527a870
SHA256 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8
SHA512 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e

memory/3240-12-0x0000000005770000-0x0000000005D88000-memory.dmp

memory/1116-15-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/3240-14-0x0000000005200000-0x0000000005212000-memory.dmp

memory/3240-13-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/3240-16-0x0000000005260000-0x000000000529C000-memory.dmp

memory/3240-18-0x0000000074AD0000-0x0000000075280000-memory.dmp

memory/3240-17-0x00000000052A0000-0x00000000052EC000-memory.dmp

memory/3240-19-0x0000000005510000-0x000000000561A000-memory.dmp

memory/3240-20-0x0000000074AD0000-0x0000000075280000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Bird.exe

"C:\Users\Admin\AppData\Local\Temp\Bird.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 67.208.201.84.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp

Files

memory/2328-0-0x0000000000C90000-0x00000000012EE000-memory.dmp

memory/2328-1-0x0000000076570000-0x0000000076571000-memory.dmp

memory/2328-2-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-3-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-4-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-5-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-6-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-10-0x0000000000C90000-0x00000000012EE000-memory.dmp

memory/2328-11-0x0000000006070000-0x0000000006614000-memory.dmp

memory/2328-13-0x0000000005C10000-0x0000000005CA2000-memory.dmp

memory/2328-12-0x0000000006C40000-0x0000000007258000-memory.dmp

memory/2328-14-0x0000000005BD0000-0x0000000005BE2000-memory.dmp

memory/2328-15-0x0000000005DF0000-0x0000000005E2C000-memory.dmp

memory/2328-16-0x0000000005FF0000-0x000000000603C000-memory.dmp

memory/2328-17-0x0000000006790000-0x000000000689A000-memory.dmp

memory/2328-18-0x0000000000C90000-0x00000000012EE000-memory.dmp

memory/2328-19-0x0000000076570000-0x0000000076571000-memory.dmp

memory/2328-20-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-21-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-22-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-23-0x0000000076550000-0x0000000076640000-memory.dmp

memory/2328-25-0x0000000076550000-0x0000000076640000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:21

Platform

win7-20240708-en

Max time kernel

140s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"

Signatures

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Crystal.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Crystal.exe

"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"

Network

Country Destination Domain Proto
FI 185.252.144.65:4545 tcp
FI 185.252.144.65:4545 tcp
FI 185.252.144.65:4545 tcp
FI 185.252.144.65:4545 tcp
FI 185.252.144.65:4545 tcp
FI 185.252.144.65:4545 tcp

Files

memory/1620-0-0x00000000011C0000-0x0000000001958000-memory.dmp

memory/1620-1-0x00000000760F4000-0x00000000760F5000-memory.dmp

memory/1620-2-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-14-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-13-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-19-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-21-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-31-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-29-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-28-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-27-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-26-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-22-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-20-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-18-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-17-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-16-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-15-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-12-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-11-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-10-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-9-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-8-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-7-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-6-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-5-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-4-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-3-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-32-0x00000000011C0000-0x0000000001958000-memory.dmp

memory/1620-33-0x00000000011C0000-0x0000000001958000-memory.dmp

memory/1620-34-0x00000000011C0000-0x0000000001958000-memory.dmp

memory/1620-35-0x00000000760F4000-0x00000000760F5000-memory.dmp

memory/1620-36-0x00000000760E0000-0x00000000761F0000-memory.dmp

memory/1620-37-0x00000000760E0000-0x00000000761F0000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20241010-en

Max time kernel

130s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2876 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"

C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe

"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"

Network

Country Destination Domain Proto
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp
RU 109.248.201.150:63757 tcp

Files

memory/2876-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

memory/2876-1-0x0000000000E70000-0x0000000000FB6000-memory.dmp

memory/2876-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp

memory/2876-3-0x0000000074CCE000-0x0000000074CCF000-memory.dmp

memory/2876-4-0x0000000074CC0000-0x00000000753AE000-memory.dmp

memory/2876-5-0x0000000000640000-0x0000000000662000-memory.dmp

memory/2724-7-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2724-6-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2724-12-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2724-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2724-9-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2724-8-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2876-13-0x0000000074CC0000-0x00000000753AE000-memory.dmp

memory/2724-17-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2724-15-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2724-18-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/2724-19-0x00000000745D0000-0x0000000074CBE000-memory.dmp

memory/2724-20-0x00000000745DE000-0x00000000745DF000-memory.dmp

memory/2724-21-0x00000000745D0000-0x0000000074CBE000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:22

Platform

win7-20240903-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A
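
The signature rows above, and the matching ones for Bird.exe and Crystal.exe earlier on this page, record the registry reads behind the anti-VM (ACPI DSDT\VBOX__), BIOS-string, UAC (EnableLUA) and language signatures. The Python below is an added example, not code from the sandbox or from the sample: it normalises rows in that layout, tags each process with the technique the read implies, and replays the VirtualBox fingerprint those three reads amount to against two constructed guest snapshots, one with stock VirtualBox values and one with the strings changed, so the analyst can see what the check returns on each. The sample rows are copied from this report; the ATT&CK mapping, the marker list and both snapshots are assumptions of this example, not facts stated by the report.

```python
"""Classify the registry accesses a sandbox attributes to a sample and replay
the VirtualBox fingerprint they imply against two guest snapshots."""
from __future__ import annotations

import re
from collections import defaultdict

# Signature rows copied from the Bird.exe and 'Software patch v2.0.5.exe'
# detonations in this report.
SAMPLE_ROWS = r"""
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Bird.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe N/A
"""

# 'Key opened <path> <process> N/A' / 'Key value queried <path> <process> N/A';
# the process path may contain spaces, the registry path does not.
ROW_RE = re.compile(r"^Key (opened|value queried) (\\REGISTRY\\\S+) (.+?) N/A$")

# (pattern over the normalised path, label, ATT&CK technique) -- mapping is an
# assumption of this example.
RULES = [
    (r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", "anti-vm: VirtualBox ACPI OEM id", "T1497.001"),
    (r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)$", "anti-vm: BIOS strings", "T1497.001"),
    (r"\\Policies\\System\\EnableLUA$", "uac-state check", "T1548.002"),
    (r"\\Control\\NLS\\Language", "system language discovery", "T1614.001"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label, tid) for p, label, tid in RULES]


def normalise(path: str) -> str:
    """Rewrite the kernel-style path to the HKLM\\CurrentControlSet form rules use."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.IGNORECASE)
    return re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, flags=re.IGNORECASE)


def triage(rows) -> dict[str, dict]:
    """Per process: matched labels, technique ids, and paths no rule covered."""
    per_proc: dict[str, dict] = defaultdict(
        lambda: {"labels": set(), "techniques": set(), "unclassified": []})
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _, raw_path, proc = m.groups()
        path = normalise(raw_path)
        entry = per_proc[proc]
        for rx, label, tid in COMPILED:
            if rx.search(path):
                entry["labels"].add(label)
                entry["techniques"].add(tid)
                break
        else:
            entry["unclassified"].append(path)
    return dict(per_proc)


# Substrings a VM check of this kind commonly looks for (assumed list).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS")

# Constructed snapshots of what the three reads return: a stock VirtualBox
# guest versus one whose DMI strings and ACPI OEM id have been changed.
STOCK_VBOX_GUEST = {
    "HKLM\\HARDWARE\\ACPI\\DSDT": ["VBOX__"],
    "SystemBiosVersion": ["VBOX   - 1"],
    "VideoBiosVersion": ["Oracle VM VirtualBox Version 7.0.0"],
}
HARDENED_GUEST = {
    "HKLM\\HARDWARE\\ACPI\\DSDT": ["DELL  "],
    "SystemBiosVersion": ["DELL   - 1072009"],
    "VideoBiosVersion": ["Intel Video BIOS"],
}


def vm_fingerprint(snapshot: dict[str, list[str]]) -> list[str]:
    """Keys whose values reveal a hypervisor; an empty list means the sample sees bare metal."""
    hits = []
    for key, values in snapshot.items():
        if any(marker in v.upper() for v in values for marker in VM_MARKERS):
            hits.append(key)
    return hits


if __name__ == "__main__":
    for proc, info in triage(SAMPLE_ROWS.splitlines()).items():
        print(proc, sorted(info["techniques"]), sorted(info["labels"]))
    print("stock guest reveals:", vm_fingerprint(STOCK_VBOX_GUEST))
    print("hardened guest reveals:", vm_fingerprint(HARDENED_GUEST))
```

The replay is the practical point: a detonation host whose SystemBiosVersion and ACPI OEM id still carry VirtualBox strings will have these samples take the evasion branch, and the triage output tells you which process made which read. The DMI strings can be overridden per VM with VBoxManage setextradata (for example the VBoxInternal/Devices/pcbios/0/Config/DmiBIOSVersion key); the ACPI table OEM id needs the equivalent ACPI override.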

Processes

C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe

"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"

Network

Country Destination Domain Proto
RU 82.146.43.167:80 82.146.43.167 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp

Files

memory/2420-1-0x0000000076434000-0x0000000076435000-memory.dmp

memory/2420-0-0x0000000000E00000-0x000000000163A000-memory.dmp

memory/2420-2-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-12-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-8-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-7-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-6-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-5-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-4-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-3-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-19-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-18-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-17-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-16-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-14-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-15-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-13-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-21-0x0000000000E00000-0x000000000163A000-memory.dmp

memory/2420-24-0x0000000000E00000-0x000000000163A000-memory.dmp

memory/2420-23-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-22-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-20-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-25-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-27-0x0000000076420000-0x0000000076530000-memory.dmp

memory/2420-28-0x0000000000E00000-0x000000000163A000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-09 04:18

Reported

2024-11-09 04:21

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"

Signatures

44Caliber

stealer 44caliber

44Caliber family

44caliber

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Looks up external IP address via web service

Description Indicator Process Target
N/A freegeoip.app N/A N/A
N/A freegeoip.app N/A N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Insidious.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1860 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 1860 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 1860 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 1860 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 1860 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\Insidious.exe
PID 1860 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\Insidious.exe
PID 1860 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\Insidious.exe
PID 1860 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\Insidious.exe
PID 2444 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2444 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2444 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2708 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\system32\cmd.exe
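
The WriteProcessMemory rows above show nitro_gen.exe writing into main.exe and main.exe into cmd.exe with no SetThreadContext, which is what an ordinary child launch looks like in this sandbox's log. The Setup.exe (PID 1492 -> 2476) and Minecraft_v4.4.exe (PID 2876 -> 2724) detonations earlier on this page are different: the parent writes into a fresh copy of its own image and then sets the child's thread context, and the child's memory dumps include a region (0x400000-0x41E000) that never appears in the parent. The Python below is an added example, not part of the sandbox's tooling: it folds rows of this shape into a per-pair verdict and, for a hollowing pair, uses the dump names to pick the child-only region worth pulling for unpacking. Rows and dump names are copied from this report; the verdict labels and the rule that writes alone are not an injection signal are assumptions of this example.

```python
"""Correlate a sandbox's WriteProcessMemory / SetThreadContext rows into
injection verdicts, then use the memory-dump names to find the child-only
region that most likely holds the unpacked payload."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Rows copied from this report: Setup.exe (1492 -> 2476), Minecraft_v4.4.exe
# (2876 -> 2724) and the write-only nitro_gen.exe / main.exe / cmd.exe rows.
INJECTION_ROWS = r"""
PID 1492 set thread context of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 1492 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Local\Temp\Setup.exe
PID 2876 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 2876 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
PID 1860 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2444 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Users\Admin\AppData\Local\Temp\main.exe
PID 2708 wrote to memory of 828 N/A C:\Users\Admin\AppData\Local\Temp\main.exe C:\Windows\system32\cmd.exe
"""

# Dump names copied from the Setup.exe detonation (PIDs 1492 and 2476).
DUMP_NAMES = """
memory/1492-1-0x0000000001000000-0x0000000001060000-memory.dmp
memory/1492-2-0x00000000745B0000-0x0000000074C9E000-memory.dmp
memory/1492-5-0x0000000000730000-0x0000000000756000-memory.dmp
memory/2476-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2476-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2476-12-0x00000000745B0000-0x0000000074C9E000-memory.dmp
"""

ROW_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+) N/A (.+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class PairStats:
    src: str = ""
    dst: str = ""
    writes: int = 0
    setctx: int = 0


def classify(rows) -> dict[tuple[int, int], dict]:
    """Map (parent pid, child pid) -> verdict, image paths and operation counts."""
    stats: dict[tuple[int, int], PairStats] = defaultdict(PairStats)
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src_pid, op, dst_pid, rest = m.groups()
        # Image paths may contain spaces; split only where the second path starts.
        paths = re.split(r" (?=[A-Za-z]:\\)", rest)
        if len(paths) != 2:
            raise ValueError(f"cannot split process/target: {rest!r}")
        s = stats[(int(src_pid), int(dst_pid))]
        s.src, s.dst = paths
        if op.startswith("wrote"):
            s.writes += 1
        else:
            s.setctx += 1
    out = {}
    for pair, s in stats.items():
        same_image = s.src.lower() == s.dst.lower()
        if s.setctx and s.writes:
            verdict = "process-hollowing" if same_image else "remote-thread-hijack"
        elif s.setctx:
            verdict = "thread-context-only"
        else:
            # The sandbox logs the parent's writes during an ordinary launch too,
            # so writes without a context change are not treated as injection.
            verdict = "write-only"
        out[pair] = {"verdict": verdict, "src": s.src, "dst": s.dst,
                     "writes": s.writes, "setctx": s.setctx}
    return out


def payload_regions(dump_names, parent: int, child: int) -> list[tuple[int, int]]:
    """Regions dumped from the child that never appear in the parent's dumps.

    Shared DLL ranges are dumped from both processes; a range unique to the
    child is the injected image and the dump to pull for unpacking."""
    regions: dict[int, set[tuple[int, int]]] = defaultdict(set)
    for name in dump_names:
        m = DUMP_RE.match(name.strip())
        if m:
            pid, _, start, end = m.groups()
            regions[int(pid)].add((int(start, 16), int(end, 16)))
    return sorted(regions[child] - regions[parent])


if __name__ == "__main__":
    verdicts = classify(INJECTION_ROWS.splitlines())
    for (p, c), v in verdicts.items():
        print(p, "->", c, v["verdict"])
        if v["verdict"] == "process-hollowing":
            for start, end in payload_regions(DUMP_NAMES.splitlines(), p, c):
                print(f"  candidate payload: {start:#x}-{end:#x} ({end - start:#x} bytes)")
```

Running it against the Setup.exe rows yields one candidate, 0x400000-0x41E000 (0x1e000 bytes), which is the region the RedLine/SectopRAT payload signatures in this report would be matched against; the main.exe -> main.exe pair is a useful negative case, since the same image on both sides without a SetThreadContext is just a program re-launching itself.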

Processes

C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe

"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Users\Admin\AppData\Local\Temp\Insidious.exe

"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"

C:\Users\Admin\AppData\Local\Temp\main.exe

"C:\Users\Admin\AppData\Local\Temp\main.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 freegeoip.app udp
US 172.67.160.84:443 freegeoip.app tcp
US 8.8.8.8:53 ipbase.com udp
US 172.67.209.71:443 ipbase.com tcp
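
The network tables in this report (this one and those for behavioral12, Bird.exe, Crystal.exe, Minecraft_v4.4.exe and Software patch v2.0.5.exe above) list one row per connection, and rows for connections made straight to an IP have no Domain column at all. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in that layout, drops the in-addr.arpa rows (PTR lookups, not connections the sample chose), keeps forward DNS queries as names, counts repeated connections to the same destination, and flags destinations reached by bare IP or on a port other than 80/443, which in this report singles out the RAT listeners on 56458, 4545 and 63757. The sample rows are copied from the tables on this page; the noise rule and the port list are assumptions of this example.

```python
"""Reduce sandbox 'Country Destination Domain Proto' rows to counted
connection candidates. Rows for direct-IP connections have no Domain
column, so the parser must accept both 3- and 4-column lines."""
from __future__ import annotations

import ipaddress
from collections import Counter
from collections.abc import Iterable
from dataclasses import dataclass

# Sample rows copied from the network tables in this report.
SAMPLE_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
NL 185.92.73.140:80 185.92.73.140 tcp
NL 185.92.73.140:443 tcp
US 8.8.8.8:53 140.73.92.185.in-addr.arpa udp
NL 185.92.73.140:443 tcp
FI 65.21.103.71:56458 tcp
FI 65.21.103.71:56458 tcp
FI 185.252.144.65:4545 tcp
RU 109.248.201.150:63757 tcp
RU 82.146.43.167:80 82.146.43.167 tcp
US 8.8.8.8:53 iplogger.org udp
US 104.26.2.46:443 iplogger.org tcp
US 8.8.8.8:53 freegeoip.app udp
US 172.67.160.84:443 freegeoip.app tcp
"""

# Ports on which stealer panel traffic blends in with web traffic (assumed list).
COMMON_PORTS = {80, 443}


@dataclass(frozen=True)
class Conn:
    country: str
    ip: str
    port: int
    domain: str | None
    proto: str


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_row(line: str) -> Conn:
    """Accept 'CC ip:port domain proto' or 'CC ip:port proto'."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected column count: {line!r}")
    ip, _, port = dest.rpartition(":")
    if not _is_ip(ip) or not port.isdigit():
        raise ValueError(f"bad destination: {dest!r}")
    # Some direct connections repeat the IP in the Domain column; treat an IP
    # literal there as 'no domain'.
    if domain is not None and _is_ip(domain):
        domain = None
    return Conn(country, ip, int(port), domain, proto.lower())


def summarize(rows: Iterable[str]) -> tuple[list[dict], list[str]]:
    """Return (connection candidates, sorted names seen in forward DNS queries).

    PTR lookups (*.in-addr.arpa) are dropped; forward DNS queries are kept only
    as names; every other row is counted per (ip, port, proto)."""
    counts: Counter[tuple[str, int, str]] = Counter()
    domains: dict[tuple[str, int, str], str] = {}
    queried: set[str] = set()
    for line in rows:
        if not line.strip():
            continue
        c = parse_row(line)
        if c.domain and c.domain.endswith(".in-addr.arpa"):
            continue
        if c.port == 53 and c.proto == "udp":
            if c.domain:
                queried.add(c.domain)
            continue
        key = (c.ip, c.port, c.proto)
        counts[key] += 1
        if c.domain:
            domains[key] = c.domain
    candidates = []
    for (ip, port, proto), n in counts.most_common():
        flags = []
        if port not in COMMON_PORTS:
            flags.append("nonstandard-port")
        if (ip, port, proto) not in domains:
            flags.append("direct-ip")
        candidates.append({"dest": f"{ip}:{port}/{proto}", "count": n,
                           "domain": domains.get((ip, port, proto)), "flags": flags})
    return candidates, sorted(queried)


if __name__ == "__main__":
    found, names = summarize(SAMPLE_ROWS.splitlines())
    for item in found:
        print(item)
    print("queried:", names)
```

The count column is what the repeated 185.92.73.140:443 rows collapse into, and the flags separate the three kinds of destination this report contains: HTTPS to a named host (freegeoip.app, ipbase.com, iplogger.org) that a sample uses for geolocation or beaconing, HTTP/HTTPS to a bare IP, and bare-IP connections on high ports.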

Files

\Users\Admin\AppData\Local\Temp\main.exe

MD5 53476f1737d178939ad93e38465fddd6
SHA1 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2
SHA256 b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43
SHA512 d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3

\Users\Admin\AppData\Local\Temp\Insidious.exe

MD5 5b8d83823531d567241106b9cec66d06
SHA1 4a34b951287719ca9558fea764262ec8af52f20d
SHA256 5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5
SHA512 c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd

memory/2196-14-0x000007FEF5233000-0x000007FEF5234000-memory.dmp

memory/2196-33-0x00000000001E0000-0x000000000022A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI24442\python38.dll

MD5 d2a8a5e7380d5f4716016777818a32c5
SHA1 fb12f31d1d0758fe3e056875461186056121ed0c
SHA256 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9
SHA512 ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7

C:\Users\Admin\AppData\Local\Temp\_MEI24442\VCRUNTIME140.dll

MD5 0e675d4a7a5b7ccd69013386793f68eb
SHA1 6e5821ddd8fea6681bda4448816f39984a33596b
SHA256 bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1
SHA512 cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

C:\Users\Admin\AppData\Local\Temp\_MEI24442\base_library.zip

MD5 19d34805782c4704d1e2a81fe32e9c27
SHA1 8c3d99a0616abc478d6230d07f9dc7b38313813e
SHA256 06f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb
SHA512 267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4

\Users\Admin\AppData\Local\Temp\_MEI24442\_ctypes.pyd

MD5 f1e33a8f6f91c2ed93dc5049dd50d7b8
SHA1 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4
SHA256 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4
SHA512 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5

\Users\Admin\AppData\Local\Temp\_MEI24442\libffi-7.dll

MD5 4424baf6ed5340df85482fa82b857b03
SHA1 181b641bf21c810a486f855864cd4b8967c24c44
SHA256 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79
SHA512 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

C:\Users\Admin\AppData\Local\Temp\_MEI24442\select.pyd

MD5 6ae54d103866aad6f58e119d27552131
SHA1 bc53a92a7667fd922ce29e98dfcf5f08f798a3d2
SHA256 63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88
SHA512 ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0

\Users\Admin\AppData\Local\Temp\_MEI24442\_socket.pyd

MD5 d6bae4b430f349ab42553dc738699f0e
SHA1 7e5efc958e189c117eccef39ec16ebf00e7645a9
SHA256 587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef
SHA512 a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e

\Users\Admin\AppData\Local\Temp\_MEI24442\_ssl.pyd

MD5 8ee827f2fe931163f078acdc97107b64
SHA1 149bb536f3492bc59bd7071a3da7d1f974860641
SHA256 eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4
SHA512 a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565

C:\Users\Admin\AppData\Local\Temp\_MEI24442\libcrypto-1_1.dll

MD5 bf83f8ad60cb9db462ce62c73208a30d
SHA1 f1bc7dbc1e5b00426a51878719196d78981674c4
SHA256 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d
SHA512 ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e

\Users\Admin\AppData\Local\Temp\_MEI24442\libssl-1_1.dll

MD5 fe1f3632af98e7b7a2799e3973ba03cf
SHA1 353c7382e2de3ccdd2a4911e9e158e7c78648496
SHA256 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b
SHA512 a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0

C:\Users\Admin\AppData\Local\Temp\_MEI24442\_hashlib.pyd

MD5 a6448bc5e5da21a222de164823add45c
SHA1 6c26eb949d7eb97d19e42559b2e3713d7629f2f9
SHA256 3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a
SHA512 a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba

C:\Users\Admin\AppData\Local\Temp\_MEI24442\_queue.pyd

MD5 44b72e0ad8d1e1ec3d8722088b48c3c5
SHA1 e0f41bf85978dd8f5abb0112c26322b72c0d7770
SHA256 4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e
SHA512 05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c

\Users\Admin\AppData\Local\Temp\_MEI24442\_bz2.pyd

MD5 3dc8af67e6ee06af9eec52fe985a7633
SHA1 1451b8c598348a0c0e50afc0ec91513c46fe3af6
SHA256 c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929
SHA512 da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087

C:\Users\Admin\AppData\Local\Temp\_MEI24442\_lzma.pyd

MD5 37057c92f50391d0751f2c1d7ad25b02
SHA1 a43c6835b11621663fa251da421be58d143d2afb
SHA256 9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764
SHA512 953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c

C:\Users\Admin\AppData\Local\Temp\_MEI24442\certifi\cacert.pem

MD5 1ba3b44f73a6b25711063ea5232f4883
SHA1 1b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256 bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA512 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

C:\Users\Admin\AppData\Local\Temp\_MEI24442\unicodedata.pyd

MD5 4c0d43f1a31e76255cb592bb616683e7
SHA1 0a9f3d77a6e064baebacacc780701117f09169ad
SHA256 0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8
SHA512 b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 a207f68cd7afee46a6a100b8740dda51
SHA1 f78a2853491f3c9bc7c0a64a2ec2906575537cd8
SHA256 1202ebc065fd0132ec6e9e840c7fa568bcfeef21432cc102d9fe1bb3f200fe99
SHA512 1ce2b0d64ee8435bdcda8bc3f43baa946c4547c4c7b13b21cbe7ca041d2f63159881b74e34c8bc2c938a48fcbcd14b4995259e5db3c649adc9f21713aea68b7a
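The dropped-files listing above is what an analyst feeds into hunting, so it helps to show how to turn it into usable indicators. The following Python is an added example, not part of the sandbox report or of any tool it names. It parses the report's path-plus-four-digests entry shape, validates digest lengths, tags every file that lives under a PyInstaller `_MEI<digits>` runtime-extraction directory, and keeps only the remaining files as hunt candidates. The reason for that split is the practitioner's caveat: the `.pyd`, `libcrypto-1_1.dll`, `libssl-1_1.dll`, `libffi-7.dll` and `certifi\cacert.pem` files are stock CPython and pip components that the PyInstaller bootloader unpacks at start-up, so their hashes match countless benign PyInstaller applications and make poor indicators; the sample's own output file `C:\Users\Admin\AppData\Local\44\Process.txt` is the artifact worth pivoting on. The embedded input is a four-entry excerpt copied from the listing above (one entry per path shape the report uses, with and without the drive letter); the class and function names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Expected hex-digest lengths for the four digests the report lists per file.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# PyInstaller one-file executables unpack their bundle into %TEMP%\_MEI<digits>\
# (the numeric suffix is chosen per run by the bootloader).
MEI_DIR = re.compile(r"\\_MEI(\d+)\\", re.IGNORECASE)

# Excerpt copied verbatim from the dropped-files listing in this report
# (three of its entries), used as the example's input.
REPORT_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\_MEI24442\libffi-7.dll

MD5 4424baf6ed5340df85482fa82b857b03
SHA1 181b641bf21c810a486f855864cd4b8967c24c44
SHA256 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79
SHA512 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33

C:\Users\Admin\AppData\Local\Temp\_MEI24442\certifi\cacert.pem

MD5 1ba3b44f73a6b25711063ea5232f4883
SHA1 1b1a84804f896b7085924f8bf0431721f3b5bdbe
SHA256 bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197
SHA512 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b

C:\Users\Admin\AppData\Local\44\Process.txt

MD5 a207f68cd7afee46a6a100b8740dda51
SHA1 f78a2853491f3c9bc7c0a64a2ec2906575537cd8
SHA256 1202ebc065fd0132ec6e9e840c7fa568bcfeef21432cc102d9fe1bb3f200fe99
SHA512 1ce2b0d64ee8435bdcda8bc3f43baa946c4547c4c7b13b21cbe7ca041d2f63159881b74e34c8bc2c938a48fcbcd14b4995259e5db3c649adc9f21713aea68b7a
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    @property
    def mei_suffix(self):
        # Numeric suffix of the _MEI directory, or None if the path is not under one.
        m = MEI_DIR.search(self.path)
        return m.group(1) if m else None

    @property
    def is_runtime_artifact(self):
        # Files the PyInstaller bootloader unpacks are stock interpreter/library
        # components shared with benign PyInstaller apps, so they are weak IOCs.
        return self.mei_suffix is not None


def parse_dropped_files(text):
    """Parse 'path' blocks followed by MD5/SHA1/SHA256/SHA512 lines into records."""
    files, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(
                    f"{current.path}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}"
                )
            current.hashes[algo] = digest
        else:
            current = DroppedFile(path=line)
            files.append(current)
    return files


def extraction_dirs(files):
    """Distinct _MEI suffixes seen, i.e. how many PyInstaller unpack runs the report shows."""
    return sorted({f.mei_suffix for f in files if f.mei_suffix})


def hunt_candidates(files):
    """Files worth pivoting on: the sample's own outputs, not bundled runtime pieces."""
    return [f for f in files if not f.is_runtime_artifact and "SHA256" in f.hashes]


if __name__ == "__main__":
    parsed = parse_dropped_files(REPORT_EXCERPT)
    print("PyInstaller extraction dirs:", extraction_dirs(parsed))
    for f in hunt_candidates(parsed):
        print("hunt:", f.path, f.hashes["SHA256"])
```

Run against the full listing, the same parser reduces the two dozen `_MEI24442` runtime files to a single extraction directory and leaves `Process.txt` as the one file-hash indicator specific to this sample; the `_MEI` path pattern itself (rather than the hashes of the files inside it) is the right detection hook for PyInstaller-packed droppers.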