Analysis Overview
SHA256
c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818
Threat Level: Known bad
The file c6897ee5e6e0c63e0cf1866460859894664359d397f9d453546adf12c7794818 was found to be: Known bad.
Malicious Activity Summary
44Caliber family
RedLine
Redline family
RedLine payload
SectopRAT payload
Detects Echelon Stealer payload
Echelon
SectopRAT
Sectoprat family
44Caliber
Echelon family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Sets file to hidden
Executes dropped EXE
Checks BIOS information in registry
Loads dropped DLL
Reads user/profile data of web browsers
Checks computer location settings
Themida packer
Drops startup file
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Browser Information Discovery
Unsigned PE
Detects Pyinstaller
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Delays execution with timeout.exe
Checks processor information in registry
Views/modifies file attributes
Modifies registry class
Kills process with taskkill
Suspicious use of WriteProcessMemory
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 04:19
Signatures
Detects Echelon Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Echelon family
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Crystal.exe
"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| FI | 185.252.144.65:4545 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| FI | 185.252.144.65:4545 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| FI | 185.252.144.65:4545 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| FI | 185.252.144.65:4545 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 185.252.144.65:4545 | | tcp |
| FI | 185.252.144.65:4545 | | tcp |
Files
memory/3636-0-0x0000000000120000-0x00000000008B8000-memory.dmp
memory/3636-1-0x0000000075D60000-0x0000000075D61000-memory.dmp
memory/3636-5-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-4-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-3-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-2-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-7-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-8-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-6-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-9-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-13-0x0000000000120000-0x00000000008B8000-memory.dmp
memory/3636-14-0x0000000000120000-0x00000000008B8000-memory.dmp
memory/3636-15-0x0000000005C30000-0x0000000006248000-memory.dmp
memory/3636-16-0x00000000056D0000-0x00000000056E2000-memory.dmp
memory/3636-17-0x0000000005730000-0x000000000576C000-memory.dmp
memory/3636-18-0x0000000005770000-0x00000000057BC000-memory.dmp
memory/3636-19-0x0000000005A30000-0x0000000005B3A000-memory.dmp
memory/3636-20-0x0000000000120000-0x00000000008B8000-memory.dmp
memory/3636-21-0x0000000075D60000-0x0000000075D61000-memory.dmp
memory/3636-22-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-23-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-24-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-25-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-26-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-27-0x0000000075D40000-0x0000000075E30000-memory.dmp
memory/3636-29-0x0000000075D40000-0x0000000075E30000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:21
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
140s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 82.146.43.167:80 | 82.146.43.167 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.3.46:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 167.43.146.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.3.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4144-0-0x0000000000ED0000-0x000000000170A000-memory.dmp
memory/4144-2-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-1-0x0000000076560000-0x0000000076561000-memory.dmp
memory/4144-3-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-4-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-5-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-7-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-6-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-10-0x0000000000ED0000-0x000000000170A000-memory.dmp
memory/4144-11-0x0000000000ED0000-0x000000000170A000-memory.dmp
memory/4144-13-0x0000000006C00000-0x0000000006C92000-memory.dmp
memory/4144-12-0x00000000070D0000-0x0000000007674000-memory.dmp
memory/4144-14-0x0000000000ED0000-0x000000000170A000-memory.dmp
memory/4144-15-0x0000000076560000-0x0000000076561000-memory.dmp
memory/4144-17-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-16-0x0000000076540000-0x0000000076630000-memory.dmp
memory/4144-21-0x0000000000ED0000-0x000000000170A000-memory.dmp
memory/4144-20-0x0000000076540000-0x0000000076630000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20241023-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1472 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe |
| PID 1472 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe |
| PID 1472 wrote to memory of 1224 | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI14722\python39.dll
| MD5 | c4b75218b11808db4a04255574b2eb33 |
| SHA1 | f4a3497fb6972037fb271cfdc5b404a4b28ccf07 |
| SHA256 | 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2 |
| SHA512 | 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c |
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:21
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsAnalyzer | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe | N/A |
Browser Information Discovery
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe
"C:\Users\Admin\AppData\Local\Temp\forcenitro2.4.1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.12.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 205.12.26.104.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20202\python39.dll
| MD5 | c4b75218b11808db4a04255574b2eb33 |
| SHA1 | f4a3497fb6972037fb271cfdc5b404a4b28ccf07 |
| SHA256 | 53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2 |
| SHA512 | 0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\VCRUNTIME140.dll
| MD5 | 7942be5474a095f673582997ae3054f1 |
| SHA1 | e982f6ebc74d31153ba9738741a7eec03a9fa5e8 |
| SHA256 | 8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c |
| SHA512 | 49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\base_library.zip
| MD5 | 3c9567cdb28edb96e1491f1787915c34 |
| SHA1 | 0cead74ca10f1dc9af5135aa2b951bdffb087c19 |
| SHA256 | eb5cf3a9aef9130c053ddb40b50fe505356eb0d7001bc62022aa33b9f9f8908c |
| SHA512 | e43671696d2b4ba20fcfce5dfe0da18cecb668f9213ffd62a4874c41de4798fc51ab02b77e1b05809eff8124c5de2d2b01d1f8f2482ab3ac0d8738ae7ebf3525 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_ctypes.pyd
| MD5 | b74f6285a790ffd7e9ec26e3ab4ca8df |
| SHA1 | 7e023c1e4f12e8e577e46da756657fd2db80b5e8 |
| SHA256 | c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a |
| SHA512 | 3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\libffi-7.dll
| MD5 | eef7981412be8ea459064d3090f4b3aa |
| SHA1 | c60da4830ce27afc234b3c3014c583f7f0a5a925 |
| SHA256 | f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081 |
| SHA512 | dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_socket.pyd
| MD5 | 0df2287791c20a764e6641029a882f09 |
| SHA1 | 8a0aeb4b4d8410d837469339244997c745c9640c |
| SHA256 | 09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869 |
| SHA512 | 60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\select.pyd
| MD5 | a2a4cf664570944ccc691acf47076eeb |
| SHA1 | 918a953817fff228dbd0bdf784ed6510314f4dd9 |
| SHA256 | b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434 |
| SHA512 | d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\pywintypes39.dll
| MD5 | 72511a9c3a320bcdbeff9bedcf21450f |
| SHA1 | 7a7af481fecbaf144ae67127e334b88f1a2c1562 |
| SHA256 | c06a570b160d5fd8030b8c7ccba64ce8a18413cb4f11be11982756aa4a2b6a80 |
| SHA512 | 0d1682bb2637834bd8cf1909ca8dbeff0ea0da39687a97b5ef3d699210dc536d5a49a4f5ff9097cabd8eb65d8694e02572ff0fdabd8b186a3c45cd66f23df868 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_bz2.pyd
| MD5 | 499462206034b6ab7d18cc208a5b67e3 |
| SHA1 | 1cd350a9f5d048d337475e66dcc0b9fab6aebf78 |
| SHA256 | 6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e |
| SHA512 | 17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_lzma.pyd
| MD5 | bc118fb4e14de484452bb1be413c082a |
| SHA1 | 25d09b7fbc2452457bcf7025c3498947bc96c2d1 |
| SHA256 | ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3 |
| SHA512 | 68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\win32api.pyd
| MD5 | 99a3fc100cd43ad8d4bf9a2975a2192f |
| SHA1 | cf37b7e17e51e7823b82b77c88145312df5b78cc |
| SHA256 | 1665ad12ad7cbf44ae63a622e8b97b5fd2ed0a092dfc5db8f09a9b6fdc2d57e7 |
| SHA512 | c0a60d5333925ce306ceb2eb38e13c6bae60d2663d70c37ecfc81b7346d12d9346550cb229d7c4f58d04dd182536d799e6eff77996d712fc177b1f5af7f4a4f2 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\pythoncom39.dll
| MD5 | 778867d6c0fff726a86dc079e08c4449 |
| SHA1 | 45f9b20f4bf27fc3df9fa0d891ca6d37da4add84 |
| SHA256 | 5dfd4ad6ed4cee8f9eda2e39fe4da2843630089549c47c7adda8a3c74662698a |
| SHA512 | 5865cb730aa90c9ac95702396e5c9f32a80ff3a7720e16d64010583387b6dbd76d30426f77ab96ecb0e79d62262e211a4d08eae28109cd21846d51ed4256b8ea |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\pyexpat.pyd
| MD5 | ed82c3f14a839092d2d9d27092a19640 |
| SHA1 | 41ffcd82998b003c1e83961c329379d3512c863f |
| SHA256 | 2d59ddb10d0fa2516da1e879d2b3f180272160a4325f705d4e71ed21b90438b8 |
| SHA512 | 1b25165bda699c8e1a37e022d3412a4a6e780c1f93b2880aa67902811b0971fee0b100ad561271d23c4b7dc36eae6ee5af40b19481df75285db35d15c0904bf9 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_ssl.pyd
| MD5 | 66172f2e3a46d2a0f04204d8f83c2b1e |
| SHA1 | e74fee81b719effc003564edb6b50973f7df9364 |
| SHA256 | 2b16154826a417c41cda72190b0cbcf0c05c6e6fe44bf06e680a407138402c01 |
| SHA512 | 123b5858659b8a0ac1c0d43c24fbb9114721d86a2e06be3521ad0ed44b2e116546b7b6332fd2291d692d031ec598e865f476291d3f8f44131aacc8e7cf19f283 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\libcrypto-1_1.dll
| MD5 | cc4cbf715966cdcad95a1e6c95592b3d |
| SHA1 | d5873fea9c084bcc753d1c93b2d0716257bea7c3 |
| SHA256 | 594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1 |
| SHA512 | 3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\libssl-1_1.dll
| MD5 | bc778f33480148efa5d62b2ec85aaa7d |
| SHA1 | b1ec87cbd8bc4398c6ebb26549961c8aab53d855 |
| SHA256 | 9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843 |
| SHA512 | 80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_pytransform.dll
| MD5 | 7ea0bb19e187f58fa2f57adc54262241 |
| SHA1 | 8a70a2b8de7acfa2d9258001edd0dbcc30de638d |
| SHA256 | 2a3630a8390b7ff1eca1f1dff43193d1587f38b34edbf9052e7da2564c0eba00 |
| SHA512 | 38c125f7a0760c292e9102b32c1302fea8b21837c19b2aad0eaf5f86e8111a4ba46e0ae380e39e8331e626c883d73b69eef5a7cbd748a20c731e076c87f474ca |
memory/680-1148-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1146-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1144-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1142-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1140-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1138-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20202\tcl\encoding\cp1252.enc
| MD5 | 5900f51fd8b5ff75e65594eb7dd50533 |
| SHA1 | 2e21300e0bc8a847d0423671b08d3c65761ee172 |
| SHA256 | 14df3ae30e81e7620be6bbb7a9e42083af1ae04d94cf1203565f8a3c0542ace0 |
| SHA512 | ea0455ff4cd5c0d4afb5e79b671565c2aede2857d534e1371f0c10c299c74cb4ad113d56025f58b8ae9e88e2862f0864a4836fed236f5730360b2223fde479dc |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\tk86t.dll
| MD5 | fdc8a5d96f9576bd70aa1cadc2f21748 |
| SHA1 | bae145525a18ce7e5bc69c5f43c6044de7b6e004 |
| SHA256 | 1a6d0871be2fa7153de22be008a20a5257b721657e6d4b24da8b1f940345d0d5 |
| SHA512 | 816ada61c1fd941d10e6bb4350baa77f520e2476058249b269802be826bab294a9c18edc5d590f5ed6f8dafed502ab7ffb29db2f44292cb5bedf2f5fa609f49c |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\tcl86t.dll
| MD5 | c0b23815701dbae2a359cb8adb9ae730 |
| SHA1 | 5be6736b645ed12e97b9462b77e5a43482673d90 |
| SHA256 | f650d6bc321bcda3fc3ac3dec3ac4e473fb0b7b68b6c948581bcfc54653e6768 |
| SHA512 | ed60384e95be8ea5930994db8527168f78573f8a277f8d21c089f0018cd3b9906da764ed6fcc1bd4efad009557645e206fbb4e5baef9ab4b2e3c8bb5c3b5d725 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_tkinter.pyd
| MD5 | 426a61990ded0d75ec892b475888caa3 |
| SHA1 | a382595a3481949ecd9d88683f585b1d95d285e4 |
| SHA256 | 7b42c10c651931b8984e4797fc713656bcce4db420197881f9d9946daad0cf6a |
| SHA512 | eb23ae788178f9a26a2254db79abe8ddb8a12ba8b188a473a59eaa7574883452b79e2dee792598d8f3f03893448d7edcdc9b22c2b5f728a4a7a71380877000ad |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\unicodedata.pyd
| MD5 | 5753efb74fcb02a31a662d9d47a04754 |
| SHA1 | e7bf5ea3a235b6b661bf6d838e0067db0db0c5f4 |
| SHA256 | 9be2b4c7db2c3a05ec3cbd08970e622fcaeb4091a55878df12995f2aeb727e72 |
| SHA512 | 86372016c3b43bfb85e0d818ab02a471796cfad6d370f88f54957dfc18a874a20428a7a142fcd5a2ecd4a61f047321976af736185896372ac8fd8ca4131f3514 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_queue.pyd
| MD5 | 34537f5b9da004c623a61911e19cbee5 |
| SHA1 | 9d78f6cd2960c594ec98e837d992c08751c61d51 |
| SHA256 | a7cdedaa58c7ba9aba98193fce599598d2cd35ed9c80d1ad7fc9e6182c9a25d5 |
| SHA512 | 70bf8e8e3216050e8519b683097e958f1fcba60333eb1f18e3736bbcc195d0fad6657b24e4c3902d24b84a462c35a560eb4c7b8a15f7123249c0770143b67467 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_hashlib.pyd
| MD5 | 60f420a9a606e2c95168d25d2c1ac12e |
| SHA1 | 1e77cf7de26ed75208d31751fe61da5eddbbaf12 |
| SHA256 | 8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c |
| SHA512 | aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7 |
memory/680-1136-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1134-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1132-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1130-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1128-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1126-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1124-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1122-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1120-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1118-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1116-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1114-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1112-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1110-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1108-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1106-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1104-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1102-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1100-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1098-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1096-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1094-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1092-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1090-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1088-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1086-0x000001FB064C0000-0x000001FB064C1000-memory.dmp
memory/680-1085-0x000001FB064B0000-0x000001FB064B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI20202\PIL\_imaging.cp39-win_amd64.pyd
| MD5 | 35f50141e5098b5c4f07d665974667fd |
| SHA1 | d06651f3964ac9558270742d2fe2e374c7ae0c36 |
| SHA256 | 7a080c64f55abca2c577da08a370802aff9ee7803edca775ee18aaa6b3dd3c82 |
| SHA512 | b992fb66f258a80d35c1052f5c38498ec602e16e7ff2ee5d1cdbfa8494ed7d9481135e4404799e37af5e6adda647c1a5bd95dcd269e0a967ac59c6b7898ada5d |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\_elementtree.pyd
| MD5 | 087351dd1e9508a29633e03dbdc7d2ae |
| SHA1 | 284a7662e548ea9179906bc4ae013d04d4f5d09c |
| SHA256 | a048bae40ececd2d56a79216c8552e3a3e6f9c4bfa1f6fb1c4987b954b80bcb1 |
| SHA512 | cf3e9b146ef20c0c50ef07650cc13c4b9f70632dcff9783df761d2a8b6e0e0f25f78a290db3b6150bbc83684ecb000bc8bb2d7b7fe283d40822b7d09a605228f |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\libopenblas.GK7GX5KEQ4F6UYO3P26ULGBQYHGQO7J4.gfortran-win_amd64.dll
| MD5 | 0119d61f73d023d9a51e040cd8764ca7 |
| SHA1 | 8607b40dad6aca39df5752ac722ddbd2d0825606 |
| SHA256 | 14a58b4ac68defb67c5dcc10f9740804ca8eafa6ddbd1a459e6651f740d81552 |
| SHA512 | 297dc4078512a00275932d698b5431aa0307fd72485423672bd7e59c7060e64906852b639fcad28cf50e146d37085fef1210953d01227aa04fe8b25700a5353a |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\core\_multiarray_umath.cp39-win_amd64.pyd
| MD5 | 7ecf2a96fc0b0024186361324b5bfc2b |
| SHA1 | 877c74b2a017f2f789fae64b69363561956b1dfd |
| SHA256 | 77e322e541ab58ef0363b1f747bb48a8f650958bc5414ee471b3f067a4b6769a |
| SHA512 | 23be248dc1a3428f716f98985d9436ba5a7ab9022a13a0d9eda38963535504abfd1c46ccbc5b5fa9aee0a9b725d6dca403aaa80bff9aa65df6a95c178b0186c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\core\_multiarray_tests.cp39-win_amd64.pyd
| MD5 | 65c1da609a369c772ae106dfcd8290a4 |
| SHA1 | 43c62f2d96d587db653ec29633e87e0a3c67e4f0 |
| SHA256 | 1fa45bea6cf1d8b175cb6835aba649ef88070ade9b16eccf3895e8525bbeb7ea |
| SHA512 | ffabecd5ffcac9ad1421b46dd706d367800ad4ddefb5a3e725d71e2b4d31c2d288d8a71fee60c85b698511bdf9863596a409b84f0f61eb01af6a7e53f939a722 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\linalg\lapack_lite.cp39-win_amd64.pyd
| MD5 | 72aa1beb9a4ca55dc51e3da7cf6b9eba |
| SHA1 | 666c110abe09e9a29a813cd93d5c7c97e47a9701 |
| SHA256 | 088e025cd0fd0b27c08caa40fc436a4bc99ce1b62721c4b855c8010e4631dbb4 |
| SHA512 | 963c6e88ccbc81ed9da8b42bf60257403e9491bbfe718a72881eecaf69e0326ccc74ab0bacc1fd01817f9000744e2759dcde447a3d1e9122115c1af32d5d8d47 |
C:\Users\Admin\AppData\Local\Temp\_MEI20202\numpy\linalg\_umath_linalg.cp39-win_amd64.pyd
| MD5 | cd10932fa83c7822323bbf0089b6f3f7 |
| SHA1 | 32f9bbc17c78c078e78857e954c5f889fc066acf |
| SHA256 | 6158e604c71bed88ab5a0dac409ca24676dd288e60e01fe2f9be56bcc2f7bf52 |
| SHA512 | fb697f2b8693d328dd2d8e29430acc633efb10bdeb125b0eddb46ce496e576ebd223ae803ed9dd2eff2d2f6735d74db0a49f0a71d0c268bf5b20b8909cd9eacf |
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
143s
Command Line
Signatures
44Caliber
44Caliber family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 104.21.73.97:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
| US | 8.8.8.8:53 | 71.209.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.73.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\main.exe
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
C:\Users\Admin\AppData\Local\Temp\_MEI1162\python38.dll
C:\Users\Admin\AppData\Local\Temp\_MEI1162\VCRUNTIME140.dll
C:\Users\Admin\AppData\Local\Temp\_MEI1162\base_library.zip
C:\Users\Admin\AppData\Local\Temp\_MEI1162\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\libffi-7.dll
C:\Users\Admin\AppData\Local\Temp\_MEI1162\_socket.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\select.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\_ssl.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\libssl-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI1162\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\44\Process.txt
C:\Users\Admin\AppData\Local\Temp\_MEI1162\_hashlib.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\_bz2.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\unicodedata.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\certifi\cacert.pem
C:\Users\Admin\AppData\Local\Temp\_MEI1162\_lzma.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI1162\_queue.pyd
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20240903-en
Max time kernel
141s
Max time network
145s
Signatures
SectopRAT
SectopRAT payload
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Themida packer
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bird.exe
"C:\Users\Admin\AppData\Local\Temp\Bird.exe"
Network
| Country | Destination | Domain | Proto |
| FI | 65.21.103.71:56458 | | tcp |
| FI | 65.21.103.71:56458 | | tcp |
| FI | 65.21.103.71:56458 | | tcp |
| FI | 65.21.103.71:56458 | | tcp |
| FI | 65.21.103.71:56458 | | tcp |
| FI | 65.21.103.71:56458 | | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20240903-en
Max time kernel
141s
Max time network
143s
Signatures
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.14.49.109:54819 | | tcp |
| NL | 45.14.49.109:54819 | | tcp |
| NL | 45.14.49.109:54819 | | tcp |
| NL | 45.14.49.109:54819 | | tcp |
| NL | 45.14.49.109:54819 | | tcp |
| NL | 45.14.49.109:54819 | | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
151s
Signatures
RedLine
RedLine payload
Redline family
SectopRAT
SectopRAT payload
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1604 set thread context of 3176 | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 109.248.201.150:63757 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| RU | 109.248.201.150:63757 | | tcp |
| RU | 109.248.201.150:63757 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| RU | 109.248.201.150:63757 | | tcp |
| RU | 109.248.201.150:63757 | | tcp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Minecraft_v4.4.exe.log
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20240903-en
Max time kernel
117s
Max time network
120s
Signatures
Detects Echelon Stealer payload
Echelon
Echelon family
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2800 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | C:\Windows\system32\WerFault.exe |
| PID 2800 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | C:\Windows\system32\WerFault.exe |
| PID 2800 wrote to memory of 1820 | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | C:\Windows\system32\WerFault.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NewHacks.exe
"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2800 -s 1504
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.13:443 | g.api.mega.co.nz | tcp |
Files
C:\Users\Admin\AppData\Roaming\BByyXyDZJDHB8BB80FD49\49B8BB80FDBByyXyDZJDH\Browsers\Passwords\Passwords_Edge.txt
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
154s
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\file3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\NSpack\updIns\Sgsmmodul.com | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\NSpack\updIns\mmscx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\NSpack\updIns\Sgsmmodul.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\file3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file3.exe
"C:\Users\Admin\AppData\Local\Temp\file3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\44t.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\NSpack\updIns\Sgsmmodul.com
"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\NSpack\updIns\gg4359.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
C:\NSpack\updIns\tetracom.vbs
C:\NSpack\updIns\44t.bat
C:\NSpack\updIns\dc.isi
C:\NSpack\updIns\Sgsmmodul.com
C:\NSpack\updIns\sevenup.vbs
C:\NSpack\updIns\gg4359.bat
C:\NSpack\updIns\mmscx.exe
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\NSpack\updIns\Sgsmmodul.com | N/A |
| N/A | N/A | C:\NSpack\updIns\mmscx.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\NSpack\updIns\mmscx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\file3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\NSpack\updIns\Sgsmmodul.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file3.exe
"C:\Users\Admin\AppData\Local\Temp\file3.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\tetracom.vbs" /f=CREATE_NO_WINDOW install.cmd
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\44t.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout 7
C:\NSpack\updIns\Sgsmmodul.com
"Sgsmmodul.com" e -pEktfsdu78s8f87Ap8pHr6Mqaq9SQ mit.rar
C:\Windows\SysWOW64\timeout.exe
timeout 6
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\NSpack\updIns\sevenup.vbs"
C:\Windows\SysWOW64\timeout.exe
timeout 8
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\NSpack\updIns\gg4359.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 2
C:\NSpack\updIns\mmscx.exe
mmscx.exe /start
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Sgsmmodul.com
C:\Windows\SysWOW64\attrib.exe
attrib -s -h "C:\NSpack\updIns"
C:\Windows\SysWOW64\timeout.exe
timeout 4
Network
Files
C:\NSpack\updIns\tetracom.vbs
| MD5 | bdc0fb5cada9a89f074961224aaf4e63 |
| SHA1 | 9284fe4ecc0fde705fc596dd89191c02915fd7a4 |
| SHA256 | b6156e744da7ffcd5e47e78d487b2ad78b1babf44aaa4145d706247f308106db |
| SHA512 | 83cdf2cdc78106075fe5d8dfaa84fabae7251e76d8b706e74491291a03366bacd94ede79893e62f62f52c13c4cf1e5b5e53ebd49942d3789b01724464ee6ee28 |
C:\NSpack\updIns\44t.bat
| MD5 | 96c69dbc1233bfa7c5e883658e0758d4 |
| SHA1 | 613179fa74db9e71516bdb3a93341e9d90c4ecba |
| SHA256 | deb0fa40647bb04decbdf7e62fd62985bceb5a47ab5f15556763b8db1266acde |
| SHA512 | 43d0621374de43a216086807ac90f3dac4339975cfca251e762c84680bbe4932dfcfee9d08e5c2ff113fa2b4db50e4e8ede960864da34d8905e76851ed91e0d3 |
C:\NSpack\updIns\dc.isi
| MD5 | fbd467e1613c53b03376e987f3dbf2da |
| SHA1 | e2ca3ff625122f49e8a382dee32d0ca2f98648bf |
| SHA256 | cca183bc9bb6e35a4713e1e25e80147ff5ab3857984a22ce74b5836f6e98ab68 |
| SHA512 | e2cf3762d688a9d4b43224e86a258751085734af3da3bac93cc3baabb8499b2147c8026dcfc9745fedc5b906116cf1e59f010ad342b43ae242dbc47755fc0e05 |
C:\NSpack\updIns\Sgsmmodul.com
| MD5 | 061f64173293969577916832be29b90d |
| SHA1 | b05b80385de20463a80b6c9c39bd1d53123aab9b |
| SHA256 | 34dfe4869b0a524c63cc4696fafe30c83a22dc5fe4b994b9fe777f2c986733ce |
| SHA512 | 66e284f7c7e40af988ab09ff48cc786d287ac906368042d98d313be764058f01ecb5c3a7ab8d4336ee6494ea4a1347e73f0f2b4f3baec25ca6bcec1d888bd3da |
C:\NSpack\updIns\sevenup.vbs
| MD5 | 6a551928353982ab64107a4929c91c91 |
| SHA1 | b68ee5e77a722638f184d0fbf6a4834bb8cc188e |
| SHA256 | 0281bbb85161fdb990c6f1c149a7e4bbaafe262f028e4fb66ffa995e2c4a45f3 |
| SHA512 | 870ef201fafd9d0036dcb4ea912676157075089390c9fecd0ad45d805e38bd74c5dc1fd413e9b765df50249628968ef8684b1b9ea57e2340769553e818c2159d |
C:\NSpack\updIns\gg4359.bat
| MD5 | b4be21a8f4bb91b11ccaf08b39b679d5 |
| SHA1 | b3da567bb1072168b54866ee29301bde61bdc45e |
| SHA256 | 35e6fbd496632c91eb924e1d3b7749eeba36125bc4551624786b171bea1d465d |
| SHA512 | a52f7e9ad3ae76abe66920608c8b33a899ace0a4f4600903dc721a822114d5928cd85701a7405ef8ee1dc1aaa295174124a63ccec3e3fd3e347f01dbb2011f3c |
C:\NSpack\updIns\mmscx.exe
| MD5 | 3e79f72a8ae481ac76a69ccf1213d24d |
| SHA1 | de4fd0b5fc3ea6d2d095e1f492d12e14dd3aa7f2 |
| SHA256 | 1776cf6e4dfd98cc059403d5289b955c227a34fdffc43afe4a967468f2c117d4 |
| SHA512 | 2271bdc91dc5ffd388799fdd5016f1b3b0f81da9d62ac57631eced9539fbaca42e494c5edaf65e06194a150d4730ec292c5c97f45bf599a53ed80e5b41a0ae90 |
memory/2804-43-0x0000000000180000-0x00000000001E7000-memory.dmp
memory/2844-45-0x0000000000400000-0x0000000000467000-memory.dmp
memory/2804-42-0x0000000000180000-0x00000000001E7000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | N/A | tcp |
| NL | 45.14.49.109:54819 | N/A | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.208.201.84.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | N/A | tcp |
| NL | 45.14.49.109:54819 | N/A | tcp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
92s
Max time network
151s
Command Line
Signatures
Detects Echelon Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Echelon
Echelon family
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\NewHacks.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NewHacks.exe
"C:\Users\Admin\AppData\Local\Temp\NewHacks.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 104.26.13.205:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | g.api.mega.co.nz | udp |
| LU | 66.203.125.14:443 | g.api.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 205.13.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gfs270n082.userstorage.mega.co.nz | udp |
| LU | 89.44.168.229:80 | gfs270n082.userstorage.mega.co.nz | tcp |
| US | 8.8.8.8:53 | 14.125.203.66.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.168.44.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
Files
memory/4772-0-0x00007FF8028E3000-0x00007FF8028E5000-memory.dmp
memory/4772-1-0x00000000008B0000-0x00000000009D8000-memory.dmp
memory/4772-5-0x00007FF8028E0000-0x00007FF8033A1000-memory.dmp
C:\Users\Admin\AppData\Roaming\VuJDLRVuHBFFuFPuTPTPDZE87CF40088\88E87CF400VuJDLRVuHBFFuFPuTPTPDZ\Browsers\Passwords\Passwords_Edge.txt
| MD5 | 42fa959509b3ed7c94c0cf3728b03f6d |
| SHA1 | 661292176640beb0b38dc9e7a462518eb592d27d |
| SHA256 | 870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00 |
| SHA512 | 7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007 |
memory/4772-71-0x000000001C0A0000-0x000000001C0C2000-memory.dmp
memory/4772-84-0x00007FF8028E0000-0x00007FF8033A1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20241010-en
Max time kernel
150s
Max time network
161s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1492 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Network
| Country | Destination | Domain | Proto |
| NL | 185.92.73.140:80 | 185.92.73.140 | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1116 set thread context of 3240 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Users\Admin\AppData\Local\Temp\Setup.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Local\Temp\Setup.exe
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 185.92.73.140:80 | 185.92.73.140 | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| US | 8.8.8.8:53 | 140.73.92.185.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
| NL | 185.92.73.140:443 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Setup.exe.log
| MD5 | 7ebe314bf617dc3e48b995a6c352740c |
| SHA1 | 538f643b7b30f9231a3035c448607f767527a870 |
| SHA256 | 48178f884b8a4dd96e330b210b0530667d9473a7629fc6b4ad12b614bf438ee8 |
| SHA512 | 0ba9d8f4244c15285e254d27b4bff7c49344ff845c48bc0bf0d8563072fab4d6f7a6abe6b6742e8375a08e9a3b3e5d5dc4937ab428dbe2dd8e62892fda04507e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bird.exe
"C:\Users\Admin\AppData\Local\Temp\Bird.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | N/A | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | N/A | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.208.201.84.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | N/A | tcp |
| FI | 65.21.103.71:56458 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | N/A | tcp |
| FI | 65.21.103.71:56458 | N/A | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:21
Platform
win7-20240708-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Crystal.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Crystal.exe
"C:\Users\Admin\AppData\Local\Temp\Crystal.exe"
Network
| Country | Destination | Domain | Proto |
| FI | 185.252.144.65:4545 | N/A | tcp |
| FI | 185.252.144.65:4545 | N/A | tcp |
| FI | 185.252.144.65:4545 | N/A | tcp |
| FI | 185.252.144.65:4545 | N/A | tcp |
| FI | 185.252.144.65:4545 | N/A | tcp |
| FI | 185.252.144.65:4545 | N/A | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20241010-en
Max time kernel
130s
Max time network
144s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2876 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.4.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 109.248.201.150:63757 | | tcp |
| RU | 109.248.201.150:63757 | | tcp |
| RU | 109.248.201.150:63757 | | tcp |
| RU | 109.248.201.150:63757 | | tcp |
| RU | 109.248.201.150:63757 | | tcp |
Files
memory/2876-0-0x0000000074CCE000-0x0000000074CCF000-memory.dmp
memory/2876-1-0x0000000000E70000-0x0000000000FB6000-memory.dmp
memory/2876-2-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/2876-3-0x0000000074CCE000-0x0000000074CCF000-memory.dmp
memory/2876-4-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/2876-5-0x0000000000640000-0x0000000000662000-memory.dmp
memory/2724-7-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-12-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2724-9-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2876-13-0x0000000074CC0000-0x00000000753AE000-memory.dmp
memory/2724-17-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-15-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-18-0x00000000745DE000-0x00000000745DF000-memory.dmp
memory/2724-19-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/2724-20-0x00000000745DE000-0x00000000745DF000-memory.dmp
memory/2724-21-0x00000000745D0000-0x0000000074CBE000-memory.dmp
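In behavioral7 the first Minecraft_v4.4.exe (PID 2876) sets the thread context of a second instance of itself (PID 2724), and the child's dumps include a region at 0x400000-0x41E000, the default ImageBase of a 32-bit PE, while the parent's own image sits at 0xE70000. That combination is the shape of process hollowing: the parent writes an unpacked payload into a suspended copy of itself and redirects its entry point. The following is an added triage helper, not part of the sandbox report: it parses the report's own dump-name scheme (memory/<pid>-<seq>-<start>-<end>-memory.dmp, inferred from the listing above), groups regions by PID and, for each SetThreadContext parent/child pair, flags child regions sitting at the default image base that are small enough to be a written-in payload. The dump names in DUMPS are copied from the listing; the size threshold is an assumption.

```python
import re
from collections import defaultdict

# Dump-name scheme inferred from this report's "Files" listings:
#   memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Subset of the behavioral7 listing above, copied verbatim.
DUMPS = """\
memory/2876-1-0x0000000000E70000-0x0000000000FB6000-memory.dmp
memory/2876-5-0x0000000000640000-0x0000000000662000-memory.dmp
memory/2724-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-7-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2724-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2724-19-0x00000000745D0000-0x0000000074CBE000-memory.dmp
""".splitlines()

# The "Suspicious use of SetThreadContext" row: (injecting pid, target pid).
SET_THREAD_CONTEXT = [(2876, 2724)]

DEFAULT_IMAGE_BASE = 0x400000   # default ImageBase of a 32-bit non-DLL PE
MAX_PAYLOAD_SIZE = 0x200000     # assumption: unpacked stealer images are well under 2 MiB


def parse_dump_name(name):
    """Return {pid, seq, start, end} for one dump file name, or None if it does not match."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def regions_by_pid(names):
    """Group the distinct (start, end) regions that were dumped, per PID."""
    regions = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        if d:
            regions[d["pid"]].add((d["start"], d["end"]))
    return regions


def hollowing_candidates(names, set_thread_context,
                         image_base=DEFAULT_IMAGE_BASE, max_size=MAX_PAYLOAD_SIZE):
    """For each (parent, child) SetThreadContext pair, report child regions that sit at the
    default image base and are small enough to be a payload written in by the parent."""
    regions = regions_by_pid(names)
    findings = []
    for parent, child in set_thread_context:
        for start, end in sorted(regions.get(child, ())):
            if start == image_base and 0 < end - start <= max_size:
                findings.append({"parent": parent, "child": child,
                                 "start": start, "size": end - start})
    return findings


if __name__ == "__main__":
    for f in hollowing_candidates(DUMPS, SET_THREAD_CONTEXT):
        print(f"pid {f['parent']} -> pid {f['child']}: region 0x{f['start']:X}, "
              f"{f['size']:#x} bytes at the default image base")
```

The 0x400000 region in PID 2724 is 0x1E000 bytes, which is the dump to carve first when looking for the unpacked RedLine/SectopRAT image; the parent's regions (0xE70000 and the 0x640000 scratch buffer) are the packed loader and its staging copy. The check is deliberately narrow: a target region at an ASLR'd base would be missed, so it is a triage shortcut, not a detection rule.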
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:22
Platform
win7-20240903-en
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe
"C:\Users\Admin\AppData\Local\Temp\Software patch v2.0.5.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 82.146.43.167:80 | 82.146.43.167 | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.26.2.46:443 | iplogger.org | tcp |
Files
memory/2420-1-0x0000000076434000-0x0000000076435000-memory.dmp
memory/2420-0-0x0000000000E00000-0x000000000163A000-memory.dmp
memory/2420-2-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-12-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-8-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-7-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-6-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-5-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-4-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-3-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-19-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-18-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-17-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-16-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-14-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-15-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-13-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-21-0x0000000000E00000-0x000000000163A000-memory.dmp
memory/2420-24-0x0000000000E00000-0x000000000163A000-memory.dmp
memory/2420-23-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-22-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-20-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-25-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-27-0x0000000076420000-0x0000000076530000-memory.dmp
memory/2420-28-0x0000000000E00000-0x000000000163A000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-09 04:18
Reported
2024-11-09 04:21
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
44Caliber
44Caliber family
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | freegeoip.app | N/A | N/A |
| N/A | freegeoip.app | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Insidious.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe
"C:\Users\Admin\AppData\Local\Temp\nitro_gen.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Users\Admin\AppData\Local\Temp\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | freegeoip.app | udp |
| US | 172.67.160.84:443 | freegeoip.app | tcp |
| US | 8.8.8.8:53 | ipbase.com | udp |
| US | 172.67.209.71:443 | ipbase.com | tcp |
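The Network tables of behavioral7, behavioral13 and behavioral19 above list every endpoint the detonated executables contacted. Turning them into something a SOC can match needs two decisions the raw rows do not make: the resolver (8.8.8.8) and the public IP-lookup services (freegeoip.app, ipbase.com, iplogger.org) sit behind a CDN and must be tracked by name rather than by address, while the remaining host:port pairs can be matched directly. The following is an added example, not part of the sandbox report: it parses rows in the report's table format (also accepting rows where an extraction artefact has shifted the protocol one column left, leaving the Proto cell empty or missing), splits them into direct endpoints and lookup-service names, and runs both against constructed Zeek conn.log- and dns.log-style lines. The log lines are constructed for illustration; the report itself does not label any of the direct endpoints as C2, so the code calls them "direct".

```python
# Rows in this report's '| Country | Destination | Domain | Proto |' format. The first two are
# written as they appear in some extractions, with the protocol shifted into the Domain column.
NETWORK_ROWS = [
    "| FI | 185.252.144.65:4545 | tcp | |",
    "| RU | 109.248.201.150:63757 | tcp |",
    "| RU | 82.146.43.167:80 | 82.146.43.167 | tcp |",
    "| US | 8.8.8.8:53 | iplogger.org | udp |",
    "| US | 104.26.2.46:443 | iplogger.org | tcp |",
    "| US | 8.8.8.8:53 | freegeoip.app | udp |",
    "| US | 172.67.160.84:443 | freegeoip.app | tcp |",
    "| US | 172.67.209.71:443 | ipbase.com | tcp |",
]

PROTOS = {"tcp", "udp"}
DNS_RESOLVERS = {"8.8.8.8"}
# Public IP-lookup / logger services the report shows the samples using; their addresses are
# CDN addresses shared with legitimate traffic, so they are tracked by name, not by IP.
IP_LOOKUP_SERVICES = {"freegeoip.app", "ipbase.com", "iplogger.org"}


def parse_network_row(row):
    """Parse one table row, repairing the variant where the protocol sits in the Domain cell."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if domain in PROTOS and not proto:
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def build_iocs(rows):
    """Split rows into endpoints contacted directly (ip, port, proto) and lookup-service names."""
    direct, lookups = set(), set()
    for r in map(parse_network_row, rows):
        if r["ip"] in DNS_RESOLVERS:
            continue
        if r["domain"] in IP_LOOKUP_SERVICES:
            lookups.add(r["domain"])
            continue
        direct.add((r["ip"], r["port"], r["proto"]))
    return direct, lookups


# Constructed Zeek conn.log-style lines: ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto.
CONN_LOG = """\
1731125900.12\tCx1\t10.0.0.5\t49211\t109.248.201.150\t63757\ttcp
1731125901.40\tCx2\t10.0.0.5\t49212\t172.67.160.84\t443\ttcp
1731125902.77\tCx3\t10.0.0.5\t49213\t93.184.216.34\t443\ttcp
1731125903.05\tCx4\t10.0.0.7\t49300\t185.252.144.65\t4545\ttcp
""".splitlines()

# Constructed Zeek dns.log-style lines: ts, uid, id.orig_h, query.
DNS_LOG = """\
1731125901.30\tDx1\t10.0.0.5\tfreegeoip.app
1731125905.00\tDx2\t10.0.0.9\twww.example.com
""".splitlines()


def match_logs(conn_lines, dns_lines, direct, lookups):
    """Return (conn hits on direct endpoints, dns hits on lookup-service names)."""
    conn_hits = []
    for line in conn_lines:
        _, uid, orig_h, _, resp_h, resp_p, proto = line.split("\t")
        if (resp_h, int(resp_p), proto) in direct:
            conn_hits.append((uid, orig_h, f"{resp_h}:{resp_p}"))
    dns_hits = []
    for line in dns_lines:
        _, uid, orig_h, query = line.split("\t")
        if query.lower().rstrip(".") in lookups:
            dns_hits.append((uid, orig_h, query))
    return conn_hits, dns_hits


if __name__ == "__main__":
    direct, lookups = build_iocs(NETWORK_ROWS)
    conn_hits, dns_hits = match_logs(CONN_LOG, DNS_LOG, direct, lookups)
    print("direct endpoints:", sorted(direct))
    print("conn hits:", conn_hits)
    print("dns hits:", dns_hits)
```

Cx2 (172.67.160.84:443) is not reported even though that address appears in the behavioral19 table, because it is freegeoip.app's CDN front; the corresponding signal is the dns.log hit Dx1. Treat the name hits as weak on their own, with the exception of iplogger.org, which the report lists under "Legitimate hosting services abused for malware hosting/C2" and which has no business being queried from an endpoint fleet.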
Files
\Users\Admin\AppData\Local\Temp\main.exe
| MD5 | 53476f1737d178939ad93e38465fddd6 |
| SHA1 | 5c8dde18b9d4b5d8c72de85d5f613dbfd77fe5b2 |
| SHA256 | b2b71248264c08ba56ed8d39f72e6811fea58d110bcae39381e18bf3fd387d43 |
| SHA512 | d01aa9891808b20cb891d816affca0eaac1ba2e8d768d03d56a03eb1e1905de93a9fc9960d098150c53dcc5abde36c0fd0754a4725e554b95ee13e5e90b4bee3 |
\Users\Admin\AppData\Local\Temp\Insidious.exe
| MD5 | 5b8d83823531d567241106b9cec66d06 |
| SHA1 | 4a34b951287719ca9558fea764262ec8af52f20d |
| SHA256 | 5a12b229ff508e7ecfecdaf3a52da45ec02160587ccb852646e72b789ada6ac5 |
| SHA512 | c7aceaad5b54a23de1f76691dc12184ae381d3dc7409fc582b30938273a09fb2f6538eef886aca5c871ae9243e4eaf399178e44d3cb47666f025ea31ce6b46fd |
memory/2196-14-0x000007FEF5233000-0x000007FEF5234000-memory.dmp
memory/2196-33-0x00000000001E0000-0x000000000022A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI24442\python38.dll
| MD5 | d2a8a5e7380d5f4716016777818a32c5 |
| SHA1 | fb12f31d1d0758fe3e056875461186056121ed0c |
| SHA256 | 59ab345c565304f638effa7c0236f26041fd06e35041a75988e13995cd28ace9 |
| SHA512 | ad1269d1367f587809e3fbe44af703c464a88fa3b2ae0bf2ad6544b8ed938e4265aab7e308d999e6c8297c0c85c608e3160796325286db3188a3edf040a02ab7 |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\VCRUNTIME140.dll
| MD5 | 0e675d4a7a5b7ccd69013386793f68eb |
| SHA1 | 6e5821ddd8fea6681bda4448816f39984a33596b |
| SHA256 | bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1 |
| SHA512 | cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66 |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\base_library.zip
| MD5 | 19d34805782c4704d1e2a81fe32e9c27 |
| SHA1 | 8c3d99a0616abc478d6230d07f9dc7b38313813e |
| SHA256 | 06f3c20b42de72e69e9c6b2f66f149f5a65161873e30d07129333f53858d97bb |
| SHA512 | 267b8db8751ea170cd2e04ff5a4d87b0b65edc6d251a8016c213c97bcd8f3a12d955fc25860147b303b153b00d0a41191c09ed24e6fd4b95cb34ae98009456a4 |
\Users\Admin\AppData\Local\Temp\_MEI24442\_ctypes.pyd
| MD5 | f1e33a8f6f91c2ed93dc5049dd50d7b8 |
| SHA1 | 23c583dc98aa3f6b8b108db5d90e65d3dd72e9b4 |
| SHA256 | 9459d246df7a3c638776305cf3683946ba8db26a7de90df8b60e1be0b27e53c4 |
| SHA512 | 229896da389d78cbdf2168753ed7fcc72d8e0e62c6607a3766d6d47842c0abd519ac4f5d46607b15e7ba785280f9d27b482954e931645337a152b8a54467c6a5 |
\Users\Admin\AppData\Local\Temp\_MEI24442\libffi-7.dll
| MD5 | 4424baf6ed5340df85482fa82b857b03 |
| SHA1 | 181b641bf21c810a486f855864cd4b8967c24c44 |
| SHA256 | 8c1f7f64579d01fedfde07e0906b1f8e607c34d5e6424c87abe431a2322eba79 |
| SHA512 | 8adb94893ada555de2e82f006ab4d571fad8a1b16ac19ca4d2efc1065677f25d2de5c981473fabd0398f6328c1be1ebd4d36668ea67f8a5d25060f1980ee7e33 |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\select.pyd
| MD5 | 6ae54d103866aad6f58e119d27552131 |
| SHA1 | bc53a92a7667fd922ce29e98dfcf5f08f798a3d2 |
| SHA256 | 63b81af5d3576473c17ac929bea0add5bf8d7ea95c946caf66cbb9ad3f233a88 |
| SHA512 | ff23f3196a10892ea22b28ae929330c8b08ab64909937609b7af7bfb1623cd2f02a041fd9fab24e4bc1754276bdafd02d832c2f642c8ecdcb233f639bdf66dd0 |
\Users\Admin\AppData\Local\Temp\_MEI24442\_socket.pyd
| MD5 | d6bae4b430f349ab42553dc738699f0e |
| SHA1 | 7e5efc958e189c117eccef39ec16ebf00e7645a9 |
| SHA256 | 587c4f3092b5f3e34f6b1e927ecc7127b3fe2f7fa84e8a3d0c41828583bd5cef |
| SHA512 | a8f8fed5ea88e8177e291b708e44b763d105907e9f8c9e046c4eebb8684a1778383d1fba6a5fa863ca37c42fd58ed977e9bb3a6b12c5b8d9ab6ef44de75e3d1e |
\Users\Admin\AppData\Local\Temp\_MEI24442\_ssl.pyd
| MD5 | 8ee827f2fe931163f078acdc97107b64 |
| SHA1 | 149bb536f3492bc59bd7071a3da7d1f974860641 |
| SHA256 | eaeefa6722c45e486f48a67ba18b4abb3ff0c29e5b30c23445c29a4d0b1cd3e4 |
| SHA512 | a6d24e72bf620ef695f08f5ffde70ef93f42a3fa60f7c76eb0f521393c595717e05ccb7a61ae216c18fe41e95fb238d82637714cf5208ee8f1dd32ae405b5565 |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\libcrypto-1_1.dll
| MD5 | bf83f8ad60cb9db462ce62c73208a30d |
| SHA1 | f1bc7dbc1e5b00426a51878719196d78981674c4 |
| SHA256 | 012866b68f458ec204b9bce067af8f4a488860774e7e17973c49e583b52b828d |
| SHA512 | ae1bdda1c174ddf4205ab19a25737fe523dca6a9a339030cd8a95674c243d0011121067c007be56def4eaeffc40cbdadfdcbd1e61df3404d6a3921d196dcd81e |
\Users\Admin\AppData\Local\Temp\_MEI24442\libssl-1_1.dll
| MD5 | fe1f3632af98e7b7a2799e3973ba03cf |
| SHA1 | 353c7382e2de3ccdd2a4911e9e158e7c78648496 |
| SHA256 | 1ce7ba99e817c1c2d71bc88a1bdd6fcad82aa5c3e519b91ebd56c96f22e3543b |
| SHA512 | a0123dfe324d3ebf68a44afafca7c6f33d918716f29b063c72c4a8bd2006b81faea6848f4f2423778d57296d7bf4f99a3638fc87b37520f0dcbeefa3a2343de0 |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\_hashlib.pyd
| MD5 | a6448bc5e5da21a222de164823add45c |
| SHA1 | 6c26eb949d7eb97d19e42559b2e3713d7629f2f9 |
| SHA256 | 3692fc8e70e6e29910032240080fc8109248ce9a996f0a70d69acf1542fca69a |
| SHA512 | a3833c7e1cf0e4d181ac4de95c5dfa685cf528dc39010bf0ac82864953106213eccff70785021ccb05395b5cf0dcb89404394327cd7e69f820d14dfa6fba8cba |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\_queue.pyd
| MD5 | 44b72e0ad8d1e1ec3d8722088b48c3c5 |
| SHA1 | e0f41bf85978dd8f5abb0112c26322b72c0d7770 |
| SHA256 | 4aa1bbde1621c49edab4376cf9a13c1aa00a9b0a9905d9640a2694ef92f77d5e |
| SHA512 | 05853f93c6d79d8f9c96519ce4c195b9204df1255b01329deaa65e29bd3e988d41454cd305e2199404f587e855737879c330638f2f07bff11388a49e67ba896c |
\Users\Admin\AppData\Local\Temp\_MEI24442\_bz2.pyd
| MD5 | 3dc8af67e6ee06af9eec52fe985a7633 |
| SHA1 | 1451b8c598348a0c0e50afc0ec91513c46fe3af6 |
| SHA256 | c55821f5fdb0064c796b2c0b03b51971f073140bc210cbe6ed90387db2bed929 |
| SHA512 | da16bfbc66c8abc078278d4d3ce1595a54c9ef43ae8837ceb35ae2f4757b930fe55e258827036eba8218315c10af5928e30cb22c60ff69159c8fe76327280087 |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\_lzma.pyd
| MD5 | 37057c92f50391d0751f2c1d7ad25b02 |
| SHA1 | a43c6835b11621663fa251da421be58d143d2afb |
| SHA256 | 9442dc46829485670a6ac0c02ef83c54b401f1570d1d5d1d85c19c1587487764 |
| SHA512 | 953dc856ad00c3aec6aeab3afa2deb24211b5b791c184598a2573b444761db2d4d770b8b807ebba00ee18725ff83157ec5fa2e3591a7756eb718eba282491c7c |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\certifi\cacert.pem
| MD5 | 1ba3b44f73a6b25711063ea5232f4883 |
| SHA1 | 1b1a84804f896b7085924f8bf0431721f3b5bdbe |
| SHA256 | bb77f13d3fbec9e98bbf28ac95046b44196c7d8f55ab7720061e99991a829197 |
| SHA512 | 0dd2a14331308b1de757d56fab43678431e0ad6f5f5b12c32fa515d142bd955f8be690b724e07f41951dd03c9fee00e604f4e0b9309da3ea438c8e9b56ca581b |
C:\Users\Admin\AppData\Local\Temp\_MEI24442\unicodedata.pyd
| MD5 | 4c0d43f1a31e76255cb592bb616683e7 |
| SHA1 | 0a9f3d77a6e064baebacacc780701117f09169ad |
| SHA256 | 0f84e9f0d0bf44d10527a9816fcab495e3d797b09e7bbd1e6bd666ceb4b6c1a8 |
| SHA512 | b8176a180a441fe402e86f055aa5503356e7f49e984d70ab1060dee4f5f17fcec9c01f75bbff75ce5f4ef212677a6525804be53646cc0d7817b6ed5fd83fd778 |
C:\Users\Admin\AppData\Local\44\Process.txt
| MD5 | a207f68cd7afee46a6a100b8740dda51 |
| SHA1 | f78a2853491f3c9bc7c0a64a2ec2906575537cd8 |
| SHA256 | 1202ebc065fd0132ec6e9e840c7fa568bcfeef21432cc102d9fe1bb3f200fe99 |
| SHA512 | 1ce2b0d64ee8435bdcda8bc3f43baa946c4547c4c7b13b21cbe7ca041d2f63159881b74e34c8bc2c938a48fcbcd14b4995259e5db3c649adc9f21713aea68b7a |
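The _MEI24442 directory and its contents (python38.dll, base_library.zip, the .pyd extension modules, certifi's cacert.pem) are what a PyInstaller onefile bootloader unpacks into %TEMP% before it runs the bundled script, and they are the reason the "Detects Pyinstaller" signature fires on this 44Caliber stage. Statically, the same thing is visible without running the sample: PyInstaller appends its archive to the bootloader EXE and terminates it with a fixed cookie (magic MEI\x0c\x0b\x0a\x0b\x0e, package length, table-of-contents offset and length, interpreter version and, in the 88-byte layout used since PyInstaller 2.1, the python library name). The following is an added example, not part of the sandbox report or of PyInstaller: a cookie parser plus a constructed stand-in for a onefile EXE so it can be run offline. Nothing in it is a real binary; the stub, payload and TOC bytes are placeholders.

```python
import struct

# PyInstaller's CArchive cookie magic; the cookie is the last thing in the archive that the
# bootloader appends to itself (the overlay of the EXE).
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layouts: the 88-byte form (PyInstaller 2.1 and later) carries the python library
# name (python38.dll in this report); the 24-byte legacy form does not.
COOKIE_NEW = struct.Struct("!8sIIii64s")  # magic, pkg_len, toc_off, toc_len, pyver, pylib
COOKIE_OLD = struct.Struct("!8sIIii")     # magic, pkg_len, toc_off, toc_len, pyver


def find_pyinstaller_cookie(data):
    """Locate and parse the PyInstaller cookie in a whole-file image; None if there is none."""
    idx = data.rfind(PYINST_MAGIC)
    if idx < 0:
        return None
    tail = len(data) - idx
    if tail >= COOKIE_NEW.size:
        cookie_size = COOKIE_NEW.size
        _, pkg_len, toc_off, toc_len, pyver, pylib = COOKIE_NEW.unpack_from(data, idx)
        pylib = pylib.split(b"\x00", 1)[0].decode("ascii", "replace")
    elif tail >= COOKIE_OLD.size:
        cookie_size = COOKIE_OLD.size
        _, pkg_len, toc_off, toc_len, pyver = COOKIE_OLD.unpack_from(data, idx)
        pylib = ""
    else:
        return None
    # pkg_len counts the archive including the cookie, so the archive starts pkg_len bytes
    # before the end of the cookie; the TOC offset is relative to that start.
    archive_start = idx + cookie_size - pkg_len
    # Older bootloaders encode the interpreter version as 38 (3.8); newer ones as 308 / 310.
    major, minor = divmod(pyver, 100) if pyver >= 100 else divmod(pyver, 10)
    return {"archive_start": archive_start, "toc_pos": archive_start + toc_off,
            "toc_len": toc_len, "python": f"{major}.{minor}", "pylib": pylib}


def build_fake_onefile(stub, payload, toc, pyver=38, pylib=b"python38.dll"):
    """Constructed stand-in for a PyInstaller onefile EXE (not runnable): stub + payload + TOC + cookie."""
    body = payload + toc
    pkg_len = len(body) + COOKIE_NEW.size
    cookie = COOKIE_NEW.pack(PYINST_MAGIC, pkg_len, len(payload), len(toc), pyver, pylib)
    return stub + body + cookie


if __name__ == "__main__":
    sample = build_fake_onefile(b"MZ" + b"\x00" * 64, b"payload bytes", b"toc bytes")
    print(find_pyinstaller_cookie(sample))
```

On a real file, read it whole and pass the bytes to find_pyinstaller_cookie; a hit only says the file was built with PyInstaller, which plenty of legitimate tooling is, so the interesting part is what follows: the TOC at toc_pos names the bundled script, and that script (not the bootloader) is the malware. The pylib field also tells you which python3x.dll to expect in the _MEI directory, which is a quick consistency check against the dropped-file list above.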