Malware Analysis Report

2024-11-15 07:54

Sample ID 241110-n6erjawjdy
Target dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f
SHA256 dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f
Tags
fabookie ffdroider discovery evasion spyware stealer trojan upx themida smokeloader pub1 backdoor redline sectoprat build2 infostealer rat danabot 4 banker 23.08
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f

Threat Level: Known bad

The file dbdb54d5a90130e3370590c7e07b2e3146f8578305554ba3ed11aab579a3dd3f was found to be: Known bad.

Malicious Activity Summary

fabookie ffdroider discovery evasion spyware stealer trojan upx themida smokeloader pub1 backdoor redline sectoprat build2 infostealer rat danabot 4 banker 23.08

Fabookie

Danabot Loader Component

FFDroider

Sectoprat family

SectopRAT payload

SmokeLoader

Smokeloader family

Ffdroider family

Danabot

RedLine payload

Redline family

RedLine

Detect Fabookie payload

Fabookie family

SectopRAT

Danabot family

FFDroider payload

Detected Nirsoft tools

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Checks BIOS information in registry

Themida packer

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Checks installed software on the system

Looks up external IP address via web service

Checks whether UAC is enabled

UPX packed file

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies data under HKEY_USERS

Script User-Agent

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Checks SCSI registry key(s)

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 12:00

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Company\NewProduct\d.INTEG.RAW C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\d C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\tmp.edb C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\d.jfm C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\d.jfm C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\d C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\jooyu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Token: SeManageVolumePrivilege N/A C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 752 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 752 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 752 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 752 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 752 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 752 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 752 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 752 wrote to memory of 2316 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2316 wrote to memory of 4676 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2316 wrote to memory of 4676 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2316 wrote to memory of 4676 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2316 wrote to memory of 324 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2316 wrote to memory of 324 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2316 wrote to memory of 324 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

C:\Program Files (x86)\Company\NewProduct\customer3.exe

"C:\Program Files (x86)\Company\NewProduct\customer3.exe"

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 152.32.151.93:80 tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 35.151.70.163.in-addr.arpa udp
US 8.8.8.8:53 s.lletlee.com udp
GB 163.70.151.35:443 www.facebook.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 uyg5wye.2ihsfa.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 8.8.8.8:53 s.lletlee.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp

Files

C:\Program Files (x86)\Company\NewProduct\customer3.exe

MD5 1daac0c9a48a79976539b0722f9c3d3b
SHA1 843218f70a6a7fd676121e447b5b74acb0d87100
SHA256 e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA512 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5 ce11de1000560d312bf6ab0b5327e87b
SHA1 557f3f780cb0f694887ada330a87ba976cdb168f
SHA256 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a
SHA512 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

MD5 aed57d50123897b0012c35ef5dec4184
SHA1 568571b12ca44a585df589dc810bf53adf5e8050
SHA256 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512 ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

memory/1252-42-0x0000000000400000-0x0000000000644000-memory.dmp

memory/752-48-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1252-43-0x00000000001C0000-0x00000000001C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/4676-53-0x0000000000400000-0x000000000045B000-memory.dmp

memory/4676-57-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

memory/1252-67-0x00000000036F0000-0x0000000003700000-memory.dmp

memory/1252-61-0x0000000002690000-0x00000000026A0000-memory.dmp

memory/1252-73-0x00000000041C0000-0x00000000041C8000-memory.dmp

memory/1252-74-0x00000000041E0000-0x00000000041E8000-memory.dmp

memory/1252-76-0x0000000004280000-0x0000000004288000-memory.dmp

memory/1252-80-0x00000000043E0000-0x00000000043E8000-memory.dmp

memory/1252-79-0x00000000043C0000-0x00000000043C8000-memory.dmp

memory/324-84-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1252-85-0x0000000004790000-0x0000000004798000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

memory/1252-87-0x0000000004690000-0x0000000004698000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ecv952B.tmp

MD5 3df95fee3325f7a1166397bf4731fc65
SHA1 6b550232d72a4bd6226a47e62a3ce8dd69a7d547
SHA256 e79409561e551623f3953c56bcb0b61497359f0a690fe60a78cd8674b0e21f80
SHA512 ca35a6bf6f279d3c19079879d94bb1af8c9aa3f1a5e68768711daef6273a8f5997a531c8a601263a4c005ad1de9c9dab9fabf6a829ba195c0697cafb8c0d1937

memory/324-93-0x0000000000400000-0x0000000000422000-memory.dmp

memory/1252-94-0x0000000004500000-0x0000000004508000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 f24a8e6fc59249d22a860527c8dac923
SHA1 9c827f7be197e4074bd6f70eeea954be768628c0
SHA256 0e131e216a94e6ae4f83d141baec45cfb190956c98aa161693930fd6e97c1f4e
SHA512 d7d637a8c66d160d91bc820df2e2516b76bc38f0716a8aef052926ef3390116de1dd02183400104c70c33a9ced4702553726f012a513bc64be0dc565e4702715

memory/1252-107-0x00000000041E0000-0x00000000041E8000-memory.dmp

memory/1252-115-0x0000000004500000-0x0000000004508000-memory.dmp

memory/1252-117-0x0000000004630000-0x0000000004638000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 86a94fba6c691f902f7858df1040f909
SHA1 f04e841c686c702db109b905693766ff6a57bea1
SHA256 f4d48a46e806eded7fd063deffcf928fde73582e8d06645dc4da1036be2a2847
SHA512 e6d35a3b259e7e6f148242dceb8e4665806bc1eaade2bb42c8065bafd201dd3a59a8f590d6750634ee48496a5108d6ed5f710cf62eae27a6a511ed22792dc08d

memory/1252-130-0x00000000041E0000-0x00000000041E8000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 92848d0624a71666aee055daae8d4429
SHA1 11f53809b829b02d9db6697a76c993555f31a000
SHA256 6bce2f1b791b3a88264d99d6f881de41f5ff4a2e68d7b1d59e9983477e1d92e2
SHA512 5bff179a6127ce85a7bef4b8a5ff255b13d49160abfe72d4c4b7b1a8d32c37de77204856e048190b0fa42213033dc817eba9e48b5b0e3f35e63c945958c87917

memory/1252-138-0x0000000004630000-0x0000000004638000-memory.dmp

memory/1252-140-0x0000000004500000-0x0000000004508000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 7e7d16180d05bd9eeff57b23c89a415e
SHA1 8f5f59d85eebcdac50f1c64b9859b24a6885d5f7
SHA256 af6769d7571767d18d1385488a589f9aec0de8a70bdaea67b332e4245a187346
SHA512 e417e8b8cf849b848c7266ec99aa13fb262d670241270a6f4432d0e6ddf84b29d7dd8fe37f12f47c45c3e17542906d7ec6bffd9026c086d92ff3c9463e211631

memory/1252-179-0x00000000040A0000-0x00000000040A8000-memory.dmp

memory/1252-180-0x00000000040C0000-0x00000000040C8000-memory.dmp

memory/1252-188-0x0000000004160000-0x0000000004168000-memory.dmp

memory/1252-191-0x0000000004170000-0x0000000004178000-memory.dmp

memory/1252-192-0x00000000042F0000-0x00000000042F8000-memory.dmp

memory/1252-193-0x0000000004390000-0x0000000004398000-memory.dmp

memory/1252-194-0x00000000043A0000-0x00000000043A8000-memory.dmp

memory/1252-195-0x0000000004300000-0x0000000004308000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 cf39589839cc43b64970e361f8ca9850
SHA1 cb801b646e3842b83a4dcdf801e541fd1acab173
SHA256 7c5b0f3f6aa0b63639c8b16902252f4c597610312f5e04ea93a9a0b9b4734639
SHA512 e87c5a39e2881609d64523d601623745b538e40031e9f59832d70e6e97b2a5e34702f7ce65f0c8d0f1c0acd73e00419f5b20d0d88e97d9e66061eb520076fcb2

memory/1252-208-0x00000000040C0000-0x00000000040C8000-memory.dmp

memory/1252-216-0x0000000004300000-0x0000000004308000-memory.dmp

memory/1252-218-0x0000000004330000-0x0000000004338000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 de5ce6a718d5d9c4b01010e566c427b4
SHA1 532e00f5a92b42edd71c5f3b4ff82bf678e85a33
SHA256 0eed2087e41c3a4274c5b0c8d32d392b52a895856d3753fe0cd5f4b99f4dcd10
SHA512 05e6c2e30855e208698e4f7eb89761beb771828689cfa1d9b3765fe7a2b6fbe91159d5fe71d16daf48b373c185c6faf317737db33334e92f80a3b4d7d5a21703

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 5f39a5da97ef8425688987f2e54eca99
SHA1 8bf79b357cbd1006a0cfef411a564295a79baed4
SHA256 4eeb1a6953d6b58d0c45f49b96e9bd070fc4291a627be2a68beb31239f7d4c40
SHA512 4ee36934a04925e26c8dc608585d207f1044d8aafb229375df12e22c22e7d5898f323da3ea6e48da2c495782742d75c305caf5f8f74f29cbde3c6a59cfb61bdf

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 8fdbb1d2eba36030aa07f1f4a0fcb753
SHA1 5fac7fca3107ef6bf0300bff4395918db339eccb
SHA256 4eb27aefbcf5682f4ffdaf77be00bee4b1f8a52f792587a32fbab2275fd604d2
SHA512 a4604632d4010dced13452799e9d3bcc6626cecb13c5ec04d05fe991e0bf8d156349dbed04e85f4de7929dd07593df5f873b09f3480f922bdee3b1bc58f32723

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 582ceefba89aa75ba482dad15d9118ea
SHA1 45eddae3eae938881be7092fde4e416bc7c58203
SHA256 7b4be2e88894f61a45e8f059fe8c5c1729a2ae661b57ec5d74689e048ac2229d
SHA512 fb07f4346716fd7e3a54519210dc536297a4905aac5f39490bcace982d4fdf4c158c29d820da4a25843f58677dd19f6cbb8a253af33111fe4a7cb3e1ccc89593

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 249dc7e269a7c56b4237778dd8d4f80c
SHA1 125fb1a2c5f6c7d5863ca919377bc2b919e7c6bc
SHA256 889cb70ee488466fda3e79acc1cdfa4b8743dfe6d42426297408ca82addc8dfb
SHA512 7c17a2336e3802f657901ac3f8d992b7a2b960e07cb747c3dacb0df99e791b23f4feb403d249d2ac5bf7f504cd1b389425a81d70aa65da4b10c02e67f8b109e2

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 2b62135740860ef0add77255dd26b6b8
SHA1 bdf6ba9fae7427c9d0592e152cf9916ef4c45e35
SHA256 324e1e6e3c8c694c5de17f42ce7bcff386741882b58a1d379f90b0d5bf22d861
SHA512 f92e8072794f202a3f36dd57100db52f96b685027d0a907cb065d7fd886894c9c060b2416d5786d6b79186bb7464138535455836ceb1f6598e2573e72aeeb112

C:\Program Files (x86)\Company\NewProduct\d.jfm

MD5 1efd28b1f7deb9b054cb570033bb6b3e
SHA1 7c3724cb659fda69e42bd8bb4dd5d58b91c5b81c
SHA256 3146f142595ac853f8ef360b4a601aa7ae58f9d6f01a2a2f14fd105a0ce62e91
SHA512 a1a5c35ae3431a4953220d874f4e84b2a6f20fc1af3b9cc6c7f8551d0eedaa9eb3a5a5f2ae111099486673b201d05910c96bac9db30188b90df05b1fba6f4b56

Analysis: behavioral22

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp

Files

memory/4260-0-0x0000000000AA0000-0x0000000001100000-memory.dmp

memory/4260-1-0x00000000768B0000-0x00000000768B1000-memory.dmp

memory/4260-4-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-3-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-2-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-8-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-7-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-6-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-5-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-12-0x0000000000AA0000-0x0000000001100000-memory.dmp

memory/4260-13-0x0000000006200000-0x0000000006818000-memory.dmp

memory/4260-14-0x0000000005B90000-0x0000000005BA2000-memory.dmp

memory/4260-15-0x0000000005CF0000-0x0000000005DFA000-memory.dmp

memory/4260-16-0x0000000005C20000-0x0000000005C5C000-memory.dmp

memory/4260-17-0x0000000005C60000-0x0000000005CAC000-memory.dmp

memory/4260-18-0x0000000000AA0000-0x0000000001100000-memory.dmp

memory/4260-19-0x00000000768B0000-0x00000000768B1000-memory.dmp

memory/4260-20-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-21-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-22-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-23-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-24-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-25-0x0000000076890000-0x0000000076980000-memory.dmp

memory/4260-27-0x0000000076890000-0x0000000076980000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1692 -ip 1692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 368

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

memory/1692-1-0x00000000024A0000-0x00000000025A0000-memory.dmp

memory/1692-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1692-3-0x0000000000400000-0x00000000023AE000-memory.dmp

memory/1692-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1692-5-0x0000000000400000-0x00000000023AE000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/3256-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3256-2-0x0000000003FD0000-0x0000000004000000-memory.dmp

memory/3256-1-0x00000000024D0000-0x00000000025D0000-memory.dmp

memory/3256-4-0x0000000004570000-0x0000000004594000-memory.dmp

memory/3256-5-0x00000000069C0000-0x0000000006F64000-memory.dmp

memory/3256-7-0x0000000006960000-0x0000000006982000-memory.dmp

memory/3256-6-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/3256-8-0x00000000070B0000-0x0000000007142000-memory.dmp

memory/3256-9-0x0000000007150000-0x0000000007768000-memory.dmp

memory/3256-10-0x0000000007800000-0x0000000007812000-memory.dmp

memory/3256-11-0x0000000007820000-0x000000000792A000-memory.dmp

memory/3256-12-0x0000000007A90000-0x0000000007ACC000-memory.dmp

memory/3256-13-0x0000000009080000-0x00000000090CC000-memory.dmp

memory/3256-14-0x00000000024D0000-0x00000000025D0000-memory.dmp

memory/3256-16-0x0000000003FD0000-0x0000000004000000-memory.dmp

memory/3256-17-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe" -q

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp

Files

memory/992-1-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/992-2-0x00000000048D0000-0x00000000048FF000-memory.dmp

memory/992-3-0x0000000000400000-0x0000000000432000-memory.dmp

memory/992-4-0x0000000004ED0000-0x0000000004EF2000-memory.dmp

memory/992-5-0x0000000007520000-0x0000000007AC4000-memory.dmp

memory/992-6-0x00000000073A0000-0x00000000073C0000-memory.dmp

memory/992-7-0x0000000000400000-0x0000000002CD0000-memory.dmp

memory/992-8-0x0000000007AD0000-0x00000000080E8000-memory.dmp

memory/992-10-0x0000000007480000-0x00000000074BC000-memory.dmp

memory/992-9-0x0000000007460000-0x0000000007472000-memory.dmp

memory/992-11-0x00000000080F0000-0x000000000813C000-memory.dmp

memory/992-12-0x0000000008250000-0x000000000835A000-memory.dmp

memory/992-13-0x0000000002CE0000-0x0000000002DE0000-memory.dmp

memory/992-15-0x00000000048D0000-0x00000000048FF000-memory.dmp

memory/992-16-0x0000000000400000-0x0000000000432000-memory.dmp

Analysis: behavioral31

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1936 set thread context of 2392 N/A C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Network

N/A

Files

memory/1936-1-0x00000000027F0000-0x00000000028F0000-memory.dmp

memory/2392-5-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2392-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1936-2-0x00000000003B0000-0x00000000003BA000-memory.dmp

memory/2392-6-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2392-7-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral32

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 432 set thread context of 3096 N/A C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe

"C:\Users\Admin\AppData\Local\Temp\AU3ie6Mv1vmus72LuhNF2jzZ.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/432-1-0x00000000023E0000-0x00000000024E0000-memory.dmp

memory/432-2-0x00000000023C0000-0x00000000023CA000-memory.dmp

memory/3096-3-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3096-4-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3096-7-0x0000000000400000-0x0000000000409000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20241010-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Network

Country Destination Domain Proto
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/912-2-0x0000000000400000-0x0000000000433000-memory.dmp

memory/912-1-0x00000000025A0000-0x00000000026A0000-memory.dmp

memory/912-3-0x0000000003D60000-0x0000000003D84000-memory.dmp

memory/912-5-0x0000000003F90000-0x0000000003FB2000-memory.dmp

memory/912-4-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/912-7-0x00000000025A0000-0x00000000026A0000-memory.dmp

memory/912-8-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

Signatures

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A

FFDroider

stealer ffdroider

FFDroider payload

Description Indicator Process Target
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Fabookie family

fabookie

Ffdroider family

ffdroider

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Company\NewProduct\customer3.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File opened for modification C:\Program Files (x86)\Company\NewProduct\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
File created C:\Program Files (x86)\Company\NewProduct\Uninstall.ini C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\jooyu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1448 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 1448 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 1448 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 1448 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\customer3.exe
PID 1448 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 1448 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 1448 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 1448 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
PID 1448 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 1448 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 1448 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 1448 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe C:\Program Files (x86)\Company\NewProduct\jooyu.exe
PID 2548 wrote to memory of 1824 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2548 wrote to memory of 1824 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2548 wrote to memory of 1824 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2548 wrote to memory of 1824 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2548 wrote to memory of 1852 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2548 wrote to memory of 1852 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2548 wrote to memory of 1852 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
PID 2548 wrote to memory of 1852 N/A C:\Program Files (x86)\Company\NewProduct\jooyu.exe C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe

"C:\Users\Admin\AppData\Local\Temp\25jZMPTiQqNIVH0Cs2hi6z9r.exe"

C:\Program Files (x86)\Company\NewProduct\customer3.exe

"C:\Program Files (x86)\Company\NewProduct\customer3.exe"

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.lletlee.com udp
US 152.32.151.93:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 www.facebook.com udp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 uyg5wye.2ihsfa.com udp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp
US 76.223.54.146:80 uyg5wye.2ihsfa.com tcp

Files

C:\Program Files (x86)\Company\NewProduct\customer3.exe

MD5 1daac0c9a48a79976539b0722f9c3d3b
SHA1 843218f70a6a7fd676121e447b5b74acb0d87100
SHA256 e496ce805aa5b3ed8e1898803a536c683d031c5a61b2a54e5c89e02c4febecdf
SHA512 2259e6e27e6ca6155b50bc0dfd8c3f9f1a31db53c8b4d1811e94e927e30aba2ded4c92a34dfee042d96bd5fd7cbfdbb73d168cc8d66f9b3a37df40980d6dfebc

memory/2716-39-0x0000000000020000-0x0000000000023000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\jooyu.exe

MD5 aed57d50123897b0012c35ef5dec4184
SHA1 568571b12ca44a585df589dc810bf53adf5e8050
SHA256 096021eb5950ee16b7ec51756abe05f90c3530206e16286e7610b8a5a544a85e
SHA512 ea0ee3a0762baa3539e8026a8c624ad897efe005faadcf1ff67ebfc555f29b912b24ad4342d5e0c209f36f5288867246bd1bdfed7df739e608a72fa7b4fa2d7c

memory/1448-46-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe

MD5 ce11de1000560d312bf6ab0b5327e87b
SHA1 557f3f780cb0f694887ada330a87ba976cdb168f
SHA256 126daa976d1eaec1bd68eb53748caa325fc537f865051dd0d5f09d599175861a
SHA512 655b45bcf75a79c174caf6fae84560980511d068f67a89883f70b264e88983f729c604b3484fdcb8d8f8a83105e43d740fe70e7a006806136bc423453d769655

memory/2716-40-0x0000000000400000-0x0000000000644000-memory.dmp

memory/1448-38-0x0000000003550000-0x0000000003794000-memory.dmp

memory/1448-37-0x0000000003550000-0x0000000003794000-memory.dmp

memory/2716-49-0x0000000000400000-0x0000000000644000-memory.dmp

\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 7fee8223d6e4f82d6cd115a28f0b6d58
SHA1 1b89c25f25253df23426bd9ff6c9208f1202f58b
SHA256 a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59
SHA512 3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

memory/2548-53-0x0000000002910000-0x000000000296B000-memory.dmp

memory/1824-59-0x0000000000400000-0x000000000045B000-memory.dmp

memory/1824-62-0x0000000000400000-0x000000000045B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

MD5 b7161c0845a64ff6d7345b67ff97f3b0
SHA1 d223f855da541fe8e4c1d5c50cb26da0a1deb5fc
SHA256 fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66
SHA512 98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

C:\Users\Admin\AppData\Local\Temp\Cab1557.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar1579.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe

MD5 a6279ec92ff948760ce53bba817d6a77
SHA1 5345505e12f9e4c6d569a226d50e71b5a572dce2
SHA256 8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181
SHA512 213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

memory/2548-101-0x0000000000210000-0x0000000000232000-memory.dmp

memory/1852-114-0x0000000000400000-0x0000000000422000-memory.dmp

memory/2548-115-0x0000000002910000-0x000000000296B000-memory.dmp

memory/2548-117-0x0000000002910000-0x000000000296B000-memory.dmp

memory/2548-118-0x0000000000210000-0x0000000000232000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240708-en

Max time kernel

147s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.DLL,s C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.EXE

Network

Country Destination Domain Proto
US 23.229.29.48:443 tcp

Files

memory/2292-0-0x0000000002490000-0x000000000257F000-memory.dmp

memory/2292-1-0x0000000002490000-0x000000000257F000-memory.dmp

memory/2292-2-0x0000000003E10000-0x0000000003F16000-memory.dmp

memory/2292-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2292-6-0x0000000002490000-0x000000000257F000-memory.dmp

memory/2292-7-0x0000000003E10000-0x0000000003F16000-memory.dmp

memory/2292-9-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2292-8-0x0000000000400000-0x000000000248D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.DLL

MD5 93a004a8f56490ac2a6f4d94e9ac3944
SHA1 6549454922edecc11491cabb705e01528305a3c0
SHA256 2bdc0367a90f8c568ef3bd43ff94e9811382f0b5cd974a693db2c5d4ae6ad0f7
SHA512 39d662f5056e6fda17e0aebad9700ec1844988b686eb30fb1e33a5b50f14493cab018a7358240eefc7ea688e91a113fa7a50ae1cac754e9bcad0e7ce9a7c59c4

memory/2640-20-0x0000000000AD0000-0x0000000000C31000-memory.dmp

memory/2292-21-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2640-22-0x0000000000AD0000-0x0000000000C31000-memory.dmp

memory/2292-35-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2292-34-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2640-38-0x0000000000AD0000-0x0000000000C31000-memory.dmp

memory/2640-39-0x0000000000AD0000-0x0000000000C31000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

Signatures

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe" -q

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20241023-en

Max time kernel

140s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe

"C:\Users\Admin\AppData\Local\Temp\7UwyHmKx00aB7vI0W6MvnkKA.exe"

Network

Country Destination Domain Proto
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp
NL 45.14.49.128:5385 tcp

Files

memory/3032-0-0x0000000000D90000-0x00000000013F0000-memory.dmp

memory/3032-1-0x0000000075251000-0x0000000075252000-memory.dmp

memory/3032-4-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-3-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-6-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-5-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-13-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-16-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-14-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-20-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-12-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-11-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-10-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-9-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-8-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-7-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-2-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-21-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-22-0x0000000000D90000-0x00000000013F0000-memory.dmp

memory/3032-23-0x0000000000D90000-0x00000000013F0000-memory.dmp

memory/3032-24-0x0000000075251000-0x0000000075252000-memory.dmp

memory/3032-25-0x0000000075240000-0x0000000075350000-memory.dmp

memory/3032-27-0x0000000075240000-0x0000000075350000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

131s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe"

Signatures

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\dwm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\system32\dwm.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\dwm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\dwm.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\dwm.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\dwm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: 33 N/A C:\Windows\system32\dwm.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe

"C:\Users\Admin\AppData\Local\Temp\88wncypnTKvKj7Uwab0iiutt.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.lletlee.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240729-en

Max time kernel

89s

Max time network

29s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File created C:\Program Files (x86)\GameBox\is-K84G1.tmp C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File opened for modification C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

"C:\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp" /SL5="$301C6,138429,56832,C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ipinfo.io udp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.8.187:80 proxycheck.io tcp
US 8.8.8.8:53 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com udp
IN 52.219.160.118:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
IN 52.219.160.118:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp

Files

memory/2440-2-0x0000000000401000-0x000000000040B000-memory.dmp

memory/2440-0-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-673D1.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/2852-8-0x0000000000400000-0x00000000004BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-ILF85.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2852-17-0x00000000004C0000-0x00000000004FC000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-ILF85.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/2852-20-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-19-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-21-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-24-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-23-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-22-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-25-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-26-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2440-27-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2852-29-0x00000000004C0000-0x00000000004FC000-memory.dmp

\Program Files (x86)\GameBox\unins000.exe

MD5 f0477b622428f93864bfee68dd054e6d
SHA1 28bef7759909021f7126b41299d0c310746603de
SHA256 fbe9abe3885a928bb762ff4be6e00e55395056ab6d66a8ea0d2fc6a43bdbd75e
SHA512 7bc1a0b94893cce3cf08b02b224440ce08b716165184816804d979d0c71bd0f8bbd3e5dc645dc7d20356e0f995bff39a2b1e13a4c3b140f9bfafb48965f55afe

memory/2852-39-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2852-44-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/2440-45-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe

"C:\Users\Admin\AppData\Local\Temp\0hS8ndFapMyi9bpBTCoeqfJf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/2088-2-0x0000000004110000-0x0000000004140000-memory.dmp

memory/2088-1-0x0000000002430000-0x0000000002530000-memory.dmp

memory/2088-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2088-4-0x00000000044A0000-0x00000000044C4000-memory.dmp

memory/2088-5-0x0000000006BA0000-0x0000000007144000-memory.dmp

memory/2088-6-0x0000000004750000-0x0000000004772000-memory.dmp

memory/2088-7-0x0000000007250000-0x00000000072E2000-memory.dmp

memory/2088-9-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/2088-8-0x00000000072F0000-0x0000000007908000-memory.dmp

memory/2088-10-0x0000000007940000-0x0000000007952000-memory.dmp

memory/2088-11-0x0000000007970000-0x0000000007A7A000-memory.dmp

memory/2088-12-0x00000000092C0000-0x00000000092FC000-memory.dmp

memory/2088-13-0x0000000009410000-0x000000000945C000-memory.dmp

memory/2088-14-0x0000000002430000-0x0000000002530000-memory.dmp

memory/2088-15-0x0000000004110000-0x0000000004140000-memory.dmp

memory/2088-17-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

94s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\mshta.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3188 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 3188 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 3188 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 3056 wrote to memory of 4552 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 4552 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3056 wrote to memory of 4552 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 4552 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 4552 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 4552 wrote to memory of 3084 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 4552 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4552 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4552 wrote to memory of 1056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 3084 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 3084 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 3084 wrote to memory of 5088 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 5088 wrote to memory of 3948 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 3948 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 5088 wrote to memory of 3948 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 3084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 3084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 1740 wrote to memory of 1844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe
PID 1740 wrote to memory of 1844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe
PID 1740 wrote to memory of 1844 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" ) do taskkill -im "%~NXj" -f

C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo

C:\Windows\SysWOW64\taskkill.exe

taskkill -im "0rr48RlGuyf8MbsABD4Fd5xg.exe" -f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr

C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe

"C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1844 -ip 1844

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 804

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 76.126.244.207:8080 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

MD5 3b4348d187f24c82370836531f3fa94e
SHA1 a2ca4e9f4a8d9c8634e42765e90e252803e20b15
SHA256 cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7
SHA512 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

C:\Users\Admin\AppData\Local\Temp\HwWYSzK.F2

MD5 8586e83a33f4c1b8d81f568155663be7
SHA1 95a37fbaeb58fafbe14dfae8f539aeff509efb1f
SHA256 85ec523c939d552531246b8fe2f795b4623e1108945824525d549fda22d2afb9
SHA512 51aafad0bc8cd058196c042dab1c000a62a13caeaf5e432e2e7c5f8452b36e4e3a64e66b0aa9a981979edacc37c581957448a00ac5bd154e8081c06eb0de442f

memory/1740-10-0x0000000002E30000-0x0000000002F77000-memory.dmp

memory/1740-11-0x0000000003810000-0x00000000038C1000-memory.dmp

memory/1740-12-0x00000000038D0000-0x000000000396D000-memory.dmp

memory/1740-15-0x00000000038D0000-0x000000000396D000-memory.dmp

memory/1740-16-0x0000000002E30000-0x0000000002F77000-memory.dmp

memory/1740-19-0x00000000038D0000-0x000000000396D000-memory.dmp

memory/1740-20-0x0000000003970000-0x000000000422E000-memory.dmp

memory/1740-21-0x0000000004230000-0x00000000042C5000-memory.dmp

memory/1740-22-0x00000000042D0000-0x0000000004361000-memory.dmp

memory/1740-23-0x00000000042D0000-0x0000000004361000-memory.dmp

memory/1740-25-0x00000000042D0000-0x0000000004361000-memory.dmp

memory/1740-26-0x0000000000F20000-0x0000000000F21000-memory.dmp

memory/1740-27-0x0000000000F20000-0x0000000000F24000-memory.dmp

memory/1740-28-0x0000000000F30000-0x0000000000F36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e58b8cc.exe

MD5 858939a54a0406e5be7220b92b6eb2b3
SHA1 da24c0b6f723a74a8ec59e58c9c0aea3e86b7109
SHA256 a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a
SHA512 8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

memory/1844-43-0x0000000000760000-0x0000000000768000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Smokeloader family

smokeloader

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe

"C:\Users\Admin\AppData\Local\Temp\21oenuW1qnqk7qUsHH7Z2We5.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 136

Network

N/A

Files

memory/2344-1-0x0000000002560000-0x0000000002660000-memory.dmp

memory/2344-2-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2344-3-0x0000000000400000-0x00000000023AE000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20241010-en

Max time kernel

148s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2908 set thread context of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe
PID 2908 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

Network

Country Destination Domain Proto
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp

Files

memory/2908-0-0x0000000073DCE000-0x0000000073DCF000-memory.dmp

memory/2908-1-0x0000000000F90000-0x000000000102A000-memory.dmp

memory/2908-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2896-9-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2896-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2896-6-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2896-5-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2896-4-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2896-3-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2896-11-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2896-14-0x0000000000400000-0x0000000000420000-memory.dmp

memory/2908-16-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2896-15-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2896-17-0x0000000073DC0000-0x00000000744AE000-memory.dmp

memory/2896-18-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe

"C:\Users\Admin\AppData\Local\Temp\6IvhC9RrHtvRf0BCVttVUFQm.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.DLL,s C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3240 -ip 3240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3240 -ip 3240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 512

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 23.229.29.48:443 tcp

Files

memory/3240-1-0x00000000040B0000-0x00000000041AF000-memory.dmp

memory/3240-2-0x0000000004230000-0x0000000004336000-memory.dmp

memory/3240-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3240-6-0x00000000040B0000-0x00000000041AF000-memory.dmp

memory/3240-7-0x0000000004230000-0x0000000004336000-memory.dmp

memory/3240-9-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3240-8-0x0000000000400000-0x000000000248D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6IVHC9~1.DLL

MD5 d8f8ef8718193a4afb950034c7f85bd1
SHA1 ccaa2b426bf6ec6c8b6e0e5fa9ff43fc203318a0
SHA256 94c203ebecac4e18ee60862b95ffd21acb621df856bd8befe58c7a45d0eab97b
SHA512 ad9b216c858d09c408b9b20f43fbef24c8ad4bdf4abbf0bfbf0e9da4709c7b2b0cc2d320ec03dc3566cca0da95c98aca876ec6eca05da93d1568a2434f4ea71d

memory/3240-17-0x0000000000400000-0x000000000248D000-memory.dmp

memory/1260-18-0x0000000000400000-0x0000000000561000-memory.dmp

memory/3240-31-0x0000000000400000-0x0000000000512000-memory.dmp

memory/3240-30-0x0000000000400000-0x000000000248D000-memory.dmp

memory/1260-34-0x0000000000400000-0x0000000000561000-memory.dmp

memory/1260-35-0x0000000000400000-0x0000000000561000-memory.dmp

Analysis: behavioral23

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:00

Platform

win7-20240708-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240729-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe

"C:\Users\Admin\AppData\Local\Temp\4sqg3EO3n4bilXTOwELzdyE3.exe"

Network

Country Destination Domain Proto
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp
RU 91.142.77.189:61524 tcp

Files

memory/2088-1-0x0000000002560000-0x0000000002660000-memory.dmp

memory/2088-2-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2088-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2088-4-0x0000000003CD0000-0x0000000003CF4000-memory.dmp

memory/2088-5-0x0000000003CF0000-0x0000000003D12000-memory.dmp

memory/2088-6-0x0000000000400000-0x00000000023C1000-memory.dmp

memory/2088-7-0x0000000002560000-0x0000000002660000-memory.dmp

memory/2088-8-0x0000000000250000-0x0000000000280000-memory.dmp

memory/2088-9-0x0000000000400000-0x0000000000433000-memory.dmp

Analysis: behavioral29

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.EXE

Network

Country Destination Domain Proto
US 23.229.29.48:443 tcp

Files

memory/1048-0-0x0000000000220000-0x000000000030F000-memory.dmp

memory/1048-1-0x0000000000220000-0x000000000030F000-memory.dmp

memory/1048-2-0x0000000003CC0000-0x0000000003DC6000-memory.dmp

memory/1048-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/1048-6-0x0000000000220000-0x000000000030F000-memory.dmp

memory/1048-7-0x0000000003CC0000-0x0000000003DC6000-memory.dmp

memory/1048-9-0x0000000000400000-0x0000000000512000-memory.dmp

memory/1048-8-0x0000000000400000-0x000000000248D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL

MD5 d77f5d0d287781b1bd9ece6ebbdd6a9b
SHA1 a45a85515987203d88ea5e846bc4b65985396be7
SHA256 e062a9882f3f24523b9492554dffee8165ba71642cb00ffa7809b85ed8f44c14
SHA512 73356d0a37f5cabb563f3c193a7d0dd5ec35888019f4819701346799446f42f437301add4559568a681e210242aa5f942abb82fbcacb680e388ed6ce0e51f8d7

memory/2752-20-0x00000000008F0000-0x0000000000A51000-memory.dmp

memory/1048-21-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2752-22-0x00000000008F0000-0x0000000000A51000-memory.dmp

memory/1048-35-0x0000000000400000-0x0000000000512000-memory.dmp

memory/1048-34-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2752-38-0x00000000008F0000-0x0000000000A51000-memory.dmp

memory/2752-39-0x00000000008F0000-0x0000000000A51000-memory.dmp

Analysis: behavioral30

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

Signatures

Danabot

trojan banker danabot

Danabot Loader Component

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Danabot family

danabot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe

"C:\Users\Admin\AppData\Local\Temp\A5ulgq_bFXMyWAYNZZbTBZ0Z.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL,s C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 528

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 23.229.29.48:443 tcp

Files

memory/2284-1-0x0000000004130000-0x0000000004220000-memory.dmp

memory/2284-2-0x0000000004220000-0x0000000004326000-memory.dmp

memory/2284-3-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2284-6-0x0000000004130000-0x0000000004220000-memory.dmp

memory/2284-8-0x0000000004220000-0x0000000004326000-memory.dmp

memory/2284-7-0x0000000000400000-0x000000000248D000-memory.dmp

memory/2284-9-0x0000000000400000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A5ULGQ~1.DLL

MD5 ae1fbd0e09cb8a0aebe1888ad6119f82
SHA1 e608c421539117c08d69af63564628de4eaa3a37
SHA256 d38bfdb148c1ad7bff1204952665783729988c0ca1a7781e6418ad7e5c132d4c
SHA512 4bb1c32ba0eadc7fb95ac8f2a2edaa007c7ad85bf8bf12c7c8d2a852fdf562c50f84b919c6b76a28edc3e5456525a920f7f4028d76179a602caa1a20bd7c8b8b

memory/3296-18-0x0000000002070000-0x00000000021D1000-memory.dmp

memory/2284-19-0x0000000000400000-0x000000000248D000-memory.dmp

memory/3296-20-0x0000000002070000-0x00000000021D1000-memory.dmp

memory/2284-33-0x0000000000400000-0x0000000000512000-memory.dmp

memory/2284-32-0x0000000000400000-0x000000000248D000-memory.dmp

memory/3296-36-0x0000000002070000-0x00000000021D1000-memory.dmp

memory/3296-37-0x0000000002070000-0x00000000021D1000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Network

Country Destination Domain Proto
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp

Files

memory/2400-0-0x0000000000C00000-0x000000000125E000-memory.dmp

memory/2400-1-0x0000000076DA1000-0x0000000076DA2000-memory.dmp

memory/2400-6-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-16-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-19-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-17-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-15-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-25-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-27-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-26-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-24-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-23-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-22-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-14-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-13-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-28-0x0000000000C00000-0x000000000125E000-memory.dmp

memory/2400-12-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-11-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-10-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-9-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-8-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-7-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-5-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-4-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-3-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-2-0x0000000076D90000-0x0000000076EA0000-memory.dmp

memory/2400-29-0x0000000000C00000-0x000000000125E000-memory.dmp

memory/2400-30-0x0000000076DA1000-0x0000000076DA2000-memory.dmp

memory/2400-31-0x0000000076D90000-0x0000000076EA0000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe

"C:\Users\Admin\AppData\Local\Temp\28NEs4WOAbFCrw46bjrvW6Dx.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
RU 45.129.236.6:63318 tcp
RU 45.129.236.6:63318 tcp

Files

memory/3500-0-0x0000000000E20000-0x000000000147E000-memory.dmp

memory/3500-1-0x0000000077110000-0x0000000077111000-memory.dmp

memory/3500-2-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-3-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-5-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-6-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-4-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-9-0x0000000000E20000-0x000000000147E000-memory.dmp

memory/3500-10-0x00000000064F0000-0x0000000006B08000-memory.dmp

memory/3500-11-0x0000000005E20000-0x0000000005E32000-memory.dmp

memory/3500-12-0x0000000005FE0000-0x00000000060EA000-memory.dmp

memory/3500-13-0x0000000005E80000-0x0000000005EBC000-memory.dmp

memory/3500-14-0x0000000005ED0000-0x0000000005F1C000-memory.dmp

memory/3500-15-0x0000000000E20000-0x000000000147E000-memory.dmp

memory/3500-16-0x0000000077110000-0x0000000077111000-memory.dmp

memory/3500-17-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-18-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-19-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-21-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-20-0x00000000770F0000-0x00000000771E0000-memory.dmp

memory/3500-23-0x00000000770F0000-0x00000000771E0000-memory.dmp

Analysis: behavioral27

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe

"C:\Users\Admin\AppData\Local\Temp\A04WVFPeCHaejSnQmBHCogH9.exe"

Network

Country Destination Domain Proto
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp
US 205.185.119.191:18846 tcp

Files

memory/2432-1-0x0000000002D80000-0x0000000002E80000-memory.dmp

memory/2432-2-0x0000000000230000-0x000000000025F000-memory.dmp

memory/2432-3-0x0000000000400000-0x0000000000432000-memory.dmp

memory/2432-4-0x0000000002CD0000-0x0000000002CF2000-memory.dmp

memory/2432-5-0x00000000049D0000-0x00000000049F0000-memory.dmp

memory/2432-6-0x0000000000400000-0x0000000002CD0000-memory.dmp

memory/2432-7-0x0000000002D80000-0x0000000002E80000-memory.dmp

memory/2432-8-0x0000000000230000-0x000000000025F000-memory.dmp

memory/2432-9-0x0000000000400000-0x0000000000432000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f77f882.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\f77f882.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\mshta.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f77f882.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2720 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2720 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2720 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe C:\Windows\SysWOW64\mshta.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2804 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2804 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2804 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2804 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2804 wrote to memory of 2196 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe
PID 2804 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2804 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2804 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2804 wrote to memory of 2784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2196 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2196 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\mshta.exe
PID 2636 wrote to memory of 600 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 600 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 600 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2636 wrote to memory of 600 N/A C:\Windows\SysWOW64\mshta.exe C:\Windows\SysWOW64\cmd.exe
PID 2196 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe C:\Windows\SysWOW64\rundll32.exe
PID 548 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f77f882.exe
PID 548 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f77f882.exe
PID 548 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f77f882.exe
PID 548 wrote to memory of 2552 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f77f882.exe
PID 2552 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\f77f882.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\f77f882.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\f77f882.exe C:\Windows\SysWOW64\WerFault.exe
PID 2552 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\f77f882.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe

"C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF """" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\0rr48RlGuyf8MbsABD4Fd5xg.exe" ) do taskkill -im "%~NXj" -f

C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo

C:\Windows\SysWOW64\taskkill.exe

taskkill -im "0rr48RlGuyf8MbsABD4Fd5xg.exe" -f

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\System32\mshta.exe" vBscrIpT: ClOsE ( CrEaTeobjeCt ( "WsCRIPt.SHELl" ). RUN( "cmD.EXe /C coPy /y ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo &IF ""-PMrvgB7ejl2YIjc3PC8aTZbo"" == """" for %j iN ( ""C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe"" ) do taskkill -im ""%~NXj"" -f " , 0 , tRue ) )

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C coPy /y "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" Z2bT94N_CMSE.Exe && START Z2Bt94N_cMSE.eXE -PMrvgB7ejl2YIjc3PC8aTZbo&IF "-PMrvgB7ejl2YIjc3PC8aTZbo" == "" for %j iN ( "C:\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe" ) do taskkill -im "%~NXj" -f

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" .\HwWYSzK.F2,zgr

C:\Users\Admin\AppData\Local\Temp\f77f882.exe

"C:\Users\Admin\AppData\Local\Temp\f77f882.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 532

Network

Country Destination Domain Proto
US 76.126.244.207:8080 tcp
US 76.126.244.207:8080 tcp

Files

\Users\Admin\AppData\Local\Temp\Z2bT94N_CMSE.Exe

MD5 3b4348d187f24c82370836531f3fa94e
SHA1 a2ca4e9f4a8d9c8634e42765e90e252803e20b15
SHA256 cd189a8c952420bf33b68cce03b41900e8c784b1010213b097ecdb2d7e8079f7
SHA512 2bab3c1e38a21cefc06363db75931bf3bfe0b4ee3f089293a750dfc866abc32c7135d2d9ba7ccb005aa01ad02d0a75a5fa02f85ca78cc8fe637615b7fa9e7394

C:\Users\Admin\AppData\Local\Temp\HwWYSzK.F2

MD5 8586e83a33f4c1b8d81f568155663be7
SHA1 95a37fbaeb58fafbe14dfae8f539aeff509efb1f
SHA256 85ec523c939d552531246b8fe2f795b4623e1108945824525d549fda22d2afb9
SHA512 51aafad0bc8cd058196c042dab1c000a62a13caeaf5e432e2e7c5f8452b36e4e3a64e66b0aa9a981979edacc37c581957448a00ac5bd154e8081c06eb0de442f

memory/548-11-0x0000000001F30000-0x0000000002077000-memory.dmp

memory/548-12-0x0000000001F30000-0x0000000002077000-memory.dmp

memory/548-13-0x0000000003660000-0x0000000003711000-memory.dmp

memory/548-14-0x0000000003720000-0x00000000037BD000-memory.dmp

memory/548-17-0x0000000003720000-0x00000000037BD000-memory.dmp

memory/548-21-0x0000000003720000-0x00000000037BD000-memory.dmp

memory/548-22-0x00000000037C0000-0x000000000407E000-memory.dmp

memory/548-23-0x0000000004080000-0x0000000004115000-memory.dmp

memory/548-25-0x0000000004120000-0x00000000041B1000-memory.dmp

memory/548-24-0x0000000004120000-0x00000000041B1000-memory.dmp

memory/548-27-0x0000000004120000-0x00000000041B1000-memory.dmp

memory/548-28-0x0000000000050000-0x0000000000051000-memory.dmp

memory/548-29-0x0000000000050000-0x0000000000054000-memory.dmp

memory/548-30-0x0000000000060000-0x0000000000066000-memory.dmp

\Users\Admin\AppData\Local\Temp\f77f882.exe

MD5 858939a54a0406e5be7220b92b6eb2b3
SHA1 da24c0b6f723a74a8ec59e58c9c0aea3e86b7109
SHA256 a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a
SHA512 8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

memory/2552-52-0x0000000000940000-0x0000000000948000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Sectoprat family

sectoprat

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1868 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

"C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe"

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

C:\Users\Admin\AppData\Local\Temp\2DWwzYoIDsZeXAHrWMUgq7wH.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
RU 95.181.172.100:55640 tcp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/1868-0-0x000000007496E000-0x000000007496F000-memory.dmp

memory/1868-1-0x00000000005C0000-0x000000000065A000-memory.dmp

memory/1868-2-0x0000000004FC0000-0x0000000005036000-memory.dmp

memory/1868-3-0x0000000004F70000-0x0000000004F8E000-memory.dmp

memory/1868-4-0x0000000074960000-0x0000000075110000-memory.dmp

memory/1868-5-0x0000000005740000-0x0000000005CE4000-memory.dmp

memory/2600-6-0x0000000000400000-0x0000000000420000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2DWwzYoIDsZeXAHrWMUgq7wH.exe.log

MD5 e5352797047ad2c91b83e933b24fbc4f
SHA1 9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772
SHA256 b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c
SHA512 dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

memory/1868-10-0x0000000074960000-0x0000000075110000-memory.dmp

memory/2600-9-0x0000000074960000-0x0000000075110000-memory.dmp

memory/2600-11-0x0000000005590000-0x0000000005622000-memory.dmp

memory/2600-12-0x0000000006630000-0x0000000006C48000-memory.dmp

memory/2600-13-0x00000000057F0000-0x0000000005802000-memory.dmp

memory/2600-14-0x0000000005930000-0x0000000005A3A000-memory.dmp

memory/2600-15-0x0000000074960000-0x0000000075110000-memory.dmp

memory/2600-16-0x00000000063E0000-0x000000000641C000-memory.dmp

memory/2600-17-0x0000000006520000-0x000000000656C000-memory.dmp

memory/2600-18-0x0000000074960000-0x0000000075110000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe"

C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe

"C:\Users\Admin\AppData\Local\Temp\6K69WRpYoPgt3vIoWRXmpAwA.exe" -q

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3796 -ip 3796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3796 -s 912

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe"

C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe

"C:\Users\Admin\AppData\Local\Temp\6RVcR1WSznUXUS8RtLypZMfp.exe" -q

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4800 -ip 4800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 920

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 a.goatgame.co udp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-11-10 12:00

Reported

2024-11-10 12:03

Platform

win10v2004-20241007-en

Max time kernel

92s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File created C:\Program Files (x86)\GameBox\is-MS55T.tmp C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A
File opened for modification C:\Program Files (x86)\GameBox\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe

"C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp" /SL5="$6023E,138429,56832,C:\Users\Admin\AppData\Local\Temp\8Jw_RggGj5lBX2auQAnIQe71.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 34.117.59.81:80 ipinfo.io tcp
US 34.117.59.81:443 ipinfo.io tcp
US 8.8.8.8:53 proxycheck.io udp
US 104.26.9.187:80 proxycheck.io tcp
US 8.8.8.8:53 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com udp
IN 3.5.210.162:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
US 8.8.8.8:53 81.59.117.34.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.9.26.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
IN 3.5.210.162:80 7e10a716-f462-4371-a152-105d67ce51a8.s3.ap-south-1.amazonaws.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 162.210.5.3.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1896-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1896-2-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AQH6O.tmp\8Jw_RggGj5lBX2auQAnIQe71.tmp

MD5 ffcf263a020aa7794015af0edee5df0b
SHA1 bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA256 1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA512 49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

memory/1384-6-0x0000000000400000-0x00000000004BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-K65P5.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/1384-15-0x0000000003A80000-0x0000000003ABC000-memory.dmp

memory/1384-17-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1384-18-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1384-19-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1384-20-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1896-21-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1384-23-0x0000000003A80000-0x0000000003ABC000-memory.dmp

memory/1384-32-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1384-37-0x0000000000400000-0x00000000004BD000-memory.dmp

memory/1896-38-0x0000000000400000-0x0000000000414000-memory.dmp